Mailing List Archive

A couple NASLs for simple CGI traversals
Here are NASLs for the zml.cgi and the PHP Rocket Add-in directory traversals.

Is there a KB item for the name of the cgi-bin directory?

Also, for directory traversals is there a standard file to check for on Unix boxes? (In these two nasls I just use /etc/passwd and grep for root: and :0:0: to verify that it's actually /etc/passwd)

--
^Drew
http://guh.nu
--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--
Re: A couple NASLs for simple CGI traversals
You can get the CGI dir by calling cgibin(), like... cgidir = cgibin();

Yes, most of the plugins for UNIX CGI seem to look for /etc/passwd, and then parse for "root:". You could cut down on one 'if' by just looking for "root:". Also, the check for "0:0" may fail if root is any group besides 0.

if("root:"><dataretrieved) { security_hole(port:port); }



Chris Sullo
____________________________________________________
http://www.cirt.net/
Default Passwords, Ports, SSIDs & more


> Here are NASLs for the zml.cgi and the PHP Rocket Add-in directory traversals.
>
> Is there a KB item for the name of the cgi-bin directory?
>
> Also, for directory traversals is there a standard file to check for on Unix boxes? (In these two nasls I just use /etc/passwd and grep for root: and :0:0: to verify that it's actually /etc/passwd)
>
> --
> ^Drew
>
> http://guh.nu
>
Re: A couple NASLs for simple CGI traversals
----- Original Message -----
From: "Andrew Hintz (Drew)" <mail.drew@overt.org>
To: <plugins-writers@list.nessus.org>
Sent: Friday, January 04, 2002 6:45 PM
Subject: A couple NASLs for simple CGI traversals


> Here are NASLs for the zml.cgi and the PHP Rocket Add-in directory traversals.
>
> Is there a KB item for the name of the cgi-bin directory?
cgibin() returns one of the paths entered by the user to use instead of cgi-bin. This function duplicates the run of the script, which means that if the user set the CGI path to be '/scripts:/cgi-bin' (the default) then the script will be executed twice when cgibin() is called - the first time, it will return '/scripts', the second time it will return '/cgi-bin'.
>
> Also, for directory traversals is there a standard file to check for on Unix boxes? (In these two nasls I just use /etc/passwd and grep for root: and :0:0: to verify that it's actually /etc/passwd)
Fine on Unix.
On Windows we use /winnt/win.ini and grep for [windows] or [fonts] (see iplanet_traversal.nasl)

You can't use '/WINNT/system32/ipconfig.exe' and grep for 'IP Configuration' because of international version of Windows.
The standard is to use 'dir /OG' and grep for '<DIR>' (see iis_decode_bug.nasl).
If there is no way to send arguments use net.exe (see alchemy_eye_http.nasl).

Georges Dagousset
Re: A couple NASLs for simple CGI traversals
> On Windows we use /winnt/win.ini and grep for [windows] or [fonts] (see iplanet_traversal.nasl)
>

What about looking for /boot.ini and looking for "[boot loader]", which solves some of the /winnt vs /windows problems? Felix Huber was looking at changing some of the plugins to use this instead as it's a bit more portable (but still doesn't cover all the MS versions). Not sure if he got to that or not...



Chris Sullo
____________________________________________________
http://www.cirt.net/
Default Passwords, Ports, SSIDs & more
Re: A couple NASLs for simple CGI traversals
----- Original Message -----
From: "sq" <sq@cirt.net>
To: <plugins-writers@list.nessus.org>
Sent: Friday, January 04, 2002 7:13 PM
Subject: Re: A couple NASLs for simple CGI traversals


>
> > On Windows we use /winnt/win.ini and grep for [windows] or [fonts] (see iplanet_traversal.nasl)
> >
>
> What about looking for /boot.ini and looking for "[boot loader]", which solves some of the /winnt vs /windows problems? Felix Huber was looking at changing some of the plugins to use this instead as it's a bit more portable (but still doesn't cover all the MS versions). Not sure if he got to that or not...
>
I don't have any /boot.ini on my Windows 2000

Georges Dagousset
Re: A couple NASLs for simple CGI traversals
> What about looking for /boot.ini and looking for "[boot loader]", which solves some of the /winnt vs /windows problems? Felix Huber was looking at changing some of the plugins to use this instead as it's a bit more portable (but still doesn't cover all the MS versions). Not sure if he got to that or not...

Like I wrote it should work for Win2k/XP/Nt4 ... I updated about 50 files (I mailed them to Renaud).

> I don't have any /boot.ini on my Windows 2000

Hmm... I was able to find this file on about 10 Win2K machines.
It's hidden, write protected etc. after the installation - is this the cause why you haven't seen it?

Regards,
Felix Huber
Re: A couple NASLs for simple CGI traversals
----- Original Message -----
From: "Felix Huber" <huberfelix@webtopia.de>
To: "Georges Dagousset" <georges.dagousset@orange.fr>;
<plugins-writers@list.nessus.org>
Sent: Friday, January 04, 2002 7:30 PM
Subject: Re: A couple NASLs for simple CGI traversals


> > What about looking for /boot.ini and looking for "[boot loader]", which solves some of the /winnt vs /windows problems? Felix Huber was looking at changing some of the plugins to use this instead as it's a bit more portable (but still doesn't cover all the MS versions). Not sure if he got to that or not...
>
> Like I wrote it should work for Win2k/XP/Nt4 ... I updated about 50 files (I mailed them to Renaud).
>
> > I don't have any /boot.ini on my Windows 2000
>
> Hmm... I was able to find this file on about 10 Win2K machines.
> It's hidden, write protected etc. after the installation - is this the cause why you haven't seen it?
>
I've looked on a Win98, no /boot.ini.
I will check all my Server/WorkStation on monday.

Regards,
Georges Dagousset
Re: A couple NASLs for simple CGI traversals
> >
> > Like I wrote it should work for Win2k/XP/Nt4 ... I updated about 50 files
>
> I've looked on a Win98, no /boot.ini.
> I will check all my Server/WorkStation on monday.
>

Right - like I wrote, boot.ini only exists on Win2k/XP/Nt4.
For Win9x/Me I suggest looking for the autoexec.bat.

Regards,
Felix
Re: A couple NASLs for simple CGI traversals
----- Original Message -----
From: "Brad Caldwell" <brad@securitymetrics.com>
To: "Georges Dagousset" <georges.dagousset@orange.fr>; "Felix Huber"
<huberfelix@webtopia.de>; <plugins-writers@list.nessus.org>
Sent: Friday, January 04, 2002 8:07 PM
Subject: RE: A couple NASLs for simple CGI traversals


> Boot.ini should be there.
>
> Did you try using the attrib command?
NO :(
> attrib boot*
It works with attrib ;-)
>
> Boot.ini is a hidden, system file so you won't see it with a basic dir
> command.
>
Question: If this file is hidden, can we use it for CGI traversals?
Re: A couple NASLs for simple CGI traversals
> >
> > Boot.ini is a hidden, system file so you won't see it with a basic dir
> > command.
> >
> Question: If this file is hidden, can we use it for CGI traversals?

Of course - it's only a problem with Win9x/Me, there we need Autoexec.bat
checks.

Regards,
Felix Huber

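The content checks discussed across this thread, collected into one added example. This is Python written for this page, not code from any of the list posts and not Nessus's own plugin code (the NASL plugins named above are not reproduced here). It shows the point Chris makes about /etc/passwd: matching "root:" and ":0:0:" as raw substrings misses a root entry whose GID is not 0, whereas parsing the root line field-wise and checking only UID 0 does not. It also shows the Windows markers Georges and Felix settled on (the [windows]/[fonts] section headers of win.ini, [boot loader] in boot.ini, and <DIR> in 'dir /OG' output), which survive localized Windows builds where English program output such as 'IP Configuration' does not. Every sample response body below is constructed for the example; none comes from a real host.

```python
"""Decide whether a directory-traversal probe really returned the file it asked for.

Added example for this thread; the sample bodies are constructed, not captured.
"""

# Windows fingerprints named in the thread.  Plain substring matches, the same
# idea as NASL's "><" operator, compared case-insensitively.
WINDOWS_MARKERS = {
    "win.ini": ("[windows]", "[fonts]"),   # /winnt/win.ini or /windows/win.ini
    "boot.ini": ("[boot loader]",),        # NT4/2000/XP only (hidden+system file)
    "dir": ("<DIR>",),                     # 'dir /OG' output, locale-independent
}


def naive_passwd_check(body):
    """The ':0:0:' heuristic from the first post, kept to show where it fails."""
    return "root:" in body and ":0:0:" in body


def passwd_root_entry(body):
    """Return (uid, gid) of the root account if body parses as /etc/passwd, else None.

    Only the UID has to be 0; the GID is reported but not required to be 0,
    because some systems put root in a non-zero primary group.
    """
    for line in body.splitlines():
        if not line.startswith("root:"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # name:passwd:uid:gid:gecos:home:shell
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            continue
        if uid == 0:
            return uid, gid
    return None


def looks_like_passwd(body):
    return passwd_root_entry(body) is not None


def identify_windows_file(body):
    """Name the Windows file the body most plausibly is, or None."""
    lowered = body.lower()
    for name, markers in WINDOWS_MARKERS.items():
        if any(marker.lower() in lowered for marker in markers):
            return name
    return None


def verify_traversal_response(target, body):
    """target is 'passwd', 'win.ini', 'boot.ini' or 'dir'.

    True only when the body carries the evidence expected for that target, so an
    error page that merely echoes the requested path does not count as a hit.
    """
    if target == "passwd":
        return looks_like_passwd(body)
    return identify_windows_file(body) == target


# Constructed sample bodies.
PASSWD_GID0 = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
PASSWD_GID3 = "root:x:0:3::/:/sbin/sh\ndaemon:x:1:5::/:/sbin/sh\n"  # root in group 3
HTML_404 = "<html><body>root: not found</body></html>"               # mentions root:, is not passwd
WIN_INI = "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n"
BOOT_INI = "[boot loader]\r\ntimeout=30\r\n"
DIR_OUT = " Directory of C:\\\r\n05/12/2001  10:00a      <DIR>          WINNT\r\n"

if __name__ == "__main__":
    for label, body in [("passwd gid 0", PASSWD_GID0), ("passwd gid 3", PASSWD_GID3),
                        ("html 404", HTML_404)]:
        print(f"{label:14} naive={naive_passwd_check(body)!s:5} parsed={looks_like_passwd(body)}")
    for label, body in [("win.ini", WIN_INI), ("boot.ini", BOOT_INI), ("dir", DIR_OUT)]:
        print(f"{label:14} identified as {identify_windows_file(body)}")
```

Running the block shows the naive check rejecting the GID-3 passwd file that the field-wise parser accepts, while both reject the error page that merely contains the string "root:".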