Raja

1.1 Disclaimer:

In no way does the author of this tutorial or Neworder encourage any sort of illegal activities

This tutorial's only purpose is to inform and teach about security problems regarding CGI-Scripts

and possible solutions to these problems. The author nor Neworder can be held responsible for anything you do with regards to the knowledge in this tutorial. Be a true hacker, learn and

help others (to learn).

1.2 Introduction:

Some time ago I ended up in some CGI-BIN directory, somewhere on the web. I had seen CGI-BIN directories before, but to be honest I never really knew what they did or what they were there for. Probably out of boredom, I started browsing the subdirectories and saw that these dirs contained all sorts of different scripts. CGI-Scripts. I was rather intrigued when I also found a file named password.txt and another file which contained a username and password combination. Could it be that this kind of information was just lying around here, for anyone to see? The answer is yes. So I decided to read some papers on CGI, perl and CGI-Security. I found out that what I had been doing was a simple sort of.....CGI-Hacking.

1.3 What are CGI-Scripts?

I know you probably can't wait to start learning to hack CGI-Scripts, but first you will have to know a little bit about the CGI-Scripts themself. CGI stands for Common Gateway Interface. CGI-Scripts allow web pages to communicate and interact with executeable programs on the server. For example: When you subscribe to a mailinglist (newsletter) your email-address will be added to some mailinglist so you wil receive a weekly or daily e-mail. This process

is fully automatic. No webmaster has to go and add all these email-addresses to some list. A CGI-Script does this for him. Another example is a Bulletin Board script. When a visitor posts a message on a bulletin board, a CGI script will turn this message into a nice looking html page, containing the posted message.

1.4 Hacking CGI-Scripts / Using CGI-Scripts to hack

There's an important difference between these two things. Using CGI-Scripts to hack is a way to exploit vulnerabilities in CGI-Scripts to gain acces to a server. This is a somewhat more complicated matter than hacking CGI-Scripts, but these two topics have a lot to do with each other. In this tutorial I will discuss "Hacking CGI-Scripts". "Using CGI-Scripts to hack" might be a subject for a next tutorial. Or not :-)

1.5 Why are (some) CGI-Scripts easy to hack?

A lot of scripts that are used on the internet are free CGI-Scripts written by hobbyists, who have put a lot of time and effort into them. These scripts are freely available on the web, for anyone to use. But some of these scripts have huge security problems, which could be exploited to hack the script. So why are they easy to hack? They are written by hobbyists, they are often not written with security in mind and since these scripts are free, they are used a lot, which means there's a lot of possible victims out there.

1.6 Vulnerable Scripts and How Do I Hack 'm?

--> Calendar CGI Script by Matt Kruse

One of the scripts that I found vulnerable is the Calendar Script. This script is, like the name says, a script which makes it possible to have a calendar on your website. The calendar script is located in the CGI-BIN directory, most often in a subdirectory called "calendar". The config file: calendar.cfg contains the administrator username and password that are needed to alter the scripts settings. This username and password combination can be found at the absolute end of the calendar.cfg file. However, they are both encrypted (most often in DES). Just download John The Ripper and a big dictionary and you will easily crack most passwords. (See the blacksun tutorial on how tu use John)

The calendar.cfg file is most often located at the following

address:

http://www.foobar.com/cgi-bin/calendar/calendar.cfg

After cracking the password/username you should go to the Admin Control Login at:

http://www.foobar.com/cgi-bin/calendar/calendar_admin.pl?admin (Hence the ?admin after the calendar_admin.pl file)

-->WebBBS Script by Darryl C. Burgdorf

WebBBS Script is a webbased Bulletin Board System. The WebBBS directory contains a profiles dir which in its turn contains profiles of people who have an account for the Bulletin Board. (Passwords) These passwords are also encrypted. (Use John The Ripper!)

You can probably find the txt-files containing userprofile at this location:

http://www.foobar.com/cgi-bin/webBBS/profiles/ )

-->WebAdverts Script by Darryl C. Burgdorf

WebAdverts Script is a script which allows webmasters to display rotating banners/adds on their webpages. Eventually you can use the password and username combination to replace banners with your own, create new banner accounts, delete accounts, view sensitive info, etc etc.

The location of the Webadverts password is:

http://www.foobar.com/cgi-bin/advert/adpassword.txt

When you have decrypted the password visit:

http://www.foobar.com/cgi-bin/advert/ads_admin.pl to login as script administrator

-->WWWBoard Script

WWWBoard is another webbased Bullentin Board

The password to the script can be found in a file called "password.txt" (wouldn't you know!)

Just do a search for cgi-bin/wwwebboard or webboard/password.txt

-->Mailmachine Script

Mailmachine.cgi is a webbased mailinglist. You should look for the file addresses.txt which lists all