RE: Re-opening an old thread: NetWare-Enterprise-Web-Server/5.1 -- Assistance requested.

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: Thu Dec 19 2002 - 02:32:34 EST


I remember finding this on a netware server that I was auditing.
Essentially, it is a path mapping that executes the rest of the line as a
perl filename.

E.g. /perl/mycgi.pl actually executes "perl -- ${root}/mycgi.pl".
And /perl/dir/mycgi.pl executes "perl -- ${root}/dir/mycgi.pl".

I'm guessing about the "--", but that is what I'd do. It would also explain
why the rest of your options ("-h", etc.) failed.

One thing you could try, which I've just noticed in the perlrun manpage:

Try POSTing your program to the following URL
/perl/-

Might be equivalent to:

0 $ echo 'print "hello world\n";' | perl -- -
hello world
0 $

You would obviously have to think about encoding your program to pass HTTP
%-encoding rules, and substitute spaces with +, etc. There were some nice
suggestions on this list a while back as to how to write a perl program
without any spaces in it - I've not got time to search for it though :-)

Good luck. Let us know if it works.

Rogan

P.S. One thing you may want to do is print a blank line before any other
output. Otherwise you may be writing headers, rather than body.

-----Original Message-----
From: Ralph Los [mailto:RLos@enteredge.com]
Sent: 18 December 2002 10:29 PM
To: Pen-test@securityfocus.com
Subject: Re-opening an old thread: NetWare-Enterprise-Web-Server/5.1 -- Assistance requested.
Sensitivity: Confidential

Hey - let me re-open a thread again, if you folks don't mind. I've found a
server at one of our pen-test clients with this NetWare HTTP/HTTPS server.
I've been trying to figure out a way to make it tango, but have been having
some problems. Here's what I've tried and where I left off, maybe someone
can toss some suggestions out.

Attempt: http://address/perl/-v
Result: NetWare port Copyright 1998 Novell Corporation.
                All rights reserved.

Attempt: http://address/perl/-h
Result: Page not found

Attempt: http://address/perl/-e%20print%20%22hello%20world%22;
Result: IE just hangs there "DONE"

Attempt: http://address/perl/-e%20print%201;
Result: IE just hangs there "DONE"

So what's up? Is this box "patched" against this form of attack somehow?
Could someone throw me another idea maybe?

Thanks a bunch.
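A defender-side illustration of the path mapping discussed in this thread (an added example, not code from either poster or from Novell): the check a /perl/ handler should apply to the decoded path remainder before it ever reaches the interpreter, and the same check run over constructed access-log lines to surface requests whose remainder would have been read as an option or as stdin rather than as a script name. The log format, the "/perl/" prefix and the helper names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2002:22:29:01 +0000] "GET /perl/mycgi.pl HTTP/1.0" 200 512
10.0.0.5 - - [18/Dec/2002:22:29:02 +0000] "GET /perl/-v HTTP/1.0" 200 88
10.0.0.5 - - [18/Dec/2002:22:29:03 +0000] "GET /perl/-e%20print%201; HTTP/1.0" 200 0
10.0.0.5 - - [18/Dec/2002:22:29:04 +0000] "POST /perl/- HTTP/1.0" 200 0
10.0.0.5 - - [18/Dec/2002:22:29:05 +0000] "GET /perl/dir/mycgi.pl HTTP/1.0" 200 512
10.0.0.5 - - [18/Dec/2002:22:29:06 +0000] "GET /perl/%2Dv HTTP/1.0" 200 88
"""

# Pulls method and request-target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def script_name_is_safe(remainder: str) -> bool:
    """Validation a /perl/ handler should apply to the *decoded* remainder
    of the URL before building the interpreter command line: every path
    component must be a plain filename. A leading '-' would be taken as an
    option (or, for a bare '-', as "read the program from stdin"), and '..'
    would escape the script root."""
    if not remainder:
        return False
    parts = remainder.split("/")
    return all(p and not p.startswith("-") and p != ".." for p in parts)


def flag_perl_requests(log_text: str, prefix: str = "/perl/") -> list:
    """Return (method, decoded path) for every request under the interpreter
    mapping whose remainder fails script_name_is_safe(). Percent-decoding is
    applied first so %2D and %20 cannot hide an option-like remainder."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = unquote(urlsplit(m.group("target")).path)
        if path.startswith(prefix) and not script_name_is_safe(path[len(prefix):]):
            hits.append((m.group("method"), path))
    return hits


if __name__ == "__main__":
    for method, path in flag_perl_requests(SAMPLE_LOG):
        print(f"flagged: {method} {path}")
```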

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT