Network Security Security-Basics

Webhits.dll arbitrary file retrieval Vulnerability, help Required

Subject: Webhits.dll arbitrary file retrieval Vulnerability, help Required
Date: Sat, 26 Feb 2005 03:18:51 +0530
Respected Members,

When I was doing a web server scan through Nikto on my website, it
reported that the files "/scripts/samples/search/qfullhit.htw" &
"/scripts/samples/search/qsumrhit.htw" are vulnerable to the
"Webhits.dll arbitrary file retrieval Vulnerability".

When I researched on Google, I found this bug's advisory by David
Litchfield, and he says that "Even if you have no .htw files on your
system you're probably still vulnerable! A quick test to show if you
are vulnerable: go to http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw
If you receive a message stating the "format of the QUERY_STRING
is invalid" you _are_ vulnerable."

When I typed this URL into IE (www.acme.com/nosuchfile.htw), I got
this response:

"The format of QUERY_STRING is invalid." which proved that the web
server was vulnerable to this vulnerability.
So I tried to exploit it via netcat after reading the rest of the
advisory; this is what I tried in netcat:

E:\nc11nt>nc -v -n 202.xx.xx.208 80
(UNKNOWN) [202.xx.xx.208] 80 (?) open
GET /scripts/samples/search/qfullhit.htw?ciwebhitsfile=/../../winnt/repair/sam._
&cirestriction=none&cihilitetype=full
HTTP/1.0 200 OK
Content-Type: text/html

<HTML>
<BODY>
<p><h3><center>The path specified is incorrect.<BR></center></h3><BR></BODY>
 </HTML>
E:\nc11nt>

Though I could not retrieve the SAM file hashes, I still got an HTTP
200 OK message. Now Nikto also says that there is a "Ws_ftp.log" file
on the server; I don't have any clue about this file and its location
on the server. Some admins say that it contains the FTP user ID and
encrypted password, which is way easy to crack!!

Now, is there a way that I can access that log file through the above
vulnerability, or any other files for that matter? Whatever files I
have tried to access using the above way, I have got nothing but HTTP
OK messages.
I request you all to kindly explain the method to exploit this bug and
access files, because I am unable to exploit this vulnerability in a
proper way. Unless I know how this bug is exploited, I cannot patch
it; I want to know how to exploit it first before patching it, so
that I can know all the avenues a cracker can use to enter my web
server.
Any help would be certainly appreciated.

-=Maverick_12210=-
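Added here as a defender's example (not part of the original post or of the advisory it quotes): a small Python scanner that walks IIS W3C log lines and flags every request for a .htw file (the webhits.dll handler answers even for files that do not exist, as the quoted advisory notes) and, more severely, any ciwebhitsfile value that carries a ".." path segment after URL decoding, so an administrator can tell from the logs whether such probes reached the server. The log lines, hosts and addresses below are constructed samples; the parameter names come from the request in the post.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log lines (fields: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status). Not real traffic.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2005-02-25 21:48:51 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0 200
2005-02-25 21:49:02 192.0.2.10 GET /nosuchfile.htw - 80 - 198.51.100.7 Mozilla/4.0 200
2005-02-25 21:49:30 192.0.2.10 GET /scripts/samples/search/qfullhit.htw ciwebhitsfile=/../../winnt/repair/sam._&cirestriction=none&cihilitetype=full 80 - 198.51.100.7 - 200
2005-02-25 21:50:01 192.0.2.10 GET /scripts/samples/search/qsumrhit.htw ciwebhitsfile=%2F..%2F..%2Fwinnt%2Frepair%2Fsam._&cirestriction=none 80 - 198.51.100.7 - 200
2005-02-25 21:51:12 192.0.2.10 GET /search/results.htw ciwebhitsfile=/docs/readme.htm&cirestriction=none 80 - 203.0.113.5 Mozilla/4.0 200
"""

HTW_RE = re.compile(r"\.htw$", re.IGNORECASE)

def parse_line(line):
    """Split one W3C log line into the fields we need; '-' means empty."""
    parts = line.split()
    if len(parts) < 11 or parts[0].startswith("#"):   # skip header/comment lines
        return None
    return {"time": f"{parts[0]} {parts[1]}", "method": parts[3], "stem": parts[4],
            "query": "" if parts[5] == "-" else parts[5],
            "client": parts[8], "status": parts[10]}

def classify(entry):
    """Return 'traversal', 'htw', or None for one parsed entry.
    'htw'       : any request for a .htw file (webhits.dll is invoked even if absent)
    'traversal' : a ciwebhitsfile value contains a '..' path segment once decoded
    """
    if not HTW_RE.search(entry["stem"]):
        return None
    params = parse_qs(entry["query"], keep_blank_values=True)  # decodes %XX once
    for value in params.get("ciwebhitsfile", []):
        segments = value.replace("\\", "/").split("/")          # treat \ like /
        if ".." in segments:
            return "traversal"
    return "htw"

def scan(log_text):
    """Return (time, client, uri-stem, level) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        level = classify(entry)
        if level:
            findings.append((entry["time"], entry["client"], entry["stem"], level))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```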
