dexter@aeron7.com

Perl Script Injection

Collecting Information

Global structure

The first thing we have to do is to get as much information as we can about this portal. We immediately notice that the portal is based on a frameset with:

  • internet.pl: controller
  • page.pl?page=<something>: page that is called from the controller

Read files

In addition, by clicking on student work > Joey Simons > Sign my guestbook, we see a form. Here is the source code

<html><head><title></title></head>

<body bgcolor=”#ffffff” text=”#000000″>

<form action=”../cgi-bin/guest.pl”>

<input type=”hidden” name=”action” value=”write”>

Message:

<input type=”text” name=”text” size=50>

<input type=”submit” value=”submit”>

</form>

</body></html>

We notice that:

  • form action is “../cgi-bin/guest.pl”, a perl script inside cgi-bin/
  • there is a hidden field named action, which value is “write”. We suppose that it exists a value “read” to read files.

Access hard drive

The main controller (internet.pl) is not protected. Indeed, it is possible to request the hard drive content by injecting “file://” instead of “http://”. We discover a new form, named “heartlandadminpanel.html” in C:\WEB\HTML:1

Here is what it looks like (http://www.hackthissite.org/missions/realistic/12/heartlandadminpanel.html)2

By viewing the source code of this page, we notice that the form action is

cgi-bin/heartlandadminpanel.pl

Our first mission is to find valid credential to access the protected content.

Step 1: Find valid credential

Using our *fake* file editor, we are going to view the content of cgi-bin/heartlandadminpanel.pl file. To do so, we are going to enter this address in our URL bar:

http://www.hackthissite.org/missions/realistic/12/cgi-bin/guest.pl?action=read&file=heartlandadminpanel.pl

  • action=read is our supposition, since there is a “write” method, “read” is likely to work
  • file=heartlandadminpanel.pl: we are going to suppose that there is a “file” parameter. Since the guest.pl script is already hosted in the cgi-bin/ directory, we can directly request heartlandadminpanel.pl file

Here is what it produces:

3

The source code of the page gives us the information we are looking for:4

Step 2: Delete list

Access this page:

http://www.hackthissite.org/missions/realistic/12/heartlandadminpanel.html

And log in with:

  • username: jbardus
  • password: heartlandnetworkadministrator

5

Click on “clear all” button and you’re done!

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by entrepreneurial bug, I got kicked out from college and ended up being millionaire and running a digital media company named Aeron7 headquartered at Lithuania.

Related Posts

Basic Mission 1   I can call you a pretty dumb as per you are now viewing the walkthrough for...

Basic Mission 2   I can again call you a pretty dumb as per you are now again viewing the walk...

Basic Mission 3   Have a look at the source code of that page and have you noticed the form section?...

Leave a Reply