Hacking Fox.

Published on: 1179824116
This is just a walk in the park, really. Google's been on their servers before, due to some weird configuration setting. But well, it's nice to look a couple of months later to see what those foxtards actually did to secure it. Nothing, right. So this stuff isn't very post-worthy and only annoying, but I reckoned it might wake someone up who also serves up 10 year old Perl/CGI files. I mean, what is wrong with these people if I can gain access to a huge user database by using my browser? So much for trusting Fox with all your personal details! So what I'll do is go through the steps. I won't show the 100K user database because Google already has it. Ask Google, not me. It is probably public domain since 1997.



So, what up with this code?



EOM

dbmopen (%QUESTDATA, "../../quest", 0644);

while (($email, $data_str) = each(%QUESTDATA)) {
    @data = split(/\t/,$data_str);
    $l_name = $data[0];
    $f_name = $data[1];
    $m_init = $data[2];
    $case1 = $data[3];
    $case2 = $data[4];
    $case3 = $data[5];
    $case4 = $data[6];

    if ($case3 eq "yes") {
        # print "$f_name $m_init $l_name <br> \n";
        $sortednames{$l_name} = "$f_name $m_init";
    }
}

foreach $foo (sort keys(%sortednames)) {
    print "$sortednames{$foo} $foo<br> \n";
}

dbmclose(%QUESTDATA);

print <<"EOM";


or:



EOM

######################################################

dbmopen(%PLAYERDB, "players", 0666);

while (($email,$data) = each(%PLAYERDB)) {
    ($name,$t1,$t2,$t3,$t4,$t5,$t6) = split(/\|/,$data);
    if (($t1 eq "1") && ($t2 eq "1") && ($t3 eq "1") && ($t4 eq "1") && ($t5 eq "1") && ($t6 eq "1")) {
        print "<P ALIGN=\"CENTER\"><B><FONT COLOR=\"#FF9933\" SIZE=\"+1\">$name</B></FONT></P>";
    }
}

dbmclose(%PLAYERDB);

#######################################################

print <<"EOM";




See, they use the function dbmopen and access a database or directory storing user data because NDBM is enabled. Thing is, you can access that db through your browser pretty simply. Just use: dbname.dir and you'll download the whole dir, or dbname.pag to download the pagefile. Or even better: dbname.data for a complete database.





dbmopen (%QUESTDATA, "../../quest", 0644);

foxserver/foo/bar/../../quest.dir
foxserver/foo/bar/../../quest.pag
foxserver/foo/bar/../../quest.data

dbmopen(%PLAYERDB, "players", 0666);

foxserver/players.dir
foxserver/players.pag
foxserver/players.data
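
An added example, not part of the original post and not Fox's code: a defender-side audit that parses dbmopen() calls in CGI scripts under a web root, resolves each path the way the listings above do, and reports every database whose files land inside the served tree, plus whether the creation mode passed to dbmopen is world-writable. It assumes the CGI runs with its own directory as the working directory; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Matches dbmopen(%HASH, "path", MODE) as written in the excerpts above.
DBMOPEN_RE = re.compile(r'dbmopen\s*\(\s*%\w+\s*,\s*"([^"]+)"\s*,\s*(0[0-7]+)\s*\)')
DBM_SUFFIXES = (".dir", ".pag", ".data")  # file names listed in the post


def audit_cgi_dbm(docroot):
    """Report dbmopen() targets that resolve to files inside docroot."""
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in (f for f in files if f.endswith((".cgi", ".pl"))):
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                source = fh.read()
            for db_path, mode in DBMOPEN_RE.findall(source):
                # Assumption: the CGI's working directory is its own folder,
                # so a relative dbmopen path resolves from there.
                base = os.path.realpath(os.path.join(dirpath, db_path))
                if os.path.commonpath([docroot, base]) != docroot:
                    continue  # database is stored outside the web root
                findings.append({
                    "script": os.path.relpath(os.path.join(dirpath, name), docroot),
                    "db": os.path.relpath(base, docroot),
                    "mode_world_writable": bool(int(mode, 8) & 0o002),
                    "served_files": [os.path.relpath(base + s, docroot)
                                     for s in DBM_SUFFIXES if os.path.exists(base + s)],
                })
    return findings


def build_sample_docroot(root):
    """Constructed sample tree mirroring the two dbmopen calls in the post."""
    os.makedirs(os.path.join(root, "foo", "bar"))
    with open(os.path.join(root, "foo", "bar", "quest.cgi"), "w") as fh:
        fh.write('dbmopen (%QUESTDATA, "../../quest", 0644);\n')
    with open(os.path.join(root, "list.cgi"), "w") as fh:
        fh.write('dbmopen(%PLAYERDB, "players", 0666);\n')
    for name in ("quest.dir", "quest.pag", "players.dir", "players.pag"):
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_cgi_dbm(build_sample_docroot(os.path.join(tmp, "htdocs"))):
            print(finding)
```

A dbmopen() path that resolves outside the document root produces no finding, which is the layout to aim for.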





They have old php3 configurations running, giving me complete PHP code access whenever I want to. A screenie below for proof of a simple PHP injection:







Indeed, top secret eh?







Then I got bored, it's so annoying to stumble upon this.