CGI vulnerability Exploitation

Source: Internet
Author: User

CGI vulnerabilities are the easiest part of the job for network administrators. I tested these vulnerabilities on this website; here I briefly describe some common ones, with the general principle and the solution for each. Where a description is incomplete, please consult other documents.
1. Name: ?PageServices vulnerability
This vulnerability is present on many websites, but many of the people who scan for it do not know how to use it, so let's discuss it here!
It reveals the page list of a directory.
The method: request URL/?PageServices
You can also try the following variants:
/?WP-CS-dump /?WP-ver-info /?WP-HTML-rend /?WP-USR-prop /?WP-ver-diff /?WP-verify-link /?WP-start-ver /?WP-stop-ver /?WP-uncheckout
If you are lucky, you may even obtain user names and passwords! (The premise is that the files are stored in plain text; an MD5-hashed password is useless.)
2. Name: fpcount.exe vulnerability
If your web server runs on Windows NT with only Service Pack 3 installed, an intruder can use this CGI program to launch a DoS attack that leaves your IIS service unable to respond.
Solution: delete or remove fpcount.exe from your web directory.

3. Name: /_vti_bin/shtml.dll vulnerability
Attackers exploit this file to drive your system's CPU usage to 100%.
Attack method:
Exposed path: http://<target host>/_vti_bin/shtml.dll/something.html
The following message is returned:
Cannot open C:\inetpub\wwwroot\postinfo1.html: no such file or folder.
Requesting a nonexistent file through shtml.dll on a FrontPage Extensions server / Windows 2000 Server reveals the local path of the web directory. If we request a file whose suffix is not .html, .shtml or .asp, we get a different message. In addition, shtml.dll recognises and processes long file names with an .html suffix; by exploiting this, a DoS attack can be performed against the IIS server, driving the target's CPU usage to 100% and consuming all Application Log space. Within a few minutes the system reports that the application log is full.
Solution: remove _vti_bin/shtml.dll from your web directory.
4. Name: shtml.exe vulnerability
Description: a denial-of-service vulnerability. If your web server uses FrontPage, an intruder can use the IUSR_ account; submitting a link similar to the following stops the FrontPage Server Extensions from responding:
http://<target host IP address>/_vti_bin/shtml.exe/com1.htm
http://<target host IP address>/_vti_bin/shtml.exe/prn.htm
Solution: remove or delete shtml.exe from your web directory.
5. Name: null.htw vulnerability
The worst this null.htw vulnerability can do is leak source code.
The most valuable target is therefore the global.asa file, which usually carries important content such as names and passwords.
The null.htw handler takes three variables from user input:
CiWebHitsFile, CiRestriction, CiHiliteType
Passing the variables as follows retrieves the source code of a file such as default.asp:
http://www.<target machine>.com/null.htw?CiWebHitsFile=/default.asp%20&%20CiRestriction=none%20&%20CiHiliteType=full
A valid .htw file is not required, because the virtual file is already held in memory.
Because 'null.htw' is not a real file mapped on disk but a virtual file held in system memory, requests for null.htw are still handled by webhits.dll by default even after you have deleted every real .htw file from the system. IIS therefore remains exposed to this vulnerability.
Solution: if the system needs the functions that webhits provides, download the corresponding patch; if not, use the IIS MMC management tool to remove the .htw application mapping.
Microsoft has released a patch for this problem.
6. Name: x.htw, qfullhit.htw or iirturnh.htw
Description: IIS 4.0 carries an application mapping .htw ---> webhits.dll, used for the Index Server hit-highlighting function. Even if you do not run Index Server, the mapping remains in effect. This application-mapping vulnerability allows intruders to read files, database files and ASP source code on the local hard disk.
An attacker can use the following request to read the contents of a file on the system:
http://<target host IP>/iissamples/ISSamples/OOP/qfullhit.htw?CiWebHitsFile=/../../winnt/win.ini&CiRestriction=none&CiHiliteType=full
Once webhits.dll is handed a ../ sequence, files outside the web virtual directory can be reached; entering such an address in the browser can also retrieve the server's web log file for a given date. The common .htw sample files on the system are /iissamples/ISSamples/OOP/qfullhit.htw and /iissamples/ExAir/search/qfullhit.htw.

Solution:

webhits.dll is an ISAPI application that processes the request, opens the file and returns the result. When the user controls the CiWebHitsFile parameter passed to the .htw handler, they can request any file, and the result is that ASP source code and other script contents are exposed. To check whether this vulnerability exists, request the following:

http://<target host IP address>/nosuchfile.htw

If the server returns:

"The format of QUERY_STRING is invalid."

the vulnerability may be present.

The vulnerability arises mainly because webhits.dll is associated with the .htw application mapping, so cancelling that mapping is enough to avoid it.
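As an added example (not part of the original page), the following script scans IIS W3C extended log lines for the probes described in items 1 to 6 above: the ?PageServices / WP-* listing queries, requests to fpcount.exe and the shtml.dll / shtml.exe extensions (including the reserved device names), and .htw requests whose CiWebHitsFile parameter names a file or contains a ../ traversal. The log lines and the rule names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C extended log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); not real traffic.
SAMPLE_LOG = """\
2000-05-01 10:00:02 10.0.0.9 GET / PageServices 200
2000-05-01 10:00:03 10.0.0.9 GET /_vti_bin/shtml.exe/com1.htm - 500
2000-05-01 10:00:04 10.0.0.9 GET /iissamples/ISSamples/OOP/qfullhit.htw CiWebHitsFile=/../../winnt/win.ini&CiRestriction=none&CiHiliteType=full 200
2000-05-01 10:00:05 10.0.0.9 GET /null.htw CiWebHitsFile=/default.asp%20&%20CiRestriction=none%20&%20CiHiliteType=full 200
2000-05-01 10:00:06 10.0.0.7 GET /products/list.asp id=3 200
"""

# Query strings of the WebPublisher listing probes (item 1), matched case-insensitively.
WP_PROBES = {"pageservices", "wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop",
             "wp-ver-diff", "wp-verify-link", "wp-start-ver", "wp-stop-ver", "wp-uncheckout"}
# FrontPage Server Extensions binaries abused for DoS (items 2 to 4) and the reserved device names item 4 feeds to shtml.exe.
FPSE_BINARIES = ("/_vti_bin/shtml.dll", "/_vti_bin/shtml.exe", "/fpcount.exe")
DEVICE_NAME = re.compile(r"/(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.[a-z0-9]*)?$", re.I)

def classify_request(stem, query):
    """Return the names of the rules one request matches (empty list when nothing matched)."""
    hits = []
    path = stem.lower()
    if query.lower() in WP_PROBES:
        hits.append("webpublisher-probe")
    if any(b in path for b in FPSE_BINARIES):
        hits.append("fpse-dos-binary")
        if DEVICE_NAME.search(path):
            hits.append("fpse-device-name")
    if path.endswith(".htw"):
        # webhits.dll opens the file named in CiWebHitsFile; strip the %20 padding before parsing
        params = parse_qs(unquote(query).replace(" ", "").lower())
        target = params.get("ciwebhitsfile", [""])[0]
        if target:
            hits.append("webhits-source-disclosure")
        if ".." in target:
            hits.append("webhits-traversal")
    return hits

def scan_log(text):
    """Parse W3C lines and return one finding per request that matched a rule."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:   # skip directives and malformed lines
            continue
        ip, stem, query = parts[2], parts[4], parts[5]
        if rules := classify_request(stem, query):
            findings.append({"ip": ip, "uri": stem, "rules": rules})
    return findings
```

Running scan_log over a real log exported from IIS flags every request that matches at least one rule, which is also a quick way to confirm that removing the .htw mapping and the _vti_bin binaries has stopped these requests from succeeding.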
