CGI vulnerabilities have always been a problem that people tend to ignore, yet they are widespread; the PCWEEK LINUX hack a short while ago made use of a CGI vulnerability. From what I know myself and from a foreign site, I have written up some attack methods that make use of CGI vulnerabilities.
First, the phf.cgi attack:
phf is familiar to everyone. It was meant to be used to update the PHONEBOOK, but many administrators do not understand it, and so it became a vulnerability. In the browser, enter:
You can then display the passwd file. In fact, a better command can be used to achieve the same purpose:
The above is equivalent to executing the command:
cp /etc/passwd ~someuser/passwd
(Use a directory that an ordinary user can enter to hold the passwd copy.)
Second, php.cgi
Besides phf, php is also a common vulnerability. php.cgi 2.0beta10 and earlier versions allow anyone to read system files with the identity of the HTTP administrator. In the browser, enter:
You can then see the file you want to see.
In addition, some versions of php.cgi can also be made to execute a shell, because they put 8k bytes into a 128-byte buffer, causing a stack overflow, so that the attacker can execute commands as the HTTP administrator.
This only works when PHP is used as a CGI script; it does not work when PHP runs as an Apache module. To check whether it can be run, simply enter in the browser:
If you see a response like the following, it can be run:
PHP/FI Version 2.0b10
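Requests to these scripts leave traces in the web server's access log. The following Python code is an added example, not part of the original article: it flags requests to the script names this page covers (phf, php.cgi, test-cgi) and uses the 128-byte buffer size quoted above as a length threshold. The Common Log Format layout, the /cgi-bin/ paths, the placeholder parameter x and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Script names come from the page; everything else here is an assumption.
WATCHED = {"phf", "php.cgi", "test-cgi"}
BUFFER_LEN = 128  # php.cgi buffer size quoted on the page, used as a length threshold
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

def classify(line):
    """Return (client, script, reasons) for a request to a watched script, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, uri, status = m.groups()
    decoded = unquote(uri)  # one percent-decoding pass over the logged URI
    segments = urlsplit(decoded).path.lower().split("/")
    script = next((s for s in segments if s in WATCHED), None)
    if script is None:
        return None
    reasons = ["probe"]
    if "/etc/passwd" in decoded:
        reasons.append("passwd-reference")
    if len(decoded) > BUFFER_LEN:
        reasons.append("oversized-request")
    if status == "200":
        reasons.append("script-present")  # the script exists and answered: remove it
    return client, script, reasons

SAMPLE_LOG = [  # constructed lines, documentation addresses, placeholder query "x="
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/phf?x=%2Fetc%2Fpasswd HTTP/1.0" 200 900',
    '192.0.2.44 - - [01/Jan/2000:10:00:06 +0000] "GET /cgi-bin/php.cgi?' + "A" * 200 + ' HTTP/1.0" 500 0',
    '192.0.2.44 - - [01/Jan/2000:10:00:07 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210',
]

def scan(lines):
    """Group findings by client so a sweep across several scripts stands out."""
    report = {}
    for line in lines:
        hit = classify(line)
        if hit:
            client, script, reasons = hit
            report.setdefault(client, []).append((script, reasons))
    return report

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, hits)
```

A "script-present" finding means the server still ships the script and should have it removed or upgraded; a single client hitting several watched scripts in a row indicates a scan.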
Third, the test-cgi problem
test-cgi is also a frequently appearing vulnerability. In the browser, enter: