OPPapers.com

Raja

1.1 Disclaimer:

In no way does the author of this tutorial or Neworder encourage any sort of illegal activities
This tutorial's only purpose is to inform and teach about security problems regarding CGI-Scripts
and possible solutions to these problems. The author nor Neworder can be held responsible for anything you do with regards to the knowledge in this tutorial. Be a true hacker, learn and
help others (to learn).

1.2 Introduction:

Some time ago I ended up in some CGI-BIN directory, somewhere on the web. I had seen CGI-BIN directories before, but to be honest I never really knew what they did or what they were there for. Probably out of boredom, I started browsing the subdirectories and saw that these dirs contained all sorts of different scripts. CGI-Scripts. I was rather intrigued when I also found a file named password.txt and another file which contained a username and password combination. Could it be that this kind of information was just lying around here, for anyone to see? The answer is yes. So I decided to read some papers on CGI, perl and CGI-Security. I found out that what I had been doing was a simple sort of.....CGI-Hacking.

1.3 What are CGI-Scripts?

I know you probably can't wait to start learning to hack CGI-Scripts, but first you will have to know a little bit about the CGI-Scripts themself. CGI stands for Common Gateway Interface. CGI-Scripts allow web pages to communicate and interact with executeable programs on the server. For example: When you subscribe to a mailinglist (newsletter) your email-address will be added to some mailinglist so you wil receive a weekly or daily e-mail. This process
is fully automatic. No webmaster has to go and add all these email-addresses to some list. A CGI-Script does this for him. Another example is a Bulletin Board script. When a visitor posts a message on a bulletin board, a CGI script will turn this message into a nice looking html page, containing the posted message.

1.4 Hacking...