(From Wang dox)
What is it?
CGI Vulnerability Scan is a tool to check a web site for various
CGI exploits which might be present. CGI exploits usually appear
as a result of bad coding by third party CGI script developers.
When someone finds a CGI script which has a hole in it (i.e. it
allows someone to exploit it to their advantage) they will
usually spread the word. Once this knowledge is in the open,
crackers will check web sites for the vulnerability and then
exploit them. Since their are so many, it is no wonder that
there are millions of web sites out there on the net just waiting
to be attacked.
Some CGI holes will allow the crackers to download the password
files from your web server. These can then be cracked which
will effectively give the cracker admin access to your web
server. In other words, they will be in control. Other CGI holes
might allow the cracker to crash your web site, or give him
some other personal advantage.
This program can be used to scan web sites for a number of CGI
vulnerabilities. If any are found, they will be logged. The
intention of this program is so that web site admins can check
their own sites to make sure they are secure. If you use this
on a web site that you do not have permission to scan - I will
take no responsiblity.
What features does it have?
CGI vulnerability scanner includes:
* The ability to let you choose which exploits to scan for
* Comes with 480+ exploits already detailed
* Comes with 40+ exploits fully explained
* You can easily add new exploits to scan for into the data file
* End of scan report, and ability to show the exploits details
* You can easily add your own exploit details into the data file
* Proxy server support. Allows you to scan through a proxy
* Result logging and saving
How can I add new exploits as they appear?
The file Data.txt stores all of the CGI hole information.
The format is:
EXPLOIT NAME > URL EXTENSION
To get a better idea of how to add more, simply open the file
and have a look at the pre-entered ones.
How do I add new descriptions?
The file Descrip.txt is for storing exploit descriptions, which can
be shown if any exploits are found on the target server. The exploit
should be entered in the following format:
-<>-
[EXPLOIT NAME]
[DETAILS]
-<>-
The "-<>-" marks the beginning and the end of an exploit. The exploit
name MUST appear directly under the first "-<>-" and IT MUST be the
same as the exploits name in the data.txt file.
The file must end with a "-<>--<>-" - this ends the last exploit in
the file.
The best way to see how it works is to look at the exploits already
entered into the Descrip.txt.
|