The ‘CGI scanner’ or ‘web scanner’ has become one of the most indispensable tools in the world of web server hacking. Mercilessly searching out vulnerable programs on a server, these programs help pinpoint potential avenues for attack. These programs are brutally obvious, incredibly noisy and fairly accurate tools. However, the accomplished Google hacker knows there are more subtle and interesting ways to attempt the same task.
To do their job, these scanners must know exactly what to search for on a web server. In most cases they probe web servers for files or directories known to be vulnerable, or that may contain sample code shipped with the server. Either way, the tools generally store these checks in a plain-text file formatted like the following excerpt:
/cgi-bin/cgiemail/uargg.txt
/random_banner/index.cgi
/cgi-bin/mailview.cgi
/cgi-bin/maillist.cgi
/cgi-bin/userreg.cgi
/iissamples/ISSamples/SQLQHit.asp
/SiteServer/admin/findvserver.asp
/scripts/cphost.dll
/cgi-bin/finger.cgi
How this technique can be used
The lines in a vulnerability file like the one shown above can serve as a roadmap for a Google hacker. Each line can be broken down and used in either an ‘index.of’ or an ‘inurl’ search to find vulnerable targets. For example, a Google search for ‘allinurl:/random_banner/index.cgi’ returns the results shown in Figure 1.
A hacker can take sites returned from this Google search, apply a bit of hacker ‘magic’ and eventually get the broken ‘random_banner’ program to cough up any file on that web server, including the password file as shown in Figure 2.
Of the many Google hacking techniques we’ve looked at, this technique is one of the best candidates for automation, since CGI scanner vulnerability files can be very large. The gooscan tool, written by j0hnny, performs this and many other functions. Gooscan and automation are discussed later.
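The same vulnerability file that drives a CGI scanner (and, as described above, a Google search) is also a ready-made signature list for the server operator. The scanners are, as the opening paragraph says, brutally obvious and noisy: a single client requesting several of these paths in quick succession is easy to spot in an access log. The following added example is not code from the original text, nor from gooscan or any CGI scanner. It parses a vulnerability file in the one-path-per-line format shown in the excerpt (the sample file reuses the paths from the excerpt; the blank line, comment and duplicate are deliberate so the parser has something to clean up), normalises each requested path the way a scanner would hit it (case-folded, query string dropped), and flags any client that requested at least a threshold number of distinct signature paths. The log lines, client addresses and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample vulnerability file. Paths are the ones from the excerpt
# above; the comment, blank line and duplicate are added to exercise the parser.
SAMPLE_VULN_FILE = """\
# constructed sample: one web path per line, as in a CGI scanner's check file
/cgi-bin/cgiemail/uargg.txt
/random_banner/index.cgi
/random_banner/index.cgi

/cgi-bin/mailview.cgi
/cgi-bin/maillist.cgi
/cgi-bin/userreg.cgi
/iissamples/ISSamples/SQLQHit.asp
/SiteServer/admin/findvserver.asp
/scripts/cphost.dll
/cgi-bin/finger.cgi
"""

# Constructed Apache combined-format access log: one client (203.0.113.9)
# sweeping several signature paths, one ordinary visitor, and one junk line.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin/cgiemail/uargg.txt HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /random_banner/index.cgi HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /cgi-bin/mailview.cgi HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /iissamples/ISSamples/SQLQHit.asp?foo=bar HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /scripts/cphost.dll HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /random_banner/index.cgi HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
this line is not a log entry
"""

# host, ident, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_vuln_file(text):
    """Return the unique, normalised paths from a scanner vulnerability file.

    Blank lines and '#' comments are dropped; paths are lower-cased so that
    case-insensitive servers (IIS paths such as /iissamples/ISSamples/...)
    match however the client spells them, and duplicates are collapsed.
    """
    seen = set()
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key = line.lower()
        if key not in seen:
            seen.add(key)
            paths.append(key)
    return paths


def request_path(target):
    """Strip the query string and fold case: /a/b.cgi?x=1 -> /a/b.cgi."""
    return target.split('?', 1)[0].lower()


def find_scanner_hits(log_text, signatures):
    """Map each client host to the set of signature paths it requested."""
    sigset = set(signatures)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-log line: skip rather than crash
        path = request_path(m.group('target'))
        if path in sigset:
            hits[m.group('host')].add(path)
    return dict(hits)


def flag_scanners(log_text, signatures, threshold=3):
    """Hosts that requested at least `threshold` distinct signature paths.

    The threshold is an assumption for this sample; a single hit is often a
    legitimate visitor, a burst of distinct hits is the scanner's footprint.
    """
    hits = find_scanner_hits(log_text, signatures)
    return sorted(host for host, paths in hits.items() if len(paths) >= threshold)


if __name__ == '__main__':
    sigs = parse_vuln_file(SAMPLE_VULN_FILE)
    print(f"{len(sigs)} unique signature paths loaded")
    for host, paths in sorted(find_scanner_hits(SAMPLE_ACCESS_LOG, sigs).items()):
        print(host, sorted(paths))
    print("probable scanners:", flag_scanners(SAMPLE_ACCESS_LOG, sigs))
```

Run against a real log by replacing the two constructed strings with the contents of your scanner's check file and your server's access log. The same parser doubles as an inventory check: any signature path that actually exists under your document root is one the scanners, and the search queries built from the same file, will find.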