Is it possible to download a cgi script or view the script source if you know the name and location of the script on a webserver?
If the webserver is configured to execute the script type, it should not list the script contents.
hmmmm am sure you could grab the file using something like teleport pro
v_Ln
I've tried a couple of things already. wget, just entering the CGI location into the browser, etc. Those just redirect me to the homepage... (first page of the site)
I'll try teleport pro and httrack when I get home. I'm just curious what a certain cgi does.
The filename piqued my interest. :)
Why not write the site maintainers then instead of just going out and trying to steal the script?
Sheesh, if it were a newbie to the site asking this they'd be negged off...
Normally, Phish, you should not be able to, since a well-configured server should not let you view the source and should only parse/run it and send the output to you. I remember there being a bug in some older versions of IIS that would reveal the source code to an asp file if you put an extra dot (.) on the end of the file name. Short of finding an exploit like that, I think the only option (and best one anyway) is to email the maintainer of that site and ask him if you can have the source.
chsh: I understand your concern. This is for a wargame that I'm doing with a buddy. It is my buddy's server and I do have authorization to try and grab the script. Or anything else I want for that matter. I'm not all that familiar with web security and I'm trying to learn more. How would you propose I go about it? I should have posted that in my original post but I was rushing around.
To everyone else, thanks for the responses. I should hope by now that people here won't mistake my questions for malicious intent. Have you ever had reason to think so before? I think not.
Yep, not much has changed since I have been gone.
Quote:
Why not write the site maintainers then instead of just going out and trying to steal the script?
Sheesh, if it were a newbie to the site asking this they'd be negged off...
Anyways, the only way to view a cgi-script is if the file isn't marked executable. If it is, then the file will run and give you its output.
What is your friend's wargames site? Sounds like fun (if you can't pass it out I understand).
Yes, he is correct. By the way, it is not possible because almost all scripts listed would have been configured to execute alone.
Quote:
Originally posted here by ss2chef
If the webserver is configured to execute the script type, it should not list the script contents.
If it's your friend's server (wargame) try shoving in unexpected input and see if it chokes. You may get some interesting error messages that will give you a clue what it does or how it's made.
If the webserver is properly configured and there are no known exploits there's no way to get the source of the cgi script.
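For the server owner's side of this thread, a local audit of the case the posts single out (files in the CGI directory that are not marked executable), as an added example that is not from any poster. The directory layout, file names and the assumption that the web server user falls under the "other" permission bits are all constructed for illustration.

```python
import os
import stat
import tempfile

SHEBANG = b"#!"

def audit_cgi_dir(root):
    """Return sorted (relative_path, reason) findings for files lacking o+x."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets and other non-regular files
            if st.st_mode & stat.S_IXOTH:
                continue  # executable by "other": the server can run it
            with open(path, "rb") as fh:
                is_script = fh.read(2) == SHEBANG
            reason = ("script source without o+x" if is_script
                      else "non-script file without o+x")
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

def build_sample_tree(root):
    """Create a small constructed cgi-bin layout for the demonstration."""
    samples = {
        "form.cgi": (b"#!/usr/bin/perl\nprint \"ok\";\n", 0o755),
        "lib/helper.pl": (b"#!/usr/bin/perl\n# helper\n", 0o644),
        "notes.txt": (b"deployment notes\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)  # explicit mode, independent of umask

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as cgi_bin:
        build_sample_tree(cgi_bin)
        for rel, reason in audit_cgi_dir(cgi_bin):
            print(f"{rel}: {reason}")
```

Anything it reports is worth moving out of the web-reachable directory or checking against the server's handler configuration.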