download cgi script

***phishphreek*** · October 4th, 2004, 08:40 PM

Is it possible to download a cgi script or view the script source if you know the name and location of the script on a webserver?

**ss2chef** · October 4th, 2004, 08:43 PM

If the webserver is configured for execute the script type, it should not list the script contents.

**valhallen** · October 4th, 2004, 09:09 PM

hmmmm am sure you could grab the file using something like teleport pro

v_Ln

***phishphreek*** · October 4th, 2004, 09:12 PM

I've tried a couple of things already. wget, just entering the CGI location into the browser, etc. Those just redirect me to the homepage... (first page of the site)

I'll try teleport pro and httrack when I get home. I'm just curious what a certain cgi does.
The filename peaked my interest.

***chsh*** · October 4th, 2004, 10:56 PM

Why not write the site maintainers then instead of just going out and trying to steal the script?
Sheesh, if it were a newbie to the site asking this they'd be negged off...

***Irongeek*** · October 4th, 2004, 11:13 PM

Normally Phish you should not be able to since a well configured server should not let you view the source and should only parse/run it and send the output to you. I remember there being a bug in some older versions of IIS that would reveal the source code to an asp file if you put an extra dot (.) on the end of the file name. Short of findings an exploit like that I think the only option (and best one anyway) is to email the maintainer of that site and ask him if you can have the source.

***phishphreek*** · October 5th, 2004, 01:08 AM

chsh: I understand your concern. This is for a wargame that I'm doing with a buddy. It is my buddies server and I do have authorization to try and grab the script. Or anything else I want for that matter. I'm not all that familiar with web security and I'm trying to learn more. How would you propose I go about it? I should have posted that in my original post but I was rushing around.

To everyone else, thanks for the responses. I should hope by now that people here won't mistake my questions for malicious intent. Have you ever had reason to think so before? I think not.

***Lansing_Banda*** · October 5th, 2004, 06:10 AM

Why not write the site maintainers then instead of just going out and trying to steal the script?
Sheesh, if it were a newbie to the site asking this they'd be negged off...

Yep, not much has changed since I have been gone.

Anyways, the only way to view a cgi-script is if the file isn't marked executable. If it is, then the file will run and give you its output.

What is your friends wargames site? Sounds like fun (if you can't pass it out I understand).

**Biju** · October 5th, 2004, 08:35 AM

Originally posted here by ss2chef
If the webserver is configured for execute the script type, it should not list the script contents.

Yes he is correct,By the way it is not possible coz alomost all scripts listed would have configured to execute alone.

***SirDice*** · October 5th, 2004, 10:11 AM

If it's your friends server (wargame) try shoving in unexpected input and see if it chokes. You may get some interresting error messages that will give you a clue what it does or how it's made.

If the webserver is properly configured and there are no known exploits there's no way to get the source of the cgi script.

Thread: download cgi script

Thread Tools

Display

download cgi script

Posting Permissions