[B! cgi] ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ionis id:ionis

cgiã«é–¢ã™ã‚‹ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

BASHã®è„†å¼±æ€§ã§CGIã‚¹ã‚¯ãƒªãƒ—ãƒˆã«ã‚¢ãƒ¬ã•ã›ã¦ã¿ã¾ã—ãŸ
ç’°å¢ƒå¤‰æ•°ã«ä»•è¾¼ã¾ã‚ŒãŸã‚³ãƒ¼ãƒ‰ã‚’å®Ÿè¡Œã—ã¦ã—ã¾ã†BASHã®è„†å¼±æ€§ãŒ CGIã‚¹ã‚¯ãƒªãƒ—ãƒˆã«å½±éŸ¿ã‚’ä¸Žãˆã‚‹ã‹è©¦ã—ã¦ã¿ãŸã‚‰çµæžœã¯æ‚²æƒ¨ãªæ„Ÿã˜ã« Tweet 2014å¹´9æœˆ25æ—¥ å¶‹ç”°å¤§è²´ ã“ã®è¨˜äº‹ã¯2014å¹´ã®ã‚‚ã®ã§ã™ æœã‹ã‚‰ Bash specially-crafted environment variables code injection attack ãªã‚‹ã‚‚ã®ã§é¨’ãŽã«ãªã£ã¦ã„ãŸã®ã§ã€ã•ã£ããæ‰‹å…ƒã® Apacheã§è©¦ã—ã¦ã¿ã¾ã—ãŸã€‚ /hoge.cgiã¨ã„ã†URIã§å®Ÿè¡Œã•ã‚Œã‚‹ã‚ˆã†ã«ã€ä¸€è¡Œã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã‚’å‡ºåŠ›ã™ã‚‹ã ã‘ã® CGIã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’è¨ç½®ã—ã¾ã™ã€‚ã„ã£ã‘ã‚“ã€ãªã‚“ã®å…¥åŠ›ã‚‚ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆå´ã‹ã‚‰å—ã‘ä»˜ã‘ã¦ã„ãªã„ãŸã‚å±é™ºã®ã‚ã‚Šã‚ˆã†ã‚‚ãªãè¦‹ãˆã¾ã™ã€‚ #!/bin/sh echo "Content-type: text/plain" echo echo "Hi! I'm an ordinary CGI script w
ionis 2014/09/25
Linux

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

å®Ÿé¨“

bash

cgi
ãƒªãƒ³ã‚¯
CGIç‰ˆPHPã«å¯¾ã™ã‚‹é”æ³•å°‘å¥³ã‚¢ãƒ‘ãƒƒãƒãƒžã‚®ã‚«æ”»æ’ƒã‚’è¦³æ¸¬ã—ã¾ã—ãŸ
æ˜¨å¤œã«ã€é”æ³•å°‘å¥³ã‚¢ãƒ‘ãƒƒãƒâ˜†ãƒžã‚®ã‚«æ”»æ’ƒã‚’è¦³æ¸¬ã—ã¾ã—ãŸã€‚é”æ³•å°‘å¥³ã‚¢ãƒ‘ãƒƒãƒâ˜†ãƒžã‚®ã‚«ã¨ã¯ã€PoCã®ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰ã«Â Apache Magica by Kingcope ã¨ã‚³ãƒ¡ãƒ³ãƒˆã•ã‚Œã¦ã„ã‚‹ã“ã¨ã«ç”±æ¥ã—ã¦ã„ã¾ã™ï¼ˆã¨ã„ã†ã‹ã€ç§ãŒãã†è¨³ã—ã¾ã—ãŸwï¼‰ã€‚ ã“ã‚Œã¯10æœˆ29æ—¥ã«PoCãŒç™ºè¡¨ã•ã‚ŒãŸPHP-CGIæ”»æ’ƒ(CVE-2012-1823)ã®å¤‰ç¨®ã§ã™ã€‚å¾“æ¥ã®PHP-CGIæ”»æ’ƒã¯ã€CGIç‰ˆPHPãŒå‹•ä½œã™ã‚‹ç’°å¢ƒã§ã€PHPã‚¹ã‚¯ãƒªãƒ—ãƒˆï¼ˆä¸èº«ã¯ãªã‚“ã§ã‚‚ã‚ˆã„ï¼‰ã«å¯¾ã™ã‚‹æ”»æ’ƒã§ã—ãŸãŒã€é”æ³•å°‘å¥³ã‚¢ãƒ‘ãƒƒãƒãƒžã‚®ã‚«ã®æ–¹ã¯ã€/cgi-bin/ã«ç½®ã‹ã‚ŒãŸPHPå‡¦ç†ç³»ï¼ˆphp-cgiãªã©ï¼‰ã«ç›´æŽ¥æ”»æ’ƒã™ã‚‹ã‚‚ã®ã§ã™ã€‚ CGIç‰ˆPHPã‚’è¨ç½®ã™ã‚‹æ–¹æ³•ã¯è¤‡æ•°ã‚ã‚Šã¾ã™ãŒã€ã‚ˆãä½¿ã‚ã‚Œã‚‹æ–¹æ³•ã¨ã—ã¦Apacheã®ãƒªãƒ€ã‚¤ãƒ¬ã‚¯ãƒˆã«ã‚ˆã‚ŠPHPã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’PHPå‡¦ç†ç³»ã«å®Ÿè¡Œã•ã›ã‚‹æ–¹æ³•ãŒã‚ã‚Šã¾ã™ã€‚ã“ã®å ´åˆã€/cgi-bin/php-cgiãªã©ã¨ã—ã¦PHPå‡¦ç†ç³»ã‚’å…¬é–‹
ionis 2014/01/08
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

PHP

cgi
ãƒªãƒ³ã‚¯
CGIç‰ˆPHPã«ãƒªãƒ¢ãƒ¼ãƒˆã‹ã‚‰ã‚¹ã‚¯ãƒªãƒ—ãƒˆå®Ÿè¡Œã‚’è¨±ã™è„†å¼±æ€§(CVE-2012-1823)
CGIç’°å¢ƒã§PHPã‚’å‹•ä½œã•ã›ã¦ã„ã‚‹ã‚µã‚¤ãƒˆã«ã¯ã€ãƒªãƒ¢ãƒ¼ãƒˆã‹ã‚‰ã‚¹ã‚¯ãƒªãƒ—ãƒˆå®Ÿè¡Œã‚’è¨±ã—ã¦ã—ã¾ã†è„†å¼±æ€§ãŒã‚ã‚Šã¾ã™ã€‚php.netã‹ã‚‰æä¾›ã•ã‚Œã¦ã„ã‚‹ä¿®æ£ãƒªãƒªãƒ¼ã‚¹(PHP 5.3.12 / PHP 5.4.2)ã¯ä¸å®Œå…¨ãªãŸã‚ã€è©²å½“ã™ã‚‹ã‚µã‚¤ãƒˆã¯è‡³æ€¥å›žé¿ç–ã‚’å°Žå…¥ã™ã‚‹ã“ã¨ã‚’æŽ¨å¥¨ã—ã¾ã™ã€‚ æ¦‚è¦ CGIã®ä»•æ§˜ã¨ã—ã¦ã€ã‚¯ã‚¨ãƒªæ–‡å—åˆ—ã«ç‰å·ã‚’å«ã‚ãªã„å ´åˆã¯ã€ã‚¯ã‚¨ãƒªæ–‡å—åˆ—ãŒCGIã‚¹ã‚¯ãƒªãƒ—ãƒˆã®ã‚³ãƒžãƒ³ãƒ‰ãƒ©ã‚¤ãƒ³å¼•æ•°ã¨ã—ã¦æŒ‡å®šã•ã‚Œã¾ã™ã€‚ ä¾‹ãˆã°ã€http://example.jp/test.cgi?foo+bar+bazã¨ã„ã†å‘¼ã³å‡ºã—ã«å¯¾ã—ã¦ã¯ã€test.cgiã¯ä»¥ä¸‹ã®ã‚³ãƒžãƒ³ãƒ‰ãƒ©ã‚¤ãƒ³ã§å‘¼ã³å‡ºã•ã‚Œã¾ã™ã€‚ test.cgi foo bar baz ã“ã®ä»•æ§˜ã‚’æ‚ªç”¨ã—ã¦ã€CGIç‰ˆã®PHPã«ã‚³ãƒžãƒ³ãƒ‰ãƒ©ã‚¤ãƒ³å¼•æ•°ã¨ã—ã¦PHPã®ã‚ªãƒ—ã‚·ãƒ§ãƒ³ã‚’æŒ‡å®šã§ãã¾ã™ã€‚ä¾‹ãˆã°ã€http://example.jp/test.php?-s ã¨ã„ã†ãƒªã‚¯ã‚¨ã‚¹ãƒˆã¯ã€-s
ionis 2014/01/08
PHP

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

é–‹ç™º

cgi
ãƒªãƒ³ã‚¯
CGIã§Railsã‚’ã¾ã¨ã‚‚ã«å‹•ã‹ã™ - Blog by Sadayuki Furuhashi
æ™®é€šã«Ruby on Railsã‚’CGIï¼ˆdispatch.cgiï¼‰ã§å‹•ã‹ã™ã¨é…ã™ãŽã¦ã‚„ã£ã¦ã‚‰ã‚Œã¾ã›ã‚“ãŒã€gateway.cgiã‚’ä½¿ã†ã¨ã€ãã“ãã“ã®é€Ÿåº¦ã§å‹•ãã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚ æœ€åˆã«ä»•æŽ›ã‘ã‚’ç´¹ä»‹ã—ã¦ã—ã¾ã†ã¨ã€1å›žç›®ã®ã‚¢ã‚¯ã‚»ã‚¹ãŒã‚ã£ãŸã¨ãã«å¸¸é§ãƒ—ãƒã‚»ã‚¹ã‚’èµ·å‹•ã—ã€2å›žç›®ä»¥é™ã®ã‚¢ã‚¯ã‚»ã‚¹ã¯ãã®å¸¸é§ãƒ—ãƒã‚»ã‚¹ã«å‡¦ç†ã•ã›ã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚CGIè‡ªä½“ã¯å¸¸é§ãƒ—ãƒã‚»ã‚¹ã«å‡¦ç†ã‚’æŠ•ã’ã‚‹ã ã‘ãªã®ã§è»½ã„ã€ã¨ã„ã†ã‚ã‘ã§ã™ã€‚ãŸã ã—ã€ï¼‘å›žç›®ã®ã‚¢ã‚¯ã‚»ã‚¹ã¯é€šå¸¸é€šã‚ŠCGIã§å‹•ä½œã•ã›ãŸãã‚‰ã„ã®é…ã•ã§ã™ã€‚ å¸¸é§ãƒ—ãƒã‚»ã‚¹ã¯ä¸€å®šæ™‚é–“ã‚¢ã‚¯ã‚»ã‚¹ãŒãªã„ã¨è‡ªå‹•çš„ã«çµ‚äº†ã™ã‚‹ã®ã§ï¼ˆæ¬¡ã®ã‚¢ã‚¯ã‚»ã‚¹ãŒã‚ã£ãŸã¨ãã«ã¾ãŸèµ·å‹•ã™ã‚‹ï¼‰ã€ã„ã‚ã„ã‚åˆ¶é™ã®ã‚ã‚‹ç’°å¢ƒã§ã‚‚ä½¿ãˆã‚‹ã€ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚ ã•ã¦ã€ãã®gateway.cgiã§ã™ãŒã€Railsã®æ¨™æº–ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã®ä¸ã«å«ã¾ã‚Œã¦ã„ã¾ã™ã€‚ã¾ã experimentalã‚‰ã—ã„ã§ã™ãŒã€å¤šå°‘ãƒ‘ãƒƒãƒã‚’å½“ã¦ã‚‹ã¨å‹•ãã¾ã™ã€‚ ä½¿ã„æ–¹ã¯â†“ã“
ionis 2008/05/16
ruby

cgi

tips

webé–‹ç™º
ãƒªãƒ³ã‚¯
Apache Tutorial CGI ã«ã‚ˆã‚‹å‹•çš„ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ - Apache HTTP ã‚µãƒ¼ãƒ
CGI (Common Gateway Interface) ã¯ã€ã‚¦ã‚§ãƒ–ã‚µãƒ¼ãƒãŒ ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ç”Ÿæˆã‚’ã™ã‚‹å¤–éƒ¨ãƒ—ãƒã‚°ãƒ©ãƒ ã¨å”èª¿ã—ã¦å‹•ä½œã™ã‚‹ãŸã‚ã®æ–¹æ³•ã‚’ å®šç¾©ã—ã¦ã„ã¾ã™ã€‚ãã®ãƒ—ãƒã‚°ãƒ©ãƒ ã¯ã—ã°ã—ã° CGI ãƒ—ãƒã‚°ãƒ©ãƒ ã‚„ CGI ã‚¹ã‚¯ãƒªãƒ—ãƒˆã¨å‘¼ã°ã‚Œã¾ã™ã€‚CGI ã¯ã€ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã«å‹•çš„ãª ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã‚’ç½®ããŸã‚ã®æœ€ã‚‚ç°¡å˜ã§ä¸€èˆ¬çš„ãªæ–¹æ³•ã§ã™ã€‚ã“ã®ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã¯ã€ Apache ã‚¦ã‚§ãƒ–ã‚µãƒ¼ãƒã§ CGI ã‚’è¨å®šã—ã€ CGI ãƒ—ãƒã‚°ãƒ©ãƒ ã‚’æ›¸ãå§‹ã‚ã‚‹ãŸã‚ã®å…¥é–€æ›¸ã¨ãªã‚‹ã§ã—ã‚‡ã†ã€‚ CGI ã‚’è¨±å¯ã™ã‚‹ã‚ˆã†ã« Apache ã‚’è¨å®šã™ã‚‹ CGI ãƒ—ãƒã‚°ãƒ©ãƒ ã‚’æ£ã—ãå‹•ä½œã•ã›ã‚‹ã«ã¯ã€CGI ã‚’è¨±å¯ã™ã‚‹ã‚ˆã†ã« Apache ã®è¨å®šã‚’è¡Œã†å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ ã“ã‚Œã‚’è¡Œãªã†ãŸã‚ã®æ–¹æ³•ãŒã„ãã¤ã‹ã‚ã‚Šã¾ã™ã€‚ ScriptAlias ScriptAlias ãƒ‡ã‚£ãƒ¬ã‚¯ãƒ†ã‚£ãƒ–ã‚’ä½¿ç”¨ã—ã¦ã€ CGI ãƒ—ãƒã‚°ãƒ©ãƒ ç”¨ã®ç‰¹åˆ¥ãªåˆ¥ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã‚’ Apach
ionis 2008/05/02
apache

cgi

è¨å®š
ãƒªãƒ³ã‚¯
RubyCGI.org
æ›¸ç±ã€ŒRuby/GTKãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°å…¥é–€ã€ ã€ŒRuby/GTKãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°å…¥é–€ã€ã«ã¤ã„ã¦ã®ãƒšãƒ¼ã‚¸ æ›¸ç±ã€ŒRubyã«ã‚ˆã‚‹CGIãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°ã€ ã€ŒRubyã«ã‚ˆã‚‹CGIãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°ã€ã«ã¤ã„ã¦ã®ãƒšãƒ¼ã‚¸ Rubyã§CGIã‚’ä½œã‚ã† [2005-03-04] Rubyã§CGIã‚’ä½œã‚‹ã“ã¨ã«ã¤ã„ã¦ã®è§£èª¬ ãƒªãƒ³ã‚¯é›† [2003-06-29] Rubyã§CGIãƒ—ãƒã‚°ãƒ©ãƒ ã‚’çµ„ã‚€ã¨ãã«å½¹ã«ç«‹ã¤ã¨æ€ã‚ã‚Œã‚‹ãƒªãƒ³ã‚¯é›† ãƒ„ãƒ¼ãƒ«ãªã© ä»Šã¾ã§ã«ä½œã£ãŸãƒ„ãƒ¼ãƒ«ãªã© dangoãƒ©ã‚¤ãƒ–ãƒ©ãƒª ã‚µãƒ¼ãƒãƒ¼ã‚’Rubyã€ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã‚’Flashã«ã—ã¦ã€ãƒªã‚¢ãƒ«ã‚¿ã‚¤ãƒ é€šä¿¡ã‚’è¡Œã†ãŸã‚ã®dangoãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã§ã™ã€‚ ã¡ã‚‡ã£ã¨è‡ªå·±ç´¹ä»‹ è‡ªå·±ç´¹ä»‹ã§ã™ æ—¥è¨˜ ãƒžã‚¸ã‚·ãƒ£ãƒ³ãƒžã‚¹ã‚¿ãƒ¼ï¼’ æœ€çµ‚æ›´æ–°æ—¥æ™‚ã¯ãŸã¶ã‚“ [2005-05-05] ã§ã™ã€‚
ionis 2008/05/01
ruby

cgi

ãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°
ãƒªãƒ³ã‚¯
1