View the full version: httpd server to execute arbitrary cgi code

04-02-2005, 19:02

Has anyone been able to modify the default httpd server to execute arbitrary cgi code?

This is not a platform-specific question, since the Belkin, Linksys, and Asus all seem to use the reference code from Broadcom, but all have different methods enabled.

Belkin just seems to use apply.cgi
While Linksys uses gozila.cgi, apply.cgi and a few others.

What I'd like to be able to do is use proccgi (shell script cgi wrapper) to execute arbitrary code.

I've traced it down to httpd.c, which calls broadcom.c in the shared directory for the cgi functions. Of the different GPL released codes I looked at, all the broadcom.c sources look different. The closest I've come is the latest Linksys firmware with this line still intact, but not defined:

grep internal broadcom.c
websUrlHandlerDefine("/internal.cgi", NULL, 0, internal_cgi, 0);

And for comparison of cgi handlers that are enabled:

grep \.cgi broadcom.c
validate_cgi(webs_t wp)
gozila_cgi(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query)
apply_cgi(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg,
if(value && !strcmp(value,"gozila_cgi")){
gozila_cgi(wp, urlPrefix, webDir, arg, url, path, query);
websUrlHandlerDefine("/apply.cgi", NULL, 0, apply_cgi, 0);
websUrlHandlerDefine("/internal.cgi", NULL, 0, internal_cgi, 0);
init_cgi(post_buf); //Added by Daniel(2004-07-29)
do_apply_cgi(char *url, webs_t stream)
init_cgi(query); //Added by Daniel(2004-07-29)
//init_cgi(query); //Masked by Daniel(2004-07-29)
apply_cgi(stream, NULL, NULL, 0, url, path, query);
init_cgi(NULL); //Added by Daniel(2004-07-29) for new cgi.c
{ "apply.cgi*", "text/html", no_cache, do_apply_post, do_apply_cgi, do_auth },
{ "upgrade.cgi*", "text/html", no_cache, do_upgrade_post, do_upgrade_cgi, do_auth },
{ "Gozila.cgi*", "text/html", no_cache, NULL, do_setup_wizard, do_auth },// for setup wizard
{ "restore.cgi**", "text/html", no_cache, do_upgrade_post, do_upgrade_cgi, do_auth },

My apologies if this is the wrong forum to ask. Just seems like the WL-500 custom firmwares are closest based on stock firmware. Every other firmware out there is either completely repackaged or a CLOSED version of GPL, go figure.

Thanks in advance

04-02-2005, 19:32
This is a fake cgi handler, I mean it's handled internally.
It probably makes sense to check the original code - IIRC

04-02-2005, 19:49
Thanks Oleg.

The reason I want to implement the "fake" handler is because of space issues, if I can implement a fake proccgi handler, then there is no need to run another httpd server and all the default asp pages will still function correctly.

04-02-2005, 19:54
just fyi, the reference code is available in the siemens se505 gpl tarball.

04-02-2005, 21:05
Thanks. Getting the 505 code now.