POST cgi-bin/php... I found this in a Wireshark trace and was wondering what it is?

I have been using Wireshark to capture Ethernet traces while I develop a web interface for a micro, and came across the trace below. BTW I have my router set up to forward port 80 to the micro, and can monitor traffic to / from the micro. I put spaces in the gibberish so YA doesn't truncate it, so ignore the spaces in the below message.

POST /cgi-bin/php/ %63%67%69%6E /%70%68%70?%2D%64 +%61%6C%75

%6F%6E+%2D%64 +%6D%6F%64+%2D %64+%73%75%68% 6F%6E%3D%6F

%6E+%2D%64 +%75%6E%63%74% 73%3D%22%22+%2D %64+%64%6E

%65+%2D%64+% 61%75%74%6F% 5F%70%72%%74+% 2D%64+%63%67

%69%2E%66% 6F%72%63%65% 5F%72%65%64%69%72 %65%63%74%3D

%30+%2D%64+ %74%5F%3D%30 +%2D%64+%75%74 +%2D%6E HTTP/1.1\x0d\x0a

Host:localhost\x0d\x0a

Content-Type: text/html\x0d\x0a

Content-Length:1\x0d\x0a\x0d\x0a

a\x0d\x0a

Is there any way to decode what this is? I'm assuming it's some kind of PHP script or something.

Any ideas on what it is? I have no doubt it's from some hacker, but I'm just curious as to what exactly they are trying to do.

Update:

EDIT: Obviously Fred. "POST" gave it away. I'm wondering if the %63%67%69%6E... part has any meaning. I know nothing about php.

2 Answers

  • djbckr
    Lv 5
    7 years ago
    Favorite Answer

    That's a URL encoded string that converts to:

    cgin/php?-d aluon -d mod -d suhon=on -d uncts="" -d dne -d auto_prt -d cgi.force_redirect=0 -d t_=0 -d ut -n

    The + signs are spaces, the %xx are hexadecimal ASCII codes. There appears to be an error in this encoded string - %72%%74 - the two % in a row is a problem. Once I took that out, I came up with the above string.

    An HTTP post cannot contain spaces; they have to be encoded either with + or %20 (both work).

    http://meyerweb.com/eric/tools/dencoder/

    http://en.wikipedia.org/wiki/Percent-encoding

    The \x0d\x0a are carriage return/line feed characters, a standard part of the HTTP protocol. You shouldn't have to worry much about that as most systems handle that automatically.

  • ?
    Lv 7
    7 years ago

    It is a POST data transfer.
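
The decoding described in the first answer, as an added example that is not part of the original question or answers: it takes the captured request target with the poster's inserted spaces removed, reports the malformed `%%` escape, decodes the rest, and lists the command-line style switches in the query string, which is the part worth flagging in web server logs. The function names are hypothetical.

```python
import re
from urllib.parse import unquote, unquote_plus

# Request target copied from the capture in the question, with the spaces the
# poster inserted removed. The malformed "%%" is kept exactly as posted.
TARGET = (
    "/cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75"
    "%6F%6E+%2D%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F"
    "%6E+%2D%64+%75%6E%63%74%73%3D%22%22+%2D%64+%64%6E"
    "%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+%63%67"
    "%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D"
    "%30+%2D%64+%74%5F%3D%30+%2D%64+%75%74+%2D%6E"
)

# A '%' that is not followed by two hex digits is not a valid escape.
STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")

def malformed_escapes(target):
    """Return the offsets of every invalid '%' in the raw target."""
    return [m.start() for m in STRAY_PERCENT.finditer(target)]

def decode_target(target):
    """Split path from query and decode both, dropping stray '%' first
    (the same repair the answer made by hand)."""
    path, _, query = STRAY_PERCENT.sub("", target).partition("?")
    # '+' means a space only in the query part, so the path uses unquote().
    return unquote(path), unquote_plus(query)

def cli_switches(decoded_query):
    """Return tokens shaped like single-letter command-line switches.
    A query string made of these (php uses -d to set an INI entry and -n to
    skip php.ini) is not form data and is worth flagging in server logs."""
    return [t for t in decoded_query.split() if re.fullmatch(r"-[A-Za-z]", t)]

if __name__ == "__main__":
    path, query = decode_target(TARGET)
    print("malformed escape offsets:", malformed_escapes(TARGET))
    print("path :", path)
    print("query:", query)
    print("switches:", cli_switches(query))
```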
