CGI Secrets

Introduction

CGI (Common Gateway Interface) is a server-to-program interface with which a web server can call (execute) a CGI based program (or CGI Script) to handle requests rather than the server handling the requests itself. In this scenario, the web server generally handles all network and protocol related tasks, while the CGI Script handles generating (or gathering) and then providing the actual web content. However, the CGI Script can do more than just generate web content. It can execute system commands, create files, access databases, and do pretty much anything else a program can do.

The CGI support in NetworkActiv Web Server has been designed to support not only standard CGI applications, but also something else...

With NetworkActiv CGI support, you can run non CGI applications such as ping, tracert, netstat, and many other command prompt based tools directly from your web browser! This allows for a host of applications and uses, including remote network diagnostics, online network utility services, and remote administration.

Getting started

First, you need the tool that can make this happen... NetworkActiv Web Server

Notice: Failure to follow these steps correctly, and/or careless setup and usage of CGI, can allow others to execute commands on your computer and possibly even gain control of it. I will let you know what steps to be careful about and what is not a safe idea, but nonetheless, proceed at your own risk. I cannot be held responsible if something goes wrong.

Enabling the CGI support:

  1. Create a new folder on your hard drive. For example, C:\My CGI Bin\ .
  2. Startup the server (that is, run the
  3. Click the Preferences button (located at the right side of the main dialog).
  4. At the lower-right of the Preferences dialog there is a big button entitled Configure CGI, PHP, and other server-side scripting handlers... Click this button.
  5. At the upper-right of the Server-Side Scripting Configuration dialog is an outlined box entitled CGI-Bin Configuration. Within this box is a checkbox option entitled Enable the CGI-Bin. Check (click and enable) this option.
  6. If you wish, you may specify a different alias path for the CGI-BIN, but this is not necessary... The default of cgi-bin is fine, and is the standard.
  7. Click the Choose folder button (located to the lower-right of the CGI-Bin Configuration box).
  8. Find and choose the folder that you created at step 1.
  9. Now, click the Advanced / Security options button (located at the lower right of the Server-Side Scripting Configuration dialog).
  10. On the Advanced Options dialog, find and check (enable by clicking) the checkbox entitled Allow output to page from StdError stream....
  11. Locate the Default Content-Type... text entry field and replace the existing text with "text/plain" (excluding the quotation marks).
  12. Click the OK button (the one on the Advanced Options dialog).
  13. Click the OK button (the one on the Server-Side Scripting Configuration dialog).
  14. Click the OK button (the one on the Preferences dialog).

Continuing:

Before starting the server (via the Start button), make sure that nothing is in your newly created (and chosen) CGI-BIN folder (that from step 1 of the previous section).

Deciding what you want to do

There are two basic things I will explain how to accomplish here. The first being, how to execute specific tools, such as ping, tracert, and netstat. The second being, how to enable general command execution capabilities.

If you wish to run specific tools such as ping, tracert, and netstat, see the section titled
Running specific tools.

If you wish to enable general command execution capabilities, see the section titled
Enabling general command execution.

Running specific tools

To run specific tools such as ping, tracert, and netstat via the CGI support, you first need to copy the executable file for each of these into your newly created CGI-BIN folder. You can do this with Windows Explorer or My Computer. Notice, you can NOT just drag these files into your CGI-BIN folder in the normal way, because Windows will just create a shortcut to them. You need to either Right-Drag (that is, drag with the right mouse button instead of the left one) and choose Copy Here, or you need to copy and paste the files.

Depending on your operating system, these files are located in either
C:\WINNT\System32\ (Windows NT/2000/XP/2003), or
C:\Windows\ (Windows 98 and possibly ME).

After you have copied the tools that you want to run via CGI to your CGI-BIN folder, you can execute these commands via a web browser.

For example, if your server's URL was http://192.168.0.1/, you would access http://192.168.0.1/cgi-bin/ping.exe?-n+3+192.168.0.1 to use the ping command (replacing the parameter(s) to the command with whatever you like of course). Notice that the parameters are separated by plus signs (+'s) rather than by spaces like at the command prompt.

Dealing with lame browsers:

With some lame browsers (such as IE), you cannot readily enter a URL like /ping.exe?www.networkactiv.com because it will try to save the result as a .com file rather than displaying it! To get around this problem, you can simply replace the dots (.'s) with %2E's.
For the previous example, this would be:
http://192.168.0.1/cgi-bin/ping.exe?-n+3+www%2Enetworkactiv%2Ecom
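Because every parameter in these URLs is chosen by whoever sends the request, the set of tools and parameters worth accepting can be written down as an allowlist. The following is an added example, not part of the original page or of NetworkActiv Web Server: it decodes a URL the way this section describes (parameters split on plus signs, then %xx decoded) and checks the result against a hypothetical policy; the POLICY table, the function names and the sample URLs are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical policy (not a NetworkActiv feature): the executables allowed in
# the CGI-BIN and the exact shape each positional parameter must have.
HOST = r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?"  # cannot start with '-'
POLICY = {
    "ping.exe": [r"-n", r"[1-5]", HOST],   # ping -n <1..5> <host>
    "tracert.exe": [r"-d", HOST],          # tracert -d <host>
    "netstat.exe": [r"-an?"],              # netstat -a or netstat -an
}

def cgi_argv(url):
    """Return (script, parameters): split the query on '+', then percent-decode."""
    parts = urlsplit(url)
    directory, _, script = parts.path.rpartition("/")
    if directory.lower() != "/cgi-bin":
        return None, []
    args = [unquote(a) for a in parts.query.split("+")] if parts.query else []
    return script.lower(), args

def is_allowed(url):
    """True only if the script is listed and every parameter fits its pattern."""
    script, args = cgi_argv(url)
    patterns = POLICY.get(script)
    if patterns is None or len(args) != len(patterns):
        return False
    return all(re.fullmatch(p, a) for p, a in zip(patterns, args))

if __name__ == "__main__":
    # Constructed sample URLs, based on the examples in this section.
    for url in (
        "http://192.168.0.1/cgi-bin/ping.exe?-n+3+www%2Enetworkactiv%2Ecom",
        "http://192.168.0.1/cgi-bin/ping.exe?-t+192.168.0.1",
        "http://192.168.0.1/cgi-bin/Run.bat?ping+-n+3+192.168.0.1",
    ):
        print(is_allowed(url), cgi_argv(url))
```

Decoding happens before matching, so a %2E-encoded host name is checked in its decoded form.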

Enabling general command execution

Notice: Because the following essentially provides remote command execution and system control via a web browser, it is highly recommended that you first set a good password on your server. This can be done via the Security options dialog, accessible via the main dialog's Security options button.

To enable general command execution capabilities, you need to first create a batch file. This can be done using a simple text editing program such as Notepad or Wordpad.

Creating the batch file:

  1. Open up either Notepad or Wordpad.
  2. Paste the following bold text into the new text document: %1 %2 %3 %4 %5 %6 %7 %8 %9
  3. Make sure that the new text document does not contain ANY blank lines. This file should only have one line, that is, the one with the above bold text. If you wish to be extra clean, make sure that there are no spaces or tabs before or after the text (this does not include the inner spaces, these are required).
  4. It is now time to save the new batch file document. This must be done with care to make sure that it gets saved in the correct format and with the correct file extension. To begin, go to File->Save as.
  5. Browse to the location (the folder) that you have created to be your CGI-BIN folder.
  6. On the Save As dialog, first go to the drop down box entitled Save as type and choose either Text Document - MS-DOS Format or All Files (depending on which program you are using). If using Notepad, also choose ANSI from the Encoding dropdown box.
  7. Now, enter Run.bat as the file name and click the Save button.

Accessing the batch file:

At this point, you should be able to access the batch file via your web browser.

For example, if your server's URL was http://192.168.0.1/, you would access
http://192.168.0.1/cgi-bin/Run.bat?ping -n 3 192.168.0.1
This would allow you to use the ping command (replacing the parameter(s) to the command with whatever you like of course). Note that you can put either spaces or +'s between parameters. Spaces are recommended because they technically keep all of the parameters on %1, therefore allowing for an unlimited number of them.

Dealing with lame browsers:

With some lame browsers (such as IE), the browser will try to save the result as a file (it pops up a file save dialog) rather than displaying it! To get around this problem in general, you need to specify what is known as the PATH_INFO in CGI. This is the path after the script path but before the query string.

For example, instead of the following URL:
http://192.168.0.1/cgi-bin/Run.bat?ping -n 3 192.168.0.1
You would enter:
http://192.168.0.1/cgi-bin/Run.bat/SomeText?ping -n 3 192.168.0.1

Note that another problem can occur if you are using a lame browser: if the end of the whole path being submitted looks like a file name, it pops up a file save dialog rather than displaying the result. To get around this problem, you can simply replace the dots (.'s) with %2E's.
For example:
http://192.168.0.1/cgi-bin/Run.bat/x?ping -n 3 www%2Enetworkactiv%2Ecom
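Since Run.bat runs whatever the query string names, requests to it are worth picking out of the server's access log. The following is an added example, not part of the original page or of NetworkActiv Web Server: it recognises the URL shapes shown above, including the PATH_INFO and %2E variants, and recovers the command text from each request. The Common Log Format input, the function names and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: the server's access log carries a Common Log Format request line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# /cgi-bin/<script>[/PATH_INFO][?query] for the script types covered on this page
CGI = re.compile(r"^/cgi-bin/([^/?]+\.(bat|cmd|exe))(/[^?]*)?(?:\?(.*))?$", re.I)

def classify(line):
    """Return a finding dict for a CGI command request, or None."""
    req = REQUEST.search(line)
    hit = CGI.match(req.group(1)) if req else None
    if not hit:
        return None
    script, ext, path_info, query = hit.groups()
    return {
        # A batch wrapper runs whatever the query names; an .exe runs one tool.
        "kind": "batch-wrapper" if ext.lower() in ("bat", "cmd") else "direct-exe",
        "script": script,
        "path_info": path_info or "",
        # '+' and %xx are decoded so %2E-style encoding does not hide the text.
        "command": unquote((query or "").replace("+", " ")),
    }

def scan(lines):
    """Return the findings for every log line that matches."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.168.0.50 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.168.0.50 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/ping.exe?-n+3+192.168.0.1 HTTP/1.1" 200 498',
    '192.168.0.50 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/Run.bat/x?ping%20-n%203%20www%2Enetworkactiv%2Ecom HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```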

Conclusion

Though you might have thought that CGI was only useful for special purpose applications and requires special CGI scripts and knowledge of programming and scripting languages, you can use CGI without downloading any special programs or scripts and there are many cool things that you can do with CGI using what is already available on your system. All it takes is a little bit of understanding of how CGI works and just how easy it is to use.

The time is now!

Show your friends, family, and co-workers your new found server skills!