#!/usr/bin/perl -w
# option T
#Exploit:
#http://localhost/~kmaster/show.cgi?login=%2Fetc%2Fpasswd%00
BEGIN { $ENV{PATH} = '/usr/bin:/bin' }
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer =:-)
print "Content-type: text/html\n\n";
print "\n
Remote Command\n";
&ReadParse(*input);
print "";
$login = $input{'login'};
$login =~ s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g;
print "Login $login
\n";
print "Finger
\n";
$CMD= "/usr/bin/finger $login|";
open(FILE,"$CMD") || goto form;
while() {
print;
}
form:
print "\n";
print "\n";
print "";
exit(0);
sub ReadParse {
local (*in) = @_ if @_;
my ($i, $key, $val);
my $in_first;
my @in_second;
# Read in text
if (&MethGet) {
$in_first = $ENV{'QUERY_STRING'};
} elsif ($ENV{'REQUEST_METHOD'} eq "POST") {
read(STDIN,$in_first,$ENV{'CONTENT_LENGTH'});
}
@in_second = split(/&/,$in_first);
foreach $i (0 .. $#in_second) {
# Convert plus's to spaces
$in_second[$i] =~ s/\+/ /g;
# Split into key and value.
($key, $val) = split(/=/,$in_second[$i],2); # splits on the first =.
# Convert %XX from hex numbers to alphanumeric
$key =~ s/%(..)/pack("c",hex($1))/ge;
$val =~ s/%(..)/pack("c",hex($1))/ge;
# Associate key and value
$in{$key} .= "\0" if (defined($in{$key})); # \0 is the multiple separator
$in{$key} .= $val;
}
return length($#in_second);
}
sub MethGet {
return ($ENV{'REQUEST_METHOD'} eq "GET");
}