#!/usr/bin/perl -w
# option T
#Exploit:
#http://localhost/~kmaster/show.cgi?login=%2Fetc%2Fpasswd%00
BEGIN { $ENV{PATH} = '/usr/bin:/bin' }
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # Make %ENV safer =:-)
print "Content-type: text/html\n\n";
print "<HTML>\n<HEAD><TITLE>Remote Command</TITLE></HEAD>\n";
&ReadParse(*input);
print "<BODY>";
$login = $input{'login'};
$login =~ s/\0//g;
$login =~ s/([<>\*\|`&\$!#\(\)\[\]\{\}:'\n])/\\$1/g;
print "Login $login<BR>\n";
print "Finger<BR>\n";
$CMD= "/usr/bin/finger \"$login\"|";
open(FILE,"$CMD") || goto form;
while(<FILE>) {
  print;
}

form:
print "<form action=\"$ENV{'SCRIPT_NAME'}\">\n<input type=texte name=login>\n </form>\n";
print "</BODY>\n";
print "</HTML>";
exit(0);

sub ReadParse {
  local (*in) = @_ if @_;
  my ($i, $key, $val);
  my $in_first;
  my @in_second;

  # Read in text
  if (&MethGet) {
    $in_first = $ENV{'QUERY_STRING'};
  } elsif ($ENV{'REQUEST_METHOD'} eq "POST") {
    read(STDIN,$in_first,$ENV{'CONTENT_LENGTH'});
  }

  @in_second = split(/&/,$in_first);

  foreach $i (0 .. $#in_second) {
    # Convert plus's to spaces
    $in_second[$i] =~ s/\+/ /g;

    # Split into key and value.  
    ($key, $val) = split(/=/,$in_second[$i],2); # splits on the first =.

    # Convert %XX from hex numbers to alphanumeric
    $key =~ s/%(..)/pack("c",hex($1))/ge;
    $val =~ s/%(..)/pack("c",hex($1))/ge;

    # Associate key and value
    $in{$key} .= "\0" if (defined($in{$key})); # \0 is the multiple separator
    $in{$key} .= $val;

  }

  return length($#in_second); 
}

sub MethGet {
  return ($ENV{'REQUEST_METHOD'} eq "GET");
}