#!/usr/bin/perl # ------------------------------------------------------------------------ # ------------------------------------------------------------------------ # Infinity CGI Exploit Scanner v3.11 Beta # Copyright (C) 2000 Azrael, All Rights Reserved # ------------------------------------------------------------------------ # This script is to be used for educational use only. I (Azrael) accept # absolutely no responsibility for the information that may be possibly # attained through the use of this script and/or the actions that may # take place because of someone's usage of this script. # ------------------------------------------------------------------------ # Visit http://infinityproject.cjb.net for more updates on the scanner and/or # a better version available. # You can contact me at infinity@wwdg.com # ------------------------------------------------------------------------ # ------------------------------------------------------------------------ # How to setup the script: # - Make sure you got the scanner blocker script (dontscan.cgi) as well # - you need to chmod the script to 755 (u+rwx,g+rx,o+rx) # - you need to chmod 666 (a+rw) the scanner counter datafile if you enable counting # - you need to make the file explog.txt (or whatever you put in the config below) # - you need to chmod the file explog.txt (or whatever you put in config) to 666 (a+rw) # - you need to make the file dontscan.txt (or whatever you put in the config below) # - you need to chmod the file dontscan.txt (or whatever you put in the config) to 666 (a+rw) # - if you enable vulnerability loggin: # - you need to make the file vulnlog.txt (or whatever you put in the config below) # - you need to chmod the file vulnlog.txt (or whatever you ptu in teh config below) to 666 (a+rw) # Make sure perl 5.005 or higher is installed # Make sure the first line of this script points to the location of perl (which perl) # All questions should be directed to infinityproject.cjb.net wwwboard # ------------------------------------------------------------------------ # The form to put on your website: # # Infinity Exploit Scanner 3.11 Beta - CGI Version

# # ------------------------------------------------------------------------ # Setup Variables # ------------------------------------------------------------------------ $yoursiteaddy = "www.yourdoamin.com"; # Your website address # Customize the colors of the output. Remember, special characters like # @, ", | etc... need a \ before them. $bodycolors = ""; $specialcolors = "cccccef"; # colors of special text in the output $nslookuplocation = "/usr/bin/nslookup"; # Location of nslookup binary (which nslookup) $logvulns = 0; # Log vulnerabilities - 1 is yes, 0 is no. WARNING - This can get big! $countscans = 1; # Turn this to 1 if you want to enable the scanner counter # If you enable countscans to 1, you must specify the location of the data file to use $counterlocation = "/pathto/expcount.txt"; $exploglocation = "/pathto/explog.txt"; # logfile $dontscanlocation = "/pathto/dontscan.txt"; # blocked sites list $vulnloglocation = "/pathto/vulnlog.txt"; # vulnerability logfile # Error code headers to check for with Advanced Error Checking: @errchkingarray = ("404 Not Found", "404 Error", "302 Object Moved", "script produced no output", "Item was not found", "Error Occurred While Processing Request"); # ------------------------------------------------------------------------ use Socket; $| = 1; $isitdone = "0"; $errsfound = 0; &header(); print "

Switching on Advanced Error Checking...OK\n
\n"; } if($idsbypass eq "yes") { print "\n\n
Entering IDS Bypass Mode...OK\n
\n"; } print "\n\n
Initiating Scan on $host\:$port...OK\n
\n"; if($servertype eq "iis" or $servertype eq "pws" or $servertype eq "netscape" or $servertype eq "website" or $servertype eq "all") { &scan($host, $port, '200', 'OK', '/cfappman/', 'index.cfm', 'Cold Fusion Server hole'); &scan($host, $port, '200', 'OK', '/scripts/', 'CGImail.exe', 'CGImail.exe Hole'); &scan($host, $port, '200', 'OK', '/scripts/', 'fpcount.exe', 'FPCount.exe Hole'); &scan($host, $port, '200', 'OK', '/iissamples/exair/howitworks/', 'codebrws.asp', 'IIS Hole'); &scan($host, $port, '200', 'OK', '/iissamples/sdk/asp/docs/', 'codebrws.asp', 'IIS Hole'); &scan($host, $port, '200', 'OK', '/msads/samples/selector/', 'showcode.asp', 'IIS Hole'); &scan($host, $port, '200', 'OK', '/', '_AuthChangeUrl?', 'IIS acdg.htr mapping'); &scan($host, $port, '200', 'OK', '/', '....../autoexec.bat', 'PWS Win95/98 Remote File Viewing'); &scan($host, $port, '502', 'Proxy error', '/scripts/proxy/', 'w3proxy.dll', 'MS-Proxy Server v1.0 Hole'); ##################### # Phunky IDC stuff for RDS ODBC Hole &scan($host, $port, '200', 'OK', '/scrips/tools/', 'getdrvs.exe', 'IIS Remote File Creation'); &scan($host, $port, '200', 'OK', '/msadc/', 'msadcs.dll', 'RDS ODBC Hole - See www.wiretrip.net/rfp'); &scan($host, $port, '200', 'OK', '/scrips/tools/', 'newdsn.exe', 'Remote DSN/MS-Access Database Creation'); &scan($host, $port, '200', 'OK', '/', 'carbo.dll', 'Carbo.dll Hole'); &scan($host, $port, '200', 'OK', '/scripts/iisadmin', 'bdir.htr', 'IIS web password change'); if(&fastdircheck('/iisadmpwd/') eq "yes") { &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'achg.htr', 'IIS web password change'); &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp.htr', 'IIS web password change'); &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp2.htr', 'IIS web password change'); &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp2b.htr', 'IIS web password change'); &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp3.htr', 'IIS web password change'); &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp4.htr', 'IIS web password change'); &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp4b.htr', 'IIS web password change'); &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'anot.htr', 'IIS web password change'); &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'anot3.htr', 'IIS web password change'); } if(&fastdircheck('/scripts/samples/') eq "yes") { &scan($host, $port, '200', 'OK', '/scripts/samples/', 'details.idc', 'ODBC msadcs.dll Hole Component - Detected exists and DSN connection made!'); &scan($host, $port, '500', 'Error performing query', '/scripts/samples/', 'details.idc', 'ODBC msadcs.dll Hole Component - Detected exists but DSN connection not made'); &scan($host, $port, '200', 'Error performing query', '/scripts/samples/', 'details.idc', 'ODBC msadcs.dll Hole Component - Detected does not exist and DSN connection not made'); &scan($host, $port, '200', 'OK', '/scripts/samples/', 'ctguestb.idc', 'ODBC msadcs.dll Hole Component - Used to prep details.idc for DSN connection'); &scan($host, $port, '500', 'Error performing query', '/scripts/samples/', 'ctguestb.idc', 'ODBC msadcs.dll - Exists but DSN connection not made'); } ##################### if(&fastdircheck('/cfdocs/') eq "yes") { &scan($host, $port, '200', 'OK', '/cfdocs/', 'cfmlsyntaxcheck.cfm', 'Cold Fusion Server hole'); if(&fastdircheck('/cfdocs/snippets/') eq "yes") { &scan($host, $port, '200', 'OK', '/cfdocs/snippets/', 'evaluate.cfm', 'Cold Fusion Server hole'); &scan($host, $port, '200', 'OK', '/cfdocs/snippets/', 'fileexists.cfm', 'Cold Fusion Server hole'); &scan($host, $port, '200', 'OK', '/cfdocs/snippets/', 'gettempdirectory.cfm', 'Cold Fusion Server hole'); &scan($host, $port, '200', 'OK', '/cfdocs/snippets/', 'viewexample.cfm', 'Cold Fusion Server hole'); } if(&fastdircheck('/cfdocs/expeval/') eq "yes") { &scan($host, $port, '200', 'OK', '/cfdocs/expeval/', 'openfile.cfm', 'Cold Fusion Server hole'); &scan($host, $port, '200', 'OK', '/cfdocs/expeval/', 'exprcalc.cfm', 'Cold Fusion Server hole'); &scan($host, $port, '200', 'OK', '/cfdocs/expeval/', 'sendmail.cfm', 'Cold Fusion Server hole'); } if(&fastdircheck('/cfdocs/examples/') eq "yes") { &scan($host, $port, '200', 'OK', '/cfdocs/examples/httpclient/', 'mainframeset.cfm', 'Cold Fusion Server hole'); &scan($host, $port, '200', 'OK', '/cfdocs/examples/cvbeans/', 'beaninfo.cfm', 'Cold Fusion Server hole'); &scan($host, $port, '200', 'OK', '/cfdocs/examples/parks/', 'detail.cfm', 'Cold Fusion Server hole'); } } } if($server eq "netware" or $server eq "netscape" or $servertype eq "all") { &scan($host, $port, '200', 'OK', '/scripts/', 'convert.bas', 'Novell Netware Remote File Reading'); } if($server eq "thttpd" or $servertype eq "all") { &scan($host, $port, '200', 'OK', '//', 'etc/passwd', 'Remote File Reading'); } if($servertype eq "website" or $servertype eq "all") { &scan($host, $port, '200', 'OK', '/cgi-dos/', 'args.bat', 'Website 1.x CMD exec'); &scan($host, $port, '200', 'OK', '/cgi-dos/', 'args.cmd', 'Website 1.x CMD exec'); &scan($host, $port, '200', 'OK', '/cgi-win/', 'uploader.exe', 'Website 1.x Upload'); &scan($host, $port, '200', 'OK', '/cgi-shl/', 'win-c-sample.exe', 'Website 1.x CMD exec'); } if($servertype eq "netscape" or $servertype eq "frontpage" or $servertype eq "all") { &scan($host, $port, '200', 'OK', '/_vti_pvt/', 'users.pwd', 'VTI PVT [users.pwd]'); &scan($host, $port, '200', 'OK', '/_vti_pvt/', 'administrators.pwd', 'VTI PVT [administrators.pwd]'); &scan($host, $port, '200', 'OK', '/_vti_pvt/', 'authors.pwd', 'VTI PVT [authors.pwd]'); &scan($host, $port, '200', 'OK', '/_vti_pvt/', 'service.pwd', 'VTI PVT [service.pwd]'); &scan($host, $port, '200', 'OK', '/', '_vti_inf.html', 'VTI INF [_vti_inf.html]'); &scan($host, $port, '200', 'OK', '/_vti_bin/', 'shtml.dll', 'VTI BIN [shtml.dll]'); &scan($host, $port, '200', 'OK', '/_vti_bin/', 'shtml.exe', 'VTI BIN [shtml.exe]'); } if($servertype eq "domino" or $servertype eq "all") { &scan($host, $port, '200', 'OK', '/', 'domcfg.nsf', 'Remote Server Config'); &scan($host, $port, '200', 'OK', '/', 'domlog.nsf', 'Remote Server Logs'); &scan($host, $port, '200', 'OK', '/', 'names.nsf', 'Remote Server Config'); &scan($host, $port, '200', 'OK', '/', 'log.nsf', 'Remote Server Config'); } if($servertype eq "neowebscript" or $servertype eq "all") { &scan($host, $port, '200', 'OK', '/neowebscript/test/', 'senvironment.nhtml', 'Neowebscript Environment Hole'); &scan($host, $port, '200', 'OK', '/neowebscript/tests/', 'load_webenv.nhtml', 'Neowebscript Environment Hole'); &scan($host, $port, '200', 'OK', '/neowebscript/tests/', 'mailtest.nhtml', 'Neowebscript Mail Hole'); } if($servertype eq "machttp" or $servertype eq "webstar" or $servertype eq "homedoor" or $servertype eq "netcloak" or $servertype eq "all") { &scan($host, $port, '200', 'OK', '/', 'WebSTART%20LOG', 'Remote Logfile Reading'); } &scan($host, $port, '200', 'OK', '/', 'search97.vts', 'Any file reading'); foreach $dirtoscan (@gooddirs) { &scan($host, $port, '200', 'OK', $dirtoscan, 'phf', 'PHF Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'Count.cgi', 'Count.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'test-cgi', 'test-cgi Hole - Remote DIR Listing'); &scan($host, $port, '200', 'OK', $dirtoscan, 'php.cgi', 'php.cgi - Remote File Reading'); &scan($host, $port, '200', 'OK', $dirtoscan, 'handler', 'SGI Handler Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'webgais', 'Webgais Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'websendmail', 'Websendmail Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'webdist.cgi', 'Webdist Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'faxsurvey', 'Faxsurvey Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'htmlscript', 'htmlscript Hole - Remote File Reading'); &scan($host, $port, '200', 'OK', $dirtoscan, 'pfdisplay.cgi', 'pfdispaly.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'perl.exe', 'perl.exe Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'wwwboard.pl', 'wwwboard.pl DoS Attack'); &scan($host, $port, '200', 'OK', $dirtoscan, 'nph-test-cgi', 'nph-test-cgi Hole - Remote DIR Listing'); &scan($host, $port, '200', 'OK', $dirtoscan, 'view-source', 'view-source Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'campas', 'campas Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'aglimpse', 'aglimpse Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'man.sh', 'man.sh Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'AT-admin.cgi', 'AT-admin.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'filemail.pl', 'filemail.pl Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'maillist.pl', 'maillist.pl Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'jj', 'jj Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'info2www', 'info2www Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'rwwwshell.pl', 'THC - Backdoor'); &scan($host, $port, '200', 'OK', $dirtoscan, 'nph-publish', 'nph-publish Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'www-sql', 'www-sql - Remote File Viewing'); &scan($host, $port, '200', 'OK', $dirtoscan, 'files.pl', 'files.pl Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'finger', 'Finger Hole - DoS Attack'); &scan($host, $port, '200', 'OK', $dirtoscan, 'bnbform.cgi', 'bnbform.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'survey.cgi', 'survey.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'AnyForm2', 'AnyForm2 Hole - Remote File Emailing'); &scan($host, $port, '200', 'OK', $dirtoscan, 'textcounter.pl', 'textcounter.pl Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'classifieds.cgi', 'classifieds.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'environ.cgi', 'environ.cgi Hole - Show Environmental Vars'); &scan($host, $port, '200', 'OK', $dirtoscan, 'wrap', 'wrap Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'cgiwrap', 'cgiwrap Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'guestbook.cgi', 'guestbook.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'edit.pl', 'edit.pl Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'perlshop.cgi', 'perlshop.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'rguest.exe', 'rguest.exe Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'whois_raw.cgi', 'whois_raw.cgi Hole - Remote Command Execution'); &scan($host, $port, '200', 'OK', $dirtoscan, 'whois.cgi', 'Remote Command Execution'); &scan($host, $port, '200', 'OK', $dirtoscan, 'day5datacopier.cgi', 'IRIX remote exec'); &scan($host, $port, '200', 'OK', $dirtoscan, 'day5datanotifier.cgi', 'IRIX remote exec'); &scan($host, $port, '200', 'OK', $dirtoscan, 'dumpenv.pl', 'Sambar environment reading'); &scan($host, $port, '200', 'OK', $dirtoscan, 'upload.pl', 'Sambar server upload exploit'); &scan($host, $port, '200', 'OK', $dirtoscan, '/session/adminlogin?RCpage=/sysadmin/index.stm', 'Sambar r00ting'); &scan($host, $port, '200', 'OK', $dirtoscan, 'flexform.cgi', 'flexform.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'flexform', 'flexform Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'LWGate.cgi', 'LWGate.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'lwgate.cgi', 'lwgate.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'download.cgi', 'download.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'nlog-smb.pl', 'nlog-smb.pl Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'webmap.cgi', 'webmap.cgi Hole'); } &footer(); sub header() { print "$ENV{'SERVER_PROTOCOL'} 200 OK\n"; print "Server: $ENV{'SERVER_SOFTWARE'}\n"; print "Content-type: text/html\n\n"; print "$bodycolors"; # print ""; print "[ Infinity Scanner 3.11 Beta - CGI Exploit Scanner ]
\n"; print "The Infinity Project: http://infinityproject.cjb.net\n"; print " Script Written by Azrael
\n"; print "
Exploit Scanner hosted by: $yoursiteaddy\n
"; @values = split(/\&/,$ENV{'QUERY_STRING'}); foreach $i (@values) { ($varname, $mydata) = split(/=/,$i); $FORM{$varname} = $mydata; } $host = "$FORM{'host'}"; $port = "$FORM{'port'}"; $errchk = "$FORM{'errchk'}"; $idsbypass = "$FORM{'idsbypass'}"; $host =~ tr/+/ /; $host =~ tr/\%/a/; $host =~ tr/\;/b/; $host =~ tr//d/; $host =~ tr/\|/e/; $host =~ tr/\&/f/; $host =~ tr/\^/g/; $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; $badstring1 = "\.html"; $badstring2 = "http\://"; $badstring3 = "infinityzone.cjb.net"; $badstring4 = "cjb\.net"; $badstring5 = "infinityproject.cjb.net"; if(lc($host) =~ lc($badstring1)) { &dienice("The Scanner can't scan HTML files. There are no exploits for them!"); } if(lc($host) =~ lc($badstring2)) { &dienice("Don't Enter the http:// part of the server! Just enter foobar.com or www.foobar.com (substitute your server in for that)."); } if(lc($host) =~ lc($badstring3)) { &dienice("You best not be trying to scan [ The Infinity Zone ]!"); } if(lc($host) =~ lc($badstring4)) { &dienice("You are not allowed to scan cjb.net! Anyway, don't you realize that the subdomains in their network are not really on their network but rather its just a mask! Arg, some people!"); } if(lc($host) =~ lc($badstring5)) { &dienice("You best not be trying to scan [ The Infinity Project ]!"); } $hostname = `$nslookuplocation $host`; if(lc($hostname) =~ ".gov") { &dienice("No scanning .gov sites!"); } if(lc($hostname) =~ ".mil") { &dienice("No scanning .mil sites!"); } if(lc($hostname) =~ ".GOV") { &dienice("No scanning .GOV sites!"); } if(lc($hostname) =~ ".MIL") { &dienice("No scanning .MIL sites!"); } open(DONTSCAN, "$dontscanlocation") or &dienice("Couldn't open the list of sites to not scan.\n"); @dontscanlist = ; close(DONTSCAN); @hostnameresults = `$nslookuplocation $host`; foreach $badsite (@dontscanlist) { chomp($badsite); if(lc($host) =~ lc($badsite)) { &dienice("That site is protected from being scanned."); } foreach $badsitehostname (@hostnameresults) { chomp($badsitehostname); if(lc($badsitehostname) =~ lc($badsite) and lc($badsitehostname) !~ lc($host)) { &dienice("That site is protected from being scanned."); } if(lc($badsitehostname) =~ lc(".gov")) { &dienice("That site is protected from being scanned."); } if(lc($badsitehostname) =~ lc(".mil")) { &dienice("That site is protected from being scanned."); } } } ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); # $hour++; # if ($hour == 25) { $hour = 1; } # $mon++; # if ($mon == 13) { $mon = 1; } open(EXLOG, ">>$exploglocation") or &dienice("Couldn't open explog.txt for writing. Please make sure the file exists and is writable.\n"); print EXLOG "$ENV{'REMOTE_HOST'}\|$ENV{'REMOTE_ADDR'}\|$host\:$port\|$hour\:$min\:$sec on $mon/$mday/$year\n"; close(EXLOG); $serverIP = inet_aton($host); $serverAddr = sockaddr_in($port, $serverIP); $number = 0; socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); if(connect(CLIENT, $serverAddr)) { send(CLIENT,"GET Infinity.Exploit.Scanner..block.your.site.at..$yoursiteaddy..from.scans...tollphree.scan HTTP/1.0\n\n",0); } close(CLIENT); if($countscans == 1) { open(COUNT,"+<$counterlocation") || die "Couldn't open file: $counterlocation\n"; $hits = ; $hits = $hits + 1; seek (COUNT,0,0); print COUNT $hits; truncate COUNT, tell COUNT; close COUNT; print "There have been $hits scans with this scanner"; print "
\n\n"; } else { print "\n\n"; } } sub footer() { if($number == 0) { print "No Vulnerabilities Found\n"; } else { if($errchk eq "yes") { if($logvulns == 1 and $#vulnArray < 35) { open(VULNLOG, ">>$vulnloglocation") or &dienice("Couldn't open the vuln log for writing. Please make sure the file exists and is writable.\n"); print VULNLOG "Scanned $host\:$port at $hour\:$min\:$sec on $mon/$mday/$year\n\n"; foreach $vulnInArray (@vulnArray) { print VULNLOG "Location: $vulnInArray\|$host\:$port\|$usingErrChking\|$ENV{'REMOTE_HOST'}\|$ENV{'REMOTE_ADDR'}\n"; } print VULNLOG "\n"; close(VULNLOG); } } } print "
Finished scanning $host on port $port

"; print " Many thanks to rain.forest.puppy for the new ideas (see whisker). Check out his site! [ Infinity Scanner 3.11 Beta - CGI Exploit Scanner ] Copyright 2000 Azrael, All Rights Reserved."; print " "; } sub pingserver() { ($host, $port) = @_; print " Looking Up $host..."; if(!gethostbyname($host)) { print "FAILED"; &footer(); exit; } else { print "OK"; } } sub fingerprint() { ($host, $port) = @_; print " Fingerprinting for Valid Extensions...OK "; @extstocheck = (".cfm", ".cgi", ".sh", ".exe", ".htr", ".pl"); foreach $extcheck (@extstocheck) { socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); connect(CLIENT, $serverAddr); send(CLIENT,"GET sflj02wulsjdflkj203ursljf$extcheck HTTP/1.0\n\n",0); $check=; @output=; close(CLIENT); ($http,$code,$therest) = split(/ /,$check); print "Checking $extcheck..."; if($code eq "200") { print "FAILED - Results for this extension may be invalid "; } else { print "PASSED "; } } print " "; } sub fastdircheck() { ($fastdircheck) = @_; socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); connect(CLIENT, $serverAddr); send(CLIENT,"GET $fastdircheck HTTP/1.0\n\n",0); $check=; @output=; close(CLIENT); ($http,$code,$therest) = split(/ /,$check); if($code eq "200" or $code eq "403" or $code eq "302") { $ifgotit = "yes"; } else { $ifgotit = "no" }; return($ifgotit); } sub determinedirs () { ($host, $port) = @_; print " Determining Valid CGI Directories..."; @dirstocheck = ("/cgis/", "/cgi-bin/", "/cgi/", "/cgibin/", "/cgi-local/", "/cgilocal/", "/cgi-win/", "/cgiwin/"); foreach $dircheck (@dirstocheck) { socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); connect(CLIENT, $serverAddr); send(CLIENT,"GET $dircheck HTTP/1.0\n\n",0); $check=; @output=; close(CLIENT); ($http,$code,$therest) = split(/ /,$check); if($code eq "200" or $code eq "403" or $code eq "302") { push(@gooddirs, "$dircheck"); } } if ($#gooddirs >= 0) { print "OK "; } else { print "NONE FOUND "; } foreach $founddir (@gooddirs) { print "Found Directory: $founddir "; } print " "; } sub determineservertype() { ($host, $port) = @_; print " Determining Server Type..."; socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); if(connect(CLIENT, $serverAddr)) { send(CLIENT,"HEAD / HTTP/1.0\n\n",0); @serveroutput=; close(CLIENT); $servertype = ""; foreach $line (@serveroutput) { if($line =~ "Server\:") { $serverresponseline = $line; if(lc($line) =~ "iis") { $servertype = "iis"; } if(lc($line) =~ "apache") { $servertype = "apache"; } if(lc($line) =~ "netscape") { $servertype = "netscape"; } if(lc($line) =~ "website") { $servertype = "website"; } if(lc($line) =~ "netware") { $servertype = "netware"; } if(lc($line) =~ "neowebscript") { $servertype = "neowebscript"; } if(lc($line) =~ "thttpd") { $servertype = "thttpd"; } if(lc($line) =~ "machttp") { $servertype = "machttp"; } if(lc($line) =~ "webstar") { $servertype = "webstar"; } if(lc($line) =~ "homedoor") { $servertype = "homedoor"; } if(lc($line) =~ "netcloak") { $servertype = "netcloak"; } if(lc($line) =~ "netpresenz") { $servertype = "netpresenz"; } if(lc($line) =~ "domino") { $servertype = "domino"; } if(lc($line) =~ "sambar") { $servertype = "sambar"; } if(lc($line) =~ "zeus") { $servertype = "zeus"; } if(lc($line) =~ "alibaba") { $servertype = "alibaba"; } if(lc($line) =~ "frontpage") { $servertype = "frontpage"; } if(lc($line) =~ "quid") { $servertype = "quid"; } if(lc($line) =~ "teamtrack") { $servertype = "teamtrack"; } if(lc($line) =~ "dwhttpd") { $servertype = "dwhttpd"; } if(lc($line) =~ "icq") { $servertype = "icq"; } if(lc($line) =~ "folkweb") { $servertype = "folkweb"; } if(lc($line) =~ "fnord") { $servertype = "fnord"; } if(lc($line) =~ "serverseven") { $servertype = "serverseven"; } if(lc($line) =~ "stronghold") { $servertype = "stronghold"; } if(lc($line) =~ "agranat-emweb") { $servertype = "agranat-emweb"; } if(lc($line) =~ "ncsa") { $servertype = "ncsa"; } if(lc($line) =~ "cern") { $servertype = "cern"; } if(lc($line) =~ "process") { $servertype = "process"; } if(lc($line) =~ "rushhour") { $servertype = "rushhour"; } if(lc($line) =~ "aolserver") { $servertype = "aolserver"; } if(lc($line) =~ "commerce-builder") { $servertype = "commerce-builder"; } if(lc($line) =~ "wn") { $servertype = "wn"; } if(lc($line) =~ "oracle") { $servertype = "oracle"; } if(lc($line) =~ "emwac") { $servertype = "emwac"; } if(lc($line) =~ "webquest") { $servertype = "webquest"; } if(lc($line) =~ "open-market-webserver") { $servertype = "open-market-webserver"; } if(lc($line) =~ "open-market-secure-webserver") { $servertype = "open-market-secure-webserver"; } if(lc($line) =~ "goserve") { $servertype = "goserve"; } if(lc($line) =~ "plexus") { $servertype = "plexus"; } if(lc($line) =~ "eit") { $servertype = "eit"; } if(lc($line) =~ "spry") { $servertype = "spry"; } if(lc($line) =~ "osu") { $servertype = "osu"; } if(lc($line) =~ "roxen") { $servertype = "roxen"; } if(lc($line) =~ "phttpd") { $servertype = "phttpd"; } if(lc($line) =~ "falcon") { $servertype = "falcon"; } if(lc($line) =~ "mathopd") { $servertype = "mathopd"; } if(lc($line) =~ "boa") { $servertype = "boa"; } if(lc($line) =~ "javawebserver") { $servertype = "javawebserver"; } if(lc($line) =~ "zbserver") { $servertype = "zbserver"; } if(lc($line) =~ "frontier") { $servertype = "frontier"; } if(lc($line) =~ "gosite") { $servertype = "gosite"; } if(lc($line) =~ "aserve") { $servertype = "aserve"; } if(lc($line) =~ "os2httpd") { $servertype = "os2httpd"; } if(lc($line) =~ "powerweb") { $servertype = "powerweb"; } if(lc($line) =~ "boulevard") { $servertype = "boulevard"; } if(lc($line) =~ "webforone") { $servertype = "webforone"; } if(lc($line) =~ "webshare") { $servertype = "webshare"; } if(lc($line) =~ "enterpriseweb") { $servertype = "enterpriseweb"; } if(lc($line) =~ "cosmos") { $servertype = "cosmos"; } if(lc($line) =~ "glaci") { $servertype = "glaci"; } if(lc($line) =~ "cl-http") { $servertype = "cl-http"; } if(lc($line) =~ "i/net") { $servertype = "i/net"; } if(lc($line) =~ "webdisk") { $servertype = "webdisk"; } if(lc($line) =~ "hyperwave") { $servertype = "hyperwave"; } if(lc($line) =~ "telefinder") { $servertype = "telefinder"; } if(lc($line) =~ "viking") { $servertype = "viking"; } if(lc($line) =~ "omnihttpd") { $servertype = "omnihttpd"; } if(lc($line) =~ "xitami") { $servertype = "xitami"; } if(lc($line) =~ "avenida") { $servertype = "avenida"; } if(lc($line) =~ "spinnaker") { $servertype = "spinnaker"; } if(lc($line) =~ "wildcat") { $servertype = "wildcat"; } if(lc($line) =~ "vqserver") { $servertype = "vqserver"; } } } if($servertype eq "") { $servertype = "all"; print "FAILED"; } else { print "OK $serverresponseline "; } } else { &dienice("Unable to connect to host"); } } sub scan() { ($host, $port, $errorcode, $extratext, $thedir, $thehole, $holeinfo) = @_; print " "; socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); gethostbyname($host) or print "No IP address"; if(!gethostbyname($host)) { print " Can't Resolve DNS/IP\n"; } if(connect(CLIENT, $serverAddr)) { $thewholeenchelada = "$thedir$thehole"; if($idsbypass eq "yes") { $thewholeenchelada =~ s/([-a-zA-Z0-9.])/sprintf("%%%x",ord($1))/ge; } send(CLIENT,"GET $thewholeenchelada HTTP/1.0\n\n",0); $check=; @output=; ($http,$code,$therest) = split(/ /,$check); if("$code" =~ "$errorcode" && "$therest" =~ "$extratext") { print " Vulnerability Found: $holeinfo\n Location: $thedir$thehole\n\n"; if($errchk eq "yes") { $errsfound = 0; foreach $lineof (@output) { foreach $errtochk (@errchkingarray) { if($lineof =~ $errtochk) { print " Warning: Error Code \"$errtochk\" ! Results may be invalid.\n\n"; $errsfound++; } } } } $number++; if($errsfound == 0) { push(@vulnArray, "$thedir$thehole"); } } } print ""; close (CLIENT); } sub dienice() { ($msg) = @_; print "\n\nError:\n$msg"; exit; }