#!/usr/bin/perl
# ------------------------------------------------------------------------
# ------------------------------------------------------------------------
# Infinity CGI Exploit Scanner v3.11 Beta
# Copyright (C) 2000 Azrael, All Rights Reserved
# ------------------------------------------------------------------------
# This script is to be used for educational use only. I (Azrael) accept
# absolutely no responsibility for the information that may be possibly
# attained through the use of this script and/or the actions that may
# take place because of someone's usage of this script.
# ------------------------------------------------------------------------
# Visit http://infinityproject.cjb.net for more updates on the scanner and/or
# a better version available.
# You can contact me at infinity@wwdg.com
# ------------------------------------------------------------------------
# ------------------------------------------------------------------------
# How to setup the script:
# - Make sure you got the scanner blocker script (dontscan.cgi) as well
# - you need to chmod the script to 755 (u+rwx,g+rx,o+rx)
# - you need to chmod 666 (a+rw) the scanner counter datafile if you enable counting
# - you need to make the file explog.txt (or whatever you put in the config below)
# - you need to chmod the file explog.txt (or whatever you put in config) to 666 (a+rw)
# - you need to make the file dontscan.txt (or whatever you put in the config below)
# - you need to chmod the file dontscan.txt (or whatever you put in the config) to 666 (a+rw)
# - if you enable vulnerability logging:
# - you need to make the file vulnlog.txt (or whatever you put in the config below)
# - you need to chmod the file vulnlog.txt (or whatever you put in the config below) to 666 (a+rw)
# - SECURITY NOTE: keep every one of these data files outside the web server's
#   document root. They are world-writable, and the vulnerability log records
#   every host scanned together with the scanning client's address; anyone who
#   can fetch them over HTTP can read or tamper with that data.
# Make sure perl 5.005 or higher is installed
# Make sure the first line of this script points to the location of perl (which perl)
# All questions should be directed to infinityproject.cjb.net wwwboard
# ------------------------------------------------------------------------
# The form to put on your website:
# (the HTML form markup itself is not reproduced in this listing)
#
# Infinity Exploit Scanner 3.11 Beta - CGI Version
#
# ------------------------------------------------------------------------
# Setup Variables
# ------------------------------------------------------------------------
# NOTE(review): everything in this block is operator-controlled configuration.
# Nothing here is derived from the request; the request-derived values
# ($host, $port, $errchk, $idsbypass) are parsed from QUERY_STRING further
# down in the script.
$yoursiteaddy = "www.yourdoamin.com"; # Your website address (shown in the page header)
# Customize the colors of the output. Remember, special characters like
# @, ", | etc... need a \ before them.
$bodycolors = "";                    # printed verbatim right after the HTTP headers
$specialcolors = "cccccef";          # colors of special text in the output
# Location of nslookup binary (which nslookup).  It is executed with the
# user-supplied host name as its argument, so this must be an absolute path
# to a trusted binary.
$nslookuplocation = "/usr/bin/nslookup";
$logvulns = 0;   # Log vulnerabilities - 1 is yes, 0 is no. WARNING - This can get big!
$countscans = 1; # Turn this to 1 if you want to enable the scanner counter
# If you enable countscans to 1, you must specify the location of the data file to use.
# Keep all four data files OUTSIDE the document root: they have to be writable
# by the web server user, and the vulnerability log records scanned hosts
# together with the scanning client's address.
$counterlocation = "/pathto/expcount.txt";
$exploglocation = "/pathto/explog.txt";     # logfile
$dontscanlocation = "/pathto/dontscan.txt"; # blocked sites list
$vulnloglocation = "/pathto/vulnlog.txt";   # vulnerability logfile
# Error code headers to check for with Advanced Error Checking.
# NOTE(review): these strings are used as regular-expression patterns when a
# response is inspected, so any regex metacharacter added here must be escaped.
@errchkingarray = ("404 Not Found", "404 Error", "302 Object Moved", "script produced no output", "Item was not found", "Error Occurred While Processing Request");
# ------------------------------------------------------------------------
use Socket;
$| = 1;          # unbuffered STDOUT so scan progress streams to the browser as it happens
$isitdone = "0";
$errsfound = 0;  # per-probe count of matched error phrases; reset by the error-checking loop
&header();
print "\n";
} # NOTE(review): no matching opening brace is visible in this listing
if($idsbypass eq "yes") {
print "\n\n
\n"; } print "\n\n
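\n";
# ------------------------------------------------------------------------
# Probe table.  &scan takes (host, port, expected status code, expected
# status text, directory, file, description) and requests "$directory$file",
# so every directory must end in '/'.  Families of probes that live under
# one directory are gated on &fastdircheck(dir) eq "yes" so a missing tree
# costs a single request.  Branches key on $servertype, with "all" meaning
# every family.
# ------------------------------------------------------------------------
if($servertype eq "iis" or $servertype eq "pws" or $servertype eq "netscape" or $servertype eq "website" or $servertype eq "all") {
    &scan($host, $port, '200', 'OK', '/cfappman/', 'index.cfm', 'Cold Fusion Server hole');
    &scan($host, $port, '200', 'OK', '/scripts/', 'CGImail.exe', 'CGImail.exe Hole');
    &scan($host, $port, '200', 'OK', '/scripts/', 'fpcount.exe', 'FPCount.exe Hole');
    &scan($host, $port, '200', 'OK', '/iissamples/exair/howitworks/', 'codebrws.asp', 'IIS Hole');
    &scan($host, $port, '200', 'OK', '/iissamples/sdk/asp/docs/', 'codebrws.asp', 'IIS Hole');
    # NOTE(review): the showcode.asp sample normally lives under /msadc/, not
    # /msads/ -- confirm this path before relying on the probe.
    &scan($host, $port, '200', 'OK', '/msads/samples/selector/', 'showcode.asp', 'IIS Hole');
    &scan($host, $port, '200', 'OK', '/', '_AuthChangeUrl?', 'IIS acdg.htr mapping');
    &scan($host, $port, '200', 'OK', '/', '....../autoexec.bat', 'PWS Win95/98 Remote File Viewing');
    &scan($host, $port, '502', 'Proxy error', '/scripts/proxy/', 'w3proxy.dll', 'MS-Proxy Server v1.0 Hole');
    #####################
    # Phunky IDC stuff for RDS ODBC Hole
    # Directory was '/scrips/tools/' (typo): the concatenated request never
    # hit the /scripts/ tree every other IIS probe uses.
    # NOTE(review): the IIS sample tool ships as getdrvrs.exe -- confirm the
    # file name used here.
    &scan($host, $port, '200', 'OK', '/scripts/tools/', 'getdrvs.exe', 'IIS Remote File Creation');
    &scan($host, $port, '200', 'OK', '/msadc/', 'msadcs.dll', 'RDS ODBC Hole - See www.wiretrip.net/rfp');
    &scan($host, $port, '200', 'OK', '/scripts/tools/', 'newdsn.exe', 'Remote DSN/MS-Access Database Creation');
    &scan($host, $port, '200', 'OK', '/', 'carbo.dll', 'Carbo.dll Hole');
    # Directory was '/scripts/iisadmin' without the trailing '/', which made
    # the request '/scripts/iisadminbdir.htr'.
    &scan($host, $port, '200', 'OK', '/scripts/iisadmin/', 'bdir.htr', 'IIS web password change');
    if(&fastdircheck('/iisadmpwd/') eq "yes") {
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'achg.htr', 'IIS web password change');
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp.htr', 'IIS web password change');
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp2.htr', 'IIS web password change');
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp2b.htr', 'IIS web password change');
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp3.htr', 'IIS web password change');
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp4.htr', 'IIS web password change');
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'aexp4b.htr', 'IIS web password change');
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'anot.htr', 'IIS web password change');
        &scan($host, $port, '200', 'OK', '/iisadmpwd/', 'anot3.htr', 'IIS web password change');
    }
    if(&fastdircheck('/scripts/samples/') eq "yes") {
        # Same file probed with three status/text pairs so the description
        # tells the reader which state the DSN is in.
        &scan($host, $port, '200', 'OK', '/scripts/samples/', 'details.idc', 'ODBC msadcs.dll Hole Component - Detected exists and DSN connection made!');
        &scan($host, $port, '500', 'Error performing query', '/scripts/samples/', 'details.idc', 'ODBC msadcs.dll Hole Component - Detected exists but DSN connection not made');
        &scan($host, $port, '200', 'Error performing query', '/scripts/samples/', 'details.idc', 'ODBC msadcs.dll Hole Component - Detected does not exist and DSN connection not made');
        &scan($host, $port, '200', 'OK', '/scripts/samples/', 'ctguestb.idc', 'ODBC msadcs.dll Hole Component - Used to prep details.idc for DSN connection');
        &scan($host, $port, '500', 'Error performing query', '/scripts/samples/', 'ctguestb.idc', 'ODBC msadcs.dll - Exists but DSN connection not made');
    }
    #####################
    if(&fastdircheck('/cfdocs/') eq "yes") {
        &scan($host, $port, '200', 'OK', '/cfdocs/', 'cfmlsyntaxcheck.cfm', 'Cold Fusion Server hole');
        if(&fastdircheck('/cfdocs/snippets/') eq "yes") {
            &scan($host, $port, '200', 'OK', '/cfdocs/snippets/', 'evaluate.cfm', 'Cold Fusion Server hole');
            &scan($host, $port, '200', 'OK', '/cfdocs/snippets/', 'fileexists.cfm', 'Cold Fusion Server hole');
            &scan($host, $port, '200', 'OK', '/cfdocs/snippets/', 'gettempdirectory.cfm', 'Cold Fusion Server hole');
            &scan($host, $port, '200', 'OK', '/cfdocs/snippets/', 'viewexample.cfm', 'Cold Fusion Server hole');
        }
        if(&fastdircheck('/cfdocs/expeval/') eq "yes") {
            &scan($host, $port, '200', 'OK', '/cfdocs/expeval/', 'openfile.cfm', 'Cold Fusion Server hole');
            &scan($host, $port, '200', 'OK', '/cfdocs/expeval/', 'exprcalc.cfm', 'Cold Fusion Server hole');
            &scan($host, $port, '200', 'OK', '/cfdocs/expeval/', 'sendmail.cfm', 'Cold Fusion Server hole');
        }
        if(&fastdircheck('/cfdocs/examples/') eq "yes") {
            &scan($host, $port, '200', 'OK', '/cfdocs/examples/httpclient/', 'mainframeset.cfm', 'Cold Fusion Server hole');
            &scan($host, $port, '200', 'OK', '/cfdocs/examples/cvbeans/', 'beaninfo.cfm', 'Cold Fusion Server hole');
            &scan($host, $port, '200', 'OK', '/cfdocs/examples/parks/', 'detail.cfm', 'Cold Fusion Server hole');
        }
    }
}
# These two branches tested "$server eq ..." while nothing in this listing
# assigns $server, so they only ever ran for $servertype "all".  Keyed on
# $servertype like every other branch.
if($servertype eq "netware" or $servertype eq "netscape" or $servertype eq "all") {
    &scan($host, $port, '200', 'OK', '/scripts/', 'convert.bas', 'Novell Netware Remote File Reading');
}
if($servertype eq "thttpd" or $servertype eq "all") {
    # The request path is '//etc/passwd' as written (directory '//').
    &scan($host, $port, '200', 'OK', '//', 'etc/passwd', 'Remote File Reading');
}
if($servertype eq "website" or $servertype eq "all") {
    &scan($host, $port, '200', 'OK', '/cgi-dos/', 'args.bat', 'Website 1.x CMD exec');
    &scan($host, $port, '200', 'OK', '/cgi-dos/', 'args.cmd', 'Website 1.x CMD exec');
    &scan($host, $port, '200', 'OK', '/cgi-win/', 'uploader.exe', 'Website 1.x Upload');
    &scan($host, $port, '200', 'OK', '/cgi-shl/', 'win-c-sample.exe', 'Website 1.x CMD exec');
}
if($servertype eq "netscape" or $servertype eq "frontpage" or $servertype eq "all") {
    &scan($host, $port, '200', 'OK', '/_vti_pvt/', 'users.pwd', 'VTI PVT [users.pwd]');
    &scan($host, $port, '200', 'OK', '/_vti_pvt/', 'administrators.pwd', 'VTI PVT [administrators.pwd]');
    &scan($host, $port, '200', 'OK', '/_vti_pvt/', 'authors.pwd', 'VTI PVT [authors.pwd]');
    &scan($host, $port, '200', 'OK', '/_vti_pvt/', 'service.pwd', 'VTI PVT [service.pwd]');
    &scan($host, $port, '200', 'OK', '/', '_vti_inf.html', 'VTI INF [_vti_inf.html]');
    &scan($host, $port, '200', 'OK', '/_vti_bin/', 'shtml.dll', 'VTI BIN [shtml.dll]');
    &scan($host, $port, '200', 'OK', '/_vti_bin/', 'shtml.exe', 'VTI BIN [shtml.exe]');
}
if($servertype eq "domino" or $servertype eq "all") {
    &scan($host, $port, '200', 'OK', '/', 'domcfg.nsf', 'Remote Server Config');
    &scan($host, $port, '200', 'OK', '/', 'domlog.nsf', 'Remote Server Logs');
    &scan($host, $port, '200', 'OK', '/', 'names.nsf', 'Remote Server Config');
    &scan($host, $port, '200', 'OK', '/', 'log.nsf', 'Remote Server Config');
}
if($servertype eq "neowebscript" or $servertype eq "all") {
    # NOTE(review): the first probe uses '/neowebscript/test/' while the other
    # two use '/neowebscript/tests/' -- confirm which directory is intended.
    &scan($host, $port, '200', 'OK', '/neowebscript/test/', 'senvironment.nhtml', 'Neowebscript Environment Hole');
    &scan($host, $port, '200', 'OK', '/neowebscript/tests/', 'load_webenv.nhtml', 'Neowebscript Environment Hole');
    &scan($host, $port, '200', 'OK', '/neowebscript/tests/', 'mailtest.nhtml', 'Neowebscript Mail Hole');
}
if($servertype eq "machttp" or $servertype eq "webstar" or $servertype eq "homedoor" or $servertype eq "netcloak" or $servertype eq "all") {
    &scan($host, $port, '200', 'OK', '/', 'WebSTART%20LOG', 'Remote Logfile Reading');
}
&scan($host, $port, '200', 'OK', '/', 'search97.vts', 'Any file reading');
# Generic CGI probes, tried in every directory listed in @gooddirs (populated
# elsewhere in the script).
foreach $dirtoscan (@gooddirs) {
    &scan($host, $port, '200', 'OK', $dirtoscan, 'phf', 'PHF Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'Count.cgi', 'Count.cgi Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'test-cgi', 'test-cgi Hole - Remote DIR Listing');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'php.cgi', 'php.cgi - Remote File Reading');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'handler', 'SGI Handler Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'webgais', 'Webgais Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'websendmail', 'Websendmail Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'webdist.cgi', 'Webdist Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'faxsurvey', 'Faxsurvey Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'htmlscript', 'htmlscript Hole - Remote File Reading');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'pfdisplay.cgi', 'pfdispaly.cgi Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'perl.exe', 'perl.exe Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'wwwboard.pl', 'wwwboard.pl DoS Attack');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'nph-test-cgi', 'nph-test-cgi Hole - Remote DIR Listing');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'view-source', 'view-source Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'campas', 'campas Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'aglimpse', 'aglimpse Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'man.sh', 'man.sh Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'AT-admin.cgi', 'AT-admin.cgi Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'filemail.pl', 'filemail.pl Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'maillist.pl', 'maillist.pl Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'jj', 'jj Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'info2www', 'info2www Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'rwwwshell.pl', 'THC - Backdoor');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'nph-publish', 'nph-publish Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'www-sql', 'www-sql - Remote File Viewing');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'files.pl', 'files.pl Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'finger', 'Finger Hole - DoS Attack');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'bnbform.cgi', 'bnbform.cgi Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'survey.cgi', 'survey.cgi Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'AnyForm2', 'AnyForm2 Hole - Remote File Emailing');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'textcounter.pl', 'textcounter.pl Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'classifieds.cgi', 'classifieds.cgi Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'environ.cgi', 'environ.cgi Hole - Show Environmental Vars');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'wrap', 'wrap Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 'cgiwrap', 'cgiwrap Hole');
    &scan($host, $port, '200', 'OK', $dirtoscan, 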
'guestbook.cgi', 'guestbook.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'edit.pl', 'edit.pl Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'perlshop.cgi', 'perlshop.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'rguest.exe', 'rguest.exe Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'whois_raw.cgi', 'whois_raw.cgi Hole - Remote Command Execution'); &scan($host, $port, '200', 'OK', $dirtoscan, 'whois.cgi', 'Remote Command Execution'); &scan($host, $port, '200', 'OK', $dirtoscan, 'day5datacopier.cgi', 'IRIX remote exec'); &scan($host, $port, '200', 'OK', $dirtoscan, 'day5datanotifier.cgi', 'IRIX remote exec'); &scan($host, $port, '200', 'OK', $dirtoscan, 'dumpenv.pl', 'Sambar environment reading'); &scan($host, $port, '200', 'OK', $dirtoscan, 'upload.pl', 'Sambar server upload exploit'); &scan($host, $port, '200', 'OK', $dirtoscan, '/session/adminlogin?RCpage=/sysadmin/index.stm', 'Sambar r00ting'); &scan($host, $port, '200', 'OK', $dirtoscan, 'flexform.cgi', 'flexform.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'flexform', 'flexform Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'LWGate.cgi', 'LWGate.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'lwgate.cgi', 'lwgate.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'download.cgi', 'download.cgi Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'nlog-smb.pl', 'nlog-smb.pl Hole'); &scan($host, $port, '200', 'OK', $dirtoscan, 'webmap.cgi', 'webmap.cgi Hole'); } &footer(); sub header() { print "$ENV{'SERVER_PROTOCOL'} 200 OK\n"; print "Server: $ENV{'SERVER_SOFTWARE'}\n"; print "Content-type: text/html\n\n"; print "$bodycolors"; # print "
"; print "[ Infinity Scanner 3.11 Beta - CGI Exploit Scanner ]\n";
print "The Infinity Project: http://infinityproject.cjb.net\n";
print "
Script Written by Azrael
\n"; print "
Exploit Scanner hosted by: $yoursiteaddy\n
";
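# ------------------------------------------------------------------------
# Request parsing and target validation.
#
# Everything here comes from QUERY_STRING and is therefore attacker
# controlled.  $host is (a) passed to the nslookup binary, (b) written to
# the vulnerability log and (c) very likely echoed in the report page, so it
# is reduced to a strict hostname/IPv4 character set before any of that
# happens.  The previous approach -- tr/// substitutions that rewrote a few
# shell metacharacters but left backticks, $(), quotes, redirects and
# '+'-encoded spaces intact, then ran `$nslookuplocation $host` through the
# shell -- did not prevent command injection.
#
# Sets the globals %FORM, $host, $port, $errchk, $idsbypass, $hostname and
# $badstring1..5; calls &dienice (which exits) on any rejected input.
# ------------------------------------------------------------------------
foreach my $pair (split(/&/, $ENV{'QUERY_STRING'})) {
    my ($key, $value) = split(/=/, $pair, 2);
    next unless defined $key;
    $value = '' unless defined $value;
    # Decode application/x-www-form-urlencoded: '+' is a space, %XX a byte.
    # The original decoded only $host and did so after it had already
    # rewritten every '%', which made that decode a no-op.
    for ($key, $value) {
        tr/+/ /;
        s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
    }
    $FORM{$key} = $value;
}
$host = defined $FORM{'host'} ? $FORM{'host'} : '';
$port = defined $FORM{'port'} ? $FORM{'port'} : '';
$errchk = defined $FORM{'errchk'} ? $FORM{'errchk'} : '';
$idsbypass = defined $FORM{'idsbypass'} ? $FORM{'idsbypass'} : '';

# Targets the author never wants scanned.  These were used as unanchored
# regexes (so '.' matched any character); they are plain substrings and are
# now matched literally against the lowercased host.
$badstring1 = ".html";
$badstring2 = "http://";
$badstring3 = "infinityzone.cjb.net";
$badstring4 = "cjb.net";
$badstring5 = "infinityproject.cjb.net";
my @blocked = (
    [$badstring1, "The Scanner can't scan HTML files. There are no exploits for them!"],
    [$badstring2, "Don't Enter the http:// part of the server! Just enter foobar.com or www.foobar.com (substitute your server in for that)."],
    [$badstring3, "You best not be trying to scan [ The Infinity Zone ]!"],
    [$badstring4, "You are not allowed to scan cjb.net! Anyway, don't you realize that the subdomains in their network are not really on their network but rather its just a mask! Arg, some people!"],
    [$badstring5, "You best not be trying to scan [ The Infinity Project ]!"],
);
foreach my $rule (@blocked) {
    my ($needle, $message) = @$rule;
    &dienice($message) if index(lc($host), $needle) >= 0;
}

# Accept only what a hostname or dotted IPv4 literal can contain, refuse a
# leading '-' so the value cannot be taken as an option by nslookup, and
# re-assign from the capture so the value is untainted under -T.
if ($host eq '' || length($host) > 253) {
    &dienice("Invalid host name.");
}
if ($host =~ /\A([A-Za-z0-9][A-Za-z0-9.-]*)\z/) {
    $host = $1;
} else {
    &dienice("Invalid host name. Use only letters, digits, '.' and '-' (e.g. www.foobar.com).");
}

# $port: allow only a decimal TCP port.  An empty value is passed through
# unchanged so any default applied later in the script still takes effect.
if ($port ne '') {
    if ($port =~ /\A([0-9]{1,5})\z/ && $1 >= 1 && $1 <= 65535) {
        $port = $1;
    } else {
        &dienice("Invalid port number.");
    }
}

# Ask nslookup about the target without going through a shell: open("-|")
# forks and the child execs the binary with $host as a single argv element
# (the perlipc "safe pipe open").  The whole report is slurped into
# $hostname, as the backticks did.  NOTE(review): nslookup can block for the
# resolver timeout on an unreachable DNS server; there is no alarm here.
$hostname = '';
my $ns_pid = open(NSLOOKUP, "-|");
if (defined $ns_pid) {
    if ($ns_pid == 0) {
        # child: become nslookup; exit non-zero if it cannot be started
        exec($nslookuplocation, $host) or exit(1);
    }
    local $/;
    $hostname = <NSLOOKUP>;
    close(NSLOOKUP);
    $hostname = '' unless defined $hostname;
}

# Refuse government/military targets.  Check both what the user typed and
# what nslookup reported: the original looked only at nslookup output, so a
# missing nslookup binary silently disabled the check.  The text is
# lowercased, so the separate .GOV/.MIL checks could never match and are
# folded in here; \b keeps names such as "governor.example" from matching.
my $names = lc("$host\n$hostname");
if ($names =~ /\.gov\b/) { &dienice("No scanning .gov sites!"); }
if ($names =~ /\.mil\b/) { &dienice("No scanning .mil sites!"); }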
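# Blocked-sites list, maintained by the operator and read into
# @dontscanlist below.  The path is configuration rather than user input,
# but a three-argument open (perl 5.6+) still guarantees the file is opened
# read-only whatever the configured path looks like.  The bareword handle
# DONTSCAN is kept because the list is read from it further down.
open(DONTSCAN, '<', $dontscanlocation) or &dienice("Couldn't open the list of sites to not scan.\n");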
@dontscanlist = No Vulnerabilities Found\n"; }
else {
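# ------------------------------------------------------------------------
# Vulnerability log.  Written only when the scan ran with Advanced Error
# Checking (unchecked "200 OK" results are mostly noise), when $logvulns is
# on, and when the scan produced at most 35 findings -- that cap is what
# keeps the "WARNING - This can get big!" in the config from coming true.
# Record format: one header line with a timestamp, then one pipe-separated
# line per finding.  $hour/$min/$sec/$mon/$mday/$year and $usingErrChking
# are set elsewhere in the script (not visible in this block).
# ------------------------------------------------------------------------
if($errchk eq "yes") {
    if($logvulns == 1 and $#vulnArray < 35) {
        # Fields come from the request ($host, $port) and from the client's
        # reverse-DNS name (REMOTE_HOST).  Strip line breaks and the '|'
        # separator so a crafted value cannot forge or split log records.
        # The findings themselves are built from the probe table, not from
        # input, and are written as-is.
        my ($log_host, $log_port, $log_errchk, $log_rhost, $log_raddr) = map {
            my $field = defined $_ ? $_ : '';
            $field =~ s/[\r\n|]//g;
            $field;
        } ($host, $port, $usingErrChking, $ENV{'REMOTE_HOST'}, $ENV{'REMOTE_ADDR'});
        # Three-argument open (perl 5.6+) on a lexical handle: the path can
        # never change the mode, and the handle cannot leak to other code.
        open(my $vulnlog, '>>', $vulnloglocation)
            or &dienice("Couldn't open the vuln log for writing. Please make sure the file exists and is writable.\n");
        print {$vulnlog} "Scanned ${log_host}:${log_port} at ${hour}:${min}:${sec} on $mon/$mday/$year\n\n";
        foreach my $finding (@vulnArray) {
            print {$vulnlog} "Location: ${finding}|${log_host}:${log_port}|${log_errchk}|${log_rhost}|${log_raddr}\n";
        }
        print {$vulnlog} "\n";
        # Buffered write failures (disk full, quota) only surface at close.
        close($vulnlog) or &dienice("Couldn't finish writing the vuln log.\n");
    }
}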
}
print "
\n\n";
}
else { print "
\n\n"; }
}
sub footer() {
if($number == 0) { print "
Many thanks to rain.forest.puppy for the new ideas (see whisker). Check out his site!
[ Infinity Scanner 3.11 Beta - CGI Exploit Scanner ] Copyright 2000 Azrael, All Rights Reserved."; print "
"; } sub pingserver() { ($host, $port) = @_; print "
"; } } sub fingerprint() { ($host, $port) = @_; print "
";
}
# fastdircheck(DIR): send one "GET DIR HTTP/1.0" request to the target and
# report whether DIR is worth probing further.  The probe table compares the
# result against the string "yes", so that is the success value.
# NOTE(review): the response handling after send() is cut off in this
# listing (the text that follows is not valid Perl as shown), so how the
# verdict is derived cannot be confirmed here.
sub fastdircheck() {
# The directory to test; the name shadows the sub's own name as a global
# scalar.  Every caller in the probe table passes a path ending in '/'.
($fastdircheck) = @_;
# Fresh TCP socket on the global bareword handle CLIENT, which the
# per-probe code also uses.
socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
# $serverAddr is presumably the packed target address, built elsewhere (not
# visible here).  NOTE(review): connect()'s return value is not checked, so
# a refused connection still goes on to send() on an unconnected socket.
connect(CLIENT, $serverAddr);
# Bare HTTP/1.0 request: LF line endings rather than CRLF, and no Host:
# header, so a name-based virtual host answers for its default site rather
# than for the host being scanned.
send(CLIENT,"GET $fastdircheck HTTP/1.0\n\n",0);
$check= ";
}
sub determineservertype() {
($host, $port) = @_;
print " "; }
else { print "OK "; }
}
else { &dienice("Unable to connect to host"); }
}
sub scan() {
($host, $port, $errorcode, $extratext, $thedir, $thehole, $holeinfo) = @_;
print " $msg";
exit;
}
"; }
else { print "NONE FOUND
"; }
foreach $founddir (@gooddirs) {
print "
";
}
print "";
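# ------------------------------------------------------------------------
# Create the (global) client socket and confirm the target resolves.  The
# name is resolved once and the result reused: the original called
# gethostbyname() twice -- once for the message, once for the branch -- so a
# resolver that answered differently between the two calls could print the
# notice without closing the socket, or the reverse.  On failure the notice
# is printed and the socket closed; as before, execution then falls through
# (nothing in this block exits).
# ------------------------------------------------------------------------
socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
    or &dienice("Couldn't create a socket: $!");
my $target_addr = gethostbyname($host);   # packed IPv4 address, or undef
if (!$target_addr) {
    print "No IP address\n";
    close (CLIENT);
}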
sub dienice() {
($msg) = @_;
print "\n\nError:\n
Can't Resolve DNS/IP\n"; }
if(connect(CLIENT, $serverAddr)) {
$thewholeenchelada = "$thedir$thehole";
if($idsbypass eq "yes") { $thewholeenchelada =~ s/([-a-zA-Z0-9.])/sprintf("%%%x",ord($1))/ge; }
send(CLIENT,"GET $thewholeenchelada HTTP/1.0\n\n",0);
$check=
Location: $thedir$thehole\n\n";
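# Advanced Error Checking.  A matching status line alone is weak evidence,
# since a server may answer a missing file with a friendly "200" page, so
# the response lines in @output are searched for the operator-configured
# error phrases and every hit is counted in $errsfound.  The code that
# follows records the probe as a finding only when that count is zero.
if($errchk eq "yes") {
    $errsfound = 0;
    foreach my $line (@output) {
        foreach my $phrase (@errchkingarray) {
            # \Q..\E: the phrases are plain text from the config, not
            # patterns, so any metacharacter in them must match literally.
            next unless $line =~ /\Q$phrase\E/;
            print "\nWarning: Error Code \"$phrase\" ! Results may be invalid.\n\n";
            $errsfound++;
        }
    }
}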
# One more probe sent.  It is recorded as a finding only when the error
# check (if it ran) matched nothing in the response.
$number++;
push(@vulnArray, $thedir . $thehole) unless $errsfound;
}
}
print "