#! /usr/bin/perl # ============================================================================ # CGI 漏洞扫描软件 # ============================================================================
use Socket;
# Banner text shown at the top of the interactive menu.
$version = "Cgi Scanner v1.0";

# Probe table: display label => URL path that cgiscannerloop() sends in a
# bare "GET <path> HTTP/1.0" request. A label is reported as "Exploit Found"
# when the server answers that path with status 200, so this is only a
# presence check, not a verification that the resource is vulnerable.
#
# Two things a reader should know about this table:
#  * A Perl hash keeps one value per key. "Bugtraq ID 770" is used as the
#    key three times below, so only the last of those three paths survives
#    and the other two are never requested.
#  * Every value is a double-quoted string, so sequences such as "\f", "\."
#    and "\w" are processed as escapes and "$DATA" is interpolated as a
#    (never-assigned) variable. Several of the Windows/IIS entries therefore
#    do not reach the wire in the form they were written here.
%exploits = (
    "VTI PVT [service.pwd]" => "/_vti_pvt/service.pwd",
    "VTI PVT [administrators.pwd]" => "/_vti_pvt/administrators.pwd",
    "VTI BIN [shtml.exe]" => "/_vti_bin/shtml.exe",
    "un1g1.1" => "/cgi-bin/unlg1.1",
    "gH.cgi" => "/cgi-bin/gH.cgi",
    "nph-test-cgi(Bugtraq ID 686)" => "/cgi-bin/nph-test-cgi",
    "nph-publish" => "/cgi-bin/nph-publish",
    "Handler(Bugtraq ID 380)" => "/cgi-bin/handler",
    "Webdist.cgi(Bugtraq ID 374)" => "/cgi-bin/webdist.cgi",
    "faxsurvey" => "/cgi-bin/faxsurvey",
    "wwwboard.cgi" => "/cgi-bin/wwwboard.cgi",
    "campas" => "/cgi-bin/campas",
    "AT-admin.cgi" => "/cgi-bin/AT-admin.cgi",
    "filemail.pl" => "/cgi-bin/filemail.pl",
    "info2www" => "/cgi-bin/info2www",
    "files.pl" => "/cgi-bin/files.pl",
    "Finger" => "/cgi-bin/finger",
    "classifieds.cgi" => "/cgi-bin/classifieds.cgi",
    "environ.cgi" => "/cgi-bin/environ.cgi",
    "Webbbs.cgi(Bugtraq ID 803)" => "/cgi-bin/webbbs.cgi",
    "whois_raw.cgi(Bugtraq ID 304)" => "/cgi-bin/whois_raw.cgi",
    "Anyboard.cgi" => "/cgi-bin/AnyBoard.cgi",
    "/scripts/issadmin/bdir.htr" => "/scripts/issadmin/bdir.htr",
    "Msadc" => "/msadc/Samples/SELECTOR/showcode.asp",
    "/iisadmpwd/aexp2.htr" => "/iisadmpwd/aexp2.htr",
    "/iisadmpwd/anot3.htr" => "/iisadmpwd/anot3.htr",
    "5daydatacopier.cgi" => "/cgi-bin/day5datacopier.cgi",
    "passwd.txt" => "/cgi-bin/passwd.txt",
    "password" => "/cgi-bin/password",
    "/etc/group" => "/etc/group",
    "/~root" => "/~root",
    "Upload.pl" => "/cgi-bin/upload.pl",
    "formmail.pl" => "/cgi-bin/formmail.pl",
    "sendform.cgi" => "/cgi-bin/sendform.cgi",
    "_AuthChangeUrl" => "/cgi-bin/_AuthChangeUrl",
    "No-such-file.pl" => "/scripts/no-such-file.pl",
    "/......" => "/....../",
    "To long!" => "/.html/............./config.sys",
    "/_vti_pvt/shtml.exe" => "/_vti_pvt/shtml.exe",
    "/_vti_inf.html" => "/_vti_inf.html",
    "cgi-shl/win-c-sample.exe" => "/cgi-shl/win-c-sample.exe",
    "default.asp" => "/default.asp",
    "Server%20logfile" => "/server%20logfile",
    "dcmcfg.nsf" => "/domcfg.nsf/?open",
    "Webhits.exe" => "/scripts/samples/search/webhits.exe",
    "fpexplore.exe" => "/cgi-bin/fpexplore.exe",
    "gueryhit.htm" => "/samples/search/queryhit.htm",
    "ss.cfg" => "/ss.cfg",
    "visadmin.exe" => "/cgi-bin/visadmin.exe?user=guest",
    # "\." and "\w" are not recognised escapes in a double-quoted string.
    "input.bat(Bugtraq ID 762)" => "/cgi-bin/input.bat?|dir..\..\windows",
    # "$DATA" interpolates in both the key and the value here.
    "indes.asl::$DATA" => "/index.asp::$DATA",
    "//../../config.sys" => "//../../config.sys",
    "/../../config.sys" => "/../../config.sys",
    "main.asp%81" => "/main.asp%81",
    "/adsamples/config/site.csc" => "/adsamples/config/site.csc",
    "isn.dll" => "/scripts/iisadmin/ism.dll?http/dir",
    "Search.cgi(Bugtraq ID 921)" => "/cgi-bin/search.cgi",
    "bb-hist.sh(Bugtraq ID 142)" => "/cgi-bin/bb-hist.sh",
    "kcms_configure(Bugtraq ID 452)" => "/usr/openwin/bin/kcms_configure",
    # Contains spaces, so the request line sent for it is not well-formed.
    "Bugtraq ID 162" => "/cgi-bin/s97_cgi s97r_cgi tasmgr",
    "ppdscgi.exe(Bugtraq ID 491)" => "/cgi-bin/ppdscgi.exe",
    "dfire.cgi(Bugtraq ID 564)" => "/cgi-bin/dfire.cgi",
    "guestbook.pl(Bugtraq ID 776)" => "/cgi-bin/guestbook.pl",
    "Anyform.cgi(Bugtraq ID 719)" => "/cgi-bin/AnyForm.cgi",
    "w3-msql(Bugtraq ID 591, 898)" => "/cgi-bin/w3-msql",
    # Duplicate key, three times: only the last assignment is kept. "\f"
    # in the first and third values is a form-feed escape.
    "Bugtraq ID 770" => "/cgi-bin/tst.bat|type%20c:\file.txt",
    "Bugtraq ID 770" => "/cgi-bin/alibaba.pl|dir",
    "Bugtraq ID 770" => "/cgi-bin/tst.bat|type%20c:\file.txt",
    "status.cgi(Bugtraq ID 914)" => "/cgi-bin/status.cgi",
    "FormHandler 1.0, 2.0(Bugtraq ID 799, 798)" => "/cgi-bin/FormHandler.cgi",
    "webwho.pl(Bugtraq ID 892)" => "/cgi-bin/webwho.pl",
    "carbo.dll" => "/carbo.dll"
);

# Entry point: the whole program runs inside the interactive menu. Subs are
# compiled before this statement executes, so the forward call is safe.
&menu();
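# Interactive top-level menu. Prints the banner and the option list, reads
# one line from STDIN and dispatches on the leading number; anything else
# simply redisplays the menu. Never returns normally: option 5 exits the
# process, and after any other handler returns the menu is shown again.
#
# Fixes against the original: the five `if` statements were independent
# rather than an if/elsif chain, so every valid choice also fell into the
# trailing `else { &menu() }`; the readline operand had been lost; and
# chomp() replaces chop() so a final line without a newline is kept intact.
sub menu() {
    my %handler_for = (
        1 => \&cgiscanner,
        2 => \&infomessage,
        3 => \&exploitinfo,
        4 => \&helpmessage,
        5 => \&exitcgisonar,
    );

    while (1) {
        print "\n\n";
        print " $version\n\n";
        print " Based on source code of [ Infinity Scanner v1.3 ]\n\n";
        print " 1) Cgi Sonar\n";
        print " 2) About Cgi Sonar\n";
        print " 3) Exploit Info\n";
        print " 4) Help\n";
        print " 5) Exit\n";
        print "Command: ";

        my $selection = <STDIN>;
        # EOF on STDIN (e.g. piped input exhausted) would otherwise loop forever.
        exitcgisonar() unless defined $selection;
        chomp $selection;

        # The original compared numerically, so "1", " 1" and "1x" all
        # selected option 1; keep that by taking the leading integer.
        my $choice = ($selection =~ m{\A\s*(\d+)}) ? $1 + 0 : 0;
        my $handler = $handler_for{$choice};
        $handler->() if $handler;
        # Unknown choice, or handler returned: show the menu again.
    }
}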
# Choose a scanning front end: a host-list file when the package global
# $usehostlist is "yes", otherwise the single-host prompt. Nothing in this
# file assigns $usehostlist, so unless it is set elsewhere the single-host
# path is always taken.
sub cgiscanner() {
    my $wants_list = (defined $usehostlist and $usehostlist eq "yes");
    return exploituselist() if $wants_list;
    return exploitnouselist();
}
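# Scan every host named in a user-supplied list file, one host per line.
# Prompts for the file name and for logging, runs cgiscannerloop() on each
# non-blank line, then returns to the menu.
#
# Fixes against the original: the file was opened with the two-argument
# open(), so a name such as "|cmd" or ">foo" typed at the prompt would have
# been taken as a pipe or mode rather than a path; the handle is now
# lexical, the file is read line by line instead of slurped into a global
# array, chomp() replaces chop(), and blank lines are skipped. &dienice()
# is not defined in this file; if it returns, the menu is shown again.
sub exploituselist() {
    print "\nServerlist Filename: ";
    my $hostlist = <STDIN>;
    return menu() unless defined $hostlist;
    chomp $hostlist;

    # Three-argument open: the typed name is only ever treated as a path.
    open(my $list_fh, '<', $hostlist) or do {
        dienice("Can‘t open $hostlist");
        return menu();
    };

    print "\nEnable Logging?(Saved as gotcha.log) [yes or no]: ";
    $storelogs = <STDIN>;            # package global read by cgiscannerloop()
    $storelogs = '' unless defined $storelogs;
    chomp $storelogs;

    while (my $host = <$list_fh>) {
        chomp $host;
        $host =~ s/^\s+|\s+$//g;     # tolerate CRLF endings and padding
        next if $host eq '';
        # `&` bypasses the empty prototype declared on cgiscannerloop().
        &cgiscannerloop($host);
    }
    close($list_fh);

    menu();
}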
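# Prompt for a single host, ask whether to log hits, scan it, and return to
# the menu. Fixes against the original: the prompt typo ("Emable") now
# matches the wording used by exploituselist(), the lost readline operands
# are restored, and chomp() replaces chop() so input without a trailing
# newline is kept intact.
sub exploitnouselist() {
    print "\nHost: ";
    my $host = <STDIN>;
    return menu() unless defined $host;
    chomp $host;
    $host =~ s/^\s+|\s+$//g;

    print "\nEnable Logging?(Saved as gotcha.log) [yes or no]: ";
    $storelogs = <STDIN>;            # package global read by cgiscannerloop()
    $storelogs = '' unless defined $storelogs;
    chomp $storelogs;

    # `&` bypasses the empty prototype declared on cgiscannerloop().
    &cgiscannerloop($host);
    menu();
}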
# Probe one host: for every entry of %exploits open a fresh TCP connection
# to port 80, send a bare HTTP/1.0 GET for the path, and treat a 200 in the
# first response line as a hit. Prints each hit, appends it to ./gotcha.log
# when $storelogs is "yes", and prints a summary line when nothing matched.
#
# Reads package globals: %exploits, $storelogs, $verbosemode (nothing in
# this file assigns $verbosemode, so the "Not Found" lines are silent unless
# it is set elsewhere). Writes package globals: $host, $serverIP,
# $serverAddr, $number, $key, $check, $http, $code, $therest. Calls
# &dienice(), which is not defined in this file.
#
# NOTE(review): code kept exactly as extracted. The missing operand after
# "$check=" and the quote characters around tcp look like extraction
# damage (presumably a readline on CLIENT and 'tcp') — confirm against the
# original before treating this block as runnable.
sub cgiscannerloop() {
    # Arguments are joined with spaces, so only a single host is meaningful.
    $host = "@_";
    # Resolved once for the whole run; port 80 is hard-coded. If inet_aton
    # fails this is undef and every connect() below fails.
    $serverIP = inet_aton($host);
    $serverAddr = sockaddr_in(80, $serverIP);
    $number = 0;                      # hits so far, drives the summary line
    print "\n\nChecking $host for known exploits:\n\n";
    foreach $key (keys %exploits) {
        # A new socket per probe; one request per connection, no Host header.
        socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname(‘tcp‘));
        # Resolution is attempted twice per iteration: the first call only
        # prints, the second decides the branch. On failure the CLIENT
        # handle is left open until the next socket() reuses it.
        gethostbyname($host) or print "Ack! No Ip Address was entered\n";
        if(!gethostbyname($host)) {
            print "Can‘t Resolve host!\n";
        } else {
            if(connect(CLIENT, $serverAddr)) {
                # Request line ends in "\n\n" rather than CRLF CRLF; the
                # send() result is not checked.
                send(CLIENT,"GET $exploits{$key} HTTP/1.0\n\n",0);
                $check=;
                # The status code is the second space-separated field of
                # "HTTP/1.x CODE REASON".
                ($http,$code,$therest) = split(/ /,$check);
                # Only 200 counts as found: redirects, 401 and 403 are
                # reported as not found, while a server that answers every
                # path with 200 produces a hit for every entry.
                if($code == 200) {
                    print "Exploit Found: $key\nLocation: $exploits{$key}\n\n";
                    $number++;
                    if($storelogs eq "yes") {
                        # Appends to gotcha.log in the current directory.
                        # A failed open is reported via &dienice(), but the
                        # print and close still run afterwards.
                        open(GOTCHA, ">>gotcha.log") or &dienice("Couldn‘t open gotcha.log for writing. Please make sure the file exists and is writable.\n");
                        print GOTCHA "Exploit Found: $key\nServer: $host\nLocation: $exploits{$key}\n\n";
                        close(GOTCHA);
                    }
                } else {
                    if($verbosemode eq "y") { print "$key Exploits Not Found\n"; }
                }
            }
            # A refused or timed-out connect() is silent: no message, no log.
            close (CLIENT);
        }
    }
    if($number == 0) { print "No exploitable holes found on host $host\n"; }
}
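# "About" screen: prints the credit line and waits for Enter, like the
# other information screens. Fixes against the original: the lost readline
# operand is restored and, unlike exploitinfo()/helpmessage(), no prompt
# told the user the program was waiting for input. The line read is
# discarded, so it is not chomped.
sub infomessage() {
    print " Cgi Scanner v1.0 by Maxview\n\n";
    print "Press enter to continue...";
    my $ignored = <STDIN>;    # block until the user presses Enter
    return;
}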
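# "Exploit Info" screen: tells the user where to look up the labels the
# scanner reports, then waits for Enter. The site names in the text are
# truncated as extracted; they are user-facing strings and are left as
# found. Fix against the original: the lost readline operand is restored.
sub exploitinfo() {
    my @screen = (
        " Exploit Info\n\n",
        " If you are having trouble finding info on the exploits found\n",
        " on a certain host you have scanned... I strongly suggest you \n",
        " look for info on the exploits found on a host at the following\n",
        " sites... http://www., www.rootshell.com, or\n",
        " http://packetstorm.... If you are confused about\n",
        " the Bugtraq ID‘s... Then simply go to http://www.\n",
        " /level2/bottom.html?go=vulnerabilities and click on the Bugtraq ID\n",
        " tab and type in the ID number in the blank box... All the info\n",
        " you will need will be in the newly loaded page...\n\n",
    );
    print @screen;
    print "Press enter to continue...";
    my $ignored = <STDIN>;    # block until the user presses Enter
    return;
}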
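# "Help" screen: lists the menu commands and the prompts the scanner asks,
# then waits for Enter. Fixes against the original: the numbering now
# matches menu() (3 = Exploit Info, 4 = Help, 5 = Exit — the old text
# skipped Exploit Info and therefore described the wrong commands as 3 and
# 4), and the lost readline operand is restored.
sub helpmessage() {
    print " Help\n\n";
    print " Cgi Scanner command‘s\n\n";
    print " 1) Cgi Scanner- Scans for known Cgi exploits on a remote host...\n";
    print " 2) About Cgi Scanner- Informs you about Cgi Scanner...\n";
    print " 3) Exploit Info- Tells you where to look up the exploits reported...\n";
    print " 4) Help- Informs you on certain aspects of Cgi Scanner...\n";
    print " 5) Exit- It simply exits you out of the Cgi Scanner...\n\n";
    print " Sub command‘s\n\n";
    print " Host:- Allows you to type in the IP of the host you wish\n";
    print " to scan (e.g. 127.0.0.1)...\n";
    print " Enable Logging- Logs exploits found, Host IP, etc...\n";
    print " Thank you for using Cgi Scanner\n\n";
    print "Press enter to continue...";
    my $ignored = <STDIN>;    # block until the user presses Enter
    return;
}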
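# Terminate the program at the user's request. Fix against the original:
# a deliberate exit is not a failure, so the process status is 0 rather
# than 1 (which made shells and wrappers report the run as failed).
sub exitcgisonar() {
    exit 0;
}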
程序看上去很复杂，但实际上它的原理和用 C 语言编写的漏洞扫描器是一样的：都是先通过 Socket 与服务器建立连接，然后发送 GET 请求查询指定的文件是否存在（以服务器对该路径返回 200 状态码为判断依据），如果存在则报告文件的位置。这个程序中定义了很多种不同的漏洞，作为学习者应该努力掌握这些漏洞的原理和利用方法。