#!/usr/bin/perl
###############
#
# HTTPD AnaL v1.0 by CrZ [crazy_einstein@yahoo.com] [LimpidByte: lbyte.void.ru]
#
# This tool helps to you find all forms, cgi and pl on target site
#
###############
#
# Structure of this script (review notes):
#   - option parsing and global state set-up (no `use strict`/`use warnings`)
#   - a main loop that walks @path, a work list of URL paths to fetch
#   - lets_fun():   fetches one path over a raw TCP socket, logs <form>
#                   markup it finds, and queues links / .cgi / .pl targets
#   - linkfucker(): normalises a found link to a site-relative path or
#                   returns the sentinel "ERRRRRROR" to skip it
#
# NOTE(review): several regex literals in this copy look damaged (see the
# inline notes at the `while (... =~ s/...//is)` loops): alternatives that are
# empty `()` and patterns beginning with `]` and unbalanced `)`. The tag text
# that presumably preceded them seems to have been stripped. Confirm against
# the original source before relying on what these patterns match.
use IO::Socket;
# Require at least two arguments (e.g. "-h host"); otherwise print usage and exit.
unless(@ARGV > 1) { &usage; }

# Print the command-line help and terminate the program.
# Takes no arguments; never returns (calls exit).
sub usage {
    print "\nHTTPda v1.0 by CrZ [crazy_einstein\@yahoo.com] LimpidByte\n\n";
    print "USAGE:\n";
    print "$0 <-h host> [-p port] [-l logfilename] [-s]\n";
    print "Where -s is option for visible search.\n\n";
    print "Examples:\n";
    print "$0 -h www.host.com\n";
    print "$0 -h www.host.com -p 80 -l www.host.com.log\n\n";
    exit;
}

# Default log file name; overridden by "-l <file>" below.
$log="httpda.log";
# Three alternative request-header tails; one is appended to each GET request.
# Each entry already ends with the blank line ("\n\n") that terminates the request.
@faker = (
    "Accept: */*\n" . "Accept-Language: en-us\n" . "Accept-Encoding: deflate\n" . "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\n\n",
    "Accept: */*\n" . "Accept-Language: en-us\n" . "Accept-Encoding: deflate\n" . "User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)\n\n",
    "Accept: */*\n" . "Accept-Language: en-us\n" . "Accept-Encoding: deflate\n" . "User-Agent: Mozilla/4.1 (compatible; MSIE 6.0; Windows 2000)\n\n",
);
print "[begin...]";
# defualt settings ############
$port=80;
$flg=0;            # set to 1 once "-h <host>" has been seen
$pathcount=1;      # NOTE(review): not read anywhere in this file
$showpage="0";     # "allow" (set by -s) prints each page as it is checked
$debug="disallow"; # "allow" enables the extra FOUND/Recv diagnostics; no option sets it
###############################
# Option parsing. Each flag's value is the following argv element.
# NOTE(review): the bound is `<=@ARGV`, so the last iteration reads one past
# the end of @ARGV; it compares undef with eq and is harmless, but `<` is the
# intended bound.
for($i=0;$i<=@ARGV;$i++) {
    if($ARGV[$i] eq "-h") { $host=$ARGV[$i+1]; $flg=1; }
    if($ARGV[$i] eq "-p") { $port=$ARGV[$i+1]; }
    if($ARGV[$i] eq "-l") { $log=$ARGV[$i+1]; }
    if($ARGV[$i] eq "-s") { $showpage="allow"; }
}
# "-h" is mandatory.
if($flg==0) { &usage; }
# Work list of paths to fetch, and the list of scripts found.
@path="/";
@cgilist="";
# NOTE(review): these three are *arrays*; the de-duplication below uses the
# *hashes* %pathcpy, %cgilistcpy and %forms, which are different variables.
# These array assignments therefore have no effect on the crawl.
@pathcpy="";
@cgilistcpy="";
@forms="";
$num=0;            # index of the next @path entry to fetch
# adding tmp / link ############
# Seeds the work list with "/" a second time (after @path="/" above) and marks
# it as seen in %pathcpy so later discoveries of "/" are not queued again.
$bla="/";
$#path++;
$bla=~ s/\n//g;
$path[$#path] = "$bla";
$pathcpy{$bla} = "";
################################
# Create/truncate the log file.
# NOTE(review): two-argument open lets mode characters in $log (which comes
# straight from "-l" on the command line) change the open mode; the
# three-argument form `open(LOGS, '>', $log)` treats $log purely as a name.
# The handle is later re-opened in ">>" mode for each hit and never closed
# explicitly; buffered output is flushed at exit.
open (LOGS, ">$log") || die "ERROR: Can't Create LOGS file\n";
print LOGS "\n\nResults for $host:\n";
print LOGS "-" x 11 ."\n";
print "\n[+] Connecting to $host: \n";
#while(1) {
# foreach $link (@path) {
# if($link ne "ERRRRRROR") {
# $error=lets_fun($host,$port,$link);
# }
# }
#}
# Main crawl loop: fetch @path entries in order until the index passes the
# last element. lets_fun() appends newly found paths to @path, so the list
# grows while it is being walked.
while(1) {
    # NOTE(review): `break` is not a Perl keyword (it is a bareword here);
    # the `exit` that follows is what actually ends the program.
    if($num>$#path) { print "\n[+] DONE! 
EXIT!\n"; break; exit; }
    # NOTE(review): $link is never assigned in this loop (only the
    # commented-out version above set it), so this test is always true and
    # $path[$num] itself is not checked against the sentinel.
    if($link ne "ERRRRRROR") { $error=lets_fun($host,$port,$path[$num++]); }
}

# Go to scan ##################################
# Fetch one page and harvest what it references.
#
# Arguments: ($host, $port, $link) — target host, TCP port, and the path to GET.
# Returns:   $error — 0 when the page answered 200 (or 301 was re-requested),
#            1 otherwise. On connection failure or an IIS "Server:" header the
#            whole program exits instead of returning.
# Side effects: prints to STDOUT, appends to the LOGS file, and pushes newly
#            found paths onto the global @path / @cgilist (de-duplicated via
#            the global hashes %pathcpy, %cgilistcpy, %forms).
sub lets_fun {
    my ($host, $port, $link)=@_;
    my ($sock, @data, $error, $srv);
    $error=0;
    ### Connecting to host
    # print "\n[+] Connecting to $host: ";
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => $port );
    if (!$sock) { $error=1; print "[-] ERROR: Could't connect\n"; exit; }
    # print "[+] Success!\n";
    # Hand-built HTTP/1.0 request; line endings are bare "\n", not "\r\n".
    # NOTE(review): rand($#faker) ranges over [0, last index), so the last
    # @faker entry is never selected; rand(@faker) would cover all of them.
    print $sock "GET $link HTTP/1.0\nHost: $host\n". $faker[int(rand($#faker))];
    @data=<$sock>;
    close ($sock);
    # checking our page, we hope that it exist ;) ##########
    # print "Checking page: ";
    # Status check is a substring match on the first response line.
    if ($data[0] =~ /200/) {
        # print "OK\n";
    } else {
        if($data[0] =~ /301/) {
            # On 301, re-request the path with a trailing slash appended.
            $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => $port );
            if (!$sock) { $error=1; print "[-] ERROR: Could't connect\n"; exit; }
            # print "[+] Success!\n";
            # NOTE(review): this appends $link to itself ("/a" becomes "/a/a/");
            # `$link .= "/"` is presumably what was meant.
            $link.=$link. "/";
            print $sock "GET $link HTTP/1.0\nHost: $host\n". $faker[int(rand($#faker))];
            @data=<$sock>;
            close ($sock);
        } else {
            # print "Not success answer (not 200OK)\n";
            $error=1;
        }
    }
    ### IIS filter
    # print "Checking web server: ";
    # Keep the last "Server:" header line (CR stripped); $srv stays undef if
    # the response has none.
    foreach (@data){ if (/^server:/i){ $_ =~ s/\r//g; $srv=$_; } }
    if ($srv =~ /IIS/) { print "IIS not supported yet! Sorry! 
Exit...\n"; $error=1; exit; }
    # Whole response (headers and body) as one string; the patterns below
    # consume matches from it.
    $sdata = join('',@data);
    if($showpage eq "allow") { print "\n[Checking page $link]"; }
    # open (LOGS, ">>$log") || die "ERROR: Can't Create LOGS file\n";
    # print LOGS "[PAGE=$link]\n- - - - - - FORMS - - - - - -\n";
    # searching for forms ###################
    # Each match is removed from $sdata and logged once (tracked in %forms).
    # NOTE(review): as written, the first and third alternatives are empty
    # `()`, which always match the empty string, so this loop could never
    # terminate; the opening-tag text appears to be missing from this copy.
    while ($sdata =~ s/()|(<\/form>)|()//is) {
        if(exists $forms{$&} ) { $nope=1; }
        else {
            print "\n$&";
            open (LOGS, ">>$log") || die "ERROR: Can't Create LOGS file\n";
            print LOGS "$&\n";
            $forms{$&} = "";
        }
    }
    # print "\n- - - - - - SCRIPTS - - - - - -\n";
    # open (LOGS, ">>$log") || die "ERROR: Can't Create LOGS file\n";
    # print LOGS "\n- - - - - - SCRIPTS - - - - - -\n";
    # searching for links ###################
    # Pull link targets out of $sdata one at a time; $+ is the last capture
    # group that participated in the match. The first alternative picks the
    # quoted argument out of a javascript:...(...) call.
    # NOTE(review): the three `s/]))).*?>//is` patterns have unbalanced `)`
    # and would not compile as shown; the text before `]` is presumably lost.
    while ( ($sdata =~ s/javascript.+?\((("(.+?)")|('(.+?)')).+?\)//is) || ($sdata =~ s/]))).*?>//is) || ($sdata =~ s/]))).*?>//is) || ($sdata =~ s/]))).*?>//is) ) {
        if($debug eq "allow") { print "FOUND: $+\n"; }
        $tmp=$+;
        if ($+ =~ /(\.cgi)|(\.pl)/i) {
            # Script reference: normalise, then record in @cgilist and the log.
            if($debug eq "allow") { print "Recv script: $tmp\n"; }
            $bla=linkfucker($host,$link,$tmp);
            if($debug eq "allow") { print "script after linkfucker: $tmp\n"; }
            if($bla ne "ERRRRRROR") {
                if( exists $cgilistcpy{$bla} ) { $nope=1; }
                else {
                    $#cgilist++;
                    $cgilist[$#cgilist] = "$bla";
                    print "\nscript: $bla";
                    $cgilistcpy{$bla} = "";
                    open (LOGS, ">>$log") || die "ERROR: Can't Create LOGS file\n";
                    print LOGS "script: $bla\n";
                }
            }
        } else {
            # Ordinary link: normalise, then queue it for the main loop.
            if($debug eq "allow") { print "Recv link: $tmp\n"; }
            $bla=linkfucker($host,$link,$tmp);
            if($debug eq "allow") { print "link after linkfucker: $tmp\n"; }
            if($bla ne "ERRRRRROR") {
                if( exists $pathcpy{$bla} ) { $nope=1; }
                else {
                    $#path++;
                    $bla=~ s/\n//g;
                    $path[$#path] = "$bla";
                    $pathcpy{$bla} = "";
                }
            }
        }
    }
    # print "\n- - - - - - END - - - - - -\n";
    # open (LOGS, ">>$log") || die "ERROR: Can't Create LOGS file\n";
    # print LOGS "\n- - - - - - END - - - - - -\n";
    return ($error);
}

# function that works\analises with found links ##########################
# Normalise a link found on a page to a site-relative path.
#
# Arguments: $_[0] host, $_[1] path of the page the link was found on,
#            $_[2] the raw link text.
# Returns:   a path starting with "/" (absolute links to $host are stripped to
#            their path, relative links are joined to the page's directory), or
#            the sentinel string "ERRRRRROR" for links that point off-site or
#            contain any of the rejected characters / file extensions below.
# NOTE(review): all three are package globals, not `my` variables, and $a is
# also Perl's `sort` comparison variable; $host and $link shadow the callers'
# globals of the same name.
sub linkfucker {
    $host= $_[0];
    $link= $_[1];
    $a= $_[2];
    # print
    # NOTE(review): bare string in void context — has no effect. It looks like
    # a commented-out print whose "#" ended up on the previous line.
"non a: $a\n";
    # Re-close a quote so the tag-stripping pattern below can find its end.
    if($a =~ /(\")/i) { $a = $a."\">"; }
    if($a =~ /(\')/i) { $a = $a."'>"; }
    # NOTE(review): same damaged `]))).*?>` pattern as in lets_fun.
    if( ($a =~ s/]))).*?>//is) || ($a =~ s/]))).*?>//is) ) {$a = $+;}
    # Reject links containing quote/bracket/separator characters and common
    # binary or document extensions (case-insensitive substring match).
    if($a =~ /(\/\.pl)|(\()|(\))|(<)|(>)|(\")|(\')|(;)|(\.jpg)|(\.mpg)|(\.jpeg)|(\.bmp)|(\.pdf)|(\.avi)|(\.mpeg)|(\.doc)|(\.xls)|(\.gif)|(\@)|(,)|(\.exe)|(\.rar)|(\.tar)|(\.gz)|(\.bz)|(\.zip)|(\.arj)|(\.rpm)/i ) { return "ERRRRRROR"; }
    # printf "a: $a\n";
    # Absolute URL: keep only if it is on $host, then reduce to its path.
    if ($a =~ m|^http://|i) {
        if ($a !~ s|^http://$host||i) {return "ERRRRRROR";}
        if ($a eq "") {return "/";}
    }
    if ($a =~ m|^/|) {return $a;}
    # Relative link: prefix with the directory part of the current page path.
    # NOTE(review): $& is the last *successful* match; if $link holds no "/"
    # this match fails and $& still refers to an earlier match.
    $link =~ m|.*/|;
    return $&.$a;
}