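#!/usr/bin/perl5.00405
#######################################
# Filename: http.saint
#######################################
# This module contains SAINT-US code from WWDSI which is regulated in
# accordance with the distribution file LICENSE.WWDSI.
#
# This routine was developed with the assistance of Advanced Research
# Corporation (r).
#
# Checks a web server's /cgi-bin for programs with known weaknesses and
# emits one SAINT record per hit through saint_print (perl/misc.pl).
#
#   Usage: http.saint <port|service[:TCP]> <target>
#
# The report fields ($service, $status, $trustee, $trusted,
# $service_output, $text, $severity) are package globals read by
# saint_print, and the interpreter is perl 5.004, so this file stays
# strict-free and uses bareword filehandles on purpose.

require 'config/paths.pl';   # $SERVICES, $TCP_SCAN
require 'perl/misc.pl';      # saint_print

# Requests sent to the server exactly as written (they carry their own
# line endings).  A hit is any response line containing "PATH".
@cgi_red_1 = ("GET /cgi-bin/phf?QALIAS=x%0Aset\n",
              "GET /cgi-bin/webdist.cgi?distloc=;set\n",
              "GET /cgi-bin/campas%%0Aset%%OA\n",
              "GET /cgi-bin/handler/useless_shit;set?data=Download\n",
              "GET /cgi-bin/htmlscript?../../../../..set\n\n",
              "GET /cgi-bin/icat?set\n\n",
              "GET /cgi-bin/php.cgi?set\n",
              "GET /cgi-bin/count.cgi\n",
              "GET /cgi-bin/jj?set\n",
              "GET /cgi-bin/pfdispaly?../../../../..set\n\n",
              "GET /cgi-bin/pfdispaly.cgi?../../../../..set\n\n",
              "GET /cgi-bin/faxsurvey?/bin/set\n\n");

# Programs requested as "<request> HTTP/1.0"; a hit is a response line
# containing "200".  Reported as unauthorized access.
@cgi_red_2 = ("GET /cgi-bin/info2www",
              "GET /cgi-bin/textcounter.pl",
              "GET /cgi-bin/glimpse",
              "GET /cgi-bin/aglimpse",
              "GET /cgi-bin/webgais",
              "GET /cgi-bin/perl",
              "GET /cgi-bin/perl.exe",
              "GET /cgi-bin/www-sql",
              "GET /cgi-bin/view_source",
              "GET /cgi-bin/websendmail");

# Shell interpreters that should never be reachable from cgi-bin.
@cgi_red_3 = ("GET /cgi-bin/csh",
              "GET /cgi-bin/bash",
              "GET /cgi-bin/zsh",
              "GET /cgi-bin/ash",
              "GET /cgi-bin/ksh",
              "GET /cgi-bin/sh",
              "GET /cgi-bin/tcsh");

# Programs that leak system information; reported at lower severity.
@cgi_brown = ("GET /cgi-bin/test-cgi",
              "GET /cgi-bin/dumpenv.pl",
              "GET /cgi-bin/nph-test-cgi",
              "GET /cgi-bin/wwwboard.pl",
              "GET /cgi-bin/wwwboard.cgi",
              "GET /cgi-bin/wwwboard",
              "GET /cgi-bin/wrap",
              "GET /cgi-bin/wrap.pl",
              "GET /cgi-bin/wrap.cgi",
              "GET /cgi-bin/finger",
              "GET /cgi-bin/finger.pl",
              "GET /cgi-bin/finger.cgi");

# Prefix stripped from a request when naming the program in a report.
$cgi_rm = "GET \/cgi-bin\/";

# Both arguments are required: the target is read from $ARGV[1], so a
# single argument would silently scan an empty host.
die "Usage: $0 port|service target\n" if @ARGV < 2;

$port   = $ARGV[0];
$target = $ARGV[1];

if ($ARGV[0] =~ /:/) {
    # "<number>:TCP" form: the port number is given explicitly.
    $port =~ s/:TCP//;
}
else {
    # Service name: resolve it through the SAINT services file first.
    my %port_name;
    open(SERVICES, "< $SERVICES") or die "$0: cannot open $SERVICES: $!\n";
    while (<SERVICES>) {
        $port_name{$1} = $2 if /(\S+)\s+([0-9]+)\/tcp/;
    }
    close(SERVICES);
    $port = $port_name{$ARGV[0]} if $port_name{$ARGV[0]};
}

# Fall back to the system services database, and refuse to scan without
# a port rather than handing $TCP_SCAN an empty argument.
$port = getservbyname($ARGV[0], "tcp") unless $port;
die "$0: cannot resolve port for $ARGV[0]\n" unless $port;

# Look at bad cgi's: these requests already contain their line endings.
foreach my $cgi_test (@cgi_red_1) {
    if (_probe_hit($cgi_test, 'PATH')) {
        my $name = _cgi_name($cgi_test);
        _report("http cgi access",
                "Unauthorized Access via Web Server ($name)", "us");
    }
}

# Look at not so bad cgi's.
foreach my $cgi_test (@cgi_brown) {
    if (_probe_hit("$cgi_test HTTP/1.0\n\n", '200')) {
        my $name = _cgi_name($cgi_test);
        _report("http cgi info",
                "CGI Gives Information about System ($name)", "zcio");
    }
}

# Look at bad other cgi's.
foreach my $cgi_test (@cgi_red_2) {
    if (_probe_hit("$cgi_test HTTP/1.0\n\n", '200')) {
        my $name = _cgi_name($cgi_test);
        _report("http cgi access",
                "Unauthorized Access via Web Server ($name)", "us");
    }
}

# Look at cgi's that might be the shell interpreters.
foreach my $cgi_test (@cgi_red_3) {
    if (_probe_hit("$cgi_test HTTP/1.0\n\n", '200')) {
        my $name = _cgi_name($cgi_test);
        _report("http cgi shells",
                "($name) is present in the cgi-bin directory", "ns");
    }
}

# Send $request to $target:$port through $TCP_SCAN and return true if
# any line of its output matches $pattern.
#
# The child process execs $TCP_SCAN directly (forked "-|" open plus
# list-form exec) so that the request text, the target and the port are
# never parsed by a shell; the original "$TCP_SCAN $args|" form let a
# crafted target or port string run arbitrary commands on the scanner.
sub _probe_hit {
    my ($request, $pattern) = @_;

    my $pid = open(SCAN, "-|");
    die "Can't fork for $TCP_SCAN: $!\n" unless defined $pid;
    unless ($pid) {
        # NOTE(review): assumes $TCP_SCAN in config/paths.pl is a bare
        # program path with no embedded options -- confirm.
        exec($TCP_SCAN, '-bs', $request, $target, $port)
            or die "Can't exec $TCP_SCAN: $!\n";
    }

    # Read everything before closing so the child is not killed mid-write.
    my @lines = <SCAN>;
    close(SCAN);

    # NOTE(review): the match is deliberately as loose as the original
    # ("200"/"PATH" anywhere in a line); tighten it once the exact output
    # format of $TCP_SCAN -bs is confirmed.
    return scalar grep { /$pattern/ } @lines;
}

# Reduce a request to the program name used in the report text: strip
# the "GET /cgi-bin/" prefix and drop everything from the first "?" or
# line end onward (the original chopped characters until neither
# remained, which is the same result without mutating the probe lists).
sub _cgi_name {
    my ($request) = @_;
    (my $name = $request) =~ s/^$cgi_rm//i;
    $name =~ s/[?\n].*//s;
    return $name;
}

# Fill the globals saint_print reads and emit one SAINT record.
#   $output   - the $service_output field (e.g. "http cgi access")
#   $message  - the human-readable $text field
#   $sev      - the SAINT severity code ("us", "zcio", "ns")
sub _report {
    my ($output, $message, $sev) = @_;
    $service        = $ARGV[0];
    $status         = "a";
    $trustee        = "ANY\@ANY";
    $trusted        = "ANY\@ANY";
    $service_output = $output;
    $text           = $message;
    $severity       = $sev;
    saint_print();
    return;
}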