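/*
 * Cgi Scan v3.1 - probes a web server for 44 well-known vulnerable CGI
 * programs and FrontPage password files.
 *
 * Based on Ech0's cgi scanner; modified and re-written by Guilecool
 * (### - ircNET - ImperialS). Thanks to ImPeRiAlS.
 *
 * Only the probes the target answers with an HTTP 200 are printed, so the
 * output shows what is actually present. A 200 only proves that the path
 * is served; whether the program behind it is exploitable still has to be
 * confirmed by hand. Run this only against hosts you are authorised to test.
 *
 * Review notes on this revision:
 *  - the "Found" test looks at the status code on the HTTP status line; the
 *    old strstr(reply, "200") also fired on "Content-Length: 1200" or a Date
 *    header, i.e. produced false positives;
 *  - replies are NUL-terminated before being printed or searched; the old
 *    single recv() into a 1024-byte buffer could leave it unterminated;
 *  - every probe socket is closed (one descriptor per probe used to leak)
 *    and a failed connect() no longer sends/recvs on the dead socket;
 *  - the loop ran count 1..43 and silently skipped the 44th probe;
 *  - requests use CRLF line endings as HTTP requires.
 *
 * Usage: ./cgi www.server.com [-d]
 *   -d   also print the status line every probe received (the original
 *        parsed this flag but never used it).
 */
#define _POSIX_C_SOURCE 200809L

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

enum {
    HTTP_PORT = 80,
    RESP_BUF = 1024,          /* bytes of each reply kept for inspection */
    RECV_TIMEOUT_SEC = 10     /* give up on a host that accepts but never answers */
};

/* One probe: the request path and the label printed when it is found. */
struct probe {
    const char *path;
    const char *label;
};

static const struct probe probes[] = {
    { "/cgi-bin/unlg1.1",              "UnlG " },
    { "/cgi-bin/phf",                  "phf " },
    { "/cgi-bin/Count.cgi",            "Count.cgi " },
    { "/cgi-bin/test-cgi",             "test-cgi " },
    { "/cgi-bin/nph-test-cgi",         "nph-test-cgi " },
    { "/cgi-bin/php.cgi",              "php.cgi " },
    { "/cgi-bin/handler",              "handler " },
    { "/cgi-bin/webgais",              "webgais " },
    { "/cgi-bin/websendmail",          "websendmail " },
    { "/cgi-bin/webdist.cgi",          "webdist.cgi " },
    { "/cgi-bin/faxsurvey",            "faxsurvey " },
    { "/cgi-bin/htmlscript",           "htmlscript " },
    /* "pfdispaly" is the real (misspelled) name of the SGI script; keep it. */
    { "/cgi-bin/pfdispaly.cgi",        "pfdisplay " },
    { "/cgi-bin/perl.exe",             "perl.exe " },
    { "/cgi-bin/wwwboard.pl",          "wwwboard.pl " },
    { "/cgi-bin/www-sql",              "www-sql " },
    { "/cgi-bin/view-source",          "view-source " },
    { "/cgi-bin/campas",               "campas " },
    { "/cgi-bin/aglimpse",             "aglimpse " },
    { "/cgi-bin/man.sh",               "man.sh " },
    { "/cgi-bin/AT-admin.cgi",         "AT-admin.cgi " },
    { "/cgi-bin/filemail.pl",          "filemail.pl " },
    { "/cgi-bin/maillist.pl",          "maillist.pl " },
    { "/cgi-bin/jj",                   "jj " },
    { "/cgi-bin/info2www",             "info2www " },
    { "/cgi-bin/files.pl",             "files.pl " },
    { "/cgi-bin/finger",               "finger " },
    { "/cgi-bin/bnbform.cgi",          "bnbform.cgi " },
    { "/cgi-bin/survey.cgi",           "survey.cgi " },
    { "/cgi-bin/AnyForm2",             "AnyForm2 " },
    { "/cgi-bin/textcounter.pl",       "textcounter.pl " },
    { "/cgi-bin/classifieds.cgi",      "classifieds.cgi " },
    { "/cgi-bin/environ.cgi",          "environ.cgi " },
    { "/_vti_pvt/service.pwd",         "service.pwd " },
    { "/_vti_pvt/users.pwd",           "users.pwd " },
    { "/_vti_pvt/authors.pwd",         "authors.pwd " },
    { "/_vti_pvt/administrators.pwd",  "administrators.pwd " },
    { "/cgi-dos/args.bat",             "args.bat " },
    { "/cgi-win/uploader.exe",         "uploader.exe " },
    { "/search97.vts",                 "search97.vts " },
    { "/carbo.dll",                    "carbo.dll " },
    { "/cgi-bin/fpexplore.exe",        "fpexplore.exe " },
    { "/cfdocs/expeval/openfile.cfm",  "openfile.cfm " },
    { "/cgi-bin/whois_raw.cgi",        "whois.cgi " },
};
#define NPROBES (sizeof probes / sizeof probes[0])

/* The ASCII-art banner shown in the usage text and at the start of a scan. */
static void print_banner(void)
{
    static const char banner[] =
        "\n _ _ __ ___ _ _ _ _ __ ___ _ _ _ _ __ ___ _ _ "
        "\n( )_( )/. | / __)( )_( ) ( )_( )/. | / __)( )_( ) ( )_( )/. | / __)( )_( )"
        "\n ) _ ((_ _)`__ ` ) _ ( ) _ ((_ _)`__ ` ) _ ( ) _ ((_ _)`__ ` ) _ ( "
        "\n(_) (_) (_) (___/(_) (_) (_) (_) (_) (___/(_) (_) (_) (_) (_) (___/(_) (_)"
        "\n Presents"
        "\n [ Cgi Scanner ]"
        "\n v3.1"
        "\n ### - ImPeRiAlS KreW - Guilecool "
        "\n";
    fputs(banner, stdout);
}

/*
 * Open a TCP connection to addr (port already set) with a receive timeout.
 * Returns the socket, or -1 after reporting the error with perror().
 */
static int open_http(const struct sockaddr_in *addr)
{
    struct timeval tv = { .tv_sec = RECV_TIMEOUT_SEC, .tv_usec = 0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0) {
        perror("socket");
        return -1;
    }
    /* Best effort: without it a silent host would block the whole scan. */
    (void)setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (connect(fd, (const struct sockaddr *)addr, sizeof *addr) != 0) {
        perror("connect");
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * Send req and read the start of the reply into buf, at most size-1 bytes.
 * buf is always NUL-terminated. Returns the number of bytes read, or -1 if
 * the request could not be sent.
 */
static ssize_t exchange(int fd, const char *req, char *buf, size_t size)
{
    size_t got = 0;

    buf[0] = '\0';
    if (send(fd, req, strlen(req), 0) < 0) {
        perror("send");
        return -1;
    }
    /* recv() may hand the reply back in pieces; keep reading until the buffer
     * is full, the server closes (HTTP/1.0 closes after one reply) or the
     * receive timeout fires. */
    while (got < size - 1) {
        ssize_t n = recv(fd, buf + got, size - 1 - got, 0);
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    buf[got] = '\0';
    return (ssize_t)got;
}

/*
 * True when resp begins with an HTTP status line whose status code is 200,
 * e.g. "HTTP/1.0 200 OK". Only the first line is examined so that a "200"
 * inside a header or the body cannot produce a false positive.
 */
static int status_is_200(const char *resp)
{
    size_t line = strcspn(resp, "\r\n");
    const char *sp;

    if (strncmp(resp, "HTTP/", 5) != 0)
        return 0;
    sp = memchr(resp, ' ', line);
    if (sp == NULL || (size_t)(sp - resp) + 4 > line)
        return 0;
    /* Three-digit code right after the version, followed by end of line or
     * the reason phrase (so "2001" would not match). */
    return strncmp(sp + 1, "200", 3) == 0 &&
           (sp + 4 == resp + line || sp[4] == ' ');
}

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct sockaddr_in sin;
    char buffer[RESP_BUF];
    int debug = 0;
    int fd;
    size_t i;

    if (argc < 2) {
        print_banner();
        printf("\nUsage: ./cgi www.server.com [-d]\n\n");
        return EXIT_FAILURE;
    }
    /* The original tested strstr("-d", argv[2]) with the arguments reversed,
     * which also accepted "-", "d" and "". */
    if (argc > 2 && strcmp(argv[2], "-d") == 0)
        debug = 1;

    he = gethostbyname(argv[1]);
    if (he == NULL) {
        fprintf(stderr, "gethostbyname: cannot resolve %s\n", argv[1]);
        return EXIT_FAILURE;
    }
    /* Copy only an address of the size sin_addr can hold. */
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof sin.sin_addr ||
        he->h_addr_list[0] == NULL) {
        fprintf(stderr, "%s: no IPv4 address\n", argv[1]);
        return EXIT_FAILURE;
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(HTTP_PORT);
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof sin.sin_addr);

    print_banner();
    printf("\nCgi Scan v3.1");
    printf("\n\nPress any key to continue\n\n");
    (void)getchar();

    printf("\nReceiving Httpd Version\n\n");
    fd = open_http(&sin);
    if (fd >= 0) {
        if (exchange(fd, "HEAD / HTTP/1.0\r\n\r\n", buffer, sizeof buffer) > 0)
            printf("%s", buffer);
        close(fd);
    }

    printf("\n\nReceiving Cgi Details\n\n");
    for (i = 0; i < NPROBES; i++) {
        char req[256];

        snprintf(req, sizeof req, "GET %s HTTP/1.0\r\n\r\n", probes[i].path);
        fd = open_http(&sin);
        if (fd < 0)
            continue;
        if (exchange(fd, req, buffer, sizeof buffer) > 0) {
            if (debug)
                printf("%s: %.*s\n", probes[i].label,
                       (int)strcspn(buffer, "\r\n"), buffer);
            if (status_is_200(buffer))
                printf("%s : Found\n", probes[i].label);
        }
        close(fd);
    }

    printf("\nScan Complete\n\n");
    printf("Guilecool -- ### impsrewl@hotmail.com\n\n");
    return EXIT_SUCCESS;
}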