#!/usr/bin/perl
#
# This is a ordinary CGI scanner, the only
# differance is that it read CGI vulns from
# a database file which can be used to your
# advantage if would like to scan for certain
# CGI flaws you can put it in a file and the 
# scanner would attemp them. 
#
# syntax:
# 
#  -p    :  specifies port.
#  -h    :  specifies host.
#  -d    :  specifies what file should be used as database.
#  -m    :  specifies if the scanner should mass scan.
#  -l    :  specifies if the scanner should log the scan.
#
# Example:
#
# perl cscan.pl -p 80 -h 127.0.0.1 -d cgi.database -l blah.log : Example of single scan
# perl cscan.pl -p 80 -m 127.0.0.1-255 -d cgi.database -l blah.log : Example of mass scan
#
# if -d is specified with out a database file it will use defualt db.
#
# That pretty much somes it up. Enjoy!
#
# Greets: NtWaK0, izik, sagi, Psydal, v0id, websk8ter, BrainStorm
#         RobBbot, GhQst, cr0n, NicotineX, omnis, skills, manipulat0r;
#         CraiK, antisane, JW23, Pneuma, wyze1, w3stside, ES!, *uNF*
#
# For more advance CGI scanning I recommend using 'Whisker' by rfp
# its a nice and powerfull.
#
# Any comments or improvements mail me. Btw I thought I would write
# a nice decent looking code. =P
# Seelan@comstat.co.za
# Iceburg.
# ComStat Security.
# Http://secruity.comstat.co.za - Http://www.comstat.co.za

use Socket;
use Getopt::Std;
getopts("p:h:d:l:m:", \%args);

print "::::::::::::::::::::::::::::::::::::::::\n";
print ":: Cscan.pl - CGI scanner by Iceburg  ::\n";
print "::          ComStat Security          ::\n";
print "::   http://security.comstat.co.za    ::\n";
print "::::::::::::::::::::::::::::::::::::::::\n";

if (!defined $args{h} && !defined $args{m}) {
print qq~

 -p    =  specifies port.
 -h    =  specifies host.
 -d    =  specifies what file should be used as database.
 -l    =  specifies if the scanner should log the scan.
 -m    =  specifies if the scanner should mass scan.

Check the script for Example scans.
~; exit;}

$log=0;
$port=$args{p};

if (defined $args{d}) {
if ($args{d} != 0) { $file = "cgi.ls"; }
else { $file=$args{d} }
open(DB, $file) || die "Can't open database.";
@cgilist = <DB>;
close (DB);
}

if (defined $args{l}) {
$log=1;
open(LOG, ">>$args{l}") || die "Cannot open log file.";
print LOG <<EOT
::::::::::::::::::::::::::::::::::::::::
:: Cscan.pl - CGI scanner by Iceburg  ::
::          ComStat Security          ::
::   http://security.comstat.co.za    ::
::::::::::::::::::::::::::::::::::::::::
EOT
;}


if (defined $args{h}) {
$host=$args{h};
&start;
}

if (defined $args{m}) {
$host = $args{m};
($s,$e) = split(/-/,$host);
($ia, $ib, $id, $ix) = split(/\./,$s);
print "Scaning from $s to $ia.$ib.$id.$e\n";
for($i=$ix; $i<=$e; $i++)
{
$host = "$ia.$ib.$id.$i";
&start
 }
}


sub start {
        print "\n Now scanning $host\n\n";
        if ($log) {print LOG "\n Now scanning $host\n\n";}
        foreach $cgilist (@cgilist)
{

        chomp $cgilist;
        print "Scanning - $cgilist :: ";
        $sl=$cgilist;
        &scan;
        }
}


sub scan {

my($iaddr,$paddr,$proto);

$iaddr = inet_aton($host) || die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
$proto = getprotobyname('tcp') || die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!");
connect(SOCK, $paddr) || &error("Unable to connect: $!");
send(SOCK,"GET $sl HTTP/1.0\r\n\r\n",0);

	$check=<SOCK>;
	($http,$code,$blah) = split(/ /,$check);
        if($code == 200)
	{
                print "Found!\n";
                if ($log) {print LOG "$sl - Found!\n";}
	}
	else
	{
                print "Not Found!\n";

	}
        close(SOCK);
}

sub error
{
$error = shift(@_);
print "Error - $error\n";
exit;
}