domingo, 20 de fevereiro de 2011

SCRIPT PHP Security-Shell RFI Scanner v1.0


Segurança Shell RFI Scanner v1.0 é um scan de rfi pra você scanner de plantão.


* Copyright (C) 2007 por pentest
* Http://security-sh3ll.com
* Este programa é software livre, pode redistribuí-lo e / ou modificá-
* Sob os termos da GNU General Public License conforme publicada pela
*
* Mas SEM NENHUMA GARANTIA, sem mesmo a garantia implícita de *COMERCIALIZAÇÃO ou ADEQUAÇÃO PARA UM DETERMINADO PROPÓSITO. Veja o * Licença Pública Geral GNU para obter mais detalhes.


/***************************************************************************
 *   PHP Security-Shell RFI Scanner v1.0                                   *
 *                                                                         *
 *   Copyright (C) 2007 by pentest                                         *
 *                                                                         *
 *   http://security-sh3ll.com                                             *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 *   This program is distributed in the hope that it will be useful,       *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
 *   GNU General Public License for more details.                          *
 *                                                                         *
 ***************************************************************************/
 
    $escan_inc_regex   = array( '/include(_once)?.\$/ix', '/require(_once)?.\$/ix' );
    /* Regex to extract the names of variables */
    $escan_var_regex   = array( '/\Ainclude(_once)?./is', '/\Arequire(_once)?./is' );
    /* Array of file extensions to scan */
    $escan_valid_ext   = array( 'php' );
    /* Maximum size of a file to scan, scans all if 0 */
    $escan_max_size    = 0;
    /* Counter crawled directory */
    $escan_dir_count   = 0;
    /* Perpetual scanned files */
    $escan_file_count  = 0;
    /* Perpetual potential rfi found */
    $escan_match_count = 0;
    /*Perpetual crawled total bytes */
    $escan_byte_count  = 0;
 
    escan_banner();
 
 
    if( $argc < 2 ){
        escan_usage($argv[0]);
    }
    else{
 
        $stime = escan_get_mtime();
 
        escan_recurse_dir( realpath($argv[1]).DIRECTORY_SEPARATOR );
 
        $etime = escan_get_mtime();
 
        print "\n@ Scan report : \n\n" .
              "\t$escan_dir_count directory .\n".
              "\t$escan_file_count file .\n".
              "\t" . escan_format_size($escan_byte_count) . " .\n".
              "\t$escan_match_count Potential RFI .\n".
              "\t".($etime-$stime) . " Second Processing .\n\n";
    }
 
    /* A string formats in a magnitude expressed in bytes */
    function escan_format_size($bytes)
    {
        if( $bytes < 1024       ) return "$bytes bytes";
        if( $bytes < 1048576    ) return ($bytes / 1024) . " Kb";
        if( $bytes < 1073741824 ) return ($bytes / 1048576) . " Mb";
 
        return ($bytes / 1073741824) . " Gb";
    }
 
    /* Returns the timestamp in seconds */
    function escan_get_mtime()
    {
        list($usec, $sec) = explode(" ",microtime());
        return ((float)$usec + (float)$sec);
    }
 
    /* Extracts line of code inclusion */
    function escan_scan_line($content,$offset)
    {
        list( $line, $dummy ) = explode( ";" , substr($content,$offset,strlen($content)) );
 
        return $line.";";
    }
 
    /* Extract the variable name from line of code inclusion */
    function escan_parse_var( $line, $regex_id )
    {
        global $escan_var_regex;
 
        $vars       = preg_split($escan_var_regex[$regex_id],$line);
        $varname    = $vars[1];
        $delimiters = " .);";
 
        for( $i = 0; $i < strlen($varname); $i++ ){
            for( $j = 0; $j < strlen($delimiters); $j++ ){
                if($varname[$i] == $delimiters[$j]){
                    return substr( $varname, 0, $i );
                }
            }
        }
 
        return $varname;
    }
 
    /* Check if the variable $var is defined in $content before position $offset*/
    function escan_check_definitions($content,$offset,$var)
    {
        if( strpos( $var, "->" ) ){
            return 1;
        }
 
        $chunk = substr($content,0,$offset);
        $regex = "/".preg_quote($var,"/")."\s*=/ix";
        preg_match( $regex, $chunk,$matches );
 
        return count($matches);
    }
 
    /* $file the file to check for potential rfi */
    function escan_parse_file($file)
    {
        global $escan_inc_regex;
        global $escan_max_size;
        global $escan_file_count;
        global $escan_match_count;
        global $escan_byte_count;
 
        $fsize = filesize($file);
 
        if( $escan_max_size && $fsize > $escan_max_size ) return;
 
        $escan_file_count++;
        $escan_byte_count += $fsize;
 
        $content = @file_get_contents($file);
 
        for( $i = 0; $i < count($escan_inc_regex); $i++ ){
            if( preg_match_all( $escan_inc_regex[$i], $content, $matches, PREG_OFFSET_CAPTURE ) ){
 
                $nmatch = count($matches[0]);
 
                for( $j = 0; $j < $nmatch; $j++ ){
                    $offset = $matches[0][$j][1];
                    $line   = escan_scan_line($content,$offset);
                    $var    = escan_parse_var($line,$i);
 
                    if( escan_check_definitions($content,$offset,$var) == 0 )
                    {
                        $escan_match_count++;
                        print "@ $file - \n\t- '$var' The position $offset .\n";
                    }
                }
            }
        }
    }
 
    /* Returns the file extension $fname */
    function escan_get_file_ext($fname)
    {
        if( strchr($fname,'.') ){
            return substr($fname,strrpos($fname,'.')+1);
        }
        else{
            return "";
        }
    }
 
    /* Check if file $fname is a valid extension */
    function escan_isvalid_ext($fname)
    {
        global $escan_valid_ext;
 
        for( $i = 0; $i < count($escan_valid_ext); $i++ ){
            if(strstr(escan_get_file_ext($fname),$escan_valid_ext[$i])){
                return true;
            }
        }
 
        return false;
    }
 
    /* That function scans directories recursively */
    function escan_recurse_dir($dir)
    {
        global $escan_dir_count;
 
        $escan_dir_count++;
 
        if( $cdir = @dir($dir) ){
            while( $entry = $cdir->read() ){
                if( $entry != '.' && $entry != '..' ){
                    if( is_dir($dir.$entry) ){
                        escan_recurse_dir($dir.$entry.DIRECTORY_SEPARATOR);
                    }
                    else{
                        if( escan_isvalid_ext($dir.$entry) ){
                            escan_parse_file($dir.$entry);
                        }
                    }
                }
            }
 
            $cdir->close();
        }
    }
 
    function escan_banner()
    {
        print "*-----------------------------------------------------*\n" .
              "*   PHP Security-Shell RFI Scanner v1.0  by pentest   *\n" .
              "*                                                     *\n" .
              "*             http://security-sh3ll.com               *\n" .
              "*-----------------------------------------------------*\n\n";
    }
 
    function escan_usage($pname)
    {
        print "Use : php $pname \n";
    }
?>

8 comentários:

  1. Gostaria se possível um exemplo de uso desse script.

    Obrigado.

    ResponderExcluir
  2. Hospeda ele em um server que suporta php que coloca umas strings de buscas como index.php?pag= algo assim que ele vai buscar possiveis vul. ele é antigo então pode estar defasado seu modelo de busca

    ResponderExcluir
  3. em que linha se coloca a string de busca ?

    ResponderExcluir
  4. tentei no wampserver, mas deu erro nessa linha:

    if( $argc < 2 ){
    escan_usage($argv[0]);
    }

    ResponderExcluir
  5. I do not even understand how I finished up here, but I thought this put up was once great.
    I do not know who you’re however definitely you’re going to a well-known blogger for those who are not
    already. Cheers!

    ResponderExcluir
  6. Wow, wonderful blog layout! How long have you been blogging for?

    you make blogging look easy. The overall look of your
    site is excellent, as well as the content!

    ResponderExcluir
  7. whoah this blog is great i like reading your posts. Keep up the great work!
    You recognize, many persons are hunting around for this info, you could aid
    them greatly.

    ResponderExcluir

............