Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

domingo, 20 de fevereiro de 2011

SCRIPT PHP Security-Shell RFI Scanner v1.0


Segurança Shell RFI Scanner v1.0 é um scan de rfi pra você scanner de plantão.


* Copyright (C) 2007 por pentest
* Http://security-sh3ll.com
* Este programa é software livre, pode redistribuí-lo e / ou modificá-
* Sob os termos da GNU General Public License conforme publicada pela
*
* Mas SEM NENHUMA GARANTIA, sem mesmo a garantia implícita de *COMERCIALIZAÇÃO ou ADEQUAÇÃO PARA UM DETERMINADO PROPÓSITO. Veja o * Licença Pública Geral GNU para obter mais detalhes.


/***************************************************************************
 *   PHP Security-Shell RFI Scanner v1.0                                   *
 *                                                                         *
 *   Copyright (C) 2007 by pentest                                         *
 *                                                                         *
 *   http://security-sh3ll.com                                             *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 *   This program is distributed in the hope that it will be useful,       *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
 *   GNU General Public License for more details.                          *
 *                                                                         *
 ***************************************************************************/
 
    $escan_inc_regex   = array( '/include(_once)?.\$/ix', '/require(_once)?.\$/ix' );
    /* Regex to extract the names of variables */
    $escan_var_regex   = array( '/\Ainclude(_once)?./is', '/\Arequire(_once)?./is' );
    /* Array of file extensions to scan */
    $escan_valid_ext   = array( 'php' );
    /* Maximum size of a file to scan, scans all if 0 */
    $escan_max_size    = 0;
    /* Counter crawled directory */
    $escan_dir_count   = 0;
    /* Perpetual scanned files */
    $escan_file_count  = 0;
    /* Perpetual potential rfi found */
    $escan_match_count = 0;
    /*Perpetual crawled total bytes */
    $escan_byte_count  = 0;
 
    escan_banner();
 
 
    if( $argc < 2 ){
        escan_usage($argv[0]);
    }
    else{
 
        $stime = escan_get_mtime();
 
        escan_recurse_dir( realpath($argv[1]).DIRECTORY_SEPARATOR );
 
        $etime = escan_get_mtime();
 
        print "\n@ Scan report : \n\n" .
              "\t$escan_dir_count directory .\n".
              "\t$escan_file_count file .\n".
              "\t" . escan_format_size($escan_byte_count) . " .\n".
              "\t$escan_match_count Potential RFI .\n".
              "\t".($etime-$stime) . " Second Processing .\n\n";
    }
 
    /* A string formats in a magnitude expressed in bytes */
    function escan_format_size($bytes)
    {
        if( $bytes < 1024       ) return "$bytes bytes";
        if( $bytes < 1048576    ) return ($bytes / 1024) . " Kb";
        if( $bytes < 1073741824 ) return ($bytes / 1048576) . " Mb";
 
        return ($bytes / 1073741824) . " Gb";
    }
 
    /* Returns the timestamp in seconds */
    function escan_get_mtime()
    {
        list($usec, $sec) = explode(" ",microtime());
        return ((float)$usec + (float)$sec);
    }
 
    /* Extracts line of code inclusion */
    function escan_scan_line($content,$offset)
    {
        list( $line, $dummy ) = explode( ";" , substr($content,$offset,strlen($content)) );
 
        return $line.";";
    }
 
    /* Extract the variable name from line of code inclusion */
    function escan_parse_var( $line, $regex_id )
    {
        global $escan_var_regex;
 
        $vars       = preg_split($escan_var_regex[$regex_id],$line);
        $varname    = $vars[1];
        $delimiters = " .);";
 
        for( $i = 0; $i < strlen($varname); $i++ ){
            for( $j = 0; $j < strlen($delimiters); $j++ ){
                if($varname[$i] == $delimiters[$j]){
                    return substr( $varname, 0, $i );
                }
            }
        }
 
        return $varname;
    }
 
    /* Check if the variable $var is defined in $content before position $offset*/
    function escan_check_definitions($content,$offset,$var)
    {
        if( strpos( $var, "->" ) ){
            return 1;
        }
 
        $chunk = substr($content,0,$offset);
        $regex = "/".preg_quote($var,"/")."\s*=/ix";
        preg_match( $regex, $chunk,$matches );
 
        return count($matches);
    }
 
    /* $file the file to check for potential rfi */
    function escan_parse_file($file)
    {
        global $escan_inc_regex;
        global $escan_max_size;
        global $escan_file_count;
        global $escan_match_count;
        global $escan_byte_count;
 
        $fsize = filesize($file);
 
        if( $escan_max_size && $fsize > $escan_max_size ) return;
 
        $escan_file_count++;
        $escan_byte_count += $fsize;
 
        $content = @file_get_contents($file);
 
        for( $i = 0; $i < count($escan_inc_regex); $i++ ){
            if( preg_match_all( $escan_inc_regex[$i], $content, $matches, PREG_OFFSET_CAPTURE ) ){
 
                $nmatch = count($matches[0]);
 
                for( $j = 0; $j < $nmatch; $j++ ){
                    $offset = $matches[0][$j][1];
                    $line   = escan_scan_line($content,$offset);
                    $var    = escan_parse_var($line,$i);
 
                    if( escan_check_definitions($content,$offset,$var) == 0 )
                    {
                        $escan_match_count++;
                        print "@ $file - \n\t- '$var' The position $offset .\n";
                    }
                }
            }
        }
    }
 
    /* Returns the file extension $fname */
    function escan_get_file_ext($fname)
    {
        if( strchr($fname,'.') ){
            return substr($fname,strrpos($fname,'.')+1);
        }
        else{
            return "";
        }
    }
 
    /* Check if file $fname is a valid extension */
    function escan_isvalid_ext($fname)
    {
        global $escan_valid_ext;
 
        for( $i = 0; $i < count($escan_valid_ext); $i++ ){
            if(strstr(escan_get_file_ext($fname),$escan_valid_ext[$i])){
                return true;
            }
        }
 
        return false;
    }
 
    /* That function scans directories recursively */
    function escan_recurse_dir($dir)
    {
        global $escan_dir_count;
 
        $escan_dir_count++;
 
        if( $cdir = @dir($dir) ){
            while( $entry = $cdir->read() ){
                if( $entry != '.' && $entry != '..' ){
                    if( is_dir($dir.$entry) ){
                        escan_recurse_dir($dir.$entry.DIRECTORY_SEPARATOR);
                    }
                    else{
                        if( escan_isvalid_ext($dir.$entry) ){
                            escan_parse_file($dir.$entry);
                        }
                    }
                }
            }
 
            $cdir->close();
        }
    }
 
    function escan_banner()
    {
        print "*-----------------------------------------------------*\n" .
              "*   PHP Security-Shell RFI Scanner v1.0  by pentest   *\n" .
              "*                                                     *\n" .
              "*             http://security-sh3ll.com               *\n" .
              "*-----------------------------------------------------*\n\n";
    }
 
    function escan_usage($pname)
    {
        print "Use : php $pname \n";
    }
?>

7 comentários:

  1. Gostaria se possível um exemplo de uso desse script.

    Obrigado.

    ResponderExcluir
  2. Hospeda ele em um server que suporta php que coloca umas strings de buscas como index.php?pag= algo assim que ele vai buscar possiveis vul. ele é antigo então pode estar defasado seu modelo de busca

    ResponderExcluir
  3. em que linha se coloca a string de busca ?

    ResponderExcluir
  4. tentei no wampserver, mas deu erro nessa linha:

    if( $argc < 2 ){
    escan_usage($argv[0]);
    }

    ResponderExcluir
  5. I do not even understand how I finished up here, but I thought this put up was once great.
    I do not know who you’re however definitely you’re going to a well-known blogger for those who are not
    already. Cheers!

    ResponderExcluir
  6. whoah this blog is great i like reading your posts. Keep up the great work!
    You recognize, many persons are hunting around for this info, you could aid
    them greatly.

    ResponderExcluir

............