#!/usr/bin/perl
#
# This is an ordinary CGI scanner; the only
# difference is that it reads CGI vulns from
# a database file, which can be used to your
# advantage: if you would like to scan for certain
# CGI flaws you can put them in a file and the
# scanner would attempt them.
#
# syntax:
#
# -p : specifies port.
# -h : specifies host.
# -d : specifies what file should be used as database.
# -m : specifies if the scanner should mass scan.
# -l : specifies if the scanner should log the scan.
#
# Example:
#
# perl cscan.pl -p 80 -h 127.0.0.1 -d cgi.database -l blah.log : Example of single scan
# perl cscan.pl -p 80 -m 127.0.0.1-255 -d cgi.database -l blah.log : Example of mass scan
#
# if -d is specified without a database file it will use the default db.
#
# That pretty much sums it up. Enjoy!
#
# Greets: NtWaK0, izik, sagi, Psydal, v0id, websk8ter, BrainStorm
# RobBbot, GhQst, cr0n, NicotineX, omnis, skills, manipulat0r;
# CraiK, antisane, JW23, Pneuma, wyze1, w3stside, ES!, *uNF*
#
# For more advanced CGI scanning I recommend using 'Whisker' by rfp;
# it's nice and powerful.
#
# Any comments or improvements mail me. Btw I thought I would write
# a nice decent looking code. =P
# Seelan@comstat.co.za
# Iceburg.
# ComStat Security.
# Http://secruity.comstat.co.za - Http://www.comstat.co.za
use Socket;
use Getopt::Std;
# Option parsing: every switch takes a value (trailing ':'), so "-d" given
# with no filename is a usage error here rather than "use the default db".
# NOTE(review): the file runs without `use strict`/`use warnings`, so %args
# and every variable assigned below are package globals that the subs
# further down read directly.
getopts("p:h:d:l:m:", \%args);
print "::::::::::::::::::::::::::::::::::::::::\n";
print ":: Cscan.pl - CGI scanner by Iceburg ::\n";
print ":: ComStat Security ::\n";
print ":: http://security.comstat.co.za ::\n";
print "::::::::::::::::::::::::::::::::::::::::\n";
# Usage text is shown only when neither a single host (-h) nor a range (-m)
# was supplied.
if (!defined $args{h} && !defined $args{m}) {
print qq~
-p = specifies port.
-h = specifies host.
-d = specifies what file should be used as database.
-l = specifies if the scanner should log the scan.
-m = specifies if the scanner should mass scan.
Check the script for Example scans.
~; exit;}
$log=0;
# $port is copied as-is; when -p is absent it stays undef and is handed to
# sockaddr_in() in scan() without any check.
$port=$args{p};
if (defined $args{d}) {
# The -d value is compared numerically ("!="). A filename that does not
# start with a digit numifies to 0, so it falls through to the else branch
# and is used as given; the built-in "cgi.ls" default is selected only when
# the value numifies to something non-zero. Under `use warnings` this
# comparison would emit an "isn't numeric" warning.
if ($args{d} != 0) { $file = "cgi.ls"; }
else { $file=$args{d} }
# Two-argument open on a bareword handle: open() derives the mode from the
# filename itself, so a leading "<"/">" or a trailing "|" in the -d value
# changes what this call does (same issue with the log file below).
open(DB, $file) || die "Can't open database.";
# One request path per line. Without -d this array stays empty and start()
# has nothing to iterate.
@cgilist = <DB>;
close (DB);
}
if (defined $args{l}) {
$log=1;
# Two-argument open in append mode: the -l value is interpolated into the
# mode string, so mode characters or a pipe in the filename are interpreted
# by open() rather than treated literally.
open(LOG, ">>$args{l}") || die "Cannot open log file.";
# The banner is written to the log once per run; the heredoc ends at EOT
# and the statement's ';' follows on the next line.
print LOG <<EOT
::::::::::::::::::::::::::::::::::::::::
:: Cscan.pl - CGI scanner by Iceburg ::
:: ComStat Security ::
:: http://security.comstat.co.za ::
::::::::::::::::::::::::::::::::::::::::
EOT
;}
if (defined $args{h}) {
$host=$args{h};
# `&start;` with no parentheses also passes the current @_ to start();
# the sub ignores its arguments, so this is harmless here.
&start;
}
if (defined $args{m}) {
$host = $args{m};
# Range syntax is "a.b.c.start-end": split on '-' for the bounds, then on
# '.' for the four octets of the start address. Only the last octet is
# iterated, and the end value is not validated.
($s,$e) = split(/-/,$host);
($ia, $ib, $id, $ix) = split(/\./,$s);
print "Scaning from $s to $ia.$ib.$id.$e\n";
for($i=$ix; $i<=$e; $i++)
{
# start() reads the target from the global $host, so it is rewritten on
# every iteration.
$host = "$ia.$ib.$id.$i";
&start
}
}
# Probe the current global $host with every path loaded into @cgilist.
# Reads globals: $host, $log, @cgilist (and the LOG handle when logging).
# Writes globals: $cgilist (the loop variable is a package global) and $sl,
# which is the only way the path reaches scan().
sub start {
print "\n Now scanning $host\n\n";
if ($log) {print LOG "\n Now scanning $host\n\n";}
# foreach aliases the loop variable to the array element, so the chomp
# below strips the newline from @cgilist in place.
foreach $cgilist (@cgilist)
{
chomp $cgilist;
print "Scanning - $cgilist :: ";
# The path is handed to scan() through a global rather than an argument.
$sl=$cgilist;
&scan;
}
}
# One probe: open a fresh TCP connection to $host:$port, send a single
# "GET <path> HTTP/1.0" request and classify the reply by its status code.
# Reads globals $host, $port, $sl, $log; uses the bareword handle SOCK,
# which is shared across calls.
# From a defender's view the traffic is easy to fingerprint: HTTP/1.0 with
# no Host or User-Agent header, one connection per path, and paths taken
# verbatim from the database file.
sub scan {
my($iaddr,$paddr,$proto);
# inet_aton() accepts dotted quads and also resolves hostnames, so -h may
# be a name. A failure here ends the whole run via die rather than error().
$iaddr = inet_aton($host) || die "Error: $!";
# NOTE(review): $port is undef when -p was omitted; presumably packed as
# port 0 — verify.
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
$proto = getprotobyname('tcp') || die "Error: $!";
# Socket and connect failures go through error(), which exits the script,
# so a single unreachable host aborts a mass scan.
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!");
connect(SOCK, $paddr) || &error("Unable to connect: $!");
# The path is sent exactly as it appears in the database file; the return
# value of send() is not checked.
send(SOCK,"GET $sl HTTP/1.0\r\n\r\n",0);
# Only the first line of the reply (the status line) is read. No timeout is
# set, so a server that accepts the connection but never answers blocks
# here indefinitely.
$check=<SOCK>;
($http,$code,$blah) = split(/ /,$check);
# Numeric compare: exactly status 200 counts as a hit; any other code, or an
# empty reply (where $code is undef), is reported as not found.
if($code == 200)
{
print "Found!\n";
if ($log) {print LOG "$sl - Found!\n";}
}
else
{
print "Not Found!\n";
}
close(SOCK);
}
# Report a fatal condition and terminate the run.
# The message is also left in the package global $error, as before, so any
# caller that inspects it after the fact still sees it (the exit makes that
# unlikely in practice).
sub error
{
my ($message) = @_;
$error = $message;
print "Error - $error\n";
exit;
}