
Título: RFI-Scanner
Publicado por: @ed33x en Enero 27, 2011, 08:53:05 PM
/*
   RFI Scanner By DiGitalX ([email protected])
   Date: 6/4/2007 -- MicroSystem Team
*/

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <string.h>

//#define _DEBUG //debug mode (for me :D)
#define DEBUG_ROOT "output"

//PHP file-inclusion constructs the scanner looks for. A line is reported as a
//possible RFI when one of these is called with a variable ('$') in its arguments.
//The list is NULL-terminated; php_scanfile() walks it until it sees NULL.
//IMPORTANT: keep this order (each "_once" form is listed before the shorter
//keyword that is a prefix of it).
char* vuln[] = {
   "include_once",
   "include",
   "require_once",
   "require",
   NULL
};

//global display flag, set to TRUE by main() when -s is given.
//When set, php_search() suppresses its per-file "Scanning ..." line and
//php_scanfile() appends the file name to each hit instead.
BOOL bShortDis = FALSE;

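//Print the command-line synopsis.
//app: program name as invoked (argv[0]).
void usage(char* app)
{
   //main() only recognises -s as the first argument after the program name,
   //so the synopsis shows the option in that position
   printf("usage: %s [-s] <root-directory>\n", app);
   printf("\t-s\tshort display mode\n");
}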

//Write the tool's name/author/date header to stdout, followed by a blank line.
void banner(void)
{
   fputs("RFI Scanner By DiGitalX ([email protected])\n"
         "Date: 6/4/2007 -- MicroSystem Team\n\n",
         stdout);
}

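//Read one line from f into line (a buffer of size bytes), without the '\n'.
//The buffer is zero-filled first, so the result is always NUL-terminated.
//A line longer than size-1 bytes is returned in several chunks: the byte that
//did not fit is pushed back and starts the next chunk, so no input is lost
//(callers that count lines will count each chunk as a line).
//return: FALSE if EOF reached (line still holds whatever was read before EOF),
//        TRUE otherwise
BOOL freadline(FILE* f, char* line, int size)
{
   int b, i = 0;

   //zero line
   if (size > 0) memset(line, 0, (size_t)size);
   //a buffer this small can never hold a character; report end of input
   //rather than loop forever making no progress
   if (size < 2) return FALSE;

   for (;;) {
      //read one byte
      b = fgetc(f);
      //check if EOF
      if (b == EOF) return FALSE;
      //newline ends the line and is not stored
      if (b == '\n') return TRUE;
      //line is full: bound by the caller's size (not a fixed 1023) and keep
      //the byte for the next call instead of dropping it
      if (i == size - 1) {
         ungetc(b, f);
         return TRUE;
      }
      line[i++] = (char)b; //fill line
   }
}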

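//Scan one PHP source file, line by line, for include/require calls (see vuln[])
//whose parenthesised argument list contains a variable ('$'), and print each
//such line number as a possible RFI. At most one hit is printed per line.
//file: path of the file to open.
//return: FALSE if the file could not be opened, TRUE once it has been scanned.
//
//This is a heuristic and a hit is only a candidate for manual review. Known
//gaps that produce false negatives (a clean run does not prove the absence of RFI/LFI):
//  - only the call form "keyword ( ... )" is recognised; PHP also accepts
//    the statement form without parentheses (include $file;)
//  - the opening and closing parentheses must be on the same physical line,
//    and lines longer than the 1023-byte buffer are processed in chunks
//  - comments and string literals are not parsed, so '$' or ')' inside them
//    can skew the result either way
BOOL php_scanfile(char* file)
{
   char line[1024], lowered[1024];
   int linenum = 0;
   BOOL notend;

   //open file
   FILE* f = fopen(file, "rb");
   //check
   if (f == NULL)
      return FALSE;

   do {
      BOOL hit = FALSE;

      //opened, then read line by line
      notend = freadline(f, line, sizeof(line));
      linenum++;

      //PHP keywords are case-insensitive, so match on a lowered copy.
      //strcpy is bounded here: freadline zero-fills line and stores at most
      //sizeof(line)-1 bytes, and lowered has the same size.
      strcpy(lowered, line);
      CharLower(lowered);

      for (int i = 0; vuln[i] != NULL && !hit; i++) {
         size_t klen = strlen(vuln[i]);
         char* at = strstr(lowered, vuln[i]);

         //try every occurrence of the keyword on the line, not just the first,
         //so an earlier non-call use (e.g. inside an identifier) does not hide a real call
         while (at != NULL && !hit) {
            char* p = at + klen; //skip function name
            int depth = 0;
            BOOL has_var = FALSE;

            at = strstr(p, vuln[i]); //next candidate, if this one is rejected

            //only whitespace may separate the keyword from '('; anything else
            //means this is not a call (comment, variable, longer identifier...)
            while (*p == ' ' || *p == '\t') p++;
            if (*p != '(') continue;

            //walk to the parenthesis that closes the call, tracking nesting so that
            //include(dirname(__FILE__) . $x) is examined up to its real end
            for (; *p != '\0'; p++) {
               if (*p == '(') depth++;
               else if (*p == ')') { if (--depth == 0) break; }
               else if (*p == '$') has_var = TRUE;
            }

            //end of line reached before the call was closed: skip it
            if (*p == ')' && has_var) hit = TRUE;
         }
      }

      if (hit) {
         //possible RFI caught; linenum is an int, so print it with %d
         printf("possible RFI at line: %d", linenum);
         //if bShortDis then provide filename
         if (bShortDis) printf(" in \"%s\"\n", file);
         else printf("\n"); //otherwise just newline
      }

      if (!notend) break; //EOF: the last (possibly partial) line was scanned above
   } while (1);

   fclose(f);
   return TRUE;
}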

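//Recursively walk the current directory and run php_scanfile() on every file
//whose name ends in ".php" (case-insensitive). Recursion works by changing the
//process's current directory into each subdirectory and back to "..".
//
//Coverage notes for whoever relies on the result:
//  - only the ".php" extension is scanned; other extensions a server may be
//    configured to execute as PHP are not looked at
//  - anything that had to be skipped (path too long, file not readable) is
//    reported on stderr instead of being dropped silently
void php_search(void) {
   WIN32_FIND_DATA wfd;
   HANDLE fh;
   char lpBuffer[320];
   DWORD len;

   fh = FindFirstFile("*.*", &wfd);
   if (fh == INVALID_HANDLE_VALUE) return;

   do {
      // skip only the '.' and '..' entries; other dot-names (hidden files and
      // directories) are real content and must be scanned too
      if (strcmp(wfd.cFileName, ".") == 0 || strcmp(wfd.cFileName, "..") == 0) continue;

      // if dir enter it
      if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
         // do not follow junctions/symlinks: they can point outside the root
         // being scanned or back into it, which would recurse without end
         if (wfd.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) {
            fprintf(stderr, "skipped (reparse point): %s\n", wfd.cFileName);
            continue;
         }
         // Win32 BOOL results are "nonzero on success", so test for nonzero
         // rather than comparing against TRUE
         if (SetCurrentDirectory(wfd.cFileName)) {
            php_search(); // recursive call
            SetCurrentDirectory("..");
         }
         continue;
      }

      // otherwise carry on our process.
      // GetFullPathName returns 0 on failure and the REQUIRED size when the
      // buffer is too small; in both cases lpBuffer must not be used
      len = GetFullPathName(wfd.cFileName, sizeof(lpBuffer), lpBuffer, NULL);
      if (len == 0 || len >= sizeof(lpBuffer)) {
         fprintf(stderr, "skipped (path unavailable or too long): %s\n", wfd.cFileName);
         continue;
      }
      CharLower(lpBuffer);

      // checking if the extension of the file is php: require the dot and
      // make sure the path is long enough before indexing from its end
      if (len < 4 || memcmp(&lpBuffer[len - 4], ".php", 4) != 0) continue;

      //skip if bShortDis is set
      if (!bShortDis) printf("Scanning %s...\n", lpBuffer);
      if (!php_scanfile(lpBuffer))
         fprintf(stderr, "skipped (cannot open): %s\n", lpBuffer);
   } while (FindNextFile(fh, &wfd));

   FindClose(fh); // closing find handle
}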

//Make root the current directory and scan everything below it.
//root: directory to start from.
//return: FALSE if root could not be entered (nothing is scanned), TRUE otherwise.
BOOL begin_rfi_scan(char* root)
{
   //php_search() works relative to the current directory, so enter root first
   BOOL entered = SetCurrentDirectory(root);
   if (!entered) {
      return FALSE;
   }

   puts("Beginning Hunting RFI Vulnerabilities...");
   //tell the user when -s changed the output format
   if (bShortDis) {
      puts("Short Display Mode Activated");
   }

   php_search();
   puts("Finished of Hunting.");

   return TRUE;
}

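//Entry point: prints the banner, parses "[-s] <root-directory>" and runs the scan.
//return: 0 on success, 1 on a usage error or if the root directory cannot be entered.
int main(int argc, char** argv)
{
   int pos = 1; //root position in cmd line
   char* root;

   //show banner
   banner();

   //-s switch is specified (only look at argv[1] when it exists)
   if (argc > 1 && strcmp(argv[1], "-s") == 0) {
      bShortDis = TRUE; //set flag
      pos = 2; //change root position in cmd line
   }

   #ifndef _DEBUG
   //check that the root dir is really present at its position; "-s" alone
   //would otherwise hand a NULL root to the scanner
   if (argc <= pos) {
      //show usage screen and exit
      usage(argv[0]);
      return 1;
   }
   root = argv[pos];
   #else
   //debug builds always scan the fixed DEBUG_ROOT directory
   root = DEBUG_ROOT;
   #endif

   //root dir is given good, then scan all the files inside this root directory
   if (!begin_rfi_scan(root)) {
      printf("Error: initializing RFI Scanner... Try Again");
      return 1;
   }

   return 0;
}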

Es un escáner de RFI sencillo que busca en archivos .php llamadas potencialmente vulnerables como include(), require(), etc., y luego comprueba si hay alguna variable en los argumentos de la función.
Si la hay, muestra el resultado para que tú compruebes si hay una RFI/LFI, muy feliz xD!

*Nota:
Podés poner un montón de scripts PHP dentro de una carpeta y correr el escáner contra ella.

El escáner recorrerá todo el directorio raíz (el indicado en la línea de comandos) y te mostrará cada posible función vulnerable junto con la línea y el nombre del script.