
Cgichk2.c

Cgichk2.c
Posted Aug 17, 1999
Authored by CKS

A simple CGI scanner with a debug mode and an exploit download feature that is offered if any of the checked CGI scripts are found.

tags | exploit, cgi
SHA-256 | e533b785b2d55e28383517756cadb2230163a627288b3dfa82acd8d564c856f4

Cgichk2.c

/* A simple CGIs scanner with debug and exploit download feature IF any
CGI was found :)
< Coded by CKS from ech0 security >

Special thankz to fdisk & stanly :) "THankz guys"
*/

#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>

#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <netinet/in.h>

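int gettextfile(int cginum); /* defined further down in this file */

/*
 * Connect to port 80 of the host named in argv[1], print the reply to a
 * HEAD request, then request each path in a fixed table of CGI script names
 * and report the ones whose reply contains the string "200".  For every hit
 * the user is asked whether gettextfile() should be called for that entry.
 *
 * argv[1]  host name or dotted-quad address (required)
 * argv[2]  "-d" enables debug mode: the raw reply to every probe is printed
 *
 * Returns 0 after a full run, 1 when the first connection cannot be made.
 */
int main(int argc, char *argv[])
{
    /* Request lines and display names; entry i of one table belongs to
     * entry i of the other.  gettextfile() is called with i + 1, because the
     * original numbered its tables from 1. */
    static const char *const requests[] = {
        "GET /cgi-bin/phf HTTP/1.0\n\n",
        "GET /cgi-bin/Count.cgi HTTP/1.0\n\n",
        "GET /cgi-bin/test-cgi HTTP/1.0\n\n",
        "GET /cgi-bin/php.cgi HTTP/1.0\n\n",
        "GET /cgi-bin/handler HTTP/1.0\n\n",
        "GET /cgi-bin/webgais HTTP/1.0\n\n",
        "GET /cgi-bin/websendmail HTTP/1.0\n\n",
        "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n",
        "GET /cgi-bin/faxsurvey HTTP/1.0\n\n",
        "GET /cgi-bin/htmlscript HTTP/1.0\n\n",
        "GET /cgi-bin/pfdisplay.cgi HTTP/1.0\n\n",
        "GET /cgi-bin/perl.exe HTTP/1.0\n\n",
        "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n",
        "GET /cgi-bin/finger HTTP/1.0\n\n",
        "GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n",
        "GET /cgi-bin/survey.cgi HTTP/1.0\n\n",
        "GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n",
        "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n",
    };
    static const char *const cginame[] = {
        "phf", "Count.cgi", "test-cgi", "php.cgi", "handler", "webgais",
        "websendmail", "webdist.cgi", "faxsurvey", "htmlscript", "pfdisplay",
        "perl.exe", "wwwboard.pl", "finger", "bnbform.cgi", "survey.cgi",
        "classifieds.cgi", "textcounter.pl",
    };
    /* The loop bounds follow the table, so adding an entry needs no second edit. */
    enum { NUM_CGI = sizeof requests / sizeof requests[0] };

    const char foundmsg[] = "200";
    int found[NUM_CGI] = {0};   /* replaces the original's "EXIST" marker written into the request table */
    struct sockaddr_in sin;
    struct hostent *he;
    char askfortxt[10];
    char buffer[1024];
    char cgibuff[1024];
    ssize_t nread;
    int sock;
    int debugm = 0;
    int i;

    if (argc < 2) {
        printf("\nusage : %s host ", argv[0]);
        printf("\n Or : %s host -d for debug mode\n\n", argv[0]);
        exit(0);
    }

    /* The original called strstr("-d", argv[2]) with haystack and needle
     * swapped, so "", "-" and "d" also switched debug mode on. */
    if (argc > 2 && strcmp(argv[2], "-d") == 0)
        debugm = 1;

    he = gethostbyname(argv[1]);
    if (he == NULL) {
        herror("gethostbyname");
        exit(0);
    }

    /* Only copy the resolved address when it really is an IPv4 address of
     * the expected size; the original copied h_length bytes unchecked. */
    if (he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof sin.sin_addr ||
        he->h_addr_list[0] == NULL) {
        fprintf(stderr, "gethostbyname: no IPv4 address for %s\n", argv[1]);
        exit(1);
    }

    /* Build the destination once; the zero fill clears the padding bytes. */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof sin.sin_addr);

    printf("\n\n\t\t [Ech0's CGI Scanner] By CKS\n\n\n");

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        return 1;
    }
    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) != 0) {
        /* The original carried on and used the unconnected socket. */
        perror("connect");
        close(sock);
        return 1;
    }

    printf("\n\n\t [ Press any key to check out the httpd version...... ]\n");
    getchar();
    if (send(sock, "HEAD / HTTP/1.0\n\n", 17, 0) < 0)
        perror("send");

    /* Leave one byte for the terminator: recv() does not add one, and the
     * original printed the buffer with %s without terminating it. */
    nread = recv(sock, buffer, sizeof buffer - 1, 0);
    if (nread > 0) {
        buffer[nread] = '\0';
        /* NOTE(review): the reply is remote-controlled and printed raw, so
         * control characters in it reach the terminal unfiltered. */
        printf("%s", buffer);
    }
    close(sock);

    printf("\n\t [ Press any key to search 4 CGI stuff...... ]\n");
    getchar();

    for (i = 0; i < NUM_CGI; i++) {
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock < 0) {
            perror("socket");
            continue;
        }
        if (connect(sock, (struct sockaddr *)&sin, sizeof sin) != 0) {
            perror("connect");
            close(sock);
            continue;
        }
        printf("\nSearching for %s : ", cginame[i]);

        memset(cgibuff, 0, sizeof cgibuff);
        if (send(sock, requests[i], strlen(requests[i]), 0) < 0)
            perror("send");

        /* Reading at most size - 1 bytes into the zeroed buffer keeps it
         * terminated for strstr() and printf() below. */
        nread = recv(sock, cgibuff, sizeof cgibuff - 1, 0);
        if (nread < 0)
            perror("recv");

        /* "200" is matched anywhere in the first read, headers or body, so
         * a hit is only a hint that the path exists, not a parsed status. */
        if (strstr(cgibuff, foundmsg) != NULL) {
            printf("Found !! ;)");
            found[i] = 1;
        } else {
            printf("Not Found");
        }

        if (debugm == 1) {
            printf("\n\n ------------------------\n %s \n ------------------------\n", cgibuff);
            printf("Press any key to continue....\n");
            getchar();
        }
        close(sock);
    }
    printf("\n\n");

    for (i = 0; i < NUM_CGI; i++) {
        if (!found[i])
            continue;

        printf("Do u wanna get the exploit infoz on %s ? (y/n) : ", cginame[i]);
        /* Width-limited read: askfortxt holds 9 characters plus the
         * terminator; the original used an unbounded %s. */
        if (scanf("%9s", askfortxt) != 1)
            break;  /* end of input */

        /* As before, any answer containing 'y' or 'Y' counts as yes. */
        if (strchr(askfortxt, 'y') != NULL || strchr(askfortxt, 'Y') != NULL)
            gettextfile(i + 1);
    }

    return 0;
}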

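/*
 * Fetch /~cksss/cgiexp/cgi<cginum>.txt from the hard-coded web server and
 * append everything received to a file whose name is read from stdin.
 *
 * cginum  number substituted into the requested file name
 *
 * Returns 0 when the transfer ran to end of stream, -1 on a local or
 * network error.  As in the original, a failed connect() ends the whole
 * program with exit(1).
 *
 * NOTE(review): the file name is taken verbatim from stdin and opened in
 * append mode, and the bytes written are whatever the remote host sends over
 * plain HTTP with no integrity check; treat the saved file as untrusted data.
 */
int gettextfile(int cginum)
{
    const char webserv[] = "165.21.101.33";
    struct sockaddr_in sin;
    char getcmd[200];
    char txtbuff[2048];
    char filename[100];
    FILE *cgitxt;
    ssize_t nread;
    int sock1;
    int rc = 0;

    sock1 = socket(AF_INET, SOCK_STREAM, 0);
    if (sock1 < 0) {
        perror("socket");
        return -1;
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    sin.sin_addr.s_addr = inet_addr(webserv);

    if (connect(sock1, (struct sockaddr *)&sin, sizeof sin) != 0) {
        perror("connect");
        printf("You are not online or maybe my ISP's webserver is down :(\n");
        exit(1);
    }

    printf("To what filename u wanna save it to : ");
    /* Width-limited read: filename holds 99 characters plus the terminator;
     * the original used an unbounded %s into this stack buffer. */
    if (scanf("%99s", filename) != 1) {
        close(sock1);
        return -1;
    }

    cgitxt = fopen(filename, "a");
    if (cgitxt == NULL) {
        /* The original passed the NULL stream straight to fwrite(). */
        perror("fopen");
        close(sock1);
        return -1;
    }

    snprintf(getcmd, sizeof getcmd, "GET /~cksss/cgiexp/cgi%d.txt\n\n", cginum);
    if (send(sock1, getcmd, strlen(getcmd), 0) < 0) {
        perror("send");
        rc = -1;
    } else {
        /* A blocking recv() loop replaces the original select()+recv() pair:
         * with a single descriptor and no timeout the two are equivalent.
         * The original also passed the raw flag value 0x4, whose meaning is
         * platform-dependent; a plain read needs no flag. */
        for (;;) {
            nread = recv(sock1, txtbuff, sizeof txtbuff, 0);
            if (nread < 0) {
                /* The original fed this -1 to fwrite() as a size and then
                 * kept looping, because -1 is non-zero. */
                perror("recv");
                rc = -1;
                break;
            }
            if (nread == 0)
                break;  /* peer closed the connection */

            if (fwrite(txtbuff, 1, (size_t)nread, cgitxt) != (size_t)nread) {
                perror("fwrite");
                rc = -1;
                break;
            }
        }
    }

    /* fclose() flushes buffered data, so its result is part of the outcome. */
    if (fclose(cgitxt) != 0) {
        perror("fclose");
        rc = -1;
    }
    close(sock1);
    return rc;
}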