Cgi Scanner v1.4 - Scan remote web servers for all commonly known and potentially exploitable CGI scripts. Some scripts are better (coded, designed, optimized, complete) than others, and this is one of those better scripts.
dc0275bf9f95eacf6fa93961e887a88e76513defa4b4cd2d0e9bc36694c40b14
/* Cgi Scanner v1.4
I got tired of looking at a ton of cgi hole scanners and none of
them had everything included, so I made one for all the kode kiddies
out there. I ripped some of this code from 9x's shell script they
echo'ed to netcat to update this, and some other code for storage
from someone elses broken version that looked for a few of these
already.
This will basicly ask a web server (Unix or NT) if they have these
programs open to the general public, and if they do, it tells you. I
could of made this exploit the holes as well, but I have to leave
something for you to do (well in the LoU released version it did
exploit them). Sometimes it will tell you that the files DO EXIST,
but you may not have access to them. By using another hole you may
be able to access them though. So if the scan returns that it found
something, don't instantly think you can exploit it. If they have
changed their '404' page it will also sometimes return a false reading.
To complie:
luser$ gcc cgiscan.c -o cgiscan
To use:
luser$ ./cgiscan somedomain.com (i.e. ./cgiscan antionline.com)
coded by Bronc Buster of LoU - Nov 1998
updated Jan 1999
[gH] uses this to preform all their eLe3t h4cKs, shouldn't you?
*/
#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#define MAX_SIZE 21 /* make this the size of temp[] if you change it */
int main(int argc, char *argv[])
{
int s;
struct in_addr addr;
struct sockaddr_in victem;
struct hostent *bad;
char foundmsg[] = "200";
char *cgistr;
char buffer[1024];
char cgibuff[1024];
int num,i=0;
char *temp[22];
char *name[22];
temp[1] = "GET /cgi-bin/phf HTTP/1.0\n\n";
temp[2] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
temp[3] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
temp[4] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
temp[5] = "GET /cgi-bin/handler HTTP/1.0\n\n";
temp[6] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
temp[7] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";
temp[8] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n";
temp[9] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n";
temp[10] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n";
temp[11] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n";
temp[12] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n";
temp[13] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n";
temp[14] = "GET /cgi-bin/www-sql HTTP/1.0\n\n";
temp[15] = "GET /_vti_pvt/service.pwd HTTP/1.0\n\n";
temp[16] = "GET /_vti_pvt/users.pwd HTTP/1.0\n\n";
temp[17] = "GET /cgi-bin/aglimpse HTTP/1.0\n\n";
temp[18] = "GET /cgi-bin/man.sh HTTP/1.0\n\n";
temp[19] = "GET /cgi-bin/view-source HTTP/1.0\n\n";
temp[20] = "GET /cgi-bin/campas HTTP/1.0\n\n";
temp[21] = "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n";
name[1] = "phf";
name[2] = "Count.cgi";
name[3] = "test-cgi";
name[4] = "php.cgi";
name[5] = "handler";
name[6] = "webgais";
name[7] = "websendmail";
name[8] = "webdist.cgi";
name[9] = "faxsurvey";
name[10] = "htmlscript";
name[11] = "pfdisplay";
name[12] = "perl.exe";
name[13] = "wwwboard.pl";
name[14] = "www-sql";
name[15] = "service.pwd";
name[16] = "users.pwd";
name[17] = "aglimpse";
name[18] = "man.sh";
name[19] = "view-source";
name[20] = "campas";
name[21] = "nph-test-cgi";
if (argc!=2)
{
exit(printf("\nUsage : %s domain.com\n",argv[0]));
}
if ((bad=gethostbyname(argv[1])) == NULL)
{
exit(printf("Error getting hostname\n"));
}
printf("New web server hole and info scanner for elite kode kiddies\n");
printf("coded by Bronc Buster of LoU - Nov 1998\n");
printf("updated Jan 1999\n");
system("sleep 2");
s=socket(AF_INET, SOCK_STREAM, 0);
if(s<0) exit(printf("Socket error"));
bcopy(bad->h_addr, (char *)&victem.sin_addr, bad->h_length);
victem.sin_family=AF_INET;
victem.sin_port=htons(80);
if (connect(s, (struct sockaddr*)&victem, sizeof(victem))<0)
{
exit(printf("Connect error\n"));
}
printf("\nGetting HTTP version\n\n");
send(s, "HEAD / HTTP/1.0\n\n",17,0);
recv(s, buffer, sizeof(buffer),0);
printf("Version:\n%s",buffer);
close(s);
system("sleep 2");
while(i++ < MAX_SIZE)
{
s=socket(AF_INET, SOCK_STREAM, 0);
bcopy(bad->h_addr, (char *)&victem.sin_addr, bad->h_length);
victem.sin_family=AF_INET;
victem.sin_port=htons(80);
if (connect(s, (struct sockaddr*)&victem, sizeof(victem))<0)
{
exit(printf("Connect error\n"));
}
printf("Searching for %s : ",name[i]);
for(num=0; num<1024; num++)
{
cgibuff[num] = '\0';
}
send(s, temp[i],strlen(temp[i]),0);
recv(s, cgibuff, sizeof(cgibuff),0);
cgistr = strstr(cgibuff,foundmsg);
if(cgistr != NULL)
printf(" * * Found * * \n");
else
printf(". . Not Found . .\n");
close(s);
}
printf("\n[gH] - aka gLoBaL hElL - are lame kode kiddies\n");
return 0;
}
/* EOF */