#!/usr/bin/php -q #!/usr/bin/php -q
/**
* Php Vulnerability Scanner by KingOfSka @ http://www.contropoterecrew.org
* still very early release, just for testing and coding purpose :)
*
* Changelog:
*
* 12/09/06 Version 0.1 : First "working" version, should work on "almost" site, report any bug to help me :)
* 25/09/06 0.2 : Better crawling, less bandwith/resource usage, speed improved, better vuln finding code
*
**/
print_r(
-------------------------------------------------------------------------------
Php Vulnerability Scanner by KingOfska @ http://contropotere.netsons.org
kingofska [at] gmail [dot] com
-------------------------------------------------------------------------------
);
if ($argc < 2) {
print_r(
Early release, please send bug report to help improving this script
--------------------------------------------------------------------------------
Usage: .$argv[0]. host [start_path][port][debug]
host: target server (ip/hostname)
path: path from which to start scanning, if none entered starts from /
port: port of the http server, default 80
Examples:
.$argv[0]. localhost /folder/script.php 81
--------------------------------------------------------------------------------
);
die;
}
$host= $argv[1]; // Insert the host site i.e. : www.website.com
$start_page = $argv[2]; // Insert the start page for the scan, if empty will start from index.*
$port = 80 ;
$additional_vars = array(id,page);
$locator = array("123",\;!--"
$debug = TRUE;
/** Compatibility for php < 5
* stripos() function made by rchillet at hotmail dot com
*
*/
if (!function_exists("stripos")) {
function stripos($str,$needle,$offset=0)
{
return strpos(strtolower($str),strtolower($needle),$offset);
}
}
/**
* Do not edit below unless you know what you do...
*/
$reqmade = 0 ;
$time_start = getmicrotime();
set_time_limit(0);
error_reporting(E_ERROR);
$checkedpages[]=;
$result[] = ;
$links[] = ;
$checkedlinks[] = ;
echo "Starting scan on $host:
Starting page: $start_page
";
$site_links = index_site();
$count = count($site_links);
echo "Starting to scan $count pages...
";
foreach($site_links as $cur){
echo "Testing: $cur
";
test_page($cur);
}
$time_end = getmicrotime();
$result[time] = substr($time_end - $time_start,0,4);
$result[connections] = $reqmade;
$result[scanned] = count($checkedpages);
echo "Report:";
foreach ($result[vuln] as $type=> $url){
echo "
$type vulnerability found:
";
$url = array_unique($url);
foreach($url as $cur){
echo "$cur
";
}
}
$server = get_server_info();
echo "
Additional infos:
";
echo "Site running on: ".$server[software]."
";
echo "Powered by: ".$server[powered]."
";
echo "Scan took ".$result[time]." seconds to scan ".$result[scanned]." pages using ".$result[connections]." connections
";
function index_site(){
global $start_page;
array($links);
$tmp = get_links($start_page,true);
foreach($tmp as $cur){
$tmp2 = get_links($cur,true);
$links = array_merge_recursive($links,$tmp2);
}
$links = array_unique(clean_array($links));
$links[] = $start_page;
sort($links);
return($links);
}
/**
* Testes a form using global vuln locator, both GET and POST method, and print result to screen
* @author KingOfSka
* @param array $form Form to test
* @return void
*/
function test_form($form){
$ret = ;
$tmp = ;
global $host,$port,$locator,$debug,$result ;
if($form[action][0] != / AND stripos($form[action],http://) === FALSE ){$form[action] = /.$form[action];}
if ($form[method] = get){
foreach($form[vars] as $current){
foreach($locator as $testing){
$testing = urlencode($testing);
$conn = fsockopen ("$host", $port, $errno, $errstr, 30);
if (!$conn) {
echo "$errstr ($errno)
";
} else {
if (!stripos(?,$data[action])){
$req = "GET ".$form[action]."?$current=$testing HTTP/1.0
Host: $host
Connection: Close
";
}else{
$req= "GET ".$form[action]."&$current=$testing HTTP/1.0
Host: $host
Connection: Close
";
}
if ($debug == TRUE){echo $req;}
fputs ($conn, $req);
while (!feof($conn)) {
$tmp .= fgets ($conn,128);
}
fclose ($conn);
do_test($tmp,$form[action],$current);
$tmp = ;
}
}
}
}else if ($form[method] = post){
foreach($form[vars] as $current){
foreach($locator as $testing){
$testing = urlencode($testing);
$conn = fsockopen ("$host", $port, $errno, $errstr, 30);
&nbs