#!/usr/bin/php -q #!/usr/bin/php -q
* Php Vulnerability Scanner by KingOfSka @ http://www.contropoterecrew.org
* still very early release, just for testing and coding purpose :)
* Changelog:
* 12/09/06 Version 0.1 : First "working" version, should work on "almost" site, report any bug to help me :)
* 25/09/06 0.2 : Better crawling, less bandwidth/resource usage, speed improved, better vuln finding code
Php Vulnerability Scanner by KingOfska @ http://contropotere.netsons.org
kingofska [at] gmail [dot] com
// Usage banner, printed when no host argument is given. In this copy the
// echo/string delimiters around the banner text are missing (and presumably
// an exit after it), so the lines below read as bare text; treat them as the
// intended help message rather than executable code.
if ($argc < 2) {
Early release, please send bug report to help improving this script
Usage: .$argv[0]. host [start_path][port][debug]
host: target server (ip/hostname)
path: path from which to start scanning, if none entered starts from /
port: port of the http server, default 80
.$argv[0]. localhost /folder/script.php 81
$host= $argv[1]; // Insert the host site i.e. : www.website.com
// NOTE(review): only $argc < 2 is checked above, so when exactly one argument
// is given $argv[2] is unset here and $start_page becomes null with a warning.
$start_page = $argv[2]; // Insert the start page for the scan, if empty will start from index.*
// Hard-coded; the optional [port] argument described in the usage text is
// never read anywhere in this copy.
$port = 80 ;
// Extra parameter names to probe. Written as bare words (id, page), which PHP
// treats as undefined constants: a notice on PHP 7 and a fatal Error on PHP 8 -
// they need to be quoted strings.
$additional_vars = array(id,page);
// Values that test_form() URL-encodes and submits as each form variable; the
// literal is truncated/garbled in this copy.
$locator = array("123",\;!--"
// When TRUE, test_form() echoes each raw HTTP request it builds.
$debug = TRUE;
/** Compatibility for php < 5
* stripos() function made by rchillet at hotmail dot com
if (!function_exists("stripos")) {
    /**
     * Polyfill for stripos() on PHP releases that lack it (pre-5.0):
     * a case-insensitive strpos() done by lower-casing both operands.
     * Only declared when the builtin is absent, so on modern PHP this
     * block defines nothing.
     *
     * @param string $str    haystack
     * @param string $needle substring to find
     * @param int    $offset byte offset to start searching from
     * @return int|false byte position of the first match, or false
     */
    function stripos($str, $needle, $offset = 0)
    {
        $haystack = strtolower($str);
        $sought = strtolower($needle);
        return strpos($haystack, $sought, $offset);
    }
}
* Do not edit below unless you know what you do...
/*
 * Main driver. Crawls the target from $start_page via index_site(), tests
 * each discovered page (the per-page test call inside the loop is missing
 * from this copy), then prints timing, connection count and the URLs
 * collected in $result[vuln] together with the server banner.
 * Depends on getmicrotime(), get_server_info(), clean_array() and the
 * test routines, none of which are visible here.
 */
$reqmade = 0 ;  // presumably incremented per connection in test_form() - confirm
$time_start = getmicrotime();  // getmicrotime() is not defined in this copy
// NOTE(review): "$x[] = ;" is a syntax error as shown - the right-hand side
// was lost in this copy; an empty string or array() is the likely original.
$result[] = ;
$links[] = ;
$checkedlinks[] = ;
echo "Starting scan on $host:
Starting page: $start_page
// index_site() (below) returns the crawled link set.
$site_links = index_site();
$count = count($site_links);
echo "Starting to scan $count pages...
// Per-page test loop; only the progress line survives in this copy.
foreach($site_links as $cur){
echo "Testing: $cur
// Elapsed seconds, truncated to four characters by substr() rather than rounded.
$time_end = getmicrotime();
// NOTE(review): time, connections, scanned and vuln are bare-word keys here;
// PHP 8 throws an Error for undefined constants, so quote them.
$result[time] = substr($time_end - $time_start,0,4);
$result[connections] = $reqmade;
// NOTE(review): $checkedpages is never assigned in this copy; the accumulator
// initialised above is $checkedlinks, so this is count(null): 0 with a
// warning on PHP 7, a TypeError on PHP 8.
$result[scanned] = count($checkedpages);
echo "Report:";
// $result[vuln] is expected to map a finding type to the list of URLs where
// it was observed; the code that fills it is not in this copy.
foreach ($result[vuln] as $type=> $url){
echo "
$type vulnerability found:
$url = array_unique($url);  // collapse duplicate findings before printing
foreach($url as $cur){
echo "$cur
// Server header values. These presumably come from the target's HTTP response
// (per the helper's name - confirm) and are echoed to the terminal unfiltered,
// so a hostile server can place arbitrary bytes, including terminal escape
// sequences, in this output.
$server = get_server_info();
echo "
Additional infos:
echo "Site running on: ".$server[software]."
echo "Powered by: ".$server[powered]."
echo "Scan took ".$result[time]." seconds to scan ".$result[scanned]." pages using ".$result[connections]." connections
/**
 * Crawls two levels out from the start page: the links found on $start_page,
 * plus the links found on each of those pages, merged, passed through
 * clean_array() (not visible here) and de-duplicated. The start page itself
 * is appended last. The closing braces and the return statement are missing
 * from this copy.
 *
 * NOTE(review): $links is merged into before it is ever assigned, so the first
 * array_merge_recursive() call receives null - a warning on PHP 7 and a
 * TypeError on PHP 8; initialise it to array() before the loop.
 *
 * @return array crawled URLs (presumed; no return survives in this copy)
 */
function index_site(){
global $start_page;
$tmp = get_links($start_page,true);  // get_links() is defined elsewhere; the meaning of its second argument is not visible here
foreach($tmp as $cur){
$tmp2 = get_links($cur,true);
$links = array_merge_recursive($links,$tmp2);
$links = array_unique(clean_array($links));
$links[] = $start_page;
* Tests a form using the global vuln locator, with both the GET and POST method, and prints the result to screen
* @author KingOfSka
* @param array $form Form to test
* @return void
function test_form($form){
$ret = ;
$tmp = ;
global $host,$port,$locator,$debug,$result ;
if($form[action][0] != / AND tripos($form[action],http://) === FALSE ){$form[action] = /.$form[action];}
if ($form[method] = get){
foreach($ form[vars] as $current){
foreach($locator as $testing){
$testing = urlencode($testing);
$conn = fsockopen ("$host", $port, $errno, $errstr, 30 );
if (!$conn) {
echo "$errstr ($errno)
} else {
if (!stripos(?,$data[action])){
$req = "GET ".$form[action]."?$current=$testing HTTP/1.0
ホスト: $host
接続: 閉じる
$req= "GET ".$form[action]."&$current=$testing HTTP/1.0
ホスト: $host
接続: 閉じる
if ($debug == TRUE){echo $req;}
fputs ($conn, $req);
while (!feof($conn)) {
$tmp .= fgets ($conn, 128);
fclose ($conn);
do_test($tmp,$form[action], $current);
$tmp = ;
foreach($form[vars] as $current){
foreach($locator as $testing){
$testing = urlencode($testing);
$conn = fsockopen ("$host", $port, $errno, $errstr, 30);