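#!/usr/bin/perl
# PwnFind -- By 0xRoM
#
# Walks a PHP source tree, records every line that mentions a request
# source (_GET, _POST, ...) or a risky sink (exec(, unserialize(, ...)
# and writes one "path:line:text" result file per sink into
# pwnfind_results/<name>.  Empty result files are removed at the end.
#
# The previous version built `find $src ... | xargs grep ... >> $dest/...`
# command strings with the user's paths and option values interpolated
# and handed them to a shell.  This version does the walk and the match
# in Perl, so no argument is ever interpreted by a shell, and each source
# file is read once instead of once per pattern.

use strict;
use warnings;
use Getopt::Long;
use File::Basename qw(basename);
use File::Find;
use File::Path qw(make_path);

# Every needle is matched as a literal substring (the originals were plain
# grep strings with no regex metacharacters).  Result file names are kept
# byte-for-byte from the previous version, including the historical
# 'reuest' spelling, so tooling that reads pwnfind_results/ keeps working.
# Each check: [ needle, result file ].  Results are always appended, so a
# later extension can no longer truncate an earlier extension's hits.
my @CHECKS = (
    [ 'Locating request vars' => [
        [ '_GET',     'request_vars_get.txt' ],
        [ '_POST',    'request_vars_post.txt' ],
        [ '_REQUEST', 'request_vars_reuest.txt' ],
        [ '_FILES',   'request_vars_reuest.txt' ],
        [ '_COOKIE',  'request_vars_cookie.txt' ],
        [ '_SERVER',  'request_vars_server.txt' ],
    ] ],
    [ 'Locating PHP object injection' => [
        [ 'unserialize(', 'unserialize.txt' ],
    ] ],
    [ 'Locating SSRF' => [
        [ 'file_get_contents(', 'ssrf.txt' ],
        [ 'fopen(',             'ssrf.txt' ],
        [ 'fsockopen(',         'ssrf.txt' ],
        [ 'curl_exec(',         'ssrf.txt' ],
        [ 'parse_url(',         'ssrf.txt' ],
    ] ],
    [ 'Locating command execution' => [
        [ 'exec(',       'cmd_exec_exec.txt' ],
        [ 'system(',     'cmd_exec_system.txt' ],
        [ 'passthru(',   'cmd_exec_passthru.txt' ],
        [ 'shell_exec(', 'cmd_exec_shell_exec.txt' ],
        [ '`',           'cmd_exec_backtick.txt' ],
        [ 'popen(',      'cmd_exec_popen.txt' ],
        [ 'proc_open(',  'cmd_exec_proc_open.txt' ],
        [ 'pcntl_exec(', 'cmd_exec_pcntl_exec.txt' ],
        [ 'url_exec',    'cmd_exec_url_exec.txt' ],
    ] ],
    [ 'Locating PHP code execution' => [
        [ 'eval(',               'code_exec_eval.txt' ],
        [ 'assert(',             'code_exec_assert.txt' ],
        [ 'preg_replace(',       'code_exec_preg_replace.txt' ],   # /e modifier eval()s the replacement
        [ 'create_function(',    'code_exec_create_function.txt' ],
        [ 'include(',            'code_exec_include.txt' ],
        [ 'include_once(',       'code_exec_include.txt' ],
        [ 'require(',            'code_exec_require.txt' ],
        [ 'require_once(',       'code_exec_require.txt' ],
        [ 'ReflectionFunction(', 'code_exec_reflectionfunction.txt' ],
    ] ],
    [ 'Locating PHP info disclosure' => [
        [ 'phpinfo(',          'info_disclosure_phpinfo.txt' ],
        [ 'posix_mkfifo(',     'info_disclosure_posix_mkfifo.txt' ],
        [ 'posix_getlogin(',   'info_disclosure_posix_getlogin.txt' ],
        [ 'posix_ttyname(',    'info_disclosure_posix_ttyname.txt' ],
        [ 'getenv(',           'info_disclosure_getenv.txt' ],
        [ 'get_current_user(', 'info_disclosure_get_current_user.txt' ],
        [ 'proc_get_status(',  'info_disclosure_proc_get_status.txt' ],
        [ 'get_cfg_var(',      'info_disclosure_get_cfg_var.txt' ],
        [ 'disk_free_space(',  'info_disclosure_disk_space.txt' ],
        [ 'disk_total_space(', 'info_disclosure_disk_space.txt' ],
        [ 'diskfreespace(',    'info_disclosure_disk_space.txt' ],
        [ 'getcwd(',           'info_disclosure_getcwd.txt' ],
        [ 'getlastmod(',       'info_disclosure_getlastmo.txt' ],   # needle was 'getlastmo(' and never matched
        [ 'getmygid(',         'info_disclosure_getmygid.txt' ],
        [ 'getmyinode(',       'info_disclosure_getmyinode.txt' ],
        [ 'getmypid(',         'info_disclosure_getids.txt' ],
        [ 'getmyuid(',         'info_disclosure_getids.txt' ],
        [ 'show_source(',      'info_disclosure_show_source.txt' ],
        [ 'escapeshellarg(',   'info_disclosure_escape_shell.txt' ],
        [ 'escapeshellcmd(',   'info_disclosure_escape_shell.txt' ],
    ] ],
    [ 'Locating PHP undesirable functions' => [
        [ 'extract(',        'undesirable_extract.txt' ],
        [ 'parse_str(',      'undesirable_parse_str.txt' ],
        [ 'putenv(',         'undesirable_putenv.txt' ],
        [ 'ini_set(',        'undesirable_ini_set.txt' ],
        [ 'mail(',           'undesirable_mail.txt' ],
        [ 'header(',         'undesirable_header.txt' ],
        [ 'proc_nice(',      'undesirable_proc.txt' ],
        [ 'proc_terminate(', 'undesirable_proc.txt' ],
        [ 'proc_close(',     'undesirable_proc.txt' ],
        [ 'fsockopen(',      'undesirable_sockets.txt' ],
        [ 'preg_replace(',   'undesirable_preg_replace.txt' ],
    ] ],
    [ 'Locating PHP filesystem functions' => [
        [ 'fopen(',              'filesystem_fopen.txt' ],
        [ 'tmpfile(',            'filesystem_tmpfile.txt' ],
        [ 'bzopen(',             'filesystem_fbzopen.txt' ],
        [ 'gzopen(',             'filesystem_gzopen.txt' ],
        [ 'copy(',               'filesystem_copy.txt' ],
        [ 'file_put_contents(',  'filesystem_file_put_contents.txt' ],
        [ 'file_get_contents(',  'filesystem_file_get_contents.txt' ],
        [ 'move_uploaded_file(', 'filesystem_move_uploaded_files.txt' ],   # needle was 'move_uploaded_files(' (not a PHP function)
        [ 'rename(',             'filesystem_rename.txt' ],
        [ 'symlink(',            'filesystem_symlink.txt' ],
        [ 'touch(',              'filesystem_touch.txt' ],
        [ 'readfile(',           'filesystem_readfile.txt' ],
        [ 'readlink(',           'filesystem_readlink.txt' ],
        [ 'gzfile(',             'filesystem_gzfile.txt' ],
        [ 'readgzfile(',         'filesystem_readgzfile.txt' ],
        [ 'exif_read_data(',     'filesystem_exif_data.txt' ],
        [ 'read_exif_data(',     'filesystem_exif_data.txt' ],
        [ 'get_meta_tags(',      'filesystem_exif_data.txt' ],
    ] ],
);

# Print the usage text and exit with the historical -1 status.
sub usage {
    print "PwnFind Usage: $0 [options] </local/path/to/src> <FolderNameToStoreResults>\n";
    print " -- OPTIONS --\n";
    print "-x [css,html,php5] Check following extensions as well as .php\n";
    print "-f [function1,function2] Add custom functions to search criteria\n";
    print "-t List file extensions in directory\n";
    exit(-1);
}

# Parse @ARGV.  Options may appear before or after the two positionals.
# Returns ($src, $dest, \@extensions, \@custom_functions, $list_only);
# $dest is undef when only -t and a source path were given.
sub parse_args {
    my ($ext_opt, $fnc_opt, $list_only) = ('', '', 0);
    GetOptions(
        'x=s' => \$ext_opt,
        'f=s' => \$fnc_opt,
        't'   => \$list_only,
    ) or usage();

    # -t only needs the source path; a scan needs the result folder too.
    usage() unless @ARGV == 2 or ($list_only and @ARGV == 1);
    my ($src, $name) = @ARGV;

    my $dest;
    if (defined $name) {
        # The result folder is always placed under pwnfind_results/; refuse
        # names that would step outside it.
        die "Result folder name must be a plain name, not a path: $name\n"
            if $name eq '' or $name eq '.' or $name eq '..' or $name =~ m{[/\\]};
        $dest = "pwnfind_results/$name";
    }

    # .php is always scanned; drop empty and duplicate extensions so a
    # file is never scanned (and its hits appended) twice.
    my %seen;
    my @exts = grep { length && !$seen{$_}++ } ('php', split /,/, $ext_opt);
    my @fncs = grep { length } split /,/, $fnc_opt;

    return ($src, $dest, \@exts, \@fncs, $list_only);
}

# -t: count files per extension.  Mirrors the old
# `find -type f | sed 's/.*\.//' | sort | uniq -c` pipeline, i.e. the
# "extension" is whatever follows the last dot in the full path.
sub list_extensions {
    my ($src) = @_;
    print "[+] Finding extensions in: $src\n";
    my %count_of;
    find({
        no_chdir => 1,
        wanted   => sub {
            return unless -f $_;
            (my $ext = $_) =~ s{.*\.}{};
            $count_of{$ext}++;
        },
    }, $src);
    printf "%7d %s\n", $count_of{$_}, $_ for sort keys %count_of;
    return;
}

# Regular files under $src whose basename ends in ".$ext" (what
# `find $src -name "*.$ext"` selected), sorted for deterministic output.
sub find_files_with_ext {
    my ($src, $ext) = @_;
    my @files;
    find({
        no_chdir => 1,
        wanted   => sub {
            push @files, $_ if -f $_ && basename($_) =~ /\.\Q$ext\E\z/;
        },
    }, $src);
    return sort @files;
}

# Map an arbitrary custom function name onto a safe result file name.
sub safe_name {
    my ($name) = @_;
    (my $safe = $name) =~ s/[^\w.-]/_/g;
    return $safe;
}

# Append handle for "$dest/$file", opened on first use so that result
# files exist only for sinks that actually matched.
sub out_handle {
    my ($fh_for, $dest, $file) = @_;
    unless (exists $fh_for->{$file}) {
        open my $fh, '>>:raw', "$dest/$file" or die "open $dest/$file: $!\n";
        $fh_for->{$file} = $fh;
    }
    return $fh_for->{$file};
}

# Read $path once and, for every line containing a needle, append
# "path:lineno:line" (the `grep -n` layout) to that needle's result file.
sub scan_file {
    my ($path, $items, $fh_for, $dest) = @_;
    open my $in, '<:raw', $path or do { warn "skip $path: $!\n"; return };
    my $lineno = 0;
    while (my $line = <$in>) {
        $lineno++;
        chomp $line;
        for my $item (@$items) {
            my ($needle, $file) = @$item;
            next if index($line, $needle) < 0;
            print { out_handle($fh_for, $dest, $file) } "$path:$lineno:$line\n";
        }
    }
    close $in;
    return;
}

# Delete zero-length result files (the old `find -size 0 | xargs rm`).
# Callers must have closed all result handles first so sizes are final.
sub remove_empty_files {
    my ($dest) = @_;
    opendir my $dh, $dest or die "opendir $dest: $!\n";
    for my $entry (readdir $dh) {
        my $path = "$dest/$entry";
        next unless -f $path && -z $path;
        unlink $path or warn "unlink $path: $!\n";
    }
    closedir $dh;
    return;
}

my ($src, $dest, $exts, $fncs, $list_only) = parse_args();
-d $src or die "Source directory does not exist: $src\n";

if ($list_only) {
    list_extensions($src);
    exit 0;    # listing succeeded (previously exited -1 here too)
}

# Keep the "refuse to reuse a result folder" behaviour of the old mkdir,
# but create the parent pwnfind_results/ so a fresh checkout works.
make_path('pwnfind_results');
mkdir $dest or die "Unable to create $dest\n";

print "[i] Scanning for issues in: $src\n";
print "[i] Storing results in: $dest\n";
print "[i] Filetypes to look in: ", join(', ', @$exts), "\n";
print "[i] Extra functions to find: ", join(', ', @$fncs), "\n";
print "[i] Checks: ", join('; ', map { $_->[0] } @CHECKS), "\n";

my @items = map { @{ $_->[1] } } @CHECKS;
push @items, map { [ "$_(", 'custom_func_' . safe_name($_) . '.txt' ] } @$fncs;

my %fh_for;
for my $ext (@$exts) {
    print "[+] Extension: .$ext\n";
    my @files = find_files_with_ext($src, $ext);
    print "  ", scalar(@files), " file(s)\n";
    scan_file($_, \@items, \%fh_for, $dest) for @files;
}

# Buffered writes surface errors at close; flush before sizing the files.
for my $file (sort keys %fh_for) {
    close $fh_for{$file} or die "close $dest/$file: $!\n";
}

print "[+] Removing empty files\n";
remove_empty_files($dest);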