#!/usr/bin/perl
# By 0xRoM
use strict;
use warnings;
use File::Find qw(find);
use File::Path qw(make_path);
use Getopt::Long;


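# ---------------------------------------------------------------------------
# Search table.  Every probe is a plain substring (the original grep patterns
# contained no regex metacharacters), so matching is done with index() in
# Perl and no shell, find or grep process is spawned: source paths, extensions
# and custom function names can no longer break the command line or be
# interpreted by it, and paths with spaces work.
# Each entry: [ heading, [ [ substring => result file ], ... ] ].
# A file is read once and every probe is run against each line, instead of
# one find+grep pipeline per probe and extension.
# ---------------------------------------------------------------------------
my @CHECKS = (
    [ 'Locating request vars' => [
        [ '_GET'     => 'request_vars_get.txt'     ],
        [ '_POST'    => 'request_vars_post.txt'    ],
        [ '_REQUEST' => 'request_vars_request.txt' ],
        [ '_FILES'   => 'request_vars_files.txt'   ],  # was appended to the _REQUEST file
        [ '_COOKIE'  => 'request_vars_cookie.txt'  ],
        [ '_SERVER'  => 'request_vars_server.txt'  ],
    ] ],
    [ 'Locating PHP object injection' => [
        [ 'unserialize(' => 'unserialize.txt' ],
    ] ],
    [ 'Locating SSRF' => [
        [ 'file_get_contents(' => 'ssrf.txt' ],
        [ 'fopen('             => 'ssrf.txt' ],
        [ 'fsockopen('         => 'ssrf.txt' ],
        [ 'curl_exec('         => 'ssrf.txt' ],
        [ 'parse_url('         => 'ssrf.txt' ],
    ] ],
    [ 'Locating command execution' => [
        [ 'exec('       => 'cmd_exec_exec.txt'       ],  # also hits shell_exec( / pcntl_exec(
        [ 'system('     => 'cmd_exec_system.txt'     ],
        [ 'passthru('   => 'cmd_exec_passthru.txt'   ],
        [ 'shell_exec(' => 'cmd_exec_shell_exec.txt' ],
        [ '`'           => 'cmd_exec_backtick.txt'   ],
        [ 'popen('      => 'cmd_exec_popen.txt'      ],
        [ 'proc_open('  => 'cmd_exec_proc_open.txt'  ],
        [ 'pcntl_exec(' => 'cmd_exec_pcntl_exec.txt' ],
        [ 'url_exec'    => 'cmd_exec_url_exec.txt'   ],
    ] ],
    [ 'Locating PHP code execution' => [
        [ 'eval('               => 'code_exec_eval.txt'               ],
        [ 'assert('             => 'code_exec_assert.txt'             ],
        [ 'preg_replace('       => 'code_exec_preg_replace.txt'       ],  # /e modifier eval()s the replacement
        [ 'create_function('    => 'code_exec_create_function.txt'    ],
        [ 'include('            => 'code_exec_include.txt'            ],
        [ 'include_once('       => 'code_exec_include.txt'            ],
        [ 'require('            => 'code_exec_require.txt'            ],
        [ 'require_once('       => 'code_exec_require.txt'            ],
        [ 'ReflectionFunction(' => 'code_exec_reflectionfunction.txt' ],
    ] ],
    [ 'Locating PHP info disclosure' => [
        [ 'phpinfo('          => 'info_disclosure_phpinfo.txt'          ],
        [ 'posix_mkfifo('     => 'info_disclosure_posix_mkfifo.txt'     ],
        [ 'posix_getlogin('   => 'info_disclosure_posix_getlogin.txt'   ],
        [ 'posix_ttyname('    => 'info_disclosure_posix_ttyname.txt'    ],
        [ 'getenv('           => 'info_disclosure_getenv.txt'           ],  # now appended, not truncated per extension
        [ 'get_current_user(' => 'info_disclosure_get_current_user.txt' ],
        [ 'proc_get_status('  => 'info_disclosure_proc_get_status.txt'  ],
        [ 'get_cfg_var('      => 'info_disclosure_get_cfg_var.txt'      ],
        [ 'disk_free_space('  => 'info_disclosure_disk_space.txt'       ],
        [ 'disk_total_space(' => 'info_disclosure_disk_space.txt'       ],
        [ 'diskfreespace('    => 'info_disclosure_disk_space.txt'       ],
        [ 'getcwd('           => 'info_disclosure_getcwd.txt'           ],
        [ 'getlastmod('       => 'info_disclosure_getlastmod.txt'       ],  # was 'getlastmo(' which never matched
        [ 'getmygid('         => 'info_disclosure_getmygid.txt'         ],
        [ 'getmyinode('       => 'info_disclosure_getmyinode.txt'       ],
        [ 'getmypid('         => 'info_disclosure_getids.txt'           ],
        [ 'getmyuid('         => 'info_disclosure_getids.txt'           ],
        [ 'show_source('      => 'info_disclosure_show_source.txt'      ],
        [ 'escapeshellarg('   => 'info_disclosure_escape_shell.txt'     ],
        [ 'escapeshellcmd('   => 'info_disclosure_escape_shell.txt'     ],
    ] ],
    [ 'Locating PHP undesirable functions' => [
        [ 'extract('        => 'undesirable_extract.txt'      ],
        [ 'parse_str('      => 'undesirable_parse_str.txt'    ],
        [ 'putenv('         => 'undesirable_putenv.txt'       ],
        [ 'ini_set('        => 'undesirable_ini_set.txt'      ],
        [ 'mail('           => 'undesirable_mail.txt'         ],
        [ 'header('         => 'undesirable_header.txt'       ],
        [ 'proc_nice('      => 'undesirable_proc.txt'         ],
        [ 'proc_terminate(' => 'undesirable_proc.txt'         ],
        [ 'proc_close('     => 'undesirable_proc.txt'         ],
        [ 'fsockopen('      => 'undesirable_sockets.txt'      ],
        [ 'preg_replace('   => 'undesirable_preg_replace.txt' ],
    ] ],
    [ 'Locating PHP filesystem functions' => [
        [ 'fopen('              => 'filesystem_fopen.txt'              ],
        [ 'tmpfile('            => 'filesystem_tmpfile.txt'            ],
        [ 'bzopen('             => 'filesystem_bzopen.txt'             ],
        [ 'gzopen('             => 'filesystem_gzopen.txt'             ],
        [ 'copy('               => 'filesystem_copy.txt'               ],
        [ 'file_put_contents('  => 'filesystem_file_put_contents.txt'  ],
        [ 'file_get_contents('  => 'filesystem_file_get_contents.txt'  ],
        [ 'move_uploaded_file(' => 'filesystem_move_uploaded_file.txt' ],  # was 'move_uploaded_files(' (no such PHP function)
        [ 'rename('             => 'filesystem_rename.txt'             ],
        [ 'symlink('            => 'filesystem_symlink.txt'            ],
        [ 'touch('              => 'filesystem_touch.txt'              ],
        [ 'readfile('           => 'filesystem_readfile.txt'           ],
        [ 'readlink('           => 'filesystem_readlink.txt'           ],
        [ 'gzfile('             => 'filesystem_gzfile.txt'             ],
        [ 'readgzfile('         => 'filesystem_readgzfile.txt'         ],
        [ 'exif_read_data('     => 'filesystem_exif_data.txt'          ],
        [ 'read_exif_data('     => 'filesystem_exif_data.txt'          ],
        [ 'get_meta_tags('      => 'filesystem_exif_data.txt'          ],
    ] ],
);

# Options are parsed before the positional arguments are read, so both
# "-x css src dest" and "src dest -x css" work (the original took the last two
# raw arguments before GetOptions ran, and treated "-t src" as src/dest).
my $ext_opt   = '';
my $fnc_opt   = '';
my $filetypes = 0;
my $opts_ok   = GetOptions(
    'x=s' => \$ext_opt,
    'f=s' => \$fnc_opt,
    't'   => \$filetypes,
);
if (!$opts_ok || @ARGV < 2) {
    print "PwnFind Usage: $0 [options] </local/path/to/src> <FolderNameToStoreResults>\n";
    print "         -- OPTIONS --\n";
    print "-x [css,html,php5]               Check following extensions as well as .php\n";
    print "-f [function1,function2]         Add custom functions to search criteria\n";
    print "-t                               List file extensions in directory\n";
    exit(-1);
}

my ($src, $dest_name) = @ARGV[-2, -1];    # last two positionals, as before
my $dest = "pwnfind_results/$dest_name";

# .php is always scanned; -x adds more.  Empty fields ("php,,html") and
# duplicates ("-x php") are dropped.
my @extvals = _uniq('php', grep { length } split /,/, $ext_opt);
my @extfncs = _uniq(grep { length } split /,/, $fnc_opt);

-d $src or die "Source directory not found: $src\n";

if ($filetypes) {
    print "[+] Finding extensions in: $src\n";
    # Same reduction as the old "sed 's/.*\.//' | sort | uniq -c": everything
    # up to the last dot of the path is stripped, so dot-less paths show whole.
    my %count_of;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $_;
        (my $suffix = $_) =~ s{ \A .* \. }{}xms;
        $count_of{$suffix}++;
    } }, $src);
    printf "%7d %s\n", $count_of{$_}, $_ for sort keys %count_of;
    exit 0;
}

# Refuse to append into an existing result set; make_path also creates the
# pwnfind_results/ parent (a plain mkdir failed when it was missing) and dies
# with the OS error on failure.
die "Unable to create $dest: already exists\n" if -e $dest;
make_path($dest);

print "[i] Scanning for issues in: $src\n";
print "[i] Storing results in: $dest\n";
print "[i] Filetypes to look in: ", join(', ', @extvals), "\n";
print "[i] Extra functions to find: ", join(', ', @extfncs), "\n";

# Custom functions become one extra category each.  The name is matched
# literally; for the result file name anything outside [A-Za-z0-9_] is mapped
# to '_' so it cannot introduce a path component.
my @checks = @CHECKS;
for my $fnc (@extfncs) {
    (my $safe = $fnc) =~ s/\W/_/g;
    push @checks, [ "Locating custom function $fnc()" => [ [ "$fnc(" => "custom_func_$safe.txt" ] ] ];
}

# Result files are opened on the first hit and appended to across extensions,
# so no empty files are created and no clean-up pass is needed.
my %fh_of;
my $record = sub {
    my ($outfile, $path, $lineno, $line) = @_;
    if (!$fh_of{$outfile}) {
        open my $fh, '>>', "$dest/$outfile" or die "open $dest/$outfile: $!";
        $fh_of{$outfile} = $fh;
    }
    chomp $line;
    print { $fh_of{$outfile} } "$path:$lineno:$line\n";    # same shape as grep -n
    return;
};

for my $tryext (@extvals) {
    print "[+] Extension: .$tryext\n";
    print "         $_->[0]\n" for @checks;
    my $suffix     = ".$tryext";
    my $suffix_len = length $suffix;
    find({ no_chdir => 1, wanted => sub {
        my $path = $_;
        return unless -f $path
            && length($path) >= $suffix_len
            && substr($path, -$suffix_len) eq $suffix;    # find -name '*.ext'
        _scan_file($path, \@checks, $record);
    } }, $src);
}

# Buffered write errors only surface at close, so check each handle.
for my $outfile (sort keys %fh_of) {
    close $fh_of{$outfile} or die "close $dest/$outfile: $!";
}

# Read one file once and run every probe of every category against each line.
# $record is called with (result file, path, line number, line) per hit.
sub _scan_file {
    my ($path, $checks, $record) = @_;
    open my $in, '<', $path or do { warn "[!] Skipping $path: $!\n"; return };
    while (my $line = <$in>) {
        for my $category (@$checks) {
            for my $probe (@{ $category->[1] }) {
                my ($needle, $outfile) = @$probe;
                $record->($outfile, $path, $., $line) if index($line, $needle) >= 0;
            }
        }
    }
    close $in;
    return;
}

# Order-preserving de-duplication of a list of strings.
sub _uniq {
    my %seen;
    return grep { !$seen{$_}++ } @_;
}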