diff --git a/pwnfind.pl b/pwnfind.pl
new file mode 100755
index 0000000..6e72ed2
--- /dev/null
+++ b/pwnfind.pl
@@ -0,0 +1,167 @@
+#!/usr/bin/perl
+# By NaN
+use strict;
+use warnings;
+use Getopt::Long;
+
+
+if($#ARGV < 1){
+ print "PwnFind Usage: $0 [options] \n";
+ print " -- OPTIONS --\n";
+ print "-x [css,html,php5] Check following extensions as well as .php\n";
+ print "-f [function1,function2] Add custom functions to search criteria\n";
+ print "-t List file extensions in directory\n";
+ exit(-1);
+}else{
+ my $src = "";
+ my $dest = "";
+ my $ext = "php";
+ my $fnc = "";
+ my $filetypes;
+
+ if($#ARGV <= 1){
+ $src = $ARGV[0];
+ $dest = "pwnfind_results/".$ARGV[1];
+ $ext = "php";
+ }else{
+ my $counter = 0;
+ foreach my $a(@ARGV) {
+ $counter++;
+ }
+
+ $src = $ARGV[$counter-2];
+ $dest = "pwnfind_results/".$ARGV[$counter-1];
+ $ext = '';
+ $fnc = '';
+ GetOptions('x=s' => \$ext,
+ 'f=s' => \$fnc,
+ 't' => \$filetypes,
+ );
+ $ext = "php,".$ext;
+ }
+ my @extvals = split(',', $ext);
+ my @extfncs = split(',', $fnc);
+
+ if($filetypes){
+ print "[+] Finding extensions in: $src\n";
+ system("find $src -type f | sed 's\/.*\\.\/\/' | sort | uniq -c");
+ exit(-1);
+ }
+
+ unless(mkdir $dest) {
+ die "Unable to create $dest\n";
+ }
+
+ print "[i] Scanning for issues in: $src\n";
+ print "[i] Storing results in: $dest\n";
+ print "[i] Filetypes to look in: ";
+ foreach my $tryext (@extvals) {
+ print "$tryext, ";
+ }
+ print "\n";
+ print "[i] Extra functions to find: ";
+ foreach my $tryfnc (@extfncs) {
+ print "$tryfnc, ";
+ }
+ print "\n";
+
+ foreach my $tryext (@extvals) {
+ print "[+] Extension: .$tryext\n";
+ print " Locating request vars\n";
+ system("find $src -name '*.$tryext' -print | xargs grep -n '_GET' >> $dest/request_vars_get.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n '_POST' >> $dest/request_vars_post.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n '_REQUEST' >> $dest/request_vars_reuest.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n '_FILES' >> $dest/request_vars_reuest.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n '_COOKIE' >> $dest/request_vars_cookie.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n '_SERVER' >> $dest/request_vars_server.txt");
+
+ print " Locating PHP object injection\n";
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'unserialize(' >> $dest/unserialize.txt");
+
+ print " Locating command execution\n";
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'exec(' >> $dest/cmd_exec_exec.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'system(' >> $dest/cmd_exec_system.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'passthru(' >> $dest/cmd_exec_passthru.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'shell_exec(' >> $dest/cmd_exec_shell_exec.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n '`' >> $dest/cmd_exec_backtick.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'popen(' >> $dest/cmd_exec_popen.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'proc_open(' >> $dest/cmd_exec_proc_open.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'pcntl_exec(' >> $dest/cmd_exec_pcntl_exec.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'url_exec' >> $dest/cmd_exec_url_exec.txt");
+
+ print " Locating PHP code execution\n";
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'eval(' >> $dest/code_exec_eval.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'assert(' >> $dest/code_exec_assert.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'preg_replace(' >> $dest/code_exec_preg_replace.txt"); # /e does eval() on match
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'create_function(' >> $dest/code_exec_create_function.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'include(' >> $dest/code_exec_include.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'include_once(' >> $dest/code_exec_include.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'require(' >> $dest/code_exec_require.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'require_once(' >> $dest/code_exec_require.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'ReflectionFunction(' >> $dest/code_exec_reflectionfunction.txt");
+
+ print " Locating PHP info disclosure\n";
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'phpinfo(' >> $dest/info_disclosure_phpinfo.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'posix_mkfifo(' >> $dest/info_disclosure_posix_mkfifo.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'posix_getlogin(' >> $dest/info_disclosure_posix_getlogin.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'posix_ttyname(' >> $dest/info_disclosure_posix_ttyname.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'getenv(' > $dest/info_disclosure_getenv.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'get_current_user(' >> $dest/info_disclosure_get_current_user.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'proc_get_status(' >> $dest/info_disclosure_proc_get_status.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'get_cfg_var(' > $dest/info_disclosure_get_cfg_var.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'disk_free_space(' >> $dest/info_disclosure_disk_space.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'disk_total_space(' >> $dest/info_disclosure_disk_space.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'diskfreespace(' >> $dest/info_disclosure_disk_space.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'getcwd(' > $dest/info_disclosure_getcwd.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'getlastmo(' >> $dest/info_disclosure_getlastmo.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'getmygid(' >> $dest/info_disclosure_getmygid.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'getmyinode(' >> $dest/info_disclosure_getmyinode.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'getmypid(' >> $dest/info_disclosure_getids.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'getmyuid(' >> $dest/info_disclosure_getids.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'show_source(' >> $dest/info_disclosure_show_source.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'escapeshellarg(' >> $dest/info_disclosure_escape_shell.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'escapeshellcmd(' >> $dest/info_disclosure_escape_shell.txt");
+
+ print " Locating PHP undesirable functions\n";
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'extract(' >> $dest/undesirable_extract.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'parse_str(' >> $dest/undesirable_parse_str.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'putenv(' >> $dest/undesirable_putenv.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'ini_set(' >> $dest/undesirable_ini_set.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'mail(' >> $dest/undesirable_mail.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'header(' >> $dest/undesirable_header.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'proc_nice(' >> $dest/undesirable_proc.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'proc_terminate(' >> $dest/undesirable_proc.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'proc_close(' >> $dest/undesirable_proc.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'fsockopen(' >> $dest/undesirable_sockets.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'preg_replace(' >> $dest/undesirable_preg_replace.txt");
+
+ print " Locating PHP filesystem functions\n";
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'fopen(' >> $dest/filesystem_fopen.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'tmpfile(' >> $dest/filesystem_tmpfile.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'bzopen(' >> $dest/filesystem_fbzopen.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'gzopen(' >> $dest/filesystem_gzopen.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'copy(' >> $dest/filesystem_copy.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'file_put_contents(' >> $dest/filesystem_file_put_contents.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'file_get_contents(' >> $dest/filesystem_file_get_contents.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'move_uploaded_files(' >> $dest/filesystem_move_uploaded_files.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'rename(' >> $dest/filesystem_rename.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'symlink(' >> $dest/filesystem_symlink.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'touch(' >> $dest/filesystem_touch.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'readfile(' >> $dest/filesystem_readfile.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'readlink(' >> $dest/filesystem_readlink.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'gzfile(' >> $dest/filesystem_gzfile.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'readgzfile(' >> $dest/filesystem_readgzfile.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'exif_read_data(' >> $dest/filesystem_exif_data.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'read_exif_data(' >> $dest/filesystem_exif_data.txt");
+ system("find $src -name '*.$tryext' -print | xargs grep -n 'get_meta_tags(' >> $dest/filesystem_exif_data.txt");
+
+ foreach my $tryfnc (@extfncs) {
+ print " Locating custom function $tryfnc()\n";
+ system("find $src -name '*.$tryext' -print | xargs grep -n '$tryfnc(' >> $dest/custom_func_$tryfnc.txt");
+ }
+ }
+
+ print "[+] Removing empty files\n";
+ system("find $dest -size 0 -print0 |xargs -0 rm");
+}
+
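Review bot: Every `system("find $src -name '*.$tryext' -print | xargs grep -n '...' >> $dest/...")` call hands `$src`, `$dest`, `$tryext` and the `-f` value `$tryfnc` to a shell as one string, and the `find -print | xargs` pipe is newline-delimited, so a scanned tree whose paths contain whitespace or shell metacharacters either breaks the scan or runs something other than grep; the calls should go through one helper that starts `find` and `grep` with list-form `open '-|'` (sketched below), and `$tryfnc` should be checked before it reaches both the grep pattern and the output file name, `die "bad function name: $tryfnc\n" unless $tryfnc =~ /\A\w+\z/;`. Separately, the `getenv(`, `get_cfg_var(` and `getcwd(` lines redirect with `>` instead of `>>`, so inside the `foreach my $tryext (@extvals)` loop each later extension overwrites the results the earlier ones wrote. `mkdir $dest` is not recursive, so the script dies with `Unable to create` unless `pwnfind_results/` already exists; `File::Path::make_path` (core) would create both levels. None of the `system` return values are checked, so a missing `find` or `grep` leaves empty result files that the final `-size 0` pass then silently deletes.
```perl
# Append every line containing the fixed string $pattern in *.$ext files
# below $src to $outfile. find and grep are started with list-form open,
# so $src, $pattern and the scanned file names are never parsed by a
# shell; -exec ... {} + batches files like xargs without splitting on
# whitespace. -H keeps the file name in the output, as the xargs form did.
sub grep_ext {
    my ($src, $ext, $pattern, $outfile) = @_;
    open my $out, '>>', $outfile or die "open $outfile: $!";
    open my $matches, '-|', 'find', $src, '-name', "*.$ext",
        '-exec', 'grep', '-nHF', '--', $pattern, '{}', '+'
        or die "find $src: $!";
    print {$out} $_ while <$matches>;
    close $matches;
    close $out or die "close $outfile: $!";
    return;
}
# … unchanged: usage text, option parsing, result directory creation …
grep_ext($src, $tryext, '_GET', "$dest/request_vars_get.txt");
# … unchanged: one grep_ext call per remaining pattern and output file …
```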