ScriptFinder.py, searches for files containing dangerous commands

Hello everyone… Here I am again… :ngakak:

I'm learning Python at the moment… This is the first tool I've made.
This tool looks for "dangerous commands" that an attacker might be able to use to get "more access" on a system.
The inspiration and a few lines come from the tool by d3hydr8 of darkc0de. (The site may be dead, but the spirit still burns :bangga:)

It's also a birthday present for Ketek, as my personal thanks for his dedication to Indonesia. :bangga:

Happy birthday, and thanks for sharing your knowledge. :smangat:

Here's the code:

#!/usr/bin/python
""" ScriptFinder 1.1 < ditatompel [at] gmail [dot] com >
Searches for files containing dangerous commands

Inspired by tools created by d3hydr8[at]gmail[dot]com
greetz to d3hydr8, 5ynL0rd all members of devilzc0de[dot]org,
ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-)

PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p
PF : ?? Oct ???? - ?? Oct 2011 """


import sys, re, os, fnmatch

def halo():
	print "\n" + "-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >"
	print "\tSearches for files containing dangerous commands"
	print "\tGreetz to all members of devilzc0de[dot]org, ex darkc0de.com, all Indonesian c0ders,"
	print "\tand all GNU Generation ;-)\n" + "-+-"*30 + "\n"

def usage():
	print "\tUsage: python " + sys.argv[0] + " <dir>"
	print "\tExample: python " + sys.argv[0] + " /home/ditatompel/public_html\n"
	sys.exit(1)

# Original from d3hydr8[at]gmail[dot]com
def Walk(root, recurse=0, pattern='*', return_folders=0):
	"""Return the files under root whose name matches one of the ';'-separated
	glob patterns. recurse=1 also walks sub-directories (symlinked directories
	are skipped); return_folders=1 lists matching directories as well."""
	result = []

	try:
		names = os.listdir(root)
	except os.error:
		return result

	pattern = pattern or '*'
	pat_list = pattern.split(';')

	for name in names:
		fullname = os.path.normpath(os.path.join(root, name))

		for pat in pat_list:
			if fnmatch.fnmatch(name, pat):
				if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)):
					result.append(fullname)
				break	# one matching pattern is enough, don't list the same file twice
		if recurse:
			if os.path.isdir(fullname) and not os.path.islink(fullname):
				result = result + Walk(fullname, recurse, pattern, return_folders)

	return result

def search(files, auto=0):
	"""Grep every file in files for one string: in full-scan mode the current
	entry of the actions list (global danger), otherwise the user's string."""
	if auto:
		searchstring = danger
	else:
		searchstring = specificstring

	print "\n[+] Searching:", len(files), "files"
	print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n" + "-+-"*20 + "\n"
	love.write("\n" + "-+-"*20)
	love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]))
	love.write("-+-"*20 + "\n")

	# the string is treated as a regular expression; compile it once, case-insensitive
	regex = re.compile(searchstring, re.IGNORECASE)

	for file in files:
		try:
			fh = open(file, "r")
		except IOError:
			# unreadable files are skipped instead of aborting the scan
			continue

		num = 0
		for line in fh:
			num += 1
			if regex.search(line):
				print "[!] File:", file, "on Line:", num, "\n[!] Code:", line
				love.write("""[!] File: %s on Line %s \n[!] Code: %s \n""" % (file, num, line.replace("\t", "")))
		fh.close()

	print "[+] Done\n"

halo()

actions = [
	"base64_decode", # many php shells use this but it may generate false positives, remove it if necessary, especially when scanning recursively
	"exec",
	"eval", # may generate false positives, remove it if necessary, especially when scanning recursively
	"escapeshellarg",
	"escapeshellcmd",
	"fpaththru",
	"getmy", # getmypid, getmygid, getmyuid, etc
	"gzinflate",
	"gzuncompress",
	"ini_alter",
	"leak",
	"mDbl8VndvJj2", # encoded devshell.asp
	"php_uname",
	"posix_", # any posix_* function
	"proc_", # any proc_* function
	"popen",
	"passthru",
	"pcntl_exec",
	"socket_accept",
	"socket_bind",
	"socket_clear_error",
	"socket_close",
	"socket_connect",
	"set_time_limit",
	"shell_exec",
	"system", # may generate false positives, remove it if necessary, especially when scanning recursively
	"show_source",
	"xrunexploit" # function found in devshell.*
	]

minus_r = 1

if len(sys.argv) < 2:
	usage()

recdir = raw_input("Recursive ? ( Y/n ): ")
mode = raw_input("Full scan Mode (Y/n): ")

specificstring = ""
if mode.lower() != "y":
	specificstring = raw_input("String to search: ")

ext = raw_input("Specific File extension to scan ( <return> to scan all extension ) : ")
filelog = raw_input("logfile ( default sf.log ): ")

if filelog == "":
	filelog = "sf.log"

if recdir.lower() != "y":
	minus_r = 0

# build the file list once (the directory used to be re-walked for every entry of actions)
if ext == "":
	files = Walk(sys.argv[1], minus_r, '*')
else:
	files = Walk(sys.argv[1], minus_r, '*.' + ext)

love = open(filelog, "w")
love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n")
love.write("\tGreetz for all members of devilzc0de[dot]org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n" + "-+-"*30 + "\n")

if mode.lower() == "y":
	print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions), "dangerous commands loaded\n[+] Target Dir:", sys.argv[1]
	print "[+] Logfile will be saved to: " + filelog
	love.write("""
	[+] FULL SCAN MODE ENABLED...
	[+] %s danger commands loaded
	[+] Target Dir: %s\n""" % (len(actions), sys.argv[1]))
	for danger in actions:
		search(files, 1)
	print "[+] Logfile saved to " + filelog

else:
	print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring
	print "[+] Logfile will be saved to: " + filelog
	love.write("""
	[+] Target Dir: %s
	[+] String to search %s\n""" % (sys.argv[1], specificstring))
	search(files)
	print "[+] Logfile saved to " + filelog

love.close()

If it's confusing without syntax highlighting, you can look at it on my blog.

Since this little worm is the sensitive type, just download the file directly from https://ls-la.ditatompel.crayoncreative.net/scripts/python/scanners/sf-1.1.py

How to use it:

python sf-1.1.py /path/to/dir

Then there's an interactive question-and-answer session…

Recursive: scans every subdirectory of the directory you gave on the command line
Full scan Mode: scans for every command considered dangerous. If you answer "Y", the commands are taken from the actions array. If you answer "n" to full scan mode, you'll be asked which "command" you want to scan for.
Specific File extension to scan: the type of file you want to scan, e.g. php / pl / etc. If left empty, every file is scanned, including jpg, gif, etc.
logfile: where the scan results are saved. If left empty, the file name is sf.log

Hopefully this is useful for sysadmins; sorry if the code is messy. :dead

I'm off now, everyone… :hore:
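The check the post describes, written as an added Python 3 example (not the post's code): one compiled regex for the whole indicator list, a word boundary and a following "(" so that "filesystem" or the word system in a string is not reported (the noise the post warns about for eval, system and base64_decode), prefix entries like proc_ / posix_ expanded, and unreadable files skipped. The PHP sample is constructed for the demonstration.

```python
import os
import re
# Indicators as in the post's actions list (shortened); a trailing "_" marks a prefix (proc_*, posix_*).
INDICATORS = ["base64_decode", "eval", "exec", "gzinflate", "passthru",
              "php_uname", "shell_exec", "system", "proc_", "posix_"]

def build_pattern(indicators):
    """One compiled regex for all indicators (the post walks the tree once per
    indicator). A name must start at a word boundary and be followed by "(",
    so "filesystem" or the word system inside a string is not reported."""
    parts = []
    for ind in indicators:
        tail = r"\w+\s*\(" if ind.endswith("_") else r"\s*\("
        parts.append(r"\b" + re.escape(ind) + tail)
    return re.compile("|".join(parts), re.IGNORECASE)

def scan_text(text, pattern=None):
    """Return (line_number, function_name, stripped_line) for every call found."""
    pattern = pattern or build_pattern(INDICATORS)
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        for m in pattern.finditer(line):
            hits.append((num, m.group(0).rstrip("( \t").lower(), line.strip()))
    return hits

def scan_tree(root, ext=None, recurse=True):
    """Walk root like the post's Walk(); unreadable files are skipped, not fatal."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if not recurse:
            dirnames[:] = []          # stay in the top directory only
        for name in filenames:
            if ext and not name.lower().endswith("." + ext.lower()):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results

# Constructed sample: "system" as a substring (benign), an obfuscated loader, a call with a space before "(".
SAMPLE_PHP = """<?php
$filesystem = "ok"; echo "system ready";
$c = base64_decode($_POST['c']);
eval(gzinflate($c));
@System ($_GET['cmd']);
"""
```

Running scan_text(SAMPLE_PHP) reports lines 3, 4 (twice) and 5 but not line 2; scan_tree("/path/to/webroot", "php") applies the same check to a directory the way the post's tool does.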

wow… great tool. the devilzc0de kids just keep getting better :mantap:

hahaha… I know you so well

cool one, dita… :mantap:
teach me how to code, please… :asik:

let me give it a try… smiley_beer

:hore::hore: thanks, mbak 2 tompel

great code :mantap:

let me install it first :hmm:

Go ahead… :smangat:

I'm a real guy… :mewek:

Come on then… :ngakak:

nice Python, mas DITA!!!
and you claimed to be a girl!!! hufttttt :nohope:
but bro, you gave me rep earlier, why can't I? -,-!

Super tool, bro…!!
but I don't have the basics yet…!!
still a total newbie…!! :smangat: but just right :smangat: for :belajar:

:ngakak: I'm still learning too, auntie… :belajar:
Auntie, please share more of your Python tutorials? :smangat:

:asik: Let's learn together… :smangat:

whoa, cool, bro dit :mantap:

the file isn't there, man…

Yes, just download it here

Now I'm even more motivated to learn Python…!!!

:belajar: :belajar: :belajar: :belajar:
