ScriptFinder.py, Searches for file contains dangerous command

[ditatompel]

Misi om2 semua.. Ketemu lagi dengan saya..

Ane lagi belajar python nih om.. Nah ini tools pertama yang ane.
Ni tools gunanya untuk mencari "command2" berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan "akses lebih" dalam sebuah sistem.
Inspirasi dan beberapa line dari tools buatan om d3hydr8 darkc0de. (sitenya boleh mati, tp semangat tetap masih membara )

Sekalian kado ultah buat om Ketek tanda terima kasih saya secara pribari atas dedikasinya buat Indonesia.

Happy Birthday om, makasih udah share ilmu2nya.

Spoiler for: Berikut SSnya

Nah langsung aja nih codenya :

Code:

#!/usr/bin/python
""" ScriptFinder 1.1 < ditatompel [at] gmail [dot] com >
Searches for file contains dangerous command

Inspired from tools created by d3hydr8[at]gmail[dot]com
greetz to d3hydr8, 5ynL0rd all members of devilzc0de.org,
ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-)

PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p
PF : ?? Oct ???? - ?? Oct 2011 """


import sys, re

def halo():
    print "\n" + "-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >"
    print "\tSearches for file contains dangerous command"
    print "\tGreetz to all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,"
    print "\tand all GNU Generation ;-)\n" + "-+-"*30+"\n"

def usage():
    print "\tUsage: python " + sys.argv[0] + " <dir>"
    print "\tExample: python " + sys.argv[0] + " /home/ditatompel/public_html\n"
    sys.exit(1)

#Original from d3hydr8[at]gmail[dot]com
def Walk( root, recurse=0, pattern='*', return_folders=0 ):
    import fnmatch, os, string

    result = []

    try:
        names = os.listdir(root)
    except os.error:
        return result

    pattern = pattern or '*'
    pat_list = string.splitfields( pattern , ';' )

    for name in names:
        fullname = os.path.normpath(os.path.join(root, name))

        for pat in pat_list:
            if fnmatch.fnmatch(name, pat):
                if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)):
                    result.append(fullname)
                continue
        if recurse:
            if os.path.isdir(fullname) and not os.path.islink(fullname):
                result = result + Walk( fullname, recurse, pattern, return_folders )
        
    return result

def search(files, auto=0):
    
    if auto:
        searchstring = danger
    else:
        searchstring = specificstring
    
    print "\n[+] Searching:", len(files), "files"
    print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n"+"-+-"*20+"\n"
    love.write("\n"+"-+-"*20)
    love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]) )
    love.write("-+-"*20+"\n")
    
    for file in files:
        num = 0
        
        try:
            text = open(file, "r").readlines()
            
            for line in text:
                num +=1
                if re.search(searchstring.lower(), line.lower()):
                    print "[!] File:",file,"on Line:",num,"\n[!] Code:",line
                    love.write("""[!] File: %s on Line %s \n[!] Code: %s \n""" % (file, num, line.replace("\t","")) )
        
        except(IOError):
            pass
    
    print "[+] Done\n"

halo()

actions = [
    "base64_decode", # many php shell use this but may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "exec",
    "eval", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "escapeshellarg",
    "escapeshellcmd",
    "fpaththru",
    "getmy", # getmypid, getmygid, getmyuid, etc
    "gzinflate",
    "gzuncompress",
    "ini_alter",
    "leak",
    "mDbl8VndvJj2", # encoded devshell.asp
    "php_uname",
    "posix_", # any posix_* function
    "proc_", # any proc_* function
    "popen",
    "passthru",
    "pcntl_exec",
    "socket_accept",
    "socket_bind",
    "socket_clear_error",
    "socket_close",
    "socket_connect",
    "set_time_limit",
    "shell_exec",
    "system", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "show_source",
    "xrunexploit" # source function on devshell.*
    ]

minus_r = 1

if len(sys.argv) < 2:
    usage()

recdir = raw_input("Recursive ? ( Y/n ): ")
mode = raw_input("Full scan Mode (Y/n): ")

if mode.lower() != "y":
    specificstring = raw_input("String to search: ")

ext = raw_input("Specific File extension to scan ( <return> to scan all extension ) : ")
filelog = raw_input("logfile ( default sf.log ): ")

if filelog == "":
    filelog = "sf.log"

if recdir.lower() != "y":
    minus_r = 0

love = open(filelog, "w")
love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n")
love.write("\tGreetz for all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n"+"-+-"*30+"\n")

if mode.lower() == "y":
    print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions),"dangerous commands loaded\n[+] Target Dir:",sys.argv[1]
    print "[+] Logfile will be saved to: " + filelog
    love.write("""
    [+] FULL SCAN MODE ENABLED...
    [+] %s danger commands loaded
    [+] Target Dir: %s\n""" % (len(actions), sys.argv[1]) )
    for danger in actions :
        if ext == "":
            files = Walk(sys.argv[1], minus_r, '*', 1)
        else:
            files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
        search(files, 1)
    print "[+] Logfile saved to " + filelog

else:
    print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring
    print "[+] Logfile will be saved to: " + filelog
    love.write("""
    [+] Target Dir: %s
    [+] String to search %s\n""" % (sys.argv[1], specificstring ) )
    if ext == "":
        files = Walk(sys.argv[1], minus_r, '*', 1)
    else:
        files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
    search(files)
    print "[+] Logfile saved to " + filelog

nah klo pusing ga ada syntax highlight nya bisa diliat di blog ane

Karena ni ulet tipe sensitif, download langsung aja filenya di http://ls-la.ditatompel.crayoncreative.n.../sf-1.1.py

Cara penggunaannya:

Code:

python sf-1.1.py /path/to/dir

Trus nanti ada interaktif tanya jawab gitu deh...

Recursive: untuk scan semua sub directory dari direktori yang sudah ditentukan sebelumnya
Full scan Mode: untuk scan semua command yang dianggap bahaya. Klo dijawab "Y", command2 diambil dari actions array. Klo full scan modenya dijawab "n", nanti om bakalan ditanya buat tentuin "command" apa yang mau di scan.
Specific File extension to scan: tipe file yang ingin di scan. Misal php / pl / dll. Kalau kosong brati semua file ikut di scan, termasuk jpg, gif, dll
logfile: tempat nyimpen hasil scan. Klo kosong nama filenya jadi sf.log

Moga2 berguna untuk para sysadmin, maaf klo codingnya kacau.

Ane cabut dulu om2 sekalian...

[mariachi]

wes... mantep ni tool. anak2 devilzc0der makin hebat aja

[chaer.newbie]

hakakakkaa... i know you so well

[selfdefense]

keren nih om dita....
ajarin ane dong om kodingnya....

ijin ane coba y.... smiley_beer

[mywisdom]

makasih mbak 2 tompel

[Wayc0de]

mantap codingnya

ijin pasang dlu ah

[ditatompel]

(10-17-2011 12:36 AM)selfdefense Wrote:  keren nih om dita....
ajarin ane dong om kodingnya....

ijin ane coba y.... smiley_beer

Silahken om..

(10-17-2011 09:10 AM)mywisdom Wrote:   makasih mbak 2 tompel

Ane cowo tulen om..

(10-17-2011 09:35 AM)Wayc0de Wrote:  mantap codingnya

ijin pasang dlu ah

Yu mari om...

[alessandra]

bagus pythonnya mas DITA!!!!
gitu ngakunya cewek!!!hufttttt
tapi sob lu tadi ngasih gua rep kenapa gua nggak bisa -,-!

[jackerp]

Tool nya super kang...!!
tapi bleum ada dasar nya di Gw.... !!
masih newbietol....!! tapi tepat untuk

[ditatompel]

(02-29-2012 03:42 AM)alessandra Wrote:  bagus pythonnya mas DITA!!!!
gitu ngakunya cewek!!!hufttttt
tapi sob lu tadi ngasih gua rep kenapa gua nggak bisa -,-!

Ane masih belajar tantee..
Tante share lagi dong tutorial python-nya?

(02-29-2012 02:12 PM)jackerp Wrote:  Tool nya super kang...!!
tapi bleum ada dasar nya di Gw.... !!
masih newbietol....!! tapi tepat untuk

Mari sama2 belajar om...