______________________________________________________________ | | | Find PHP Shell's via Google - by hand or a tool |# | »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» |# | |# | by DiA/RRLF (c)2007 |# | www.vx-dia.de.vu :: DiA_hates_machine@gmx.de |# |______________________________________________________________|# ############################################################### _Overview___________________________________ | | | 1_Intro |# | 2_What to search? |# | 3_How to check? |# | 4_Gimme a script, please |# | 5_Additional search, "index of /" |# | 6_Outro |# |____________________________________________|# ############################################# .Disclaimer »»»»»»»»»» The author of this article is NOT responsible for possible damages in case of informations you getting here. You do your own things at your own risk, please don't do anything stupid for your own security. This document is for educational purpose only. If you do NOT agree this, please close this for your own pleasure! .1_Intro »»»»»»» Heya, this tutorial isn't about viruses nor worms (*. It's about searching google. What?! Yes, google, but we don't search for free pr0n, we search for PHP shell's, a backup, normal remote control or forgotten by an kiddie. First we check out what to search for, then how to see if this is a real shell (needed for the script) and finally a small perl script that do all the work for us. *) Indeed I needed this research for a malware project, so chill out homies ;). .2_What to search? »»»»»»»»»»»»»»»»» First of, this isn't such a great google hack, it's simply searching for known keywords, wich you can get from viewing the PHP shell in action or just look at the source code. So, this is the magic: Titles - Most PHP shell's have an unique title, or part of the title. So we use the google filter "intitle:". Examples - intitle:r57shell intitle:" - c99shell" intitle:"MyShell 1.1.0 build 20010923" URL's - People often use the original filename of the shell. Maybe for lazyness, maybe to recognize what's that file is about or to remember the url. Again, let's use a filter, "inurl:" Examples - inurl:r57.php inurl:c99.php Keywords - That's the simplest yet an effective search. We check the PHP shell for pretty unique strings, like the menu of an shell. Just put that in quotes and fire it up. Examples - "[ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]" "Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout" "[ Main Menu ] [ PHPKonsole ] [ Haxplorer ]" And that's pretty much it. Put all this method's together and you will find an pretty good amount of PHP shell's. For what purpose I don't care... researching, right?! .3_How to check? »»»»»»»»»»»»»»» It's obvious to see if the found PHP shell works if you do search'n click. But for a program we need something to check if a shell is there. And again, we just use keywords, strings that are pretty unique and should sort out unwanted websites. Of course, you also find sources of the shell's, wich include keywords too but simply get not parsed by PHP. Anyway, it's smoother to click on 20 links than on 20.000, no? .4_Gimme a script, please »»»»»»»»»»»»»»»»»»»»»»»» As clicking around is soo yesterday, we just can code a tool that search google for us and check if it found a real PHP shell (almost). Hard task? Not in perl, use the LWP::UserAgent and HTTP::Request module to get the HTML code, parse it, once for potential PHP shell links, and again to see if it's a good shell. Pretty much self explaining, play with it if you want. ---code start--- #!/usr/bin/perl use strict; use warnings; use LWP::UserAgent; usage() unless $ARGV[2]; my @searchTerm; my @checkTerm; if(lc($ARGV[0]) eq "r57") { push(@searchTerm, "inurl:r57.php"); push(@searchTerm, "\"[ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]\""); push(@searchTerm, "intitle:r57shell"); push(@checkTerm, "r57"); push(@checkTerm, "safe_mode"); } elsif(lc($ARGV[0]) eq "c99") { push(@searchTerm, "inurl:c99.php"); push(@searchTerm, "\"Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout\""); push(@searchTerm, "intitle:\" - phpshell\""); push(@searchTerm, "intitle:\" - c99shell\""); push(@checkTerm, "c99"); push(@checkTerm, "Safe-mode"); } elsif(lc($ARGV[0]) eq "mys") { push(@searchTerm, "\"Auto error traping enabled\""); push(@searchTerm, "intitle:\"MyShell 1.1.0 build 20010923\""); push(@checkTerm, "MyShell"); push(@checkTerm, "Echo commands"); } elsif(lc($ARGV[0]) eq "phs") { push(@searchTerm, "intitle:\"PHP Shell 1.5\""); push(@searchTerm, "intitle:\"PHP Shell 1.6\""); push(@searchTerm, "intitle:\"PHP Shell 1.7\""); push(@searchTerm, "\"Enable stderr-trapping?\""); push(@checkTerm, "PHP Shell"); push(@checkTerm, "Choose new working"); } elsif(lc($ARGV[0]) eq "phm") { push(@searchTerm, "\"PHPShell by Macker\""); push(@searchTerm, "\"[ Main Menu ] [ PHPKonsole ] [ Haxplorer ]\""); push(@checkTerm, "Haxplorer"); push(@checkTerm, "PHPKonsole"); } elsif(lc($ARGV[0]) eq "rem") { push(@searchTerm, "intitle:\"phpRemoteView: \""); push(@searchTerm, "\"REMVIEW TOOLS\""); push(@checkTerm, "phpRemoteView"); push(@checkTerm, "perms"); } if(!@searchTerm) { print "Error: [shell to find] is a unknown shell\n" and die; } my $outputOn; if(lc($ARGV[1]) eq "on") { $outputOn = 1; } elsif(lc($ARGV[1]) eq "off") { $outputOn = 0; } else { print "Error: [screen output] must be \"on\" or \"off\"\n" and die; } my $outputFile; if(index(lc($ARGV[2]), ".htm") > 0) { $outputFile = $ARGV[2]; } else { print "Error: [output HTML file] must be *.htm or *.html\n" and die; } open(FILEHANDLE, ">$outputFile"); print FILEHANDLE "PHP Shell's\n"; close FILEHANDLE; my $userAgent = LWP::UserAgent->new; $userAgent->agent("User-Agent=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20061201 Firefox/2.0.0.5"); my @resultLinks; foreach(@searchTerm) { print "[*] Query for \"$_\"\n" if($outputOn == 1); my $isLastPage = 0; for(my $gPage = 0; ; $gPage++) { if($isLastPage == 1) { last; } my $gRequest = HTTP::Request->new(GET => "http://www.google.de/search?q=$_&start=$gPage"."0"); my $gResource = $userAgent->request($gRequest); if($gResource->is_success) { my @gContent = split("
", $gResource->content); if(@gContent < 10) { $isLastPage = 1; }; for(my $gPiece = 1; $gPiece < @gContent; $gPiece++) { my $shellLink = substr($gContent[$gPiece], index($gContent[$gPiece], "href=\"") + 6); $shellLink = substr($shellLink, 0, index($shellLink, "\"")); print "[*] Check status of site \"$shellLink\"\n" if($outputOn == 1); my $sRequest = HTTP::Request->new(GET => $shellLink); my $sResource = $userAgent->request($sRequest); if($sResource->is_success) { if(index($sResource->content, $checkTerm[0]) != -1 && index($sResource->content, $checkTerm[1]) != -1) { open(FILEHANDLE, ">>$outputFile"); print FILEHANDLE "Link: $shellLink
\n"; print FILEHANDLE "Search Term: $_

\n"; close FILEHANDLE; print "[+] Found shell: $shellLink\n" if($outputOn == 1); } else { print "[-] No shell\n" if($outputOn == 1); } } else { print "[-] Offline\n" if($outputOn == 1); } } sleep 20; #wait 20 seconds so google dont think we are a bot } else { print "Unable to query google\n" and die; } } } open(FILEHANDLE, ">>$outputFile"); print FILEHANDLE "

Find PHP Shells via Google - by DiA/RRLF
"; close FILEHANDLE; sub usage { print qq( Find PHP Shells via Google - by DiA/RRLF (http://www.vx-dia.de.vu) Usage: perl $0 [shell to find] [screen output] [output HTML file] [shell to find] can be: r57 - find r57shell c99 - find c99shell mys - find MyShell phs - find PHP Shell phm - find PHPShell (Macker) rem - find phpRemoteView [screen output] can be: on - every step the script doas get printed on the screen off - no output, the script just writes to the output file [output HTML file] must be: *.htm or *.html Example: perl $0 c99 on c99shells.htm perl $0 mys off manyshells.htm ) and exit; } ---code end--- .5_Additional search, "index of /" »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» OK, this one you can try at home. It's like the "inurl:" way, we search for filenames. But for this time we search in directory index's. So, give google this querys for example: "index of /" c99.php or "index of /" r57.php Click on the found links, and you will reach directorys where the "index.htm/html/php" is missing, but directory listing is enabled. Click on "c99.php" for example and see what happen ;). This also works for any kind of stuff, pr0n, mp3, even movies. .6_Outro »»»»»»» Nothing more to say, but thanks to google. Powerful search engine, wich can track down the stupidness and lazyness of admin's and wannabe's. Have fun googling, good night! DiA/RRLF - 09.08.2007