#!/usr/bin/perl
#
# @2001 m.eiszner <mei@websec.at>
# iisremote.pl
# todo: add proxy-support
#
################################################
use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common;
use HTTP::Response;
use Getopt::Std;
## Command-line options
##   -u  target URL / directory (required, checked below)
##   -p  proxy to send the requests through
##   -c  body uploaded by the write (PUT) check
##   -n  remote file name used by the write (PUT) check
our ($opt_u, $opt_n, $opt_p, $opt_c);
getopts("u:p:c:n:");
## Working variables
##
my $url   = $opt_u;
my $proxy = $opt_p;
my $name  = $opt_n || "tst.txt";
my $ucont = $opt_c || "0123456789";   # a false value such as "0" falls back to the default
my $ucl   = length($ucont);
# Probe names carry a random 0..999 suffix, presumably so that they do not
# match a file that really exists on the server; the checks further down
# interpret the status code returned for these names.
my $testdll = "test" . int(rand(1000)) . ".dll";
my $testasp = "test" . int(rand(1000)) . ".asp";
my $testtxt = "test" . int(rand(1000)) . ".txt";
my $other   = int(rand(1000)) . int(rand(1000));
## Usage: the target URL is mandatory, everything else has a default.
##
unless ($url) {
    print "\nusage: $0 -u [url/Dir]\n\t-p [proxy] -c [remoteFilecontent]";
    print "\n\t-n [remoteFilename]\n\n";
    exit 1;
}
chomp($url);
## Every probe path below is appended directly to $url, so make sure the
## base ends with a slash.
##
$url .= "/" unless $url =~ m{/$};
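## User agent.
## requests_redirectable is set to ['PUT'], so a 3xx answer to GET, OPTIONS
## or PROPFIND is reported as-is, while a redirected PUT is re-sent to the
## redirect target.
## NOTE(review): the original comment said "without any redirects"; if that
## is the intent, the list should be empty so the write check can never be
## sent to a location other than the one given with -u -- confirm.
##
my $ua = LWP::UserAgent->new(requests_redirectable => ['PUT']);
$ua->agent("Mozilla/4.0(compatible;MSIE 6.0;Windows NT 5.0)");
if ($proxy) {
    # Add a scheme only when the value does not already START with one; the
    # previous unanchored match also accepted "http://" anywhere in the string.
    $proxy = "http://" . $proxy unless $proxy =~ m{\Ahttps?://};
    # The proxy is registered for the http scheme only.
    # NOTE(review): requests to an https:// target presumably bypass the
    # proxy and leave from this host directly -- confirm before relying on -p.
    $ua->proxy('http', $proxy);
}
print "URL: $url\n";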
## OPTIONS check: a 2xx answer counts as YES and is printed together with
## the Allow and Public headers the server returned.
##
my $req  = HTTP::Request->new("OPTIONS", $url);
my $res  = $ua->request($req);
my $rhds = $res->headers;
my $verdict = "NO";
if ($res->code =~ /2\d\d/) {
    $verdict = "YES (Allow:" . $rhds->header("Allow")
             . " /Public:" . $rhds->header("Public") . ")";
}
print "options: ", $verdict, " (", $res->code, ")\n";
## Read check: a 404 for the random .txt name is reported as YES.
##
$res = $ua->request(GET $url.$testtxt);
printf "read: %s (%s)\n", ($res->code =~ /404/ ? "YES" : "NO"), $res->code;
## PROPFIND check: sent with an empty body (Content-Length: 0); 2xx is YES.
##
my $heads = HTTP::Headers->new('Content-Length' => "0");
$req = HTTP::Request->new("PROPFIND", $url, $heads);
$res = $ua->request($req);
printf "propfind: %s (%s)\n", ($res->code =~ /2\d\d/ ? "YES" : "NO"), $res->code;
## Execute check: a 5xx for the random .dll name is reported as YES.
##
$res = $ua->request(GET $url.$testdll);
printf "execute: %s (%s)\n", ($res->code =~ /5\d\d/ ? "YES" : "NO"), $res->code;
## Write check: uploads $ucont as $name into the target directory; 2xx is YES.
## This is the only check that changes the server, and nothing in this
## script removes the uploaded file afterwards.
##
$res = $ua->request(PUT $url.$name, 'Content' => $ucont, 'Content-Length' => $ucl);
printf "write: %s (%s)\n", ($res->code =~ /2\d\d/ ? "YES" : "NO"), $res->code;
## Scripting check: a 404 for the random .asp name is reported as YES.
##
$res = $ua->request(GET $url.$testasp);
printf "script: %s (%s)\n", ($res->code =~ /404/ ? "YES" : "NO"), $res->code;
## Directory browsing: anything other than a 403 on the directory itself is
## reported as YES.
##
$res = $ua->request(GET $url);
printf "browsing: %s (%s)\n", ($res->code !~ /403/ ? "YES" : "NO"), $res->code;
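## NTLM check: send a dummy Negotiate token and report YES when the server
## answers 401.
## GET (HTTP::Request::Common) takes its headers as a flat key/value list.
## The pair used to be wrapped in an array ref, which does not set an
## Authorization header, so the request went out without the token.
## NOTE(review): a directory that requires any kind of authentication also
## answers 401; the WWW-Authenticate response header is what names the
## scheme actually offered.
##
$res = $ua->request(GET $url, Authorization => "Negotiate TTTT|AAAAA=");
print "ntlm: ",(($res->code =~ /401/) ? "YES" : "NO" )," (",$res->code,")\n";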
## Other extensions: request the random name once per extension and print
## the raw status code, without a YES/NO verdict.
## NOTE(review): a status that differs from the one returned for an ordinary
## missing file presumably means the extension is mapped to a handler;
## mappings that are not needed are candidates for removal on the server.
##
for my $ext (qw(printer idc idq ida htr htw stm shtm shtml php pl)) {
    $res = $ua->request(GET($url . $other . "." . $ext));
    print $ext, ": ", $res->code, "\n";
}
print "\n";
#########################
## end main start subs
#########################