<?php
// Silence every PHP diagnostic for the whole run. This has to stay first:
// later statements read variables and array keys that may be unset, and those
// notices stay hidden only because of this call.
// NOTE(review): it also hides genuine failures (a failed fopen() or
// get_headers()), so those must be detected from return values instead.
error_reporting(0);
// Remove the execution time limit (0 = unlimited).
set_time_limit(0);
/**
 * Timthumb plugin scanner for WordPress.
 *
 * @version 1.00
 * @author Christian Ditaputratama <ditatompel@gmail.com>
 *
 * Timthumb plugin scanner for Wordpress.
 * optionally dump scan result to text file.
 * 
 * still very early release, just for testing and fun coding purpose :)
 * 
 *------------------------------------------------------------------------+
 * This program is free software; you can redistribute it and/or modify   |
 * it under the terms of the GNU General Public License version 2 as      |
 * published by the Free Software Foundation.                             |
 *                                                                        |
 * This program is distributed in the hope that it will be useful,        |
 * but WITHOUT ANY WARRANTY; without even the implied warranty of         |
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          |
 * GNU General Public License for more details.                           |
 *                                                                        |
 * This script are often used solely for informative, educational         |
 * purposes only. Author cannot be held responsible for any               |
 * damage and (or) (ab)use of this script.                                |
 * Please submit changes of the script so other people can use            |
 * them as well. This script is free to use, don't abuse.                 |
 *------------------------------------------------------------------------+
 */
// Wordlist of candidate paths, read line by line; each entry is appended to
// the target base URL. The name is relative, so it is resolved against the
// current working directory, not against the directory holding this script.
$dirlist = 'timthumb.txt';

/**
 * Turn a host name or URL into a base URL that ends with a slash.
 *
 * Input that does not look like an http(s) URL gets "http://" prepended; a
 * trailing "/" is appended when the result does not already end with one.
 *
 * @param string $link Host name or URL taken from the command line.
 * @return string Base URL ending in "/".
 */
function doValidLink($link) {
	// NOTE: the "." between host labels is unescaped, so it matches any
	// character; the pattern is a loose shape check, not URL validation.
	$looksLikeUrl = preg_match("|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i", $link);
	if ( !$looksLikeUrl ) {
		$link = "http://" . $link;
	}

	// Paths from the wordlist are concatenated directly, so the base must end in "/".
	if ( substr($link, -1) !== "/" ) {
		$link .= "/";
	}

	return $link;
}

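/**
 * Append text to the scan-result file held in the global $fh handle.
 *
 * Does nothing when no result file is open (no output argument was given,
 * fopen() failed, or the handle was already closed), so a logging call can
 * never abort the scan.
 *
 * @param string $text Text to append, written as-is.
 */
function write($text) {
	global $fh;
	// fwrite() on null/false is a TypeError on PHP 8 and a warning before it;
	// is_resource() is also false for a handle that has been fclose()d.
	if ( !is_resource($fh) ) {
		return;
	}
	fwrite($fh, $text);
}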

// Banner printed on the console and, when a result file is open, copied into it.
// Built as one list of lines joined by "\n"; the empty entry is the blank line
// after the bug-report sentence.
$greetz = implode("\n", array(
	"-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-",
	" Timthumb plugin scanner for WordPress",
	" by ditatompel < ditatompel [at] gmail [dot] com >",
	" Please send bug report to help improving this script.",
	"",
	" Greetings for all members of devilzc0de.org, all Indonesian c0ders,",
	" and all GNU Generation ;-)",
	" Thanks to : 5ynL0rd who always inspire me, I glue you all my regards.",
	"-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-",
)) . "\n";

// Stop before printing anything when the wordlist file is missing.
if ( is_file($dirlist) === false ) {
	exit("[!] Error! please check directory your list!\n");
}

echo $greetz;

// $argc counts the script name as well, so a value below 2 means no target
// was given: show the usage text and stop.
if ( $argc < 2 ) {
	echo "-----------------------------------------------------------------------------\n",
		"Usage     : php ", $argv[0], " [target] [output]\n",
		"target    : domain / url\n",
		"output    : file name for Every [+] Wo0t! output will be saved to (optional)\n",
		"Example 1 : php ", $argv[0], " myhost.com\n",
		"Example 2 : php ", $argv[0], " myhost.com scan_result.txt\n",
		"-----------------------------------------------------------------------------\n";
	exit;
}

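// Normalize the target given on the command line into a base URL ending in "/".
$url = doValidLink($argv[1]);
// The result file is optional: $argv[2] does not exist when it is omitted.
$output = isset($argv[2]) ? $argv[2] : NULL;

echo "\r\nChecking " . $url . "\r\n";

// get_headers() returns false when the request fails. It follows redirects,
// and in the associative format a header sent by several hops is an array.
$check = get_headers($url, 1);
if ( empty($check)) {
	print_r("No repsond from server.\nmake sure your target url are correct!\n" .
	"Exiting...\n" .
	"-----------------------------------------------------------------------------\n");
	exit;
}

// Header names keep the case the server used; look them up lowercased so
// "server"/"location" are found as well as "Server"/"Location".
$checkByName = array_change_key_case($check, CASE_LOWER);

$serverInfo = isset($checkByName['server']) ? $checkByName['server'] : '';
if ( is_array($serverInfo) ) {
	// One value per hop: report the server that answered the first request.
	$serverInfo = reset($serverInfo);
}

// $check[0] is the status line of the first response. On a redirect the scan
// continues against the redirect target, which may be a different host than
// the one typed on the command line; the "Target" line printed afterwards
// shows the URL that is actually scanned.
if ( preg_match('#^HTTP/\S+\s+(301|302|303|307|308)\b#', $check[0]) && isset($checkByName['location']) ) {
	$location = $checkByName['location'];
	if ( is_array($location) ) {
		// Several hops: use the last one, where the redirect chain ended.
		$location = end($location);
	}
	// A relative Location cannot serve as a base URL; keep the original then.
	if ( preg_match('#^https?://#i', $location) ) {
		// Re-normalize so the wordlist paths are appended after a "/".
		$url = doValidLink($location);
	}
}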

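$additionalInfo = NULL;
// Always define the handle: it is tested below and read by write() even when
// no result file was requested.
$fh = NULL;
if ( !empty($output) ) {
	// Mode 'w' truncates an existing file of that name. fopen() returns false
	// on failure, which the scan survives: results then go to the console only.
	$fh = fopen($output, 'w');
	$additionalInfo = $fh ? 'Every [+] Wo0t! output will be saved on ' . $output : '[!] Cannot write scan result to ' . $output;
}

// Summary block: the URL that will be scanned, the status line and server of
// the first response, and the start time.
$info = "-----------------------------------------------------------------------------\n";
$info .= "\tTarget : " . $url . "\n";
$info .= "\tStatus : " . $check[0] . "\n";
$info .= "\tServer : " . $serverInfo . "\n";
$info .= "\tStart Scan : " . date("Y-m-d H:i:s") . "\n";
$info .= "\t" . $additionalInfo . "\n";
$info .= "-----------------------------------------------------------------------------\n";

print_r($info);

// Mirror the banner and the summary into the result file when one is open.
if ( $fh ) {
	write($greetz);
	write($info);
}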
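// Read the wordlist; file() returns false when it cannot be read.
$lines = file($dirlist);
if ( $lines === false ) {
	$lines = array();
}

// True only while a result file is really open (it is unset or false when no
// output argument was given or fopen() failed).
$logOpen = isset($fh) && is_resource($fh);

$scanned = 0;
foreach ( $lines as $line ) {
	// Strip the line ending (LF or CRLF) and skip blank lines, which would
	// otherwise just re-request the base URL.
	$path = rtrim($line, "\r\n");
	if ( $path === '' ) {
		continue;
	}
	$scanned++;
	$target = $url . $path;

	$headers = get_headers($target, 1);
	if ( empty($headers) ) {
		// No answer at all (timeout, refused connection, ...) is not a hit.
		echo "[!] No response! " . $target . "\r\n";
		continue;
	}

	// $headers[0] is the status line of the first response; 0 = unparsable.
	$status = preg_match('#^HTTP/\S+\s+(\d{3})#', $headers[0], $m) ? (int) $m[1] : 0;
	$byName = array_change_key_case($headers, CASE_LOWER);

	// Redirects are tested before the generic "not 404" case; the other way
	// round the redirect branch could never be reached.
	if ( in_array($status, array(301, 302, 303, 307, 308), true) && isset($byName['location']) ) {
		$location = $byName['location'];
		if ( is_array($location) ) {
			// One entry per hop: show the hop that belongs to this status line.
			$location = reset($location);
		}
		$result = "[+] Wo0t! " . $target . " Found! redirect to -> " . $location . "\r\n";
		echo $result;
		if ( $logOpen ) write($result);
	}
	elseif ( $status !== 404 ) {
		// Anything other than 404 counts as a hit, so 401/403/5xx answers are
		// listed too: the output is a list of candidates to confirm, not proof
		// that the file exists.
		$result = "[+] Wo0t! Found! " . $target . "\r\n";
		echo $result;
		if ( $logOpen ) write($result);
	}
	else {
		echo "[-] NOT Found! " . $target . "\r\n";
	}
}

// Report the number of paths requested (the loop key used before was the last
// zero-based line index, i.e. one too low, and undefined for an empty list).
$finish = "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Finish scan " . $scanned . " path -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n";
if ( $logOpen ) {
	write($finish);
	fclose($fh);
}
echo $finish;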
?>