..we will make a new module and not just some new module, nope let's make a fully automatic injection script! This tutorial is the first step into making this. Let's first explain what..
<?php
/* Configure maintenance scanner
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 13-02-2015
*/
// Response setup: turn caching off and declare a JSON body before any output.
session_cache_limiter('nocache');
header('Expires: '.gmdate('r',0));
header('Content-type: application/json');

// Set before header.php is pulled in; presumably header.php reads it to
// resolve paths relative to the suite root - confirm against header.php.
$_DYNAMIC_ROOT = "..";
include_once("../header.php");

$sDest = "../vars.php";

// Default reply: every handler starts from "failed" and has to opt in to success.
$aDataR = array(
    'jresult'  => false,
    'jmessage' => "an error occured",
);

// Helper and whitelist files the handlers further down depend on.
$aFiles = array(
    $_PATHS['functions_root']."/fwrite.php",
    $_PATHS['functions_root']."/get_file_data.php",
    $_PATHS['data_root']."/monitor_files.php",
    $_PATHS['data_root']."/monitor_dirs.php",
    $_PATHS['functions_root']."/getfilebydir.php",
);

foreach($aFiles as $x => $sRequired){
    if(file_exists($sRequired)){
        // @ keeps include warnings out of the response body
        @include_once($sRequired);
        continue;
    }
    // Abort on the first missing dependency.
    // NOTE(review): the message returns a server-side path to the caller.
    $aDataR['jmessage'] = "Missing required file: ".$sRequired;
    die(json_encode($aDataR));
}
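// Request dispatch: the first flag found in $_POST selects one handler, and the
// script always ends by emitting $aDataR as JSON.
// NOTE(review): no authentication or CSRF check is visible in this file;
// presumably ../header.php enforces one - confirm, because every handler below
// either destroys data, installs code or discloses file contents.

// handler for INCLUDES_DIR/cc_filsize_check.php
if(isset($_POST['iTruncate'])){
    // keeps track of which record in the ui we have to delete
    $aDataR['jid'] = isset($_POST['iID']) ? intval($_POST['iID']) : 0;
    // because we use a dynamic root we need to change the path sent by json:
    // keep what follows the first "/" after the last "thc_hacksuite" and
    // re-anchor it on "../"
    $sTarget = (isset($_POST['sTitle']) && is_string($_POST['sTitle'])) ? trim($_POST['sTitle']) : "";
    $iSlash = strpos($sTarget,"/",intval(strrpos($sTarget,"thc_hacksuite")));
    $sTarget = "../".substr($sTarget,($iSlash === false ? 1 : $iSlash + 1));
    $aAllowed = (isset($_CONTEXT['monitor_f']) && is_array($_CONTEXT['monitor_f'])) ? $_CONTEXT['monitor_f'] : array();
    // strict comparison: a loose in_array() would let a non-string whitelist
    // entry (e.g. true) match any posted path
    if(!in_array($sTarget,$aAllowed,true)){
        // invalid file, possible file injection attempt or corrupt data
        $aDataR['jmessage'] = "You can only truncate files from the whitelist";
    }
    else{
        // compare against false explicitly: the empty write is not
        // mistaken for a failure
        if(false===(WriteF($sTarget,"","w"))){
            $aDataR['jmessage'] = "Failed to truncate ".$sTarget;
        }
        else{
            $aDataR['jresult'] = true;
        }
    }
}
// handler for INCLUDES_DIR/cc_filesindir_check.php
elseif(isset($_POST['iDeleteFiles'])){
    // keeps track of which record in the ui we have to delete
    $aDataR['jid'] = isset($_POST['iID']) ? intval($_POST['iID']) : 0;
    // because we use a dynamic root we need to change the path sent by json
    // (same normalisation as the truncate handler)
    $sTarget = (isset($_POST['sTitle']) && is_string($_POST['sTitle'])) ? trim($_POST['sTitle']) : "";
    $iSlash = strpos($sTarget,"/",intval(strrpos($sTarget,"thc_hacksuite")));
    $sTarget = "../".substr($sTarget,($iSlash === false ? 1 : $iSlash + 1));
    $aAllowed = (isset($_CONTEXT['monitor_d']) && is_array($_CONTEXT['monitor_d'])) ? $_CONTEXT['monitor_d'] : array();
    if(!in_array($sTarget,$aAllowed,true)){
        // invalid folder
        $aDataR['jmessage'] = "You can only remove files in folders from the whitelist";
    }
    else{
        $aFiles = GetFilesByDirectory($sTarget);
        // anything but an array from the helper is treated as "nothing to delete"
        if(!is_array($aFiles)){
            $aFiles = array();
        }
        foreach($aFiles as $sEntry){
            // best effort: individual unlink failures are ignored and the
            // request is still reported as successful
            @unlink($sTarget."/".$sEntry);
        }
        $aDataR['jresult'] = true;
    }
}
// handler for INCLUDES_DIR/cc_function_check.php
elseif(isset($_POST['iDownloadFiles'])){
    // keeps track of which record in the ui we have to delete
    $aDataR['jid'] = isset($_POST['iID']) ? intval($_POST['iID']) : 0;
    // NOTE(review): what ExploitFilter() strips is not visible here, so the
    // name is additionally required to be a bare file name before it is used
    // as a write target inside the functions directory
    $sName = ExploitFilter(isset($_POST['sFile']) ? $_POST['sFile'] : "",0,1);
    if(!is_string($sName) || $sName === "" || $sName === "." || $sName === ".." || strpbrk($sName,"/\\\0") !== false){
        $aDataR['jmessage'] = "Invalid file name";
    }
    elseif(file_exists($sDest = $_PATHS['functions_root']."/".$sName)){
        $aDataR['jmessage'] = "File already exists";
    }
    else{
        // if the file isn't there, let's download it
        // dl() is missing from most SAPIs; calling it unguarded is a fatal
        // error, so check for it first
        if(!extension_loaded('curl') && !(function_exists('dl') && @dl('curl.so'))){
            $aDataR['jmessage'] = "Unable to send curl request";
            die(json_encode($aDataR));
        }
        // NOTE(review): the payload is written into the functions directory,
        // yet it is fetched over plain http:// with no signature or checksum
        // check. Whoever controls the connection or the remote host controls
        // that file. Prefer a TLS endpoint with certificate verification and a
        // pinned hash. The URL is left as is because the endpoint's TLS
        // support cannot be seen from this file.
        $rCurl = curl_init();
        curl_setopt($rCurl,CURLOPT_URL, "http://hacksuite.com/maintenance_functions.php?sFile=".urlencode($sName));
        curl_setopt($rCurl,CURLOPT_HEADER, false);
        curl_setopt($rCurl,CURLOPT_RETURNTRANSFER, true);
        $sOutput = curl_exec($rCurl);
        curl_close($rCurl);
        // let's extract the data; a failed transfer (false) counts as "no data"
        $aData = is_string($sOutput) ? @json_decode($sOutput) : null;
        if(is_object($aData) && isset($aData->jdata) && is_string($aData->jdata)){
            if(!WriteF($sDest,$aData->jdata,"w")){
                $aDataR['jmessage'] = "Failed to write function data";
            }
            else{
                // success, update log_activity.php
                // The log is itself a PHP file, so every value is emitted with
                // var_export(): request-derived text cannot close the string
                // literal and become code in the generated file.
                $aAccess = (isset($_CONTEXT['useraccessdata']) && is_array($_CONTEXT['useraccessdata'])) ? $_CONTEXT['useraccessdata'] : array();
                // presumably timestamps; anything non-scalar or missing becomes 0
                $mInstalled = (isset($aAccess['installed']) && is_scalar($aAccess['installed'])) ? $aAccess['installed'] : 0;
                $mLastScan = (isset($aAccess['last_scan']) && is_scalar($aAccess['last_scan'])) ? $aAccess['last_scan'] : 0;
                $sRemote = isset($_SERVER['REMOTE_ADDR']) ? (string)$_SERVER['REMOTE_ADDR'] : "";
                $sNewD = "<?php\n";
                $sNewD .= "/* Activity log\n\n";
                $sNewD .= "Author: Remco Kouw\n";
                $sNewD .= "Site: http://www.hacksuite.com\n";
                $sNewD .= "Last Edit: ".date('d-m-Y',time())."\n";
                $sNewD .= "*/\n";
                $sNewD .= "if(!defined('IN_SCRIPT')){\n";
                $sNewD .= "\texit;\n";
                $sNewD .= "}\n";
                $sNewD .= "\$_CONTEXT['useraccessdata'] = array();\n";
                $sNewD .= "\$_CONTEXT['useraccessdata']['installed'] = ".var_export($mInstalled,true).";\n";
                $sNewD .= "\$_CONTEXT['useraccessdata']['last_update'] = ".time().";\n";
                $sNewD .= "\$_CONTEXT['useraccessdata']['ip'] = array(".var_export($sRemote,true).");\n";
                $sNewD .= "\$_CONTEXT['useraccessdata']['last_scan'] = ".var_export($mLastScan,true).";\n";
                $sNewD .= "\$_CONTEXT['useraccessdata']['action'] = ".var_export("Updated function ".$sName,true).";\n";
                $sNewD .= "?>";
                WriteF($_PATHS['log_root']."/log_activity.php",$sNewD,"w");
                $aDataR['jresult'] = true;
            }
        }
        else{
            $aDataR['jmessage'] = "No file data found";
        }
    }
}
// handler for evil code scan
elseif(isset($_POST['iShowSource'])){
    // The posted path is cut at the offset where "JSON" occurs in the request
    // URI (0 when absent), then re-anchored on "../" with backslash separators.
    // NOTE(review): the backslash conversion presumably targets Windows hosts.
    $sPosted = (isset($_POST['sFile']) && is_string($_POST['sFile'])) ? trim($_POST['sFile']) : "";
    $iOffset = intval(strpos($_SERVER['REQUEST_URI'],"JSON"));
    $sLocationA = "../".str_replace("/","\\",(string)substr($sPosted,$iOffset));
    // The path is request-controlled: resolve it and require the result to be
    // a regular file below the dynamic root, otherwise "..\" segments would
    // let this handler return any file the PHP process can read.
    $sRootReal = realpath("..");
    $sFileReal = realpath($sLocationA);
    $bInside = false;
    if($sRootReal !== false && $sFileReal !== false && is_file($sFileReal) && is_readable($sFileReal)){
        $sPrefix = rtrim($sRootReal,"/\\").DIRECTORY_SEPARATOR;
        $bInside = (strncmp($sFileReal,$sPrefix,strlen($sPrefix)) === 0);
    }
    $sSource = $bInside ? file_get_contents($sFileReal) : false;
    if($sSource === false){
        $aDataR['jmessage'] = "Unable to read the requested file";
    }
    else{
        // Escape markup characters so the source is shown as text; as written
        // the replacement mapped "<" to itself and file contents reached the
        // client as live markup.
        $aDataR['jdata'] = nl2br(str_replace(array("&","<",">"),array("&amp;","&lt;","&gt;"),$sSource));
        $aDataR['jresult'] = true;
    }
}
die(json_encode($aDataR));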
?>