<?php
/* Changes your security settings for the HackSuite
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 09-03-2015
*/
// This endpoint answers with JSON that reflects the live security state, so it must
// never be served from a cache.
session_cache_limiter('nocache');
header('Expires: '.gmdate('r',0));
header('Content-type: application/json');
$_DYNAMIC_ROOT = "..";
$bWriteMe = false;
include_once("../header.php");
$sDest = "../vars.php";
// Default response: failure, until one of the update cases says otherwise.
$aDataR = array();
$aDataR['jresult'] = false;
$aDataR['jmessage'] = "an error occured";
// Helpers this script depends on (WriteF, GetFileData); abort with a JSON error if one is missing.
$aFiles = array(
    $_PATHS['functions_root']."/fwrite.php",
    $_PATHS['functions_root']."/get_file_data.php"
);
foreach($aFiles as $sFile){
    if(!file_exists($sFile)){
        $aDataR['jmessage'] = "Missing required file: ".$sFile;
        die(json_encode($aDataR));
    }
    @include_once($sFile);
}
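/*
 * Helpers local to this endpoint.
 *
 * Every case below edits vars.php as text: a "$_CONTEXT[...] = ...;" line is swapped by
 * str_replace and the new text is written back. Two consequences drive the helpers:
 *  - anything taken from the request and spliced into the file must be inert inside a
 *    double-quoted PHP string literal (otherwise the request rewrites the PHP code itself);
 *  - password/hash comparisons must not use PHP's loose "==": two hex digests of the form
 *    "0e123..." compare equal as numbers, and "==" is not constant time.
 */
if(!function_exists('thc_settings_hash_equals')){
    /**
     * Compares the stored digest with one computed from the request.
     * @param mixed  $sKnown stored $_CONTEXT['pass_hash'] (string, or int 0 when unset)
     * @param string $sGiven sha1 digest computed from the submitted password
     * @return bool
     */
    function thc_settings_hash_equals($sKnown,$sGiven){
        if(function_exists('hash_equals')){
            return hash_equals((string)$sKnown,(string)$sGiven);
        }
        // PHP < 5.6: a strict comparison still removes the "0e..." pitfall,
        // only the constant-time property is lost.
        return (string)$sKnown===(string)$sGiven;
    }
}
if(!function_exists('thc_settings_random_salt')){
    /**
     * Returns a 10 character hex salt, from a CSPRNG where one is available.
     * @return string
     */
    function thc_settings_random_salt(){
        if(function_exists('random_bytes')){
            return bin2hex(random_bytes(5));
        }
        // PHP < 7 fallback; mt_rand() is not a CSPRNG, uniqid() at least mixes in the clock.
        return substr(md5(uniqid(mt_rand(),true)),0,10);
    }
}
if(!function_exists('thc_settings_is_php_string_safe')){
    /**
     * True when $sValue can be written verbatim between double quotes in vars.php without
     * changing the PHP code: printable ASCII only, no quote, backslash or dollar sign.
     * (\z rather than $ so a trailing newline cannot slip through.)
     * @param mixed $sValue
     * @return bool
     */
    function thc_settings_is_php_string_safe($sValue){
        if(!is_string($sValue) || $sValue===""){
            return false;
        }
        return preg_match('/^[\x20-\x7e]+\z/',$sValue)===1 && strpbrk($sValue,'"\\$')===false;
    }
}
if(!function_exists('thc_settings_set_auth_cookie')){
    /**
     * (Re)sets the suite's auth cookie. Name and value are derived from the stored hash, as
     * this file did before: the cookie value IS the password hash, so a stolen cookie is as
     * good as the hash itself and can be cracked offline (a random session token would be
     * the better design, but the login side would have to change with it).
     * @param mixed $sHash   current $_CONTEXT['pass_hash']
     * @param int   $iExpire absolute expiry timestamp; a past value deletes the cookie
     */
    function thc_settings_set_auth_cookie($sHash,$iExpire){
        // HttpOnly keeps the hash out of reach of injected script; this file reads the cookie
        // server-side via $_COOKIE. Confirm no client-side script needs it. Add the Secure flag
        // once the suite is only served over TLS.
        setcookie("thcauth_".substr($sHash,0,5),$sHash,$iExpire,"/","",false,true);
    }
}

if(!is_writable($sDest)){
    $aDataR['jmessage'] = "Make sure the file vars.php in root is writable";
}
else{
    // $sMD5 is the fingerprint of vars.php before any edit; each case compares against it to
    // report "Nothing to update" instead of rewriting an unchanged file.
    // NOTE(review): every change below is driven by a plain POST from a cookie-authenticated
    // browser. Whether ../header.php enforces a CSRF token is not visible here; if it does not,
    // a cross-site form can trigger e.g. case "10" and strip all access control.
    $sData = GetFileData($sDest);
    $sMD5 = md5($sData);
    if(!isset($_POST['iUpdateMe']) || !is_string($_POST['iUpdateMe'])){
        $aDataR['jmessage'] = "Invalid action specified";
    }
    else{
        switch($_POST['iUpdateMe']){
            /* toggle password access: disables it when on (current password required), enables it when off */
            case"0":
                if(!isset($_POST['iUpdate']) || $_POST['iUpdate']!=1){
                    $aDataR['jmessage'] = "You need to select the checkbox in order to make changes";
                }
                elseif(!isset($_POST['sPass1'],$_POST['sPass2']) || !is_string($_POST['sPass1']) || !is_string($_POST['sPass2'])){
                    $aDataR['jmessage'] = "No passwords specified";
                }
                elseif($_POST['sPass1']===""){
                    $aDataR['jmessage'] = "Password hasn't been specified";
                }
                elseif($_POST['sPass1']!==$_POST['sPass2']){
                    $aDataR['jmessage'] = "Passwords don't match";
                }
                elseif(strlen($_POST['sPass1'])<6){
                    $aDataR['jmessage'] = "Password must at least be 6 characters long";
                }
                elseif(!$_CONTEXT['ip_access'] && $_CONTEXT['pass_access']){
                    // turning the password off while no ip whitelist is active would leave the suite open
                    $aDataR['jmessage'] = "You need to have at least one form of security";
                }
                else{
                    $sOld = "\$_CONTEXT['pass_access'] = ".($_CONTEXT['pass_access'] ? "true" : "false").";";
                    $sNew = "\$_CONTEXT['pass_access'] = ".($_CONTEXT['pass_access'] ? "false" : "true").";";
                    $sData = str_replace($sOld,$sNew,$sData);
                    if($_CONTEXT['pass_access']){
                        // disabling: the caller must prove knowledge of the current password
                        $sGiven = sha1($_CONTEXT['pass_salt'].":".$_POST['sPass1']);
                        if(thc_settings_hash_equals($_CONTEXT['pass_hash'],$sGiven)){
                            thc_settings_set_auth_cookie($_CONTEXT['pass_hash'],time()-1000);
                            // previously this branch returned jresult=true with the default "an error occured" text
                            $aDataR['jmessage'] = "Successfully updated password access settings";
                            $aDataR['jref'] = 0;
                            $bWriteMe = true;
                        }
                        else{
                            $aDataR['jmessage'] = "Invalid password specified";
                        }
                    }
                    else{
                        // enabling: create salt and hash when vars.php still holds the "0" placeholders.
                        // Test for the exact placeholder: a loose "== 0" also matches any non-numeric
                        // salt/hash string on PHP < 8 and would silently skip the update.
                        $sSalt = $_CONTEXT['pass_salt'];
                        if($sSalt===0 || $sSalt==="0"){
                            $sSalt = thc_settings_random_salt();
                            $sData = str_replace("\$_CONTEXT['pass_salt'] = 0;","\$_CONTEXT['pass_salt'] = \"".$sSalt."\";",$sData);
                        }
                        if($_CONTEXT['pass_hash']===0 || $_CONTEXT['pass_hash']==="0"){
                            $sData = str_replace("\$_CONTEXT['pass_hash'] = 0;","\$_CONTEXT['pass_hash'] = \"".sha1($sSalt.":".$_POST['sPass1'])."\";",$sData);
                        }
                        // An already stored hash is kept: the password typed here only becomes the
                        // password when none was stored before (case "3" changes an existing one).
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            if(isset($_COOKIE["thcauth_".substr($_CONTEXT['pass_hash'],0,5)])){
                                thc_settings_set_auth_cookie($_CONTEXT['pass_hash'],time()-1000);
                            }
                            $aDataR['jmessage'] = "Successfully updated password access settings";
                            $aDataR['jref'] = 1;
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* toggle ip access */
            case"1":
                if(!isset($_POST['iUpdate']) || $_POST['iUpdate']!=1){
                    $aDataR['jmessage'] = "You need to select the checkbox in order to make changes";
                }
                elseif($_CONTEXT['ip_access'] && !$_CONTEXT['pass_access']){
                    // turning ip access off while no password is set would leave the suite open
                    $aDataR['jmessage'] = "You need to have at least one form of security";
                }
                else{
                    // NOTE(review): the whitelist itself is only validated in case "2"; enabling ip
                    // access with an empty or foreign list presumably locks the current admin out.
                    $sOld = "\$_CONTEXT['ip_access'] = ".($_CONTEXT['ip_access'] ? "true" : "false").";";
                    $sNew = "\$_CONTEXT['ip_access'] = ".($_CONTEXT['ip_access'] ? "false" : "true").";";
                    $sData = str_replace($sOld,$sNew,$sData);
                    $aDataR['jmessage'] = "Successfully updated ip access settings";
                    $aDataR['jref'] = ($_CONTEXT['ip_access'] ? 0 : 1);
                    $bWriteMe = true;
                }
                break;
            /* replace the ip whitelist (comma separated IPv4 addresses) */
            case"2":
                if(!isset($_POST['sIPS']) || !is_string($_POST['sIPS']) || $_POST['sIPS']===""){
                    $aDataR['jmessage'] = "No ip addresses to allow";
                }
                else{
                    $sList = str_replace(" ","",trim($_POST['sIPS']));
                    $bNotIP = false;
                    $sIP = "";
                    // FILTER_VALIDATE_IP is what makes these values safe to splice into vars.php;
                    // the IPv4-only flag also means IPv6 clients cannot be whitelisted.
                    if(strpos($sList,",")===false){
                        if(!filter_var($sList,FILTER_VALIDATE_IP,FILTER_FLAG_IPV4)){
                            $aDataR['jmessage'] = "Invalid ip address ".$sList;
                            $bNotIP = true;
                        }
                        $sIP = "\"".$sList."\"";
                    }
                    else{
                        foreach(explode(",",$sList) as $b=>$sOne){
                            if(!filter_var($sOne,FILTER_VALIDATE_IP,FILTER_FLAG_IPV4)){
                                $aDataR['jmessage'] = "Invalid ip address: ".$sOne;
                                $bNotIP = true;
                                break;
                            }
                            $sIP .= ($b>0 ? "," : "")."\"".$sOne."\"";
                        }
                    }
                    if(!$bNotIP){
                        // rebuild the current array() literal exactly as it appears in vars.php
                        $aOld = array();
                        foreach($_CONTEXT['ip_allowed'] as $sOne){
                            $aOld[] = "\"".$sOne."\"";
                        }
                        $sOld = "\$_CONTEXT['ip_allowed'] = array(".implode(",",$aOld).");";
                        $sNew = "\$_CONTEXT['ip_allowed'] = array(".$sIP.");";
                        $sData = str_replace($sOld,$sNew,$sData);
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            $aDataR['jmessage'] = "Successfully updated ip whitelist";
                            $aDataR['jref'] = $sList;
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* change the password (current password required) */
            case"3":
                if(!isset($_POST['sPassO'],$_POST['sPassN']) || !is_string($_POST['sPassO']) || !is_string($_POST['sPassN'])){
                    $aDataR['jmessage'] = "Expecting password variables to be sent";
                }
                else{
                    $sPassO = trim($_POST['sPassO']);
                    $sPassN = trim($_POST['sPassN']);
                    if($sPassO===$sPassN){
                        $aDataR['jmessage'] = "The old password can't be the same as the new password";
                    }
                    elseif(empty($sPassO)){
                        $aDataR['jmessage'] = "Password can't be empty";
                    }
                    elseif(strlen($sPassN)<6){
                        $aDataR['jmessage'] = "Password must at least be 6 characters";
                    }
                    elseif(!thc_settings_hash_equals($_CONTEXT['pass_hash'],sha1($_CONTEXT['pass_salt'].":".$sPassO))){
                        $aDataR['jmessage'] = "Specified password isn't your old password";
                    }
                    else{
                        // NOTE(review): sha1(salt.":".password) is the scheme this file verifies
                        // against everywhere, so it is kept; it is fast to brute-force offline.
                        // Moving to password_hash()/password_verify() needs the login side changed too.
                        $sData = str_replace("\$_CONTEXT['pass_hash'] = \"".$_CONTEXT['pass_hash']."\";","\$_CONTEXT['pass_hash'] = \"".sha1($_CONTEXT['pass_salt'].":".$sPassN)."\";",$sData);
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            // the cookie is named/valued after the old hash: invalidate it
                            thc_settings_set_auth_cookie($_CONTEXT['pass_hash'],time()-1000);
                            $aDataR['jmessage'] = "Successfully updated your password";
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* replace the stored password hash directly */
            case"4":
                if(!isset($_POST['sHash']) || !is_string($_POST['sHash']) || $_POST['sHash']===""){
                    $aDataR['jmessage'] = "No hash specified to update";
                }
                else{
                    $sHash = trim($_POST['sHash']);
                    // 40 lowercase hex chars: this also guarantees the value is inert inside vars.php
                    if(!preg_match('/^[0-9a-f]{40}$/',$sHash)){
                        // was reported as "Successfully updated your password" while jresult stayed false
                        $aDataR['jmessage'] = "Hash must be 40 lowercase hexadecimal characters (sha1)";
                    }
                    else{
                        // only matches when a string hash is stored; with the 0 placeholder nothing changes
                        $sData = str_replace("\$_CONTEXT['pass_hash'] = \"".$_CONTEXT['pass_hash']."\";","\$_CONTEXT['pass_hash'] = \"".$sHash."\";",$sData);
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            thc_settings_set_auth_cookie($_CONTEXT['pass_hash'],time()-1000);
                            $aDataR['jmessage'] = "Successfully updated your password hash";
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* replace the salt */
            case"5":
                if(!isset($_POST['sSalt']) || !is_string($_POST['sSalt']) || $_POST['sSalt']===""){
                    $aDataR['jmessage'] = "No salt specified to update";
                }
                else{
                    $sSalt = trim($_POST['sSalt']);
                    if(strlen($sSalt)<3){
                        $aDataR['jmessage'] = "You need a salt of at least 3 characters";
                    }
                    elseif(!thc_settings_is_php_string_safe($sSalt)){
                        // the salt is written verbatim between double quotes in vars.php; a quote,
                        // backslash, "$" or control character would change (or break) the PHP code
                        $aDataR['jmessage'] = "Salt may only contain printable characters without quotes, backslashes or dollar signs";
                    }
                    else{
                        // NOTE(review): the stored hash is sha1(salt.":".password) and is not recomputed
                        // here, so after a salt change the current password no longer verifies unless the
                        // hash is replaced as well (case "4"). Asking for the current password here and
                        // re-hashing with the new salt would close that gap.
                        $sData = str_replace("\$_CONTEXT['pass_salt'] = \"".$_CONTEXT['pass_salt']."\";","\$_CONTEXT['pass_salt'] = \"".$sSalt."\";",$sData);
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            thc_settings_set_auth_cookie($_CONTEXT['pass_hash'],time()-1000);
                            $aDataR['jmessage'] = "Successfully updated your password salt";
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* auth cookie lifetime in seconds */
            case"6":
                if(!isset($_POST['iCookieLife']) || $_POST['iCookieLife']===""){
                    $aDataR['jmessage'] = "No cookie life value specified";
                }
                else{
                    $iLife = (int)$_POST['iCookieLife'];
                    if($iLife<600){
                        $aDataR['jmessage'] = "A valid value for cookie life is an integer value of at least 600 (seconds)";
                    }
                    else{
                        $sData = str_replace("\$_CONTEXT['cookielife'] = ".$_CONTEXT['cookielife'].";","\$_CONTEXT['cookielife'] = ".$iLife.";",$sData);
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            // extend the current cookie right away so the admin is not logged out
                            thc_settings_set_auth_cookie($_CONTEXT['pass_hash'],time()+$iLife);
                            $aDataR['jmessage'] = "Successfully updated cookie expiration date";
                            $aDataR['jref'] = $iLife;
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* delay (seconds) applied after a failed login */
            case"7":
                if(!isset($_POST['iSleepVal']) || $_POST['iSleepVal']===""){
                    $aDataR['jmessage'] = "No sleep value specified";
                }
                else{
                    $iSleep = (int)$_POST['iSleepVal'];
                    if($iSleep<1 || $iSleep>9){
                        $aDataR['jmessage'] = "Choose a value between 1 and 9 (seconds)";
                    }
                    else{
                        $sData = str_replace("\$_CONTEXT['sleeptime'] = ".$_CONTEXT['sleeptime'].";","\$_CONTEXT['sleeptime'] = ".$iSleep.";",$sData);
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            $aDataR['jmessage'] = "Successfully updated sleep time for login failures";
                            $aDataR['jref'] = $iSleep;
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* rename the login file (path relative to the suite root) */
            case"8":
                if(!isset($_POST['sLoginFile']) || !is_string($_POST['sLoginFile']) || $_POST['sLoginFile']===""){
                    $aDataR['jmessage'] = "No login file value specified";
                }
                else{
                    $sLoginFile = trim($_POST['sLoginFile']);
                    if(!function_exists("ExploitFilter")){
                        include_once($_PATHS['functions_root']."/exploitfilter.php");
                    }
                    // ExploitFilter() lives in functions/exploitfilter.php (not visible here). The checks
                    // after it are a local safety net: the value becomes both a path under
                    // $_PATHS['root'] and a double-quoted string in vars.php.
                    if(ExploitFilter($sLoginFile,false,true)!=$sLoginFile){
                        $aDataR['jmessage'] = "Special characters are not allowed";
                    }
                    elseif(strpos($sLoginFile,"..")!==false || $sLoginFile[0]==="/" || !thc_settings_is_php_string_safe($sLoginFile)){
                        $aDataR['jmessage'] = "Login file must be a relative path without '..' or special characters";
                    }
                    elseif($sLoginFile===$_CONTEXT['login_file']){
                        $aDataR['jmessage'] = "You are already using that login file location";
                    }
                    elseif(file_exists($_PATHS['root']."/".$sLoginFile)){
                        $aDataR['jmessage'] = "Can't create the file because it already exist";
                    }
                    elseif(!@rename($_PATHS['root']."/".$_CONTEXT['login_file'],$_PATHS['root']."/".$sLoginFile)){
                        $aDataR['jmessage'] = "Failed to rename file to: ".$sLoginFile;
                    }
                    else{
                        // the file is renamed before vars.php is written; if that final write fails,
                        // vars.php still names the old file and the login page is unreachable
                        $sData = str_replace("\$_CONTEXT['login_file'] = \"".$_CONTEXT['login_file']."\";","\$_CONTEXT['login_file'] = \"".$sLoginFile."\";",$sData);
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            $aDataR['jmessage'] = "Successfully updated login file location";
                            $aDataR['jref'] = $sLoginFile;
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* redirect target after a failed login */
            case"9":
                if(!isset($_POST['sUrl']) || !is_string($_POST['sUrl'])){
                    $aDataR['jmessage'] = "Invalid url specified";
                }
                else{
                    $sUrl = trim($_POST['sUrl']);
                    $aUrl = parse_url($sUrl);
                    // a host is required, and the value must be inert as a double-quoted PHP string in
                    // vars.php (printable ASCII, no quote/backslash/$) - that also rules out CR/LF, which
                    // would otherwise travel into whatever Location header the login side emits
                    if(!is_array($aUrl) || !isset($aUrl['host']) || $aUrl['host']==="" || !thc_settings_is_php_string_safe($sUrl)){
                        $aDataR['jmessage'] = "Invalid url specified";
                    }
                    else{
                        $sData = str_replace("\$_CONTEXT['redirect_fail_login'] = \"".$_CONTEXT['redirect_fail_login']."\";","\$_CONTEXT['redirect_fail_login'] = \"".$sUrl."\";",$sData);
                        if(md5($sData)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            $aDataR['jmessage'] = "Successfully updated redirect website location";
                            $aDataR['jref'] = $sUrl;
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            /* reset every access setting to the vars.php defaults */
            case"10":
                if(!isset($_POST['iReset']) || $_POST['iReset']===""){
                    $aDataR['jmessage'] = "You need to select the checkbox in order to reset the access";
                }
                else{
                    // line-wise rewrite: a line starting with one of these keys is replaced by its default
                    $aDefaults = array(
                        'ip_access' => "false",
                        'ip_allowed' => "array()",
                        'pass_access' => "false",
                        'pass_hash' => "0",
                        'pass_salt' => "0",
                        'sleeptime' => "3",
                        'cookielife' => "86400",
                        'login_file' => "\"login.php\"",
                        'redirect_fail_login' => "\"http://www.google.com\""
                    );
                    $aFile = file($sDest);
                    if($aFile===false){
                        // previously an unreadable vars.php produced an empty buffer that was then written back
                        $aDataR['jmessage'] = "Could not read vars.php";
                    }
                    else{
                        $sBuffer = "";
                        foreach($aFile as $sLine){
                            $bFound = false;
                            foreach($aDefaults as $sKey=>$sValue){
                                if(strpos($sLine,"\$_CONTEXT['".$sKey."']")===0){
                                    $sBuffer .= "\$_CONTEXT['".$sKey."'] = ".$sValue.";\n";
                                    $bFound = true;
                                    break;
                                }
                            }
                            if(!$bFound){
                                $sBuffer .= $sLine;
                            }
                        }
                        if(md5($sBuffer)===$sMD5){
                            $aDataR['jmessage'] = "Nothing to update";
                        }
                        else{
                            // this disables both ip and password access: until setup.php has been run
                            // again the suite is reachable by anyone who can reach the web server
                            $sData = $sBuffer;
                            thc_settings_set_auth_cookie($_CONTEXT['pass_hash'],time()-1000);
                            $aDataR['jmessage'] = "Successfully reset the environment, you will be redirected back to setup.php";
                            $aDataR['jredirect'] = 1;
                            $bWriteMe = true;
                        }
                    }
                }
                break;
            default:
                // unknown action: say so instead of the generic "an error occured"
                $aDataR['jmessage'] = "Invalid action specified";
        }
    }
}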
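// Persist only when a case above validated its input and changed $sData.
if($bWriteMe){
    // WriteF() comes from functions/fwrite.php (not visible here). Treat an explicit false as
    // failure so the client is not told the settings were saved when they were not; a void
    // return still counts as success. NOTE(review): a non-atomic write that fails halfway
    // leaves a truncated vars.php and an unreachable suite - confirm WriteF writes to a temp
    // file and renames, or add that there.
    if(WriteF($sDest,$sData,"w")===false){
        $aDataR['jmessage'] = "Failed to write vars.php";
    }
    else{
        $aDataR['jresult'] = true;
    }
}
echo json_encode($aDataR);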
?>