…will make a new module, and not just any new module: let's make a fully automatic injection script! This tutorial is the first step toward that. Let's first explain what we're…
THC Sscan is a very versatile tool for scanning (html) files
<?php
/*
Handler for Inject It
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 13-04-2015
*/
// Module identifier; per the original note it is what lets a task be saved,
// so it is assigned before the shared header is included.
$_MODULE_C = "thc_ii";
include_once("../../Includes/screen_header.php");

// Location of this module's scan log (read, appended to and truncated further down).
$_PATHS['injectlog'] = $_PATHS['module_default_root']."/logs/default.php";

// Shared helpers; the include order is kept exactly as it was.
include_once($_PATHS['style_root']."/screen.php");
include_once($_PATHS['functions_root']."/fwrite.php");
include_once($_PATHS['module_default_root']."/inject.php");
include_once($_PATHS['functions_root']."/scrn.php");

// Summary of the current option flags, shown on the index view.
$sOptions = sprintf(
    "<b>logging:</b> %s<br>\n<b>silence:</b> %s<br>\n<b>verbose:</b> %s\n",
    ($_CONTEXT['log']==true ? "on" : "off"),
    ($_CONTEXT['silent']==true ? "on" : "off"),
    ($_CONTEXT['verbose']==true ? "on" : "off")
);
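/*
Request dispatcher for the module. $_POST['submit'] selects one of:
  "Scan"         - run the single or file-driven scan and optionally append to the log
  "Dump Log"     - print the stored log grouped by scan session
  "Truncate Log" - empty the log file
  anything else  - show the option summary

Hardening applied in this block (the handler's own input/output handling):
  - every request- or file-derived value is HTML-escaped before it is printed
  - log fields are stripped of CR/LF and "|" so one value cannot forge extra
    log rows or shift columns in the pipe-delimited log
  - the list file is resolved with realpath() and must live inside the urls directory
  - aExploits must be an array and each entry must name a known inject definition

NOTE(review): no authorization or CSRF check is visible in this file, yet "Scan"
issues outbound requests and "Truncate Log" destroys data. Confirm that
screen_header.php enforces both before this code is reached.
*/
if(!function_exists('InjectItHtml')){
    // Escape a value for the HTML context this handler prints into.
    function InjectItHtml($mValue){
        return htmlspecialchars((string)$mValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if(!function_exists('InjectItLogField')){
    // Make a value safe for one column of the "id|time|target|key|result" log line.
    function InjectItLogField($mValue){
        return str_replace(array("\r","\n","|"), array("","","%7C"), (string)$mValue);
    }
}

if(isset($_POST['submit'])){
    switch($_POST['submit']){
        // scan
        case "Scan":
            echo $sOut;
            // collapse the mode flag to exactly 0 (single) or 1 (file-driven); a missing field counts as 0
            $_POST['iAttackType'] = ((isset($_POST['iAttackType']) && $_POST['iAttackType']==1) ? 1 : 0);
            if($_POST['iAttackType']==0){
                // the target is printed and logged below, so insist on a non-empty string up front
                if(!isset($_POST['sTarget']) || !is_string($_POST['sTarget']) || $_POST['sTarget']===""){
                    die(Screen("<br>\n<b>No target specified</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
                }
                // set static post variables to determine which variables to poison
                // NOTE(review): "iLogType" is read as a control field further down but is not
                // listed here, so when it is posted it is counted as a selected variable and
                // the "none selected" check below cannot trigger. Confirm whether it belongs here.
                $_STATIC = array("iAttackType","sTarget","sUseFile","aExploits","submit");
                $_POISON = array();
                foreach($_POST as $sKey=>$mValue){
                    if(!in_array($sKey,$_STATIC)){
                        $_POISON[] = $sKey;
                    }
                }
                $iPoison = count($_POISON);
                if($iPoison==0){
                    // no variables selected to poison
                    die(Screen("<br>\n<b>No variables selected to poison</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
                }
            }
            else{
                // ExploitFilter() is called just below; this include used to come only after
                // that call. include_once makes loading it here harmless if it is already loaded.
                @include_once($_PATHS['functions_root']."/exploit_filter.php");
                $sUrlDir = realpath($_PATHS['module_default_root']."/urls");
                $sDest = $_PATHS['module_default_root']."/urls/".ExploitFilter((isset($_POST['sUseFile']) && is_string($_POST['sUseFile'])) ? $_POST['sUseFile'] : "",0,1);
                // Resolve the path and require it to stay inside the urls directory, so the
                // posted name cannot select a file elsewhere on disk whatever ExploitFilter allows.
                $sReal = realpath($sDest);
                if($sUrlDir===false || $sReal===false || strpos($sReal,$sUrlDir.DIRECTORY_SEPARATOR)!==0 || !is_file($sReal)){
                    // file doesn't exist (or is not a regular file inside the urls directory)
                    die(Screen("<br>\n<b>Log file doesn't exist</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
                }
                $sDest = $sReal;
                if(filesize($sDest)==0){
                    // target file is empty
                    die(Screen("<br>\n<b>Target file is empty</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
                }
            }
            // the selection must be a real list: a scalar or missing field is rejected instead of
            // being counted, and the list is re-indexed because the loop below walks 0..n-1
            if(!isset($_POST['aExploits']) || !is_array($_POST['aExploits']) || count($_POST['aExploits'])==0){
                // no exploits selected
                die(Screen("<br>\n<b>No exploits selected</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
            }
            $_POST['aExploits'] = array_values($_POST['aExploits']);
            $iExploits = count($_POST['aExploits']);
            // used for creating the exploiturl and initialize the attack
            @include_once($_PATHS['module_default_root']."/func_exploiturl.php");
            @include_once($_PATHS['module_default_root']."/func_payloadsend.php");
            @include_once($_PATHS['module_default_root']."/func_parseresponse.php");
            // buffer for logging
            $sBuffer = "";
            // Scan id used to group log rows: 10 hex characters, as before. It is now derived from
            // uniqid() so two scans started within the same second get different ids.
            // It is a grouping label, not a secret.
            $sID = substr(md5(uniqid("",true)),0,10);
            include_once($_PATHS['includes_root']."/task_start.php");
            echo Screen("<br>\n<b>Running..</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
            // push the banner to the browser before the long-running part starts
            flush();
            ob_flush();
            // NOTE(review): targets are handed to PayloadSend() as given. If it is cURL-based (the
            // option array name suggests so), confirm $_CONTEXT['curloptions'] restricts protocols
            // to http/https so file:// and similar schemes are refused.
            if($_POST['iAttackType']==1){
                // file-driven scan
                // NOTE(review): this branch walks every entry of $_CONTEXT['inject'] and ignores the
                // posted aExploits selection; confirm that is intended.
                $aFile = file($sDest);
                if($aFile===false){
                    $aFile = array();
                }
                for($x=0;$x<count($aFile);$x++){
                    // file() keeps line endings, so trim first and skip lines that are really blank
                    $sLine = trim($aFile[$x]);
                    if($sLine===""){
                        continue;
                    }
                    // build the request url, send it, then record and print the parsed result
                    foreach($_CONTEXT['inject'] as $sKey=>$aExploitP){
                        $sUrl = ExploitUrl($sLine,$_CONTEXT['inject'],$sKey);
                        $aResponse = PayloadSend($sUrl,$_CONTEXT['curloptions']);
                        $sBuffer .= $sID."|".time()."|".InjectItLogField($sLine)."|".InjectItLogField($sKey)."|";
                        $bResult = ParseResponse($aResponse['data'],$_CONTEXT['inject'][$sKey]['response']);
                        $sBuffer .= ($bResult ? 1 : 0)."\n";
                        echo Screen("<br>\n".InjectItHtml($sLine)." ".($bResult ? "could be" : "isn't")." exploitable with ".InjectItHtml($sKey)."\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
                    }
                }
            }
            else{
                // single scan
                for($x=0;$x<$iExploits;$x++){
                    $sExploit = $_POST['aExploits'][$x];
                    // only names that exist in the inject table are accepted; anything else would
                    // index an undefined entry below
                    if(!is_string($sExploit) || !isset($_CONTEXT['inject'][$sExploit])){
                        echo Screen("<br>\n<b>Unknown exploit skipped</b>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
                        continue;
                    }
                    $sUrl = ExploitUrl($_POST['sTarget'],$_CONTEXT['inject'],$sExploit,$_POISON);
                    // NOTE(review): $sUrl is computed but not passed on here (the file-driven branch
                    // passes it), so the result recorded below describes a request to the raw target.
                    // Behaviour kept as found; confirm which is intended.
                    $aResponse = PayloadSend($_POST['sTarget'],$_CONTEXT['curloptions']);
                    $sBuffer .= $sID."|".time()."|".InjectItLogField($_POST['sTarget'])."|".InjectItLogField($sExploit)."|";
                    $bResult = ParseResponse($aResponse['data'],$_CONTEXT['inject'][$sExploit]['response']);
                    $sBuffer .= ($bResult ? 1 : 0)."\n";
                    echo Screen("<br>\n".InjectItHtml($_POST['sTarget'])." ".($bResult ? "could be" : "isn't")." exploitable with ".InjectItHtml($sExploit)."\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
                }
            }
            // append the collected rows only when logging was requested
            if(isset($_POST['iLogType']) && $_POST['iLogType']==1){
                WriteF($_PATHS['injectlog'],$sBuffer,"a");
            }
            break;
        // dump log
        case "Dump Log":
            echo $sOut;
            @include_once($_PATHS['functions_root']."/raw_to_array.php");
            if(false==($aKeys = RawToArray($_PATHS['injectlog']))){
                echo"<b id=h7>[no logs found]</b>";
            }
            else{
                // Rows are used as: [0] scan id, [1] unix time, [2] target, [3] inject key, [4] result.
                // Log content originates from scanned targets and posted fields, so every field is
                // escaped on output; rows written before this escaping existed are covered as well.
                $sThisSession = null;
                for($x=0;$x<count($aKeys);$x++){
                    // skip rows that do not carry all five columns
                    if(!isset($aKeys[$x][0],$aKeys[$x][1],$aKeys[$x][2],$aKeys[$x][3],$aKeys[$x][4])){
                        continue;
                    }
                    // Strict string comparison: ids are hex strings, and a loose comparison would
                    // treat two different ids of the form "0e1234..." as equal numbers.
                    if($sThisSession===null){
                        $sThisSession = (string)$aKeys[$x][0];
                        echo"<p><b>session ".InjectItHtml($sThisSession)."</b><br />\n";
                    }
                    elseif($sThisSession!==(string)$aKeys[$x][0]){
                        $sThisSession = (string)$aKeys[$x][0];
                        echo"</p><p><b>session ".InjectItHtml($sThisSession)."</b><br />\n";
                    }
                    echo"<b>[".date($_CONTEXT['time_pattern'].' H:i:s',(int)$aKeys[$x][1])."]</b> (".InjectItHtml($aKeys[$x][2]).") inject ".InjectItHtml($aKeys[$x][3]).", result ".(trim($aKeys[$x][4])==1 ? "<b id=\"h6\">SUCCESS</b>" : "<b id=\"h7\">FAILED</b>")."<br>\n";
                }
                if($sThisSession!==null){
                    echo"</p>";
                }
            }
            echo $sEnd;
            exit;
        // clean logfile
        case "Truncate Log":
            echo $sOut;
            echo (WriteF($_PATHS['injectlog'],"","w")==true ? "Successfully deleted old entries." : "Failed to delete old entries.");
            echo $sEnd;
            exit;
        // just show index
        default:
            echo $sOut;
            echo $sOptions;
            echo $sEnd;
            exit;
    }
}
else{
    // nothing submitted: show the index
    echo $sOut;
    echo $sOptions;
    echo $sEnd;
    exit;
}
// only the "Scan" case reaches this point: update entry in background task file
include_once($_PATHS['includes_root']."/task_end.php");
echo $sEnd;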
?>