...we will make a new module, and not just any new module: let's make a fully automatic injection script! This tutorial is the first step towards that. Let's first explain what...
Mister LG can create upload forms and test targets for file upload vulnerabilities.
<?php
/*
JSON requests for:
1- sending users a notification email
2- removing tasks from tasks.php
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 12-11-2014
*/
/* Bootstrap: set the relative root, then pull in the shared and the module header. */
// Assigned before the includes; presumably read by the included header.php - confirm.
$_DYNAMIC_ROOT = "../../..";
// NOTE(review): no authentication or session check is visible in this file;
// presumably the included headers enforce it - confirm before exposing this endpoint.
include_once("../../../header.php");
include_once("header.php");
$cTHC = new THC();
/* Default JSON reply: stays a failure unless one of the request handlers overwrites it. */
$aDataR = array(
    'jresult' => false,
    'jmessage' => "Invalid request received.",
);
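/*
Request handling. Exactly one action runs per request:
  POST sendemail=<id>   mail every user listed in results/<id>.txt using templates/email.txt
  GET  removetask=<id>  drop task <id> from tasks.php and delete results/<id>.txt
The outcome is written to $aDataR ('jresult' => bool, 'jmessage' => string); when a request
value is rejected the defaults already in $aDataR ("Invalid request received.") are kept.
*/
if (isset($_POST['sendemail'])) {
    /* send users an email */
    // An array-valued parameter (sendemail[]=x) would otherwise be concatenated as "Array".
    $sReqId = is_string($_POST['sendemail']) ? $_POST['sendemail'] : "";
    // Defence in depth on top of ExploitFilter(), whose behaviour is not visible here:
    // the id becomes part of a file name, so refuse path separators, NUL bytes and "..".
    // Assumes legitimate ids never contain those sequences - confirm against how ids are generated.
    $bSafeId = ($sReqId !== "" && !preg_match('#[/\\\\\x00]|\.\.#', $sReqId));
    if ($bSafeId) {
        // NOTE(review): unserialize() instantiates any class named in the data. If a results
        // file can hold content influenced by a scanned target, this is an object-injection
        // risk; prefer json_decode(), or unserialize() with allowed_classes => false on PHP 7+.
        $aData = @unserialize(file_get_contents("results/".$cTHC->ExploitFilter($sReqId.".txt",0,1)));
        if (!is_array($aData) || !isset($aData['users']) || !is_array($aData['users'])) {
            $aDataR['jmessage'] = "No users found in the result file.";
        }
        else {
            $sTemplateFile = "templates/email.txt";
            $sTemplate = @file_get_contents($sTemplateFile);
            // An unreadable or empty template is treated as missing.
            if (!$sTemplate) {
                $aDataR['jmessage'] = "Expecting template file in: ".$sTemplateFile;
            }
            else {
                $iUsers = count($aData['users']);
                $iMails = 0;
                foreach ($aData['users'] as $aUser) {
                    // Each entry is expected to be array(0 => user name, 1 => address); anything
                    // else coming out of the unserialized file is skipped instead of being used.
                    $sAddress = (is_array($aUser) && isset($aUser[1]) && is_string($aUser[1])) ? $aUser[1] : "";
                    $sName = (is_array($aUser) && isset($aUser[0]) && is_scalar($aUser[0])) ? (string)$aUser[0] : "";
                    if ($sAddress === "") {
                        continue;
                    }
                    // Count a message only when mail() accepted it, so the report is accurate.
                    if (@mail($sAddress,"Important security notification about your password",str_replace("/user/",$sName,$sTemplate))) {
                        $iMails++;
                    }
                }
                $aDataR['jmessage'] = "Mails sent: (".$iMails."/".$iUsers.")";
                $aDataR['jresult'] = true;
            }
        }
    }
}
elseif (isset($_GET['removetask'])) {
    /* remove a task and a result file */
    // NOTE(review): this deletes data on a plain GET and no anti-CSRF token is checked here;
    // a link or image tag loaded by a logged-in operator could trigger it. Moving the action
    // to POST with a token needs a matching change in the caller, so it is only flagged.
    $sTaskId = is_string($_GET['removetask']) ? $_GET['removetask'] : "";
    if ($sTaskId !== "") {
        $sTaskFile = "tasks.php";
        $aData = $cTHC->RawToArray($sTaskFile);
        $bFound = false;
        $sBuffer = "";
        if (is_array($aData)) {
            foreach ($aData as $aTask) {
                // Strict string comparison: with == the id "1.0" would also match task "1",
                // and the file deleted below would then not be that task's result file.
                if (is_array($aTask) && isset($aTask[0]) && (string)$aTask[0] === $sTaskId) {
                    $bFound = true;
                    continue;
                }
                // NOTE(review): rows are joined with no separator between them; presumably
                // RawToArray() keeps each line terminator in the last field - confirm.
                $sBuffer .= @implode("|",$aTask);
            }
        }
        if (!$bFound) {
            $aDataR['jmessage'] = "Failed to find task: ".$cTHC->ExploitFilter($sTaskId,1);
        }
        else {
            // Only reached for an id that matched a stored task exactly.
            $sResultFile = "results/".$sTaskId.".txt";
            if (!@unlink($cTHC->ExploitFilter($sResultFile,0,1))) {
                // Same ExploitFilter(...,1) call the not-found branch applies before echoing a
                // request-derived value (presumably its output filter - confirm).
                $aDataR['jmessage'] = "Failed to remove results file: ".$cTHC->ExploitFilter($sResultFile,1);
            }
            else {
                // The task list is rewritten only after the result file is gone.
                $aDataR['jresult'] = true;
                $cTHC->WriteF($sTaskFile,$sBuffer,"w");
            }
        }
    }
}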
/* Send the reply: caching disabled, body is the JSON-encoded $aDataR, then stop. */
session_cache_limiter('nocache');
// Timestamp 0 yields a date in the past, so the response counts as already expired.
$sExpires = gmdate('r',0);
header('Expires: '.$sExpires);
header('Content-type: application/json');
$sJson = json_encode($aDataR);
exit($sJson);
?>