..cool, we will make a new module and not just some new module, nope let's make a fully automatic injection script! This tutorial is the first step into making this. Let's first..
THC Sscan is a very versatile tool for scanning (html) files
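<?php
/* Returns and installs setup.php files in Apps
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 16-11-2014
*/
/*
JSON endpoint with two modes:
 - POST sInstallApp=Apps/<app>/setup.php : registers that app in ../Data/extra.php
   and records the action in ../Logs/log_activity.php.
 - no sInstallApp : lists the setup.php files below Apps that are not registered
   yet and returns them as an HTML <select> in 'jmessage'.
The response is always a JSON object with 'jresult' (bool) and 'jmessage' (string).

Security notes:
 - sInstallApp is request data that ends up in include_once(), so it has to name
   an existing Apps/.../setup.php without traversal segments before it is used.
 - Everything written into the generated PHP files goes through var_export(), so
   a quote, backslash or "$" in a value stays data and cannot become code.
 - Names and paths placed in the <select> markup are HTML-escaped.
 - NOTE(review): no authentication or CSRF check is visible in this file;
   presumably ../header.php enforces it - confirm, because this endpoint
   executes setup.php files and rewrites PHP files on disk.
*/
session_cache_limiter('nocache');
header('Expires: '.gmdate('r',0));
header('Content-type: application/json');
$_DYNAMIC_ROOT = "..";
include_once("../header.php");
$aDataR = array();
$aDataR['jresult'] = false;
@include_once("../Data/extra.php");
// The registry include above is best-effort. Only fall back to an empty list
// when nothing usable is in scope: an earlier include may already have loaded it.
if(!isset($aExtra) || !is_array($aExtra)){
    $aExtra = array();
}
if(isset($_POST['sInstallApp'])){
    $mRequested = $_POST['sInstallApp'];
    if(!is_string($mRequested) || $mRequested===""){
        // array-valued or empty parameter
        $aDataR['jmessage'] = "No app specified to install";
    }
    else{
        // ExploitFilter() is a project helper that is not defined in this file;
        // its result is not relied on for path safety, the checks below are.
        $sApp = (string)str_replace("\/","/",ExploitFilter($mRequested,0,1));
        // Every condition must hold. Backslashes and NUL bytes are refused outright
        // and ".." is refused as a path segment, so the include cannot leave Apps.
        $bValidPath = substr($sApp,0,5)==="Apps/"
            && substr($sApp,-10)==="/setup.php"
            && strpos($sApp,"\\")===false
            && strpos($sApp,"\0")===false
            && !in_array("..",explode("/",$sApp),true)
            && is_file("../".$sApp);
        if(!$bValidPath){
            $aDataR['jmessage'] = "Invalid setup location specified to install";
        }
        else{
            // drop any stale manifest so the check below really tests this file
            unset($aProperties);
            // include setup file to see if the data is valid (this executes it)
            include_once("../".$sApp);
            $bManifestOk = isset($aProperties) && is_array($aProperties)
                && isset($aProperties['name'],$aProperties['location'])
                && is_scalar($aProperties['name'])
                && is_scalar($aProperties['location']);
            if(!$bManifestOk){
                $aDataR['jmessage'] = "Invalid setup location specified to install";
            }
            else{
                $sName = (string)$aProperties['name'];
                $sLocation = (string)$aProperties['location'];
                $bExists = false;
                foreach($aExtra as $aInstalled){
                    if(is_array($aInstalled) && isset($aInstalled[0]) && (string)$aInstalled[0]===$sName){
                        $bExists = true;
                        break;
                    }
                }
                if($bExists){
                    // make sure we don't install anything more than once
                    $aDataR['jmessage'] = "App has already been installed";
                }
                else{
                    // function for overwriting existing app library
                    @include_once("../Functions/fwrite.php");
                    if(!function_exists("WriteF")){
                        $aDataR['jmessage'] = "Can't write data file";
                    }
                    else{
                        // rebuild the registry file: existing entries first, new app last
                        $sTemplate = "<?php\n";
                        $sTemplate .= "/*\n";
                        $sTemplate .= "Installed apps\n\n";
                        $sTemplate .= "Author: Remco Kouw\n";
                        $sTemplate .= "Site: http://www.hacksuite.com\n";
                        $sTemplate .= "Last Edit: ".date('d-m-Y')."\n";
                        $sTemplate .= "*/\n";
                        $sTemplate .= "if(!defined('IN_SCRIPT')){\n";
                        $sTemplate .= "\texit;\n";
                        $sTemplate .= "}\n";
                        $sTemplate .= "\$aExtra = array();\n";
                        $iIndex = 0;
                        foreach($aExtra as $aInstalled){
                            $sOldName = (is_array($aInstalled) && isset($aInstalled[0])) ? (string)$aInstalled[0] : "";
                            $sOldPath = (is_array($aInstalled) && isset($aInstalled[1])) ? (string)$aInstalled[1] : "";
                            // var_export() emits a correctly escaped PHP string literal
                            $sTemplate .= "\$aExtra[".$iIndex."] = array(".var_export($sOldName,true).",".var_export($sOldPath,true).");\n";
                            $iIndex++;
                        }
                        $sTemplate .= "\$aExtra[".$iIndex."] = array(".var_export($sName,true).",".var_export("Apps/".$sLocation,true).");\n";
                        $sTemplate .= "?>";
                        // install
                        if(false===WriteF("../Data/extra.php",$sTemplate,"w")){
                            $aDataR['jmessage'] = "Failed to write data to file";
                        }
                        else{
                            // From here on the registry has already been updated; the
                            // two log-file failures below still report jresult=false.
                            $sDest = "../Logs/log_activity.php";
                            if(!file_exists($sDest)){
                                $aDataR['jmessage'] = "Activity log file doesn't exist";
                            }
                            elseif(!is_writable($sDest)){
                                $aDataR['jmessage'] = "Activity log file isn't writable";
                            }
                            else{
                                @include_once($sDest);
                                $aLog = (isset($_CONTEXT['useraccessdata']) && is_array($_CONTEXT['useraccessdata'])) ? $_CONTEXT['useraccessdata'] : array();
                                // carried over unchanged; NULL when the old log did not define them
                                $mInstalled = (isset($aLog['installed']) && is_scalar($aLog['installed'])) ? $aLog['installed'] : null;
                                $mLastScan = (isset($aLog['last_scan']) && is_scalar($aLog['last_scan'])) ? $aLog['last_scan'] : null;
                                $aIps = array();
                                if(isset($aLog['ip']) && is_array($aLog['ip'])){
                                    foreach($aLog['ip'] as $mIp){
                                        if(is_scalar($mIp)){
                                            $aIps[] = (string)$mIp;
                                        }
                                    }
                                }
                                $sRemote = isset($_SERVER['REMOTE_ADDR']) ? (string)$_SERVER['REMOTE_ADDR'] : "";
                                if($sRemote!=="" && !in_array($sRemote,$aIps,true)){
                                    // this ip is not used for installing stuff yet, so let's log it
                                    $aIps[] = $sRemote;
                                }
                                $aIpLiterals = array();
                                foreach($aIps as $sIp){
                                    $aIpLiterals[] = var_export($sIp,true);
                                }
                                $sTemplate = "<?php\n";
                                $sTemplate .= "/* Activity log\n\n";
                                $sTemplate .= "Author: Remco Kouw\n";
                                $sTemplate .= "Site: http://www.hacksuite.com\n";
                                $sTemplate .= "Last Edit: ".date('d-m-Y')."\n";
                                $sTemplate .= "*/\n";
                                $sTemplate .= "if(!defined('IN_SCRIPT')){\n\t";
                                $sTemplate .= "exit;\n";
                                $sTemplate .= "}\n";
                                $sTemplate .= "\$_CONTEXT['useraccessdata'] = array();\n";
                                $sTemplate .= "\$_CONTEXT['useraccessdata']['installed'] = ".var_export($mInstalled,true).";\n";
                                $sTemplate .= "\$_CONTEXT['useraccessdata']['last_update'] = ".time().";\n";
                                $sTemplate .= "\$_CONTEXT['useraccessdata']['ip'] = array(".implode(",",$aIpLiterals).");\n";
                                $sTemplate .= "\$_CONTEXT['useraccessdata']['last_scan'] = ".var_export($mLastScan,true).";\n";
                                $sTemplate .= "\$_CONTEXT['useraccessdata']['action'] = ".var_export("installed ".$sName,true).";\n";
                                $sTemplate .= "?>";
                                // the app is registered at this point, so the install itself succeeded
                                $aDataR['jresult'] = true;
                                if(false===WriteF($sDest,$sTemplate,"w")){
                                    $aDataR['jmessage'] = "Successfully installed application, but the activity log could not be updated";
                                }
                                else{
                                    $aDataR['jmessage'] = "Successfully installed application";
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
else{
    // find new apps
    $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($_PATHS['root']."/Apps"),RecursiveIteratorIterator::CHILD_FIRST);
    $aReadyToInstall = array();
    foreach($iterator as $path){
        if(!$path->isDir() && $path->getFilename()==="setup.php"){
            $aReadyToInstall[] = str_replace("\\","/",str_replace("../","",$path->getPathname()));
        }
    }
    // setup paths of the apps that are registered already, used as a lookup set
    $aInstalledSetups = array();
    foreach($aExtra as $aInstalled){
        if(is_array($aInstalled) && isset($aInstalled[1])){
            $aInstalledSetups[$aInstalled[1]."/setup.php"] = true;
        }
    }
    // keep only the setups that are not installed yet
    $aSetups = array();
    foreach($aReadyToInstall as $sSetup){
        if(!isset($aInstalledSetups[$sSetup])){
            $aSetups[] = $sSetup;
        }
    }
    if(count($aSetups)===0){
        // nothing found, or everything found is installed already
        $aDataR['jmessage'] = "No new products";
    }
    else{
        // build selection menu
        $aDataR['jresult'] = true;
        $aDataR['jmessage'] = "\n<select name=\"sInstallApp\">\n";
        foreach($aSetups as $sSetup){
            // Reading the name means executing the setup file; reset the manifest
            // first so one app cannot be listed under the previous app's name.
            unset($aProperties);
            include_once("../".$sSetup);
            $sName = "no name defined";
            if(isset($aProperties) && is_array($aProperties) && isset($aProperties['name']) && is_scalar($aProperties['name'])){
                $sName = (string)$aProperties['name'];
            }
            // path and name are not trusted markup: escape them for attribute and text context
            $aDataR['jmessage'] .= "<option value=\"".htmlspecialchars($sSetup,ENT_QUOTES,'UTF-8')."\">".htmlspecialchars($sName,ENT_QUOTES,'UTF-8')."</option>\n";
        }
        $aDataR['jmessage'] .= "</select>\n";
    }
}
echo json_encode($aDataR);
?>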