<?php
/* Changes your security settings for the HackSuite
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 09-03-2015
*/
session_cache_limiter('nocache');
header('Expires: '.gmdate('r',0));
header('Content-type: application/json');
$_DYNAMIC_ROOT = "..";
$bWriteMe = false;
include_once("../header.php");
$sDest = "../vars.php";
// JSON envelope returned to the caller; assume failure until an action succeeds.
$aDataR = array(
    'jresult' => false,
    'jmessage' => "an error occured",
);
// Helpers this script depends on (GetFileData / WriteF); abort with a JSON
// error rather than a PHP fatal if one of them is missing.
$aFiles = array(
    $_PATHS['functions_root']."/fwrite.php",
    $_PATHS['functions_root']."/get_file_data.php",
);
foreach($aFiles as $sFile){
    if(!file_exists($sFile)){
        $aDataR['jmessage'] = "Missing required file: ".$sFile;
        die(json_encode($aDataR));
    }
    // '@' kept: a stray notice from an include would corrupt the JSON response
    @include_once($sFile);
}
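if(!is_writable($sDest)){
    $aDataR['jmessage'] = "Make sure the file vars.php in root is writable";
}
else{
    // Every action edits an in-memory copy of vars.php by rewriting a single
    // "$_CONTEXT['key'] = value;" line with str_replace. The MD5 of the original
    // buffer is kept so a replacement that matched nothing reports "Nothing to update"
    // instead of a bogus success.
    $sData = GetFileData($sDest);
    $sMD5 = md5($sData);
    // Auth cookie name, derived from the stored hash (the login code presumably builds
    // it the same way — confirm there). NOTE(review): the cookie value is the password
    // hash itself; a separate session token would be the safer design, but that change
    // belongs in the login code, not here.
    $sCookieName = "thcauth_".substr((string)$_CONTEXT['pass_hash'],0,5);
    // Values that end up inside a double-quoted PHP string literal in vars.php must not
    // be able to terminate that literal or be interpolated: reject quotes, backslashes,
    // '$' and control characters.
    $sUnsafeInLiteral = '/[\x00-\x1f\x7f"\\\\$]/';
    // pass_salt / pass_hash are written as the integer 0 until they have been set.
    // Strict checks: the loose "==0" the file used before treats any non-numeric string
    // as 0 on PHP 7, which would regenerate a salt that already exists.
    $fUnset = function($mValue){
        return $mValue===0 || $mValue==="0" || $mValue==="";
    };
    // Constant-time comparison of the stored hash against a freshly computed one
    // (strict string compare on PHP < 5.6). A strict compare also closes the loose
    // "sha1-string == 0" match that "==" allows on PHP 7 when no hash is stored.
    $fHashMatch = function($sKnown,$sGiven){
        if(function_exists('hash_equals')){
            return hash_equals((string)$sKnown,(string)$sGiven);
        }
        return (string)$sKnown===(string)$sGiven;
    };
    // NOTE(review): passwords are stored as sha1(salt:password). Moving to password_hash()
    // would also require changing the verifier in the login code, so the scheme is kept.
    if(!isset($_POST['iUpdateMe'])){
        $aDataR['jmessage'] = "Invalid action specified";
    }
    else{
        $sAction = is_string($_POST['iUpdateMe']) ? $_POST['iUpdateMe'] : "";
        switch($sAction){
            /* change password access */
            case "0":
                if(!isset($_POST['iUpdate']) || $_POST['iUpdate']!=1){
                    $aDataR['jmessage'] = "You need to select the checkbox in order to make changes";
                    break;
                }
                $sPass1 = isset($_POST['sPass1']) && is_string($_POST['sPass1']) ? $_POST['sPass1'] : null;
                $sPass2 = isset($_POST['sPass2']) && is_string($_POST['sPass2']) ? $_POST['sPass2'] : null;
                if($sPass1===null || $sPass2===null){
                    $aDataR['jmessage'] = "No passwords specified";
                }
                elseif($sPass1===""){
                    $aDataR['jmessage'] = "Password hasn't been specified";
                }
                elseif($sPass1!==$sPass2){
                    $aDataR['jmessage'] = "Passwords don't match";
                }
                elseif(strlen($sPass1)<6){
                    $aDataR['jmessage'] = "Password must at least be 6 characters long";
                }
                elseif(!$_CONTEXT['ip_access'] && $_CONTEXT['pass_access']){
                    // disabling password access while ip access is off would leave the suite open
                    $aDataR['jmessage'] = "You need to have at least one form of security";
                }
                elseif($_CONTEXT['pass_access']){
                    // Turning password access OFF: the caller reached this page through the
                    // password, so it can be verified right away.
                    if(!$fHashMatch($_CONTEXT['pass_hash'],sha1($_CONTEXT['pass_salt'].":".$sPass1))){
                        $aDataR['jmessage'] = "Invalid password specified";
                    }
                    else{
                        $sData = str_replace("\$_CONTEXT['pass_access'] = true;","\$_CONTEXT['pass_access'] = false;",$sData);
                        // access is no longer password-gated, expire the auth cookie
                        setcookie($sCookieName,$_CONTEXT['pass_hash'],(time()-1000),"/");
                        // the original left jmessage at "an error occured" on this path
                        $aDataR['jmessage'] = "Successfully updated password access settings";
                        $aDataR['jref'] = 0;
                        $bWriteMe = true;
                    }
                }
                else{
                    // Turning password access ON: create salt and hash if they don't exist yet.
                    $sData = str_replace("\$_CONTEXT['pass_access'] = false;","\$_CONTEXT['pass_access'] = true;",$sData);
                    $sSalt = $_CONTEXT['pass_salt'];
                    if($fUnset($sSalt)){
                        // 10 hex characters from a CSPRNG (same length as the old md5(mt_rand()) salt)
                        if(function_exists('random_bytes')){
                            $sSalt = bin2hex(random_bytes(5));
                        }
                        elseif(function_exists('openssl_random_pseudo_bytes')){
                            $sSalt = bin2hex(openssl_random_pseudo_bytes(5));
                        }
                        else{
                            // last resort on very old PHP; not cryptographically strong
                            $sSalt = substr(md5(uniqid(mt_rand(),true)),0,10);
                        }
                        $sData = str_replace("\$_CONTEXT['pass_salt'] = 0;","\$_CONTEXT['pass_salt'] = \"".$sSalt."\";",$sData);
                    }
                    if($fUnset($_CONTEXT['pass_hash'])){
                        $sData = str_replace("\$_CONTEXT['pass_hash'] = 0;","\$_CONTEXT['pass_hash'] = \"".sha1($sSalt.":".$sPass1)."\";",$sData);
                    }
                    if(md5($sData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    else{
                        if(isset($_COOKIE[$sCookieName])){
                            // let old cookie expire
                            setcookie($sCookieName,$_CONTEXT['pass_hash'],(time()-1000),"/");
                        }
                        $aDataR['jmessage'] = "Successfully updated password access settings";
                        $aDataR['jref'] = 1;
                        $bWriteMe = true;
                    }
                }
                break;
            /* change ip access */
            case "1":
                if(!isset($_POST['iUpdate']) || $_POST['iUpdate']!=1){
                    $aDataR['jmessage'] = "You need to select the checkbox in order to make changes";
                }
                elseif($_CONTEXT['ip_access'] && !$_CONTEXT['pass_access']){
                    // disabling ip access while password access is off would leave the suite open
                    $aDataR['jmessage'] = "You need to have at least one form of security";
                }
                elseif(!$_CONTEXT['ip_access'] && empty($_CONTEXT['ip_allowed'])){
                    // enabling the whitelist with no entries would presumably lock everyone out
                    $aDataR['jmessage'] = "Add at least one allowed ip address before enabling ip access";
                }
                else{
                    $bIpOn = (bool)$_CONTEXT['ip_access'];
                    $sData = str_replace("\$_CONTEXT['ip_access'] = ".($bIpOn ? "true" : "false").";","\$_CONTEXT['ip_access'] = ".($bIpOn ? "false" : "true").";",$sData);
                    if(md5($sData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    else{
                        $aDataR['jmessage'] = "Successfully updated ip access settings";
                        $aDataR['jref'] = ($bIpOn ? 0 : 1);
                        $bWriteMe = true;
                    }
                }
                break;
            /* allowed ip addresses */
            case "2":
                if(!isset($_POST['sIPS']) || !is_string($_POST['sIPS']) || $_POST['sIPS']===""){
                    $aDataR['jmessage'] = "No ip addresses to allow";
                    break;
                }
                $sIPS = str_replace(" ","",trim($_POST['sIPS']));
                // explode() yields a single entry when there is no comma, so one loop covers both cases.
                // Only IPv4 is accepted, as before; the validation also guarantees the values are
                // safe to embed in the array() literal written to vars.php.
                $aIPS = explode(",",$sIPS);
                $aQuoted = array();
                $sBadIP = null;
                foreach($aIPS as $sOne){
                    if(!filter_var($sOne,FILTER_VALIDATE_IP,FILTER_FLAG_IPV4)){
                        $sBadIP = $sOne;
                        break;
                    }
                    $aQuoted[] = "\"".$sOne."\"";
                }
                if($sBadIP!==null){
                    // message wording differs for single vs. comma-separated input, as before
                    $aDataR['jmessage'] = "Invalid ip address".(count($aIPS)>1 ? ": " : " ").$sBadIP;
                    break;
                }
                $aOldQuoted = array();
                foreach($_CONTEXT['ip_allowed'] as $sOne){
                    $aOldQuoted[] = "\"".$sOne."\"";
                }
                $sData = str_replace("\$_CONTEXT['ip_allowed'] = array(".implode(",",$aOldQuoted).");","\$_CONTEXT['ip_allowed'] = array(".implode(",",$aQuoted).");",$sData);
                if(md5($sData)===$sMD5){
                    $aDataR['jmessage'] = "Nothing to update";
                }
                else{
                    $aDataR['jmessage'] = "Successfully updated ip whitelist";
                    $aDataR['jref'] = $sIPS;
                    $bWriteMe = true;
                }
                break;
            /* update password */
            case "3":
                if(!isset($_POST['sPassO'],$_POST['sPassN']) || !is_string($_POST['sPassO']) || !is_string($_POST['sPassN'])){
                    $aDataR['jmessage'] = "Expecting password variables to be sent";
                    break;
                }
                $sPassO = trim($_POST['sPassO']);
                $sPassN = trim($_POST['sPassN']);
                if($sPassO===$sPassN){
                    $aDataR['jmessage'] = "The old password can't be the same as the new password";
                }
                elseif($sPassO===""){
                    // "===" rather than empty(): empty("0") is true
                    $aDataR['jmessage'] = "Password can't be empty";
                }
                elseif(strlen($sPassN)<6){
                    $aDataR['jmessage'] = "Password must at least be 6 characters";
                }
                elseif(!$fHashMatch($_CONTEXT['pass_hash'],sha1($_CONTEXT['pass_salt'].":".$sPassO))){
                    $aDataR['jmessage'] = "Specified password isn't your old password";
                }
                else{
                    $sData = str_replace("\$_CONTEXT['pass_hash'] = \"".$_CONTEXT['pass_hash']."\";","\$_CONTEXT['pass_hash'] = \"".sha1($_CONTEXT['pass_salt'].":".$sPassN)."\";",$sData);
                    if(md5($sData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    else{
                        // let old cookie expire
                        setcookie($sCookieName,$_CONTEXT['pass_hash'],(time()-1000),"/");
                        $aDataR['jmessage'] = "Successfully updated your password";
                        $bWriteMe = true;
                    }
                }
                break;
            /* update password hash */
            case "4":
                if(!isset($_POST['sHash']) || !is_string($_POST['sHash']) || $_POST['sHash']===""){
                    $aDataR['jmessage'] = "No hash specified to update";
                    break;
                }
                $sHash = trim($_POST['sHash']);
                if(!preg_match('/^[0-9a-f]{40}$/',$sHash)){
                    // the original reported "Successfully updated your password" on this error path
                    $aDataR['jmessage'] = "Invalid hash specified, expecting 40 hexadecimal characters";
                }
                else{
                    // the regex above guarantees the value is safe inside the double-quoted literal
                    $sData = str_replace("\$_CONTEXT['pass_hash'] = \"".$_CONTEXT['pass_hash']."\";","\$_CONTEXT['pass_hash'] = \"".$sHash."\";",$sData);
                    if(md5($sData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    else{
                        // let old cookie expire
                        setcookie($sCookieName,$_CONTEXT['pass_hash'],(time()-1000),"/");
                        $aDataR['jmessage'] = "Successfully updated your password hash";
                        $bWriteMe = true;
                    }
                }
                break;
            /* update password salt */
            case "5":
                if(!isset($_POST['sSalt']) || !is_string($_POST['sSalt']) || $_POST['sSalt']===""){
                    $aDataR['jmessage'] = "No salt specified to update";
                    break;
                }
                $sSaltNew = trim($_POST['sSalt']);
                if(strlen($sSaltNew)<3){
                    $aDataR['jmessage'] = "You need a salt of at least 3 characters";
                }
                elseif(preg_match($sUnsafeInLiteral,$sSaltNew)){
                    // the salt is written verbatim inside "..." in vars.php; a quote or '$'
                    // in it would change the meaning of that PHP line
                    $aDataR['jmessage'] = "Special characters are not allowed in the salt";
                }
                else{
                    // NOTE(review): the stored hash is sha1(salt:password), so changing only the salt
                    // invalidates the current password unless the hash is updated to match (action 4).
                    $sData = str_replace("\$_CONTEXT['pass_salt'] = \"".$_CONTEXT['pass_salt']."\";","\$_CONTEXT['pass_salt'] = \"".$sSaltNew."\";",$sData);
                    if(md5($sData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    else{
                        // let old cookie expire
                        setcookie($sCookieName,$_CONTEXT['pass_hash'],(time()-1000),"/");
                        $aDataR['jmessage'] = "Successfully updated your password salt";
                        $bWriteMe = true;
                    }
                }
                break;
            /* update cookie life */
            case "6":
                if(!isset($_POST['iCookieLife']) || !is_string($_POST['iCookieLife']) || $_POST['iCookieLife']===""){
                    $aDataR['jmessage'] = "No cookie life value specified";
                    break;
                }
                // intval() always yields an int, so the old is_int() test was redundant
                $iLife = intval($_POST['iCookieLife']);
                if($iLife<600){
                    $aDataR['jmessage'] = "A valid value for cookie life is an integer value of at least 600 (seconds)";
                }
                else{
                    $sData = str_replace("\$_CONTEXT['cookielife'] = ".$_CONTEXT['cookielife'].";","\$_CONTEXT['cookielife'] = ".$iLife.";",$sData);
                    if(md5($sData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    else{
                        // re-issue the auth cookie with the new lifetime; HttpOnly keeps the
                        // hash-valued cookie out of reach of scripts
                        setcookie($sCookieName,$_CONTEXT['pass_hash'],(time()+$iLife),"/","",false,true);
                        $aDataR['jmessage'] = "Successfully updated cookie expiration date";
                        $aDataR['jref'] = $iLife;
                        $bWriteMe = true;
                    }
                }
                break;
            /* update sleep after login fail */
            case "7":
                if(!isset($_POST['iSleepVal']) || !is_string($_POST['iSleepVal']) || $_POST['iSleepVal']===""){
                    $aDataR['jmessage'] = "No sleep value specified";
                    break;
                }
                $iSleep = intval($_POST['iSleepVal']);
                if($iSleep<1 || $iSleep>9){
                    $aDataR['jmessage'] = "Choose a value between 1 and 9 (seconds)";
                }
                else{
                    $sData = str_replace("\$_CONTEXT['sleeptime'] = ".$_CONTEXT['sleeptime'].";","\$_CONTEXT['sleeptime'] = ".$iSleep.";",$sData);
                    if(md5($sData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    else{
                        $aDataR['jmessage'] = "Successfully updated sleep time for login failures";
                        $aDataR['jref'] = $iSleep;
                        $bWriteMe = true;
                    }
                }
                break;
            /* login file location */
            case "8":
                if(!isset($_POST['sLoginFile']) || !is_string($_POST['sLoginFile']) || $_POST['sLoginFile']===""){
                    $aDataR['jmessage'] = "No login file value specified";
                    break;
                }
                $sLoginFile = trim($_POST['sLoginFile']);
                if(!function_exists("ExploitFilter")){
                    include_once($_PATHS['functions_root']."/exploitfilter.php");
                }
                // The new name becomes a path under root and a double-quoted literal in vars.php,
                // so on top of ExploitFilter reject ".." traversal and literal-breaking characters.
                if(ExploitFilter($sLoginFile,false,true)!=$sLoginFile
                    || strpos($sLoginFile,"..")!==false
                    || preg_match($sUnsafeInLiteral,$sLoginFile)){
                    $aDataR['jmessage'] = "Special characters are not allowed";
                }
                elseif($sLoginFile===$_CONTEXT['login_file']){
                    $aDataR['jmessage'] = "You are already using that login file location";
                }
                elseif(file_exists($_PATHS['root']."/".$sLoginFile)){
                    $aDataR['jmessage'] = "Can't create the file because it already exist";
                }
                else{
                    // Decide whether vars.php would change BEFORE renaming: the original renamed
                    // first and could then report "Nothing to update", leaving the file renamed
                    // while vars.php still pointed at the old name.
                    $sNewData = str_replace("\$_CONTEXT['login_file'] = \"".$_CONTEXT['login_file']."\";","\$_CONTEXT['login_file'] = \"".$sLoginFile."\";",$sData);
                    if(md5($sNewData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    elseif(!@rename($_PATHS['root']."/".$_CONTEXT['login_file'],$_PATHS['root']."/".$sLoginFile)){
                        $aDataR['jmessage'] = "Failed to rename file to: ".$sLoginFile;
                    }
                    else{
                        $sData = $sNewData;
                        $aDataR['jmessage'] = "Successfully updated login file location";
                        $aDataR['jref'] = $sLoginFile;
                        $bWriteMe = true;
                    }
                }
                break;
            /* redirect after login failure */
            case "9":
                // the original read $_POST['sUrl'] without an isset() check
                $sUrl = isset($_POST['sUrl']) && is_string($_POST['sUrl']) ? trim($_POST['sUrl']) : "";
                $aUrl = @parse_url($sUrl);
                // Require an absolute http(s) URL with a host, and no characters that could break
                // out of the double-quoted literal the value is written into.
                if(!is_array($aUrl) || !isset($aUrl['host']) || $aUrl['host']===""
                    || !isset($aUrl['scheme']) || !in_array(strtolower($aUrl['scheme']),array("http","https"),true)
                    || preg_match($sUnsafeInLiteral,$sUrl)){
                    $aDataR['jmessage'] = "Invalid url specified";
                }
                else{
                    $sData = str_replace("\$_CONTEXT['redirect_fail_login'] = \"".$_CONTEXT['redirect_fail_login']."\";","\$_CONTEXT['redirect_fail_login'] = \"".$sUrl."\";",$sData);
                    if(md5($sData)===$sMD5){
                        $aDataR['jmessage'] = "Nothing to update";
                    }
                    else{
                        $aDataR['jmessage'] = "Successfully updated redirect website location";
                        $aDataR['jref'] = $sUrl;
                        $bWriteMe = true;
                    }
                }
                break;
            /* reset access to suite */
            case "10":
                if(!isset($_POST['iReset']) || !is_string($_POST['iReset']) || $_POST['iReset']===""){
                    $aDataR['jmessage'] = "You need to select the checkbox in order to reset the access";
                    break;
                }
                // several value types are involved, so rewrite vars.php line by line
                $aLines = file($sDest);
                if($aLines===false){
                    $aDataR['jmessage'] = "Unable to read ".$sDest;
                    break;
                }
                // default vars.php values, as PHP source text (kept local instead of
                // being stuffed into $_CONTEXT['defconnect'])
                $aDefaults = array(
                    'ip_access' => "false",
                    'ip_allowed' => "array()",
                    'pass_access' => "false",
                    'pass_hash' => "0",
                    'pass_salt' => "0",
                    'sleeptime' => "3",
                    'cookielife' => "86400",
                    'login_file' => "\"login.php\"",
                    'redirect_fail_login' => "\"http://www.google.com\"",
                );
                $sBuffer = "";
                foreach($aLines as $sLine){
                    $sReplaced = null;
                    foreach($aDefaults as $sKey=>$sValue){
                        // a line is replaced when it starts with the exact "$_CONTEXT['key']" prefix
                        if(strpos($sLine,"\$_CONTEXT['".$sKey."']")===0){
                            $sReplaced = "\$_CONTEXT['".$sKey."'] = ".$sValue.";\n";
                            break;
                        }
                    }
                    $sBuffer .= ($sReplaced===null) ? $sLine : $sReplaced;
                }
                if(md5($sBuffer)===$sMD5){
                    $aDataR['jmessage'] = "Nothing to update";
                }
                else{
                    $sData = $sBuffer;
                    // destroy cookie
                    @setcookie($sCookieName,$_CONTEXT['pass_hash'],(time()-1000),"/");
                    $aDataR['jmessage'] = "Successfully reset the environment, you will be redirected back to setup.php";
                    $aDataR['jredirect'] = 1;
                    $bWriteMe = true;
                }
                break;
            default:
                // unknown action id: report it like a missing one instead of the generic error
                $aDataR['jmessage'] = "Invalid action specified";
        }
    }
}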
// Persist the edited buffer only when an action flagged a real change.
if($bWriteMe===true){
    // NOTE(review): WriteF's return value is not inspected here; if it can report a
    // failed write, jresult should not be set to true in that case — confirm its
    // contract in fwrite.php.
    WriteF($sDest,$sData,"w");
    $aDataR['jresult'] = true;
}
echo json_encode($aDataR);
?>