..we will make a new module — and not just any new module: let's make a fully automatic injection script! This tutorial is the first step towards building it. Let's first explain what..
Mister LG can create upload forms and test targets for file upload vulnerabilities
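<?php
/*
AntiEvil output window
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 16-03-2015

Walks a directory tree below the web root and reports, per enabled plug-in:
suspicious folder names, known shell file names, plug-in supplied code
signatures per extension, files modified inside a time window, and
script/iframe sources that point to another host. Findings are streamed to
the output window via Screen().

Everything read from disk (paths, names, file contents) is untrusted: the
files being scanned may have been planted by an attacker, so each fragment
is HTML-escaped before it is echoed into the report.
*/
set_time_limit(0);
// set variable to be able to save a task
$_MODULE_C = "thc_ae";
include_once("../../Includes/screen_header.php");
$sDest = $_PATHS['module_default_root']."/plugins.php";
(!IsThere($sDest) ? include_once($_PATHS['end']) : include_once($sDest));
include_once($_PATHS['style_root']."/screen.php");
// options
$sOptions = "<b>logging:</b> ".($_CONTEXT['log']==true ? "on" : "off")."<br>\n";
$sOptions .= "<b>silence:</b> ".($_CONTEXT['silent']==true ? "on" : "off")."<br>\n";
$sOptions .= "<b>verbose:</b> ".($_CONTEXT['verbose']==true ? "on" : "off")."\n";
include_once($_PATHS['functions_root']."/scrn.php");

// Anything other than a "Discover" submit shows the default template and stops.
if(!isset($_POST['submit']) || $_POST['submit']!="Discover"){
    echo $sOut;
    echo $sOptions;
    echo $sEnd;
    exit;
}

// Resolve the requested root and make sure it really lies inside the document
// root. A plain string-prefix check accepts "<docroot>/../etc", so both sides
// are normalised with realpath() first; a symlink that escapes the document
// root is rejected as well.
$sRoot = (isset($_POST['sRoot']) && is_string($_POST['sRoot']) ? realpath($_POST['sRoot']) : false);
$sDocRoot = realpath($_SERVER['DOCUMENT_ROOT']);
$sDocRootPrefix = ($sDocRoot===false ? false : rtrim($sDocRoot, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR);
if($sRoot===false || $sDocRoot===false || !is_dir($sRoot)
    || ($sRoot!=$sDocRoot && substr($sRoot,0,strlen($sDocRootPrefix))!=$sDocRootPrefix)){
    die(Screen($sOut."<b id=h7>Invalid directory or above root</b>".$sEnd."<br>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
}

// Load every plug-in whose checkbox was posted. $_CONTEXT['thcaeplugs'] is
// expected to be populated by plugins.php above (key => array(label, file)) —
// confirm against that file; the include path comes from that config, not
// from the request.
$iLoad = 0;
foreach($_CONTEXT['thcaeplugs'] as $sKey=>$aValues){
    if(isset($_POST[$sKey])){
        $iLoad++;
        include_once($_PATHS['module_default_root']."/plugins/".$aValues[1]);
    }
}
if(!$iLoad){
    die(Screen($sOut."<b id=h7>No plug-ins loaded</b>".$sEnd."<br>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
}
include_once($_PATHS['includes_root']."/task_start.php");
echo Screen($sOut,$_CONTEXT['verbose'],$_CONTEXT['silent']);
echo Screen("<br>\n<b>Plugins initialized, preparing scan on documents</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
flush();
ob_flush();
echo Screen("<br>\n<b>Running scan on localhost..</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
// spit fire...
flush();
ob_flush();

// Which checks were requested. The time window bounds $iTimeS/$iTimeE are not
// defined in this file; they appear to come from the time plug-in included
// above — confirm. Guarding on isset() keeps the check inert (as before) when
// they are missing, without notices.
$bFolders = isset($_POST['folders']);
$bShells = isset($_POST['backdoors']);
$bSignatures = isset($_POST['malicious']);
$bTime = isset($_POST['time']) && isset($iTimeS, $iTimeE);
$bRemote = isset($_POST['remote']);
// NOTE(review): HTTP_HOST is whatever Host header the request carried, so the
// "local" prefix below is client-influenced; SERVER_NAME would be fixed by config.
$sLocalPrefix = "http://".$_SERVER['HTTP_HOST'];
$aRemoteExts = array("html","htm","php");

// SKIP_DOTS keeps "." and ".." out of the walk so they are neither counted as
// folders nor matched against the suspicious-folder list.
$oIterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($sRoot, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
// go through the folder
$iIssues = 0;
$iDirs = 0;
$iFiles = 0;
$_CONTEXT['parse'] = array();
foreach($oIterator as $oPath){
    $sPathName = $oPath->__toString();
    $sSafePath = htmlspecialchars($sPathName, ENT_QUOTES, 'UTF-8');
    if($oPath->isDir()){
        $iDirs++;
        if($bFolders && in_array($oPath->getBasename(), $_CONTEXT['thcaeplugs']['folders'], true)){
            // folders
            $iIssues++;
            echo Screen("Found suspicious folder <b>".htmlspecialchars($oPath->getBasename(), ENT_QUOTES, 'UTF-8')."</b> in ".$sSafePath."<br />\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
            flush();
            ob_flush();
        }
        continue;
    }
    $iFiles++;
    // File contents are read lazily and at most once per file; null = not read yet.
    $sFileData = null;
    // Extensions starting with "php" (php3, php5, phps, ...) share the "php" signature list.
    $sExt = $oPath->getExtension();
    if(substr($sExt,0,3)=="php"){
        $sExt = "php";
    }
    if($bShells && in_array($oPath->getFilename(), $_CONTEXT['thcaeplugs']['shells'], true)){
        // shells
        $iIssues++;
        echo Screen("Found possible shell <b>".htmlspecialchars($oPath->getFilename(), ENT_QUOTES, 'UTF-8')."</b> in ".$sSafePath."<br />\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
        flush();
        ob_flush();
    }
    if($bSignatures && isset($_CONTEXT['thcaeplugs'][$sExt]) && in_array($sExt, $_CONTEXT['thcaeplugs']['browsable'], true)){
        // code: look for each plug-in signature and quote the rest of the matching line
        $sFileData = (is_readable($sPathName) ? file_get_contents($sPathName) : false);
        if($sFileData===false){
            $sFileData = "";
        }
        if($sFileData!==""){
            foreach($_CONTEXT['thcaeplugs'][$sExt] as $sSignature){
                if($sSignature===""){
                    continue;
                }
                $iPos = strpos($sFileData, $sSignature);
                if($iPos===false){
                    continue;
                }
                $iIssues++;
                // Without a newline after the match the old length became negative and
                // substr() cut the snippet from the wrong end; fall back to end of file.
                $iEol = strpos($sFileData, "\n", $iPos);
                $sSnippet = substr($sFileData, $iPos, ($iEol===false ? strlen($sFileData) : $iEol) - $iPos);
                echo Screen("Found possible evil code in ".$sSafePath."<br />\n<blockquote>".htmlspecialchars($sSnippet, ENT_QUOTES, 'UTF-8')."</blockquote>",$_CONTEXT['verbose'],$_CONTEXT['silent']);
                flush();
                ob_flush();
            }
        }
    }
    if($bTime){
        // time: files whose mtime falls inside [$iTimeS, $iTimeE]
        $iMTime = $oPath->getMTime();
        if($iTimeS<=$iMTime && $iMTime<=$iTimeE){
            $iIssues++;
            echo Screen("Found changed/created file ".$sSafePath." from ".date($_CONTEXT['time_pattern'].' H:i:s',$iMTime)."<br />\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
            flush();
            ob_flush();
        }
    }
    if($bRemote && in_array($sExt, $aRemoteExts, true)){
        // remote js, embed and iframes
        if($sFileData===null){
            $sFileData = (is_readable($sPathName) ? file_get_contents($sPathName) : false);
            if($sFileData===false){
                $sFileData = "";
            }
        }
        // get remote src
        foreach($_CONTEXT['thcaeplugs']['regexes'] as $sRegex){
            if(!preg_match_all($sRegex, $sFileData, $aTags) || !isset($aTags[0][0]) || $aTags[0][0]===""){
                continue;
            }
            foreach($aTags[0] as $sTag){
                // normalise quoting/spacing so one src="..." pattern covers the tag
                $sTag = str_replace(" ", "", str_replace("'", "\"", stripslashes($sTag)));
                if(!preg_match('/src="([^"]*)"/is', $sTag, $aSrc) || $aSrc[1]===""){
                    continue;
                }
                $sSrc = $aSrc[1];
                // Only absolute http:// references to another host are reported;
                // https:// and protocol-relative "//host/..." sources are not
                // covered by this check (kept as in the original).
                if(substr($sSrc,0,7)=="http://" && substr($sSrc,0,strlen($sLocalPrefix))!=$sLocalPrefix){
                    $iIssues++;
                    echo Screen("Found possible remote thread in ".$sSafePath."<br />\n<blockquote>".htmlspecialchars($sSrc, ENT_QUOTES, 'UTF-8')."</blockquote>",$_CONTEXT['verbose'],$_CONTEXT['silent']);
                    flush();
                    ob_flush();
                }
            }
        }
    }
}
echo Screen("<p><b>issues found:</b> ".$iIssues.", <b>folders:</b> ".$iDirs.", <b>files:</b> ".$iFiles."</p>",$_CONTEXT['verbose'],$_CONTEXT['silent']);
// update entry in background task file
include_once($_PATHS['includes_root']."/task_end.php");
echo $sEnd;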