<?php
/* Tools & Design 2013
Author: Remco Kouw
Site: http://www.hacksuite.com
*/

// set variable to be able to save a task
$_MODULE_C = "thc_ii";
include("../Includes/screen_header.php");
$_PATHS['injectlog'] = $_PATHS['module_default_root']."/logs/default.php";
include($_PATHS['style_root']."/screen.php");
include($_PATHS['functions_root']."/fwrite.php");
include($_PATHS['module_default_root']."/inject.php");
include($_PATHS['functions_root']."/scrn.php");
// options
$sOptions = "<b>logging:</b> ".($_CONTEXT['log']==true ? "on" : "off")."<br>\n";
$sOptions .= "<b>silence:</b> ".($_CONTEXT['silent']==true ? "on" : "off")."<br>\n";
$sOptions .= "<b>verbose:</b> ".($_CONTEXT['verbose']==true ? "on" : "off")."\n";
if(isset($_POST['submit'])){
    switch($_POST['submit']){
        // scan
        case"Scan":
        echo $sOut;
        $_POST['iAttackType'] = ($_POST['iAttackType']!=1 ? 0 : 1);
        if($_POST['iAttackType']==0){
            // set static post variables to determine which variables to poison
            $_STATIC = array("iAttackType","sTarget","sUseFile","aExploits","submit");
            $_POISON = array();
            foreach($_POST as $sKey=>$mValue){
                if(!in_array($sKey,$_STATIC)){
                    $_POISON[] = $sKey;
                }
            }
            if(false==($iPoison = @count($_POISON))){
                // no variables selected to poison
                die(Screen("<br>\n<b>No variables selected to poison</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
            }
        }
        else{
            $sDest = $_PATHS['module_default_root']."/urls/".ExploitFilter($_POST['sUseFile'],0,1);
            if(!file_exists($sDest)){
                // file doesn't exist
                die(Screen("<br>\n<b>Log file doesn't exist</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
            }
            if(filesize($sDest)==0){
                // target file is empty
                die(Screen("<br>\n<b>Target file is empty</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
            }
        }
        if(false==($iExploits = @count($_POST['aExploits']))){
            // no exploits selected
            die(Screen("<br>\n<b>No exploits selected</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']));
        }
        // used for creating the exploiturl and initialize the attack
        @include($_PATHS['module_default_root']."/func_exploiturl.php");
        @include($_PATHS['module_default_root']."/func_payloadsend.php");
        @include($_PATHS['module_default_root']."/func_parseresponse.php");
        // buffer for logging
        $sBuffer = "";
        // generate a unique scan id
        $sID = substr(md5(time()),0,10);
        include("../Includes/task_start.php");
        echo Screen("<br>\n<b>Running..</b><p>\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
        // spit fire...
        flush();
        ob_flush();
        if($_POST['iAttackType']==1){
            // mass scan
            @include($_PATHS['functions_root']."/exploit_filter.php");
            $aFile = file($sDest);
            for($x=0;$x<count($aFile);$x++){
                if($aFile[$x]!=""){
                    // parse url, attack it, send exploit and parse response
                    foreach($_CONTEXT['inject'] as $sKey=>$aExploitP){
                        $sUrl = ExploitUrl(trim($aFile[$x]),$_CONTEXT['inject'],$sKey);
                        $aResponse = PayloadSend($sUrl,$_CONTEXT['curloptions']);
                        $sBuffer .= $sID."|".time()."|".trim($aFile[$x])."|".$sKey."|";
                        $bResult = ParseResponse($aResponse['data'],$_CONTEXT['inject'][$sKey]['response']);
                        $sBuffer .= ($bResult ? 1 : 0)."\n";
                        echo Screen("<br>\n".$aFile[$x]." ".($bResult ? "could be" : "isn't")." exploitable with ".$sKey."\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
                    }
                }
            }
        }
        else{
            // single scan
            for($x=0;$x<$iExploits;$x++){
                $sUrl = ExploitUrl($_POST['sTarget'],$_CONTEXT['inject'],$_POST['aExploits'][$x],$_POISON);
                $aResponse = PayloadSend($_POST['sTarget'],$_CONTEXT['curloptions']);
                $sBuffer .= $sID."|".time()."|".$_POST['sTarget']."|".$_POST['aExploits'][$x]."|";
                $bResult = ParseResponse($aResponse['data'],$_CONTEXT['inject'][$_POST['aExploits'][$x]]['response']);
                $sBuffer .= ($bResult ? 1 : 0)."\n";
                echo Screen("<br>\n".$_POST['sTarget']." ".($bResult ? "could be" : "isn't")." exploitable with ".$_POST['aExploits'][$x]."\n",$_CONTEXT['verbose'],$_CONTEXT['silent']);
            }
        }
        if($_POST['iLogType']==1){
            WriteF($_PATHS['injectlog'],$sBuffer,"a");
        }
        break;
        // dump log
        case"Dump Log":
        echo $sOut;
        @include($_PATHS['functions_root']."/raw_to_array.php");
        if(false==($aKeys = RawToArray($_PATHS['injectlog']))){
            echo"<b id=h7>[no logs found]</b>";
        }
        else{
            $sThisSession = "";
            for($x=0;$x<count($aKeys);$x++){
                if($x==0){
                    $sThisSession = $aKeys[$x][0];
                    echo"<p><b>session ".$sThisSession."</b><br />\n";
                }
                elseif($sThisSession!=$aKeys[$x][0]){
                    $sThisSession = $aKeys[$x][0];
                    echo"</p><p><b>session ".$sThisSession."</b><br />\n";
                }
                echo "<b>[".date('d-m-Y H:i:s',$aKeys[$x][1])."]</b> (".$aKeys[$x][2].") inject ".$aKeys[$x][3].", result ".(trim($aKeys[$x][4])==1 ? "<b id=\"h6\">SUCCESS</b>" : "<b id=\"h7\">FAILED</b>")."<br>\n";
            }
            echo"</p>";
        }
        echo $sEnd;
        exit;
        break;
        // clean logfile
        case"Truncate Log":
        echo $sOut;
        echo (WriteF($_PATHS['injectlog'],"","w")==true ? "Successfully deleted old entries." : "Failed to delete old entries.");
        echo $sEnd;
        exit;
        break;
        // just show index
        default:
        echo $sOut;
        echo $sOptions;
        echo $sEnd;
        exit;
    }
}
else{
    echo $sOut;
    echo $sOptions;
    echo $sEnd;
    exit;
}
// update entry in background task file
include($_PATHS['includes_root']."/task_end.php");
echo $sEnd;
?>