Untitled

<?php
// defines
  $charset = Array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','1','2','3','4','5','6','7','8','9','0','-','_');
  $wordlist = Array();
  $param_file = './params.txt';
  $separator = '_';
  $words = Array();
  $maxlen = $_GET['length'];
  $def_length=0;
  $site = $_GET['url'];
  $count = 0;
  $type = $_GET['type'];
  $symbol = $_GET['sym'];
  $arr = $_GET['arr'];
  $max_len_of_url=2048;
  $proxy = 'http://127.0.0.1:8080';
  $headers[] = 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)';
  //$headers[] = 'Authorization: Basic QXZndXI6Q29tcDI0Mg==';

function getlen($site_check)
{
	global $proxy,$headers;
	$ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$site_check);
	curl_setopt($ch,CURLOPT_HTTPHEADER,$headers);
	curl_setopt($ch, CURLOPT_FAILONERROR, 0);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
	curl_setopt($ch, CURLOPT_TIMEOUT, 30);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
	$length = strlen(curl_exec($ch));
    curl_close($ch);
    return $length;
}

function check($site_check,$from,$to)
{
    global $def_length,
    	$words,$site,$symbol,$content,$arr;
	$curr_len = getlen($site_check);
    if ($curr_len<>$def_length)
    {
    	 echo '<b>[+] Find <a href='.$site_check.'>smth</a> Try to detect.</b><br>';
    	 flush();
    	 $site_1 = $site;
    	 $site_2 = $site;

    	 if ($to-1-$from > 0)
    	 {
    	 	for ($i=$from;$i<=$to-1;$i++)
    	 	{
                if ($i<=$from+(($to-$from)/2) - 1)
                	{$site_1 .= $words[$i].'='.$symbol.'&';}
                else
                	{$site_2 .= $words[$i].'='.$symbol.'&';}
    	 	}
         check($site_1 ,$from,(int)($from+(($to-$from)/2)));
    	 check($site_2 ,(int)($from+(($to-$from)/2)),$to);
    	 flush();
    	 }
    	 else
    	 {
    	 	echo '<b>[+] Find! <a href='.$site_check.'>'.$site_check.'</a></b><br>';
    	 }
    }
}


function recurse($width, $position, $base_string)
{
	global $charset,$site_new,$site,$words,$count, $values,$type,$separator,$wordlist,$symbol,$max_len_of_url,$arr;

		for ($i = 0; $i < count($charset); ++$i)
		{
			// anee aeeia niiauaiey iaiuoa o?aaoaiie - aa?ai neiaie e ?aeo?neaii aucuaaai naie naay
			if ($position  < $width - 1)
			{
				recurse($width, $position + 1, $base_string . $charset[$i]);
			}
			    // eiaaa ?aeo?neaiua auciau caeai?eaa?ony, aica?auaainy ia oaa iacaa ii ?eneo neiaieia e auaiaei
			    if (!in_array($base_string.$charset[$i],$values))
			    {
			    $words[$count] = $base_string.$charset[$i].(($arr==1)?'[]':'');
			    $count++;
			    $site_new .= $base_string . $charset[$i].(($arr==1)?'[]':'').'='.$symbol.'&';
			    }

	        if ((strlen($site_new)+strlen($base_string)+4)>$max_len_of_url)
	        {
	        	check($site_new,0,$count);$site_new = $site;$count = 0;
	        }
		}
	if (($position == 0) && ($site_new != $site))
	{check($site_new,0,$count);}
}

    if (empty($_GET['url']) || empty($_GET['length']) || empty($_GET['type']) || empty($_GET['sym']))
    {
    	echo '<b>[+] Use http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?url=&lt;url&gt;&type=&lt;type of attack&gt;&length=&lt;max len&gt;&sym=&lt;parameter value&gt;<br> </b>
    		<b>	url examples:</b> <br/> http://site.com/index.php <br/> http://site.com/index.php?param=123 <br/> http://site.com/index.php?param=123%26param2=q <br/>
    		<b>	types of attack:<br/>  </b>
    			1 - only bruteforce<br/>
    			2 - only wordlist<br/>
    			3 - word+separator+brute values<br/>
    			&arr=1 - try [] postfix values<br/>
    			</b>';
        exit;
    }

	if (strpos($site,'?')>0)
		{$site=$site.'&';}
	else
		{$site=$site.'?';}
	$site_new = $site;
    // iaeaai ana ia?aiao?u
    preg_match_all("/[\?&]?([^&?=]+)=([a-zA-Z0-9\-_\.%]+)&/",
    $site,
    $out, PREG_PATTERN_ORDER);
    $values = $out[1];

    echo '<b>[+] Analyze <a href='.$site.'>'.$site.'</a></b><br>';
    flush();

    if ($type >=2)
    {
	    $file = fopen($param_file,"r");
	    if(!file)
	    {
	      echo("<b>[+] Error: wordlist not exists - ".$param_file.'</b></br>');
	    }
	    else
	    {
	      while ($wordlist[] = trim(fgets($file)))
	      {}
	      unset  ($wordlist[count($wordlist)-1]);
	      echo "<b>[+] Wordlist loaded...".count($wordlist)." words.</b><br/>";
	    }

    }
    // ii?aaaeei aaoieoiua cia?aiey
	$def_length = getlen($site);
	switch ($type) {
    case 1:
        recurse($maxlen, 0, '');
        break;
    case 2:
    	unset($charset);
    	$charset[] = '';
        for ($j = 0; $j < count($wordlist);$j++)
			{
				if (!in_array($wordlist[$j],$values))
			    {
			    $words[$count] = $wordlist[$j].(($arr==1)?'[]':'');
			    $count++;
			    $site_new .= $wordlist[$j].(($arr==1)?'[]':'').'='.$symbol.'&';
			    }

	        if ((strlen($site_new)+strlen($base_string)+4)>2048)
	        {
	        	check($site_new,0,$count);$site_new = $site;$count = 0;
	        }
		}
		if ($site_new != $site)
		{check($site_new,0,$count);}

        break;
    case 3:
    	if (!in_array('',$charset))
    		{$charset[count($charset)]='';}
        for ($j = 0; $j < count($wordlist);$j++)
			{recurse($maxlen, 0, $wordlist[$j].$separator);}
        break;
	}


    echo '<b>[+] Done</b><br>';

?>