URL Bruteforce I guess

[I_Learning_I]

Well, first of all my code was for C/C++, not PHP
Anyhow, since it's mostly adapted, bigfile was meant to be the file that would have the whole response from the server, since sometimes the response is VERY big, it's better to loop and partially store it in another variable, which is what we're doing, storing in bigfile.

I just spotted an error in my code, although I did it right here, I still forgot a parameter in recv()/read() which was the size.

Code: [Select]

read(sockfd,buffer,255);
So, to explain:
sockfd would be the variable you earlier defined as socket.
buffer is the variable that will hold the data received from that socket
255 is the max size of the receive

Now we have to store what we received:
bigfile+=buffer;


But then you have to clear buffer otherwise you'll start having errors like this:
First reading:
Client Sends:
aaaaa

You receive:
aaaaa

Second Reading :
Client sends:
b

You receive:
baaaa


So after you have to clear buffer by doing bzero(buffer,256);

And I believe that's it.
Re-post if you require

[blk.Sith0]

Where would you put that little bit of code?

Also, error on this line. How do I convert this to PHP?

Code: [Select]

available[count] = $mycharset[$i] + $mycharset[$j];unexpected bracket.

[ande]

Where would you put that little bit of code?

Also, error on this line. How do I convert this to PHP?

Code: [Select]

available[count] = $mycharset[$i] + $mycharset[$j];unexpected bracket.

There is to little code in this topic. Let me try writing a simple bruteforce idea.

Code: [Select]

$charset = array ("a","b","c","d","e","f","g","h","i","j","k","l","m");
$datacount = array (0,0,0,0,0);

for($i=0;$i<50;$i++)
{
if($datacount[4]==sizeof($charset)-1)
{$datacount[4]=0;$datacount[3]+=1;}
if($datacount[3]==sizeof($charset)-1)
{$datacount[3]=0;$datacount[2]+=1;}
if($datacount[2]==sizeof($charset)-1)
{$datacount[2]=0;$datacount[1]+=1;}
if($datacount[1]==sizeof($charset)-1)
{$datacount[1]=0;$datacount[0]+=1;}
if($datacount[0]==sizeof($charset)-1)
{return -1;}
echo $charset[$datacount[0]].$charset[$datacount[1]].$charset[$datacount[2]].$charset[$datacount[3]].$charset[$datacount[4]];
$datacount[4]+=1;
echo("<br />");
}


[blk.Sith0]

What does the "{return -1;}" part do? What is it there for?

Also, why this? "$datacount[4]+=1;" Why add 1 to the datacount?
Well I see that it doesnt go to the next set (aaaaab), but why?

[ande]

What does the "{return -1;}" part do? What is it there for?

Also, why this? "$datacount[4]+=1;" Why add 1 to the datacount?
Well I see that it doesnt go to the next set (aaaaab), but why?

The return -1 will end the PHP script running. I placed the return -1 because when it reaches the end of the 5 letter chain this script wont be able to continue. Instead of doing -1 you could break; it instead to exit the loop and continue the code below.

The $datacount[4]+=1; is to get the next letter(s) representing the values in the datacount array. If you look above it you will see that there is some if statements that will make sure the datacount indexes dosent go out of range, when a index reaches the max value possible with a x charset it will increment the index above itself until it reaches the index 0 which is the highest index possible. When that one is full it will exit.

Example;
These numbers will represent the values of $datacount[0-4]:
0 0 0 0 0
this is the same as aaaaa represented as the chars in our charset variable because the first index(0 index) of our charset array is a. Next;
0 0 0 0 1
This is the same as aaaab represented as the chars in our charset variable because the second index(index 1) of our charset array is b. Etc

0 0 0 0 2 = aaaac
0 0 0 0 3 = aaaad
 
Additionally my example will only do 5 chars, no more, no less. In order to do so you need a way more complex algorithm.

[blk.Sith0]

Whats wrong with this when I try to make it eleven characters long?

Code: [Select]

$charset = array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","0","1","2","3","4","5","6","7","8","9","/");
$datacount = array (0,0,0,0,0,0,0,0,0,0,0);

$i=0;
for($i=0;$i<100;$i++)
{
    if($datacount[11]==sizeof($charset)-1)
{$datacount[11]=0;$datacount[10]+=1;}
    if($datacount[10]==sizeof($charset)-1)
{$datacount[10]=0;$datacount[9]+=1;}
    if($datacount[9]==sizeof($charset)-1)
{$datacount[9]=0;$datacount[8]+=1;}
    if($datacount[8]==sizeof($charset)-1)
{$datacount[8]=0;$datacount[7]+=1;}
    if($datacount[7]==sizeof($charset)-1)
{$datacount[7]=0;$datacount[6]+=1;}
    if($datacount[6]==sizeof($charset)-1)
{$datacount[6]=0;$datacount[5]+=1;}
    if($datacount[5]==sizeof($charset)-1)
{$datacount[5]=0;$datacount[4]+=1;}
if($datacount[4]==sizeof($charset)-1)
{$datacount[4]=0;$datacount[3]+=1;}
if($datacount[3]==sizeof($charset)-1)
{$datacount[3]=0;$datacount[2]+=1;}
if($datacount[2]==sizeof($charset)-1)
{$datacount[2]=0;$datacount[1]+=1;}
if($datacount[1]==sizeof($charset)-1)
{$datacount[1]=0;$datacount[0]+=1;}
if($datacount[0]==sizeof($charset)-1)
{return -1;}
echo $charset[$datacount[0]].$charset[$datacount[1]].$charset[$datacount[2]].$charset[$datacount[3]].$charset[$datacount[4]].$charset[$datacount[5]].$charset[$datacount[6]].$charset[$datacount[7]].$charset[$datacount[8]].$charset[$datacount[9]].$charset[$datacount[10]].$charset[$datacount[11]];
$datacount[11]+=1;
echo("<br />");
 }


Not sure why the formatting looks weird up there, it looks fine in on my end. Undefined offset in lines 8 and 32, and 33.

[ande]

Whats wrong with this when I try to make it eleven characters long?

Code: [Select]

$charset = array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","0","1","2","3","4","5","6","7","8","9","/");
$datacount = array (0,0,0,0,0,0,0,0,0,0,0);

$i=0;
for($i=0;$i<100;$i++)
{
    if($datacount[11]==sizeof($charset)-1)
{$datacount[11]=0;$datacount[10]+=1;}
    if($datacount[10]==sizeof($charset)-1)
{$datacount[10]=0;$datacount[9]+=1;}
    if($datacount[9]==sizeof($charset)-1)
{$datacount[9]=0;$datacount[8]+=1;}
    if($datacount[8]==sizeof($charset)-1)
{$datacount[8]=0;$datacount[7]+=1;}
    if($datacount[7]==sizeof($charset)-1)
{$datacount[7]=0;$datacount[6]+=1;}
    if($datacount[6]==sizeof($charset)-1)
{$datacount[6]=0;$datacount[5]+=1;}
    if($datacount[5]==sizeof($charset)-1)
{$datacount[5]=0;$datacount[4]+=1;}
if($datacount[4]==sizeof($charset)-1)
{$datacount[4]=0;$datacount[3]+=1;}
if($datacount[3]==sizeof($charset)-1)
{$datacount[3]=0;$datacount[2]+=1;}
if($datacount[2]==sizeof($charset)-1)
{$datacount[2]=0;$datacount[1]+=1;}
if($datacount[1]==sizeof($charset)-1)
{$datacount[1]=0;$datacount[0]+=1;}
if($datacount[0]==sizeof($charset)-1)
{return -1;}
echo $charset[$datacount[0]].$charset[$datacount[1]].$charset[$datacount[2]].$charset[$datacount[3]].$charset[$datacount[4]].$charset[$datacount[5]].$charset[$datacount[6]].$charset[$datacount[7]].$charset[$datacount[8]].$charset[$datacount[9]].$charset[$datacount[10]].$charset[$datacount[11]];
$datacount[11]+=1;
echo("<br />");
 }


Not sure why the formatting looks weird up there, it looks fine in on my end. Undefined offset in lines 8 and 32, and 33.

Code: [Select]

<?php

$charset = array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","0","1","2","3","4","5","6","7","8","9","/");
$datacount = array (0,0,0,0,0,0,0,0,0,0,0);

$i=0;
for($i=0;$i<10000;$i++)
{
    if($datacount[10]==sizeof($charset)-1)
{$datacount[10]=0;$datacount[9]+=1;}
    if($datacount[9]==sizeof($charset)-1)
{$datacount[9]=0;$datacount[8]+=1;}
    if($datacount[8]==sizeof($charset)-1)
{$datacount[8]=0;$datacount[7]+=1;}
    if($datacount[7]==sizeof($charset)-1)
{$datacount[7]=0;$datacount[6]+=1;}
    if($datacount[6]==sizeof($charset)-1)
{$datacount[6]=0;$datacount[5]+=1;}
    if($datacount[5]==sizeof($charset)-1)
{$datacount[5]=0;$datacount[4]+=1;}
if($datacount[4]==sizeof($charset)-1)
{$datacount[4]=0;$datacount[3]+=1;}
if($datacount[3]==sizeof($charset)-1)
{$datacount[3]=0;$datacount[2]+=1;}
if($datacount[2]==sizeof($charset)-1)
{$datacount[2]=0;$datacount[1]+=1;}
if($datacount[1]==sizeof($charset)-1)
{$datacount[1]=0;$datacount[0]+=1;}
if($datacount[0]==sizeof($charset)-1)
{return -1;}
echo $charset[$datacount[0]].$charset[$datacount[1]].$charset[$datacount[2]].$charset[$datacount[3]].$charset[$datacount[4]].$charset[$datacount[5]].$charset[$datacount[6]].$charset[$datacount[7]].$charset[$datacount[8]].$charset[$datacount[9]].$charset[$datacount[10]];
$datacount[10]+=1;
echo("<br />");
 }

?>

Arrays start at 0 not at 1. 0-10 is 11. Index 11 of a array with 11 indexes is not 11 but 10.

[blk.Sith0]

Oh duh.
Another problem though, its not using the slash in the charset. "/"
I think theres a special way youre supposed to put a slash, and I know you said to do this //
However, that when they were all together, and not an array, with each one quoted. So how do I put a slash in my character set?

[ande]

Oh duh.
Another problem though, its not using the slash in the charset. "/"
I think theres a special way youre supposed to put a slash, and I know you said to do this //
However, that when they were all together, and not an array, with each one quoted. So how do I put a slash in my character set?

Dooh, seams I fucked up on that one. Remove the -1 in all of the "if($datacount[NUM]==sizeof($charset)-1)"

[blk.Sith0]

Well, ten juicy dollars to the first person that makes this for me.

[ande]

Well, ten juicy dollars to the first person that makes this for me.

I almost have dude. Nobody here knows exactly how you want it, if you want anyone to give it a go you at least have to specify things a bit more.

[blk.Sith0]

Just enter every combination of an 11 character code (a-z, 0-9, and /) into a URL field. But it always ends with an = sign. So site.com/users/aaaaaaaaaaa= all the way to site.com/users////////////=.

Then only log it (the entire link) if it sees the words "High School".
Oh oh, better idea. Make it log to a text file, right? However the text file will look like this.

Code: [Select]

<a href="site.com/users/a8fj48/47sh=">Last, First</a>
<a href="site.com/users/0f9n2nfjaw1=">Last, First</a>
<a href="site.com/users/a8fj48/472b=">Last, First</a>

You see where I'm going with this? You see? So Ill have a nice little html file that will have Everyone's logged name as a link to their page.

Now to get the name, that part might be hard. But its in the same place every time:

Code: [Select]

<div class="StudentHeader"><span class="StudentName">Last, First</span>
Also, it probably needs to clear its own cookies every time, at least thats what you have to do using a browser, I dont know if you need to do it in PHP or not. Because if you dont clear your cookies, then it doesnt matter what you put in the code field, it will just keep getting you the last successful one.

And uh, I think thats all, its https if that matters.

[ande]

Okay.. I could make it for you. But am not going to bother, because 11 chars with all lowerletters and the slash is 11^28 combinations. Which is 144209936106499234037676064081 request to the server. Even if you have 1000 requests pr second to that server it will take more than 4967549055696760431 years to complete.

[blk.Sith0]

But if I get 2 computers going at the same time, then its only 2.48377453 x 10^18 years. which is only 9.06577703 × 10^20 days. I have time.

[Satan911]

No you don't

That's why dictionary attacks are better in this situation rather than bruteforcing.