J2TEAM Security: A must-have extension for Chrome users. Install now!
Trang chủ
Code
Local Attack

Private host scan script

Code:
<html>
<head>
    <title></title>
</head>
<body>
    <h1></h1>
    <form action="?" method="GET">
        <input type="text" name="host" value="<?PHP echo isset($_GET['host']) ? $_GET['host'] : 'www.example.com'; ?>" />
        <input type="submit" value="mandale gas" />
    </form>
    <br><br>
    <?PHP analizar($_GET['host']); ?>
</body>
</html>
<?PHP
//reversedns bing ()
//reversedns gigablast ()
//whoishostingthis ()
//google/bing/otros dorks
//dns lookups ()
//transferencias de zona
//brute force de subdominios ()
function analizar($host){
    error_reporting(999999999);
    error_reporting(0);
    set_time_limit(0);

    echo 'Host: '. htmlentities($host, ENT_QUOTES, 'UTF-8').'<br>';
    echo '<table><tr><td>IP</td><td>Reverse</td><td>Long ip</td><td>ISP</td><td>Ciudad</td><td>Region</td><td>Pais</td></tr>';
    $ip = gethostbynamel($host);
    foreach ($ip as $this_ip){
        $reverse = gethostbyaddr($this_ip);
        if ( $reverse == $this_ip ) {
            $reverse = '';
        }
        echo '<tr><td>'.htmlentities($this_ip, ENT_QUOTES, 'UTF-8').'</td>';
        echo '<td>'.htmlentities($reverse, ENT_QUOTES, 'UTF-8').'</td>';
        echo '<td>'.htmlentities(sprintf("%u", ip2long(trim($this_ip))), ENT_QUOTES, 'UTF-8').'</td>';
        $temp = file_get_contents("http://www.melissadata.com/lookups/iplocation.asp?ipaddress=".$this_ip);
//            print_R($temp);
        preg_match("@<tr class='tdresul01'><td class='columresult'>ISP</td><td align='left'><b>([^&]+)&nbsp;</b></td></tr>@",$temp,$match);
        echo '<td>' . htmlentities($match[1], ENT_QUOTES, 'UTF-8') . '</td>';
        preg_match("@<tr><td class='columresult'>City</td><td align='left'><b>(.+)</b></td></tr>@",$temp,$match);
        echo '<td>' . htmlentities($match[1], ENT_QUOTES, 'UTF-8') . '</td>';
        preg_match("@<tr class='tdresul01'><td class='columresult'>State or Region</td><td align='left'><b>(.+)</b></td></tr>@",$temp,$match);
        echo '<td>' . htmlentities($match[1], ENT_QUOTES, 'UTF-8') . '</td>';
        preg_match("@<tr><td class='columresult'>Country</td><td align='left'><b>(.+)</b></td></tr>@",$temp,$match);
        echo '<td>' . htmlentities($match[1], ENT_QUOTES, 'UTF-8') . '</td></tr>';
    }
   echo '</table><br>';
  
  //dns
    $resultado_dns = dns_get_record($host, DNS_ANY, $authdns);
    foreach ($resultado_dns as $dns){
        if ($dns["type"]=="A"){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["ip"]." (ttl ".$dns["ttl"].")".'<br>';
        }elseif ($dns["type"]=="MX"){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["target"]." (".$dns["pri"].") (ttl ".$dns["ttl"].")".'<br>';
        }elseif (($dns["type"]=="CNAME") or ($dns["type"]=="NS") or ($dns["type"]=="PTR")){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["target"]." (ttl ".$dns["ttl"].")".'<br>';
        }elseif ($dns["type"]=="TXT"){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["txt"]." (ttl ".$dns["ttl"].")".'<br>';
        }elseif ($dns["type"]=="HINFO"){
            echo "[".$dns["host"]."] ".$dns["type"]." => CPU: ".$dns["cpu"]." OS: ".$dns["os"]." (ttl ".$dns["ttl"].")".'<br>';
        }elseif ($dns["type"]=="SOA"){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["mname"]." - Email: ".$dns["rname"]." - Serial: ".$dns["serial"]." - Refresh: ".$dns["refresh"]." - Retry: ".$dns["retry"]." - Expire: ".$dns["expire"]." - Minimum-ttl: ".$dns["minimum-ttl"]." (ttl ".$dns["ttl"].")".'<br>';
        }elseif ($dns["type"]=="AAA"){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["ipv6"]." (ttl ".$dns["ttl"].")".'<br>';
        }elseif ($dns["type"]=="A6"){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["masklen"]." - ".$dns["ipv6"]." - ".$dns["chain"]." - "." (ttl ".$dns["ttl"].")".'<br>';
        }elseif ($dns["type"]=="SRV"){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["pri"]." - ".$dns["weight"]." - ".$dns["target"].":".$dns["port"]." (ttl ".$dns["ttl"].")".'<br>';
        }elseif ($dns["type"]=="NAPTR"){
            echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["order"]." - ".$dns["pref"]." - ".$dns["flags"]." - ".$dns["services"]." - ".$dns["regex"]." - ".$dns["replacement"]." (ttl ".$dns["ttl"].")".'<br>';
        }else{
            echo "<br>";
        }
    }
    
    foreach ($authdns as $this_authdns) {
        echo "[".$dns["host"]."] ".$dns["type"]." => ".$dns["target"]." - ".$dns["class"]." (ttl ".$dns["ttl"].")".'<br>';
    }

    $temp = file_get_contents("http://www.whoishostingthis.com/".$host);
    preg_match('@<a href="http://www.whoishostingthis.com/linkout/?.*";[^>]*?>([^<]+)</a>@i',$temp,$match);
    echo '<br>Hosted by: ' . (isset($match[1]) ? $match[1] : 'Unknown') . '<br>';


    //reverse dns (bing)
    echo '<table><tr><td>IP</td><td>Bing (confirmados)</td><td>Bing(Sin confirmar)</td><td>GigaBlast (confirmados)</td><td>GigaBlast (sin confirmar)</td><td>Total (confirmados)</td><td>Total (sin confirmar)</td></tr>';
    foreach ($ip as $this_ip) {
        echo '<tr><td>'.$this_ip.'</td>';
        //Bing
        $offset = 0;
        $confirmed_domains_bing = array();
        $no_confirmed_domains_bing = array();
        $url_dns = array();
        $pasado = null;
        do{
            unset($url_dns); 
            $url = 'http://api.search.live.net/json.aspx?AppId=7066FAEB6435DB963AE3CD4AC79CBED8B962779C&Query=IP:'.$this_ip.'&Sources=web&Web.Offset='.$offset;
            $data  = json_decode(file_get_contents($url));
            
            foreach($data->SearchResponse->Web->Results as $value){
                $dms = parse_url($value->Url, PHP_URL_HOST);
                if ( (!in_array ($dms, $confirmed_domains_bing)) and (!in_array ($dms, $no_confirmed_domains_bing)) ){
                    if ( in_array($this_ip, gethostbynamel($dms)) ) {
                        $confirmed_domains_bing[] = $dms;
                    }else{
                        $no_confirmed_domains_bing[] = $dms;
                    }
                }
                $url_dns[] = $dms;
            }
            
            if ($offset % 4 == 0 ) {
                $actual = $url_dns;
            }else{
                $pasado = $url_dns;
            }
            $offset = $offset + 10;
           
        }while ($actual != $pasado);
    
        sort($confirmed_domains_bing);
        sort($no_confirmed_domains_bing);
        echo '<td><textarea cols="30" rows="15">'.sizeof($confirmed_domains_bing)."\n".htmlentities(implode("\n", $confirmed_domains_bing), ENT_QUOTES, 'UTF-8').'</textarea></td><td><textarea cols="30" rows="15">'.sizeof($no_confirmed_domains_bing)."\n".htmlentities(implode("\n", $no_confirmed_domains_bing), ENT_QUOTES, 'UTF-8').'</textarea></td>';

        //Reverse dns Giga Blast
        $offset = 0;
        $confirmed_domains_gigablast = array();
        $no_confirmed_domains_gigablast = array();
        $pasado = null;
        for($i=0; $i<10;$i++){
            $links = file_get_contents('http://www.gigablast.com/search?q=ip:'.urlencode($this_ip).'&n=50&sc=0&dr=0&raw=1&nrt=110&spell=0&s='.($i*50));
            $links = explode("\n", $links);
            unset($links[0], $links[sizeof($links)]);
            foreach ($links as $link) {
                $dms = parse_url($link, PHP_URL_HOST);
                if ( (!in_array ($dms, $confirmed_domains_gigablast)) and (!in_array ($dms, $no_confirmed_domains_gigablast)) ){
                    if ( in_array($this_ip, gethostbynamel($dms)) ) {
                        $confirmed_domains_gigablast[] = $dms;
                    }else{
                        $no_confirmed_domains_gigablast[] = $dms;
                    }
                }
            }
        }
       
        sort($confirmed_domains_gigablast);
        sort($no_confirmed_domains_gigablast);
        echo '<td><textarea cols="30" rows="15">'.sizeof($confirmed_domains_gigablast)."\n".htmlentities(implode("\n", $confirmed_domains_gigablast), ENT_QUOTES, 'UTF-8').'</textarea></td><td><textarea cols="30" rows="15">'.sizeof($no_confirmed_domains_gigablast)."\n".htmlentities(implode("\n", $no_confirmed_domains_gigablast), ENT_QUOTES, 'UTF-8').'</textarea></td>';
        
        $confirmed_domains = array_unique(array_merge($confirmed_domains_bing, $confirmed_domains_gigablast));
        sort($confirmed_domains);
        $no_confirmed_domains = array_unique(array_merge($no_confirmed_domains_bing, $no_confirmed_domains_gigablast));
        sort($no_confirmed_domains);
        echo '<td><textarea cols="30" rows="15">'.sizeof($confirmed_domains)."\n".htmlentities(implode("\n", $confirmed_domains), ENT_QUOTES, 'UTF-8').'</textarea></td><td><textarea cols="30" rows="15">'.sizeof($no_confirmed_domains)."\n".htmlentities(implode("\n", $no_confirmed_domains), ENT_QUOTES, 'UTF-8').'</textarea></td></tr>';
    }
    echo '</table>';
    
    //sub domain brute force
    echo '<br><br>Bruteando subdominios:<br>';
    $subdomains = file_get_contents('subdomains.txt');
    $subdomains = explode("\n", $subdomains);
    foreach($subdomains as $subdomain){
        if(gethostbyname($subdomain.'.'.$host) != $subdomain.'.'.$host){
            echo $subdomain.'.'.$host.'<br>';
        }
    }
}







?>
Leader at J2TEAM. Website: https://j2team.dev/

Đăng nhận xét

Cảm ơn bạn đã đọc bài viết!

- Bạn có gợi ý hoặc bình luận xin chia sẻ bên dưới.

- Hãy viết tiếng Việt có dấu nếu có thể!