Associated vulnerability
Title:
Drupal security vulnerability
(CVE-2018-7600)
Description: Drupal is a free, open-source content management system written in PHP and maintained by the Drupal community. Multiple subsystems of Drupal with default or common module configurations contain a security vulnerability that allows a remote attacker to execute arbitrary code. The following versions are affected: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1.
Introduction
# CVE-2018-7600
## Table of contents:
1. [CVE summary](#CVE-summary)
2. [Prerequisites](#Prerequisites)
3. [CVE Analyse](#CVE-Analyse)
4. [Mitigation](#Mitigation)
## CVE summary
- An attacker could submit a Drupal Form API Ajax request whose attacker-controlled render-array keys end up being passed to call_user_func
- Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
## Prerequisites
- In this lab, I use:
  * Ubuntu 20.04 (PHP 7.2, MariaDB)
  * Drupal 8.3.8
  * Visual Studio Code for debugging
  * Kali 23.4 for running the Drupal exploit
## CVE Analyse
- The render-array keys whose values are passed to call_user_func are #pre_render, #post_render, #access_callback, #submit, #lazy_builder and #validate

- The task now is to find a user-submitted parameter that is rendered, lets the user control the key, and accepts a #post_render key so that the callback gets invoked.

- When the picture is resized, the server calls the Drupal API

- The $array passed by reference here holds the default form elements at submission time; let's step through it in the debugger:


- Suppose you modify the value of the mail field when submitting:



- When calling the getValue($array, $parents) method, the process is as follows:
  1. $ref starts as a reference to $array.
  2. First iteration: $ref references $array['a'].
  3. Second iteration: $ref references $array['a']['b'].
  4. Third iteration: $ref references $array['a']['b']['c'].
  5. End result: $ref references the value 42.

  ```php
  // Sample input for the walkthrough above
  $array = [
      'a' => [
          'b' => [
              'c' => 42,
          ],
      ],
  ];
  $parents = ['a', 'b', 'c'];
  ```
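The reference walk described above, as an added example that is not part of the original README and not Drupal's own NestedArray::getValue(): the function name, the by-reference $key_exists out-parameter and the missing-path handling are modelled on what the page describes, and the sample array is the one from the walkthrough.

```php
<?php
// Added example: minimal re-implementation of the reference walk the page
// describes. Modelled on the shape of Drupal's NestedArray::getValue(), but
// this is illustrative code, not Drupal's.
function &getValue(array &$array, array $parents, &$key_exists = NULL)
{
    $ref = &$array;                 // $ref starts as a reference to $array itself
    foreach ($parents as $parent) {
        if (is_array($ref) && array_key_exists($parent, $ref)) {
            $ref = &$ref[$parent];  // re-point $ref one level deeper
        } else {
            $key_exists = FALSE;    // path is absent: stop and report it
            $null = NULL;
            return $null;
        }
    }
    $key_exists = TRUE;
    return $ref;                    // a reference, not a copy
}

// Sample input (constructed) matching the walkthrough above.
$array = ['a' => ['b' => ['c' => 42]]];
$parents = ['a', 'b', 'c'];

$value = &getValue($array, $parents, $exists);
var_dump($exists, $value);

// Because the result is a reference, a write through it changes $array itself.
$value = 'changed';
var_dump($array['a']['b']['c']);

// A path that does not exist yields NULL and $key_exists = FALSE.
$missing = &getValue($array, ['a', 'x'], $exists);
var_dump($exists, $missing);
```

The first var_dump shows `true` and `42`; the second shows that the write through `$value` is visible in `$array['a']['b']['c']`, which is the point of the walk: whatever structure the request supplied, including any key names, is handed back by reference to the caller that later renders it.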
- After getValue returns the $form value, $form becomes an argument to the render function



- The definition of call_user_func

- The result when I run the exploit script:

## Mitigation
- Patch
  * Drupal developers have published a patch adding a RequestSanitizer class with a stripDangerousValues method that removes every input element whose key begins with “#”. This method cleans the input in $_GET, $_POST and $_COOKIE.
  * Drupal 8.6.5
    /core/lib/Drupal/Core/DrupalKernel.php

    /core/lib/Drupal/Core/Security/RequestSanitizer.php

  * The stripDangerousValues function verifies all input parameters one by one; every element whose key starts with “#” and is not whitelisted is removed.
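The stripping behaviour described above, as an added example that is not part of the original README and not Drupal's RequestSanitizer code: it is a simplified re-implementation of the same idea, with a constructed whitelist and constructed request data. The function name mirrors Drupal's; the $path parameter, the sample field names and the whitelist entry are assumptions made for the example.

```php
<?php
// Added example: simplified re-implementation of the idea behind Drupal's
// RequestSanitizer::stripDangerousValues(). Not Drupal's code.
function stripDangerousValues(array $input, array $whitelist, array &$sanitized_keys, string $path = ''): array
{
    foreach ($input as $key => $value) {
        // Only the key matters: a key beginning with '#' names a render-array
        // property and must never be accepted from the request unless whitelisted.
        if (is_string($key) && $key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
            unset($input[$key]);
            $sanitized_keys[] = $path . $key;   // record what was dropped, for logging
        } elseif (is_array($value)) {
            // Recurse so that nested form values are cleaned as well.
            $input[$key] = stripDangerousValues($value, $whitelist, $sanitized_keys, $path . $key . '/');
        }
    }
    return $input;
}

// Constructed request body: one nested value smuggles a '#'-prefixed key,
// one '#'-prefixed key is on the (constructed) whitelist, and ordinary
// values must survive untouched.
$post = [
    'account' => [
        '#post_render' => 'placeholder-not-a-callable',
        'value'        => 'user@example.com',
    ],
    '#allowed' => 'kept because whitelisted',
    'name'     => 'alice',
];
$whitelist = ['#allowed'];

$removed = [];
$clean = stripDangerousValues($post, $whitelist, $removed);
print_r($clean);
print_r($removed);
```

After sanitising, `$clean` keeps `account/value`, `#allowed` and `name`, while `$removed` contains the single entry `account/#post_render`. Logging `$removed` at request time is a cheap detection signal: a legitimate browser form never submits a key that starts with `#`, so any stripped key is worth alerting on.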
File snapshot
[4.0K] /data/pocs/4abb02276b88caaf2d02cdc5309d9a406be6158b
├── [1.3K] Drupal_Payload.py
└── [3.9K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the content through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.