Related vulnerability
Title:
Drupal security vulnerability
(CVE-2018-7600)
Description: Drupal is a free, open-source content management system written in PHP and maintained by the Drupal community. Multiple subsystems of Drupal with default or common module configurations contain a security vulnerability. A remote attacker can exploit it to execute arbitrary code. The following versions are affected: Drupal versions before 7.58, 8.x versions before 8.3.9, 8.4.x versions before 8.4.6, and 8.5.x versions before 8.5.1.
Description
A Rust implementation of the CVE-2018-7600 exploit targeting vulnerable Drupal 7 installations (<= 7.57)
Introduction
# CVE-2018-7600 - Drupal 7 Remote Code Execution
[Rust](https://www.rust-lang.org/) [CVE-2018-7600](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600)
A Rust implementation of the CVE-2018-7600 exploit targeting vulnerable Drupal 7 installations (<= 7.57). This CLI reproduces the following PoC flow: it poisons a cached renderable form via the user/password path, extracts a `form_build_id`, then triggers the cached payload through the file/ajax endpoint to achieve remote code execution via a PHP function invocation.
## Vulnerability Overview
CVE-2018-7600 is a remote code execution vulnerability affecting Drupal 7 (and Drupal 8 in a different context). In Drupal 7 the issue stems from insufficient sanitization when certain renderable arrays are cached and later rendered. By injecting specially crafted render metadata into an endpoint that is cached, an attacker can cause arbitrary PHP functions to run when the cached data is later rendered or requested.
### Technical Details
- The exploit abuses Drupal's render system and cache to insert a renderable array whose `#post_render` callback is an arbitrary PHP function (for example `passthru`).
- The PoC flow typically posts to `?q=user/password` with the crafted renderable array parameters so Drupal caches the poisoned form.
- After poisoning and receiving a `form_build_id`, the PoC triggers the payload by calling `/file/ajax/name/#value/<form_build_id>` with the `form_build_id` in the POST body. When Drupal renders the cached element, the `#post_render` callback executes with attacker-controlled markup, enabling command execution.
### Description
This Rust CLI builds the request parameters and performs the two-step sequence (poison, then trigger) against a target Drupal 7 site: it parses the HTML response for `form_build_id`, then calls the `file/ajax` endpoint to execute the function specified by the attacker.
Because the client disables certificate verification (to mirror the original PoC which passed `verify=False`), the tool will work against targets using self-signed or otherwise invalid TLS certs. This behaviour can be changed in the source if you prefer to require valid certificates.
## Usage
Basic usage (default command is `whoami`, default function is `passthru`):
```zsh
cargo run -- -u http://target.com/
```
Run a custom command and function:
```zsh
cargo run -- -u http://target.com/ -c "whoami" -f "passthru"
```
Use an HTTP/S proxy (format: `http://127.0.0.1:8080/`):
```zsh
cargo run -- -u http://target.com/ -p http://127.0.0.1:8080/
```
CLI options summary:
- `-u`, `target`: URL of the target Drupal site (e.g. `http://target.com/`).
- `-c`, `--command`: Command to execute on target (default: `whoami`).
- `-f`, `--function`: PHP function to use as the attack vector (default: `passthru`).
- `-p`, `--proxy`: Optional proxy URL to route requests through.
Example full flow:
1. Poison the `user/password` form, inserting `#post_render` callback and `#markup` containing the command.
2. Parse the response to find `form_build_id` inside `form#user-pass`.
3. POST to `?q=file/ajax/name/#value/<form_build_id>` with the `form_build_id` to trigger rendering and execute the command.
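The two request shapes described in the Technical Details section and in the flow above (a render-array key such as `#post_render` or `#markup` injected into the `user/password` request, followed by a `file/ajax/.../#value/<form_build_id>` trigger) are distinctive enough to hunt for in web-server logs. The following detector is an added example and is not part of this tool or of Drupal; it assumes Apache combined-log format, and the sample lines are constructed (the IPs and form ids are placeholders). Plain `file/ajax/` requests are legitimate Drupal AJAX traffic, so only the `#value` element path is treated as a trigger.

```python
"""Hunt for CVE-2018-7600-style Drupal 7 request pairs in an access log."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2018:12:00:01 +0000] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23markup%5D=whoami HTTP/1.1" 200 6120 "-" "curl/7.58.0"
203.0.113.5 - - [10/Apr/2018:12:00:02 +0000] "POST /?q=file/ajax/name/%23value/form-abc123 HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.7 - - [10/Apr/2018:12:01:00 +0000] "GET /?q=user/password HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2018:12:01:30 +0000] "POST /?q=file/ajax/field_image/und/0/form-xyz HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)

# Render-array keys never belong in a request; '#' reaches the server URL-encoded as %23.
RENDER_KEYS = ("#post_render", "#markup")


def classify(line):
    """Return ('poison' | 'trigger', decoded target) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))  # %23 -> '#', %5B -> '[' and so on
    if any(key in target for key in RENDER_KEYS):
        return "poison", target  # renderable-array injection (stage 1)
    if "file/ajax/" in target and "/#value/" in target:
        return "trigger", target  # cached payload re-rendered via file/ajax (stage 2)
    return None


def scan(log_text):
    """Map each client IP to the stages seen; both stages means a likely full chain."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hit = classify(line)
        if m and hit:
            stages[m.group("ip")].add(hit[0])
    return {
        ip: "exploit-chain" if {"poison", "trigger"} <= seen else ",".join(sorted(seen))
        for ip, seen in stages.items()
    }


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG).items():
        print(ip, verdict)
```

A single "poison" hit on its own is already worth an alert on an unpatched 7.x site; the chain verdict simply raises confidence.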
## Disclaimer
This tool is for educational and authorized penetration testing purposes only. Use responsibly and only on systems you own or have explicit permission to.
File snapshot
[4.0K] /data/pocs/a80e499471fc506980d1888be15a5454856a65b9
├── [ 59K] Cargo.lock
├── [ 240] Cargo.toml
├── [3.5K] README.md
└── [4.0K] src
└── [4.1K] main.rs
1 directory, 4 files