Khám phá thế giới Drupalgeddon từ tác giả Eyal Shalev qua Drupal 7

Khám phá thế giới Drupalgeddon từ tác giả Eyal Shalev qua Drupal 7


Two weeks ago, a highly critical (25/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

>> Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

>> Hot girl Mean Pich Rita và nhà tài phiệt Heng Sear

>> Lập trình Golang - Quản lý Dependency với Go module (P20)

>> 18,4 triệu người ở Mỹ tìm được việc làm trên Facebook năm 2011

Drupal is an open-source content management system (CMS) that is used by more than one million sites around the world (including governments, e-retail, enterprise organizations, financial institutions and more), all of which are vulnerable unless patched.

Until now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.

In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.

The vulnerability existed on all Drupal versions from 6 to 8, though has since been patched to those who manually update their site. In this document we will showcase real life attack scenarios around an out-of-the-box installation of Drupal’s flagship product, Drupal 8.

Technical Details

The Vulnerability

To provide some background, Drupal’s Form API was introduced in Drupal 6 and allowed alteration of the form data during the form rendering process. This revolutionized the way markup processing was done.

In Drupal 7 the Form API was generalized to what is now known as “Renderable Arrays”. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more.

Renderable arrays contain metadata that is used in the rendering process. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). Please see below for an example:

‘#type’ => ‘markup’,
‘#markup’ => ‘<em>some text</em>’,
‘#prefix’ => ‘<div>’,
‘#suffix’ => ‘</div>’

Drupal’s Patch

The patch that Drupal published adds a single class called RequestSanitizer with a stripDangerousValues method that unsets all the items in an input array for keys that start with a hash sign. This method sanitizes input data in $_GET, $_POST & $_COOKIES during the very early stages of Drupal’s bootstrap (immediately after loading the site configurations).

We assume that one of the reasons that the patch was done in this way was to make it harder to find and exploit the vulnerability.

Finding an Attack Vector

Because of the above we focused on forms that are exposed to anonymous users.

There are a few of those forms available, one of which is the user registration form. This form contains multiple fields, as can be seen in the screenshot below.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 1: The Drupal registration form.

We knew that we needed to inject a renderable array somewhere in the form structure, we just had to find out where.

As it happens, the “Email address” field does not sanitize the type of input that it receives. This allowed us to inject an array to the form array structure (as the value of the email field).

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 2: Injecting our renderable array into the mail input of the registration form.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 3: Example of injected form renderable array.

Now all we needed was for Drupal to render our injected array. Since Drupal treats our injected array as a value and not as an element, we needed to trick Drupal into rendering it.

The situations in which Drupal renders arrays are as follows:

  1. Page load
  2. Drupal AJAX API – i.e. when a user fills an AJAX form, a request is made to Drupal which renders an HTML markup and updates the form.

After investigating possible attack vectors surrounding the above functionalities, because of the post-submission rendering process and the way Drupal implements it, we came to the conclusion that an AJAX API call is our best option to leverage an attack.

As part of the user registration form, the “Picture” field uses Drupal’s AJAX API to upload a picture into the server and replace it with a thumbnail of the uploaded image.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 4: Form used to upload a picture using AJAX API.

Diving into the AJAX file upload callback revealed that it uses a GET parameter to locate the part of the form that needs to be updated in the client.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 5: The AJAX ‘upload file’ callback function code.

After pointing element_parents to the part of the form that contained our injected array, Drupal successfully rendered it.

Weaponizing Drupalgeddon 2

Now, all we had to do is to inject a malicious render array that uses one of Drupal’s rendering callback to execute code on the system.

There were several properties we could have injected:

  • #access_callback
    Used by Drupal to determine whether or not the current user has access to an element.
  • #pre_render
    Manipulates the render array before rendering.
  • #lazy_builder
    Used to add elements in the very end of the rendering process.
  • #post_render
    Receives the result of the rendering process and adds wrappers around it.

For our POC to work, we chose the #lazy_builder element as the one being injected into the mail array. Combined with the AJAX API callback functionality, we could direct Drupal to render our malicious array.

This allowed us to take control over the administrator’s account, install a malicious backdoor module and finally execute arbitrary commands on the server.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 6: injecting malicious command into one of Drupal’s rendering callbacks.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 7: Successfully executing shell commands using the malicious module.


After seeing earlier publications on Twitter and several security blogs, it was apparent that there was much confusion among the community regarding this vulnerability announcement, with some even doubting the severity of it. As a result, we considered it worthwhile to looking deeper into.

The research however was challenging as we were starting from a very large attack surface since the patch blurred the real attack vectors. To expedite our findings, we were fortunate to be joined by experts in the Drupal platform. The final results highlight how easy it is for organization to be exposed through no fault of their own, but rather through the third party platforms they use every day.

Bạn thấy bài viết này như thế nào?: 
Average: 3.5 (10 votes)
Ảnh của Tommy Tran

Tommy Tran owner Express Magazine

Drupal Developer having 9+ year experience, implementation and having strong knowledge of technical specifications, workflow development. Ability to perform effectively and efficiently in team and individually. Always enthusiastic and interseted to study new technologies

  • Skype ID: tthanhthuy
  • Phone/Zalo: (+84) 944 225 212
  • WhatsApp: (+84) 944 225 212
  • Line Messenger: (+84) 944 225 212
  • Email: [email protected]
  • Telegram Messenger: https:/

Bình luận (1)

Ảnh của admin 2
admin 2 (chưa được kiểm chứng)- Mar 29, 2020 02:19 PM Reply



Add Comment

Plain text

  • No HTML tags allowed.
  • Các địa chỉ web và email sẽ tự động được chuyển sang dạng liên kết.
  • Tự động ngắt dòng và đoạn văn.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
2 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.

Tìm kiếm bất động sản





Dich vu khu trung tphcm

Dich vu diet chuot tphcm

Dich vu diet con trung

Quảng Cáo Bài Viết


Hướng dẫn code entity reference trong custom entities (no bundles)

Entities are a big boon to Drupal, just that the learning curve is a bit longer than CCKs and nodes. I've read a lot about how these entities work but the more I read, the more complex they sound.



Ngày 8.9.2019, đã diễn ra sự kiện MarTech Talks #04 tại MPLEX Studio & Theatre, 62 Trần Quang Khải, Phường Tân Định, Quận 1, TP.HCM của Asia Mar Tech Group (Đơn vị chủ quản của chuỗi MarTechTalks)

Ryu Sera ca sĩ Hàn Quốc cho biết ép mặc váy xẻ tà cao và nội y

Ryu Sera ca sĩ Hàn Quốc cho biết ép mặc váy xẻ tà cao và nội y

Nhiều ca sĩ Hàn Quốc cho biết họ bị công ty quản lý ép mặc đồ sexy. Khi không thực hiện theo, họ bị đuổi khỏi nhóm.



Wordpress Freelancer


Wordpress Freelancer