Associated Vulnerability
Title: Drupal security vulnerability (CVE-2018-7600)
Description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Readme
# CVE-2018-7600
## Table of contents:
1. [CVE summary](#CVE-summary)
2. [Prerequisites](#Prerequisites)
3. [CVE Analyse](#CVE-Analyse)
4. [Mitigation](#Mitigation)
## CVE summary
- A remote attacker can send a Drupal Form API AJAX request in which user-supplied values are treated as render-array properties (keys beginning with "#"); the callback named in a key such as #post_render is then executed through call_user_func, giving remote code execution
- Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
## Prerequisites
- In this lab, I use:
 * Ubuntu 20.04 (PHP 7.2, MariaDB)
 * Drupal 8.3.8 as the vulnerable target
 * Visual Studio Code for debugging
 * Kali 23.4 for running the exploit against Drupal
## CVE Analyse
- Searching the code for call_user_func shows that the values of the following render-array and form keys are invoked as callbacks: #pre_render, #post_render, #access_callback, #submit, #lazy_builder, #validate

- The task is therefore to find a user-submitted parameter that reaches the renderer with its keys still under the attacker's control, so that an injected #post_render key survives and its value is called.

- When the user picture is uploaded and resized, the client issues an AJAX request that the server handles through the Drupal Form API.

- The &$array parameter seen here is the form's default element array at the moment the request is sent; let's first step through a request without a payload in the debugger:


- Now suppose the value of mail is modified during the upload:



- When getValue($array, $parents) is called with the following input, the reference walk proceeds as described below:
```
$array = [
  'a' => [
    'b' => [
      'c' => 42
    ]
  ]
];
$parents = ['a', 'b', 'c'];
```
  1. $ref initially references $array.
  2. First loop iteration: $ref references $array['a'].
  3. Second iteration: $ref references $array['a']['b'].
  4. Third iteration: $ref references $array['a']['b']['c'].
  5. At the end, $ref references the value 42 and is returned by reference, so the caller receives a handle directly into $array rather than a copy.
- The sub-array that getValue() returns from $form is then passed as the argument to the render function; because its keys came from the request, an injected #post_render key reaches the call_user_func identified above.
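To make the two steps above concrete, here is an added example (my own code, not code from this PoC or from Drupal): a stand-alone model of the reference walk that NestedArray::getValue() performs, followed by a toy renderer that, like Drupal's, hands the value of #post_render to call_user_func. The form shape, the `account/mail/#value` parents path and the merge of user input into #value are assumptions made for illustration; the callback is strtoupper() rather than a command-execution function so the file is safe to run.

```php
<?php
// Added example (not the PoC's or Drupal's code). Models why attacker-controlled
// '#' keys are dangerous: getValue() walks by reference to whatever sub-array the
// request names, and the renderer treats '#post_render' values as callables.

/**
 * Walk $array along $parents by reference, in the manner of Drupal's
 * NestedArray::getValue(). Returns a reference to the value, or NULL if the
 * path does not exist.
 */
function &getValue(array &$array, array $parents) {
  $ref = &$array;
  foreach ($parents as $parent) {
    if (is_array($ref) && array_key_exists($parent, $ref)) {
      $ref = &$ref[$parent];
    }
    else {
      $null = NULL;
      return $null;
    }
  }
  return $ref;
}

/**
 * Toy renderer: produces #markup, then passes the result through every callable
 * listed in #post_render via call_user_func, as Drupal's Renderer does.
 */
function render(array $element) {
  $output = isset($element['#markup']) ? (string) $element['#markup'] : '';
  if (isset($element['#post_render'])) {
    foreach ((array) $element['#post_render'] as $callable) {
      $output = call_user_func($callable, $output);
    }
  }
  return $output;
}

// Step 1: the form the server builds for the request (constructed sample).
$form = [
  'account' => [
    'mail' => ['#type' => 'email', '#value' => ''],
  ],
];

// Step 2: the submitted value for 'mail' is stored in the element's #value.
// A legitimate client sends a string; this constructed malicious input is an
// array whose keys start with '#'. strtoupper stands in for the real-world
// command-execution callback.
$user_input = [
  'mail' => [
    '#post_render' => ['strtoupper'],
    '#type' => 'markup',
    '#markup' => 'hello',
  ],
];
$form['account']['mail']['#value'] = $user_input['mail'];

// Step 3: the AJAX handler looks up a sub-element by a parents path that the
// request supplies (assumed path for this example).
$parents = ['account', 'mail', '#value'];
$element = &getValue($form, $parents);

if (!is_array($element)) {
  fwrite(STDERR, "no element at " . implode('/', $parents) . "\n");
  exit(1);
}

// Step 4: the sub-element is rendered and the callback named by the request runs.
echo render($element), "\n";
```

Run it with `php` and replace `'strtoupper'` with another callable to see that nothing in the walk or the renderer checks where the callback name came from; that absence of validation is the vulnerability, and the request-side filter in the Mitigation section is what closes it.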



- The definition of call_user_func

- The result when I run the exploit file:

## Mitigation
- Patch
  * Drupal developers published a patch that adds a RequestSanitizer class with a stripDangerousValues method, which removes from the request arrays every element whose key begins with "#". The kernel runs this sanitizer over $_GET, $_POST and $_COOKIE as soon as settings are initialized, before the request reaches any form or render code.
  * Drupal 8.6.5
/core/lib/Drupal/Core/DrupalKernel.php

/core/lib/Drupal/Core/Security/RequestSanitizer.php


  * The stripDangerousValues function walks every level of each input array; any key whose first character is "#" and that is not in the whitelist ($settings['sanitize_input_whitelist']) is removed, and the removed keys are collected so they can be logged.
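As an added illustration (my own code, not Drupal's), the following re-implements the recursive filter that stripDangerousValues performs and runs it over a constructed request body in the shape of the malicious mail field discussed above. Only the function name is taken from Drupal; the whitelist contents, the sample body and the `#legit` key are assumptions.

```php
<?php
// Added example (not Drupal's code): stand-alone model of
// RequestSanitizer::stripDangerousValues() applied to a constructed POST body.

/**
 * Recursively drop every key that starts with '#' unless it is whitelisted.
 * Removed keys are appended to $sanitized_keys so the caller can log them.
 */
function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
  if (is_array($input)) {
    foreach ($input as $key => $value) {
      $k = (string) $key;  // keys may be ints; guard before indexing
      if ($k !== '' && $k[0] === '#' && !in_array($key, $whitelist, TRUE)) {
        unset($input[$key]);
        $sanitized_keys[] = $key;
      }
      else {
        // Non-'#' keys (and whitelisted ones) are kept, but their children
        // are still filtered, so nesting does not hide a dangerous key.
        $input[$key] = stripDangerousValues($value, $whitelist, $sanitized_keys);
      }
    }
  }
  return $input;
}

// Constructed POST body: the 'mail' field carries render-array keys instead of
// a string, which is the pattern this CVE abuses. '#legit' is a made-up key
// used only to show the whitelist path.
$post = [
  'form_id' => 'user_register_form',
  'mail' => [
    '#post_render' => ['exec'],
    '#type' => 'markup',
    '#markup' => 'whoami',
  ],
  'name' => 'alice',
  '#legit' => 'kept because it is whitelisted',
];

// Mirrors $settings['sanitize_input_whitelist'] from settings.php (assumed value).
$whitelist = ['#legit'];
$removed = [];
$clean = stripDangerousValues($post, $whitelist, $removed);

// 'mail' survives as an empty array: its '#post_render', '#type' and '#markup'
// children are stripped, so nothing remains for the renderer to call.
print_r($clean);
print_r($removed);
```

Fed through the vulnerable flow, the sanitized `mail` value no longer contains a #post_render key, so getValue() returns an element with no callback and call_user_func is never reached; the whitelist exists only for sites that legitimately need a '#'-prefixed request key and should stay empty otherwise.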
File Snapshot
[4.0K] /data/pocs/4abb02276b88caaf2d02cdc5309d9a406be6158b
├── [1.3K] Drupal_Payload.py
└── [3.9K] README.md
0 directories, 2 files