
CVE-2019-6340 PoC — Drupal core - Highly critical - Remote Code Execution

Associated Vulnerability
Title: Drupal core - Highly critical - Remote Code Execution (CVE-2019-6340)
Description: Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
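The affected-version ranges and exposure conditions in the description above, turned into a triage check a defender can run over a site inventory. This is an added example, not code from the PoC repository or from Drupal. It assumes version strings in the usual `MAJOR.MINOR.PATCH` form (Drupal 7 reports two components, which the parser accepts), and the inventory rows at the bottom are constructed sample data. Treating a pre-release tag of the fixing release (for example `8.6.10-dev`) as still affected is this example's own conservative assumption, not something the advisory states.

```python
"""Triage helper for CVE-2019-6340 (added example, not part of the PoC repo).

Encodes the advisory text: Drupal 8.5.x before 8.5.11 and 8.6.x before 8.6.10
are affected, and a site is exposed only if the core REST module is enabled
and allows PATCH/POST, or another web services module is enabled.
"""

import re
from typing import Optional, Tuple

# First fixed release on each affected branch, per the advisory.
FIXED_RELEASES = {
    (8, 5): 11,   # 8.5.x before 8.5.11 is affected
    (8, 6): 10,   # 8.6.x before 8.6.10 is affected
}

# MAJOR.MINOR[.PATCH][-suffix]; Drupal 7 reports two components (e.g. 7.64).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, str]]:
    """Split a version string into (major, minor, patch, suffix); None if unparsable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), (suffix or "")


def is_affected(version: str) -> Optional[bool]:
    """True if the core version is in an affected range, False if not,
    None when the version string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch, suffix = parsed
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return False  # branch not named by the advisory
    if patch < fixed_patch:
        return True
    # Assumption (ours, not the advisory's): a pre-release tag of the fixing
    # release, e.g. 8.6.10-dev, predates that release and is treated as affected.
    return patch == fixed_patch and suffix != ""


def site_needs_update(version: str, rest_enabled: bool,
                      allows_patch_or_post: bool, other_ws_module: bool) -> bool:
    """Combine the version check with the advisory's exposure conditions.

    An unparsable version on an exposed site is reported, since it cannot be
    cleared; an unexposed site is never reported regardless of version."""
    exposed = (rest_enabled and allows_patch_or_post) or other_ws_module
    if not exposed:
        return False
    affected = is_affected(version)
    if affected is None:
        return True
    return affected


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version, rest, patch/post, other ws module)
    inventory = [
        ("cms-a.example.test", "8.6.9", True, True, False),
        ("cms-b.example.test", "8.6.10", True, True, True),
        ("cms-c.example.test", "8.5.3", True, False, False),
        ("cms-d.example.test", "8.5.3", False, False, True),
        ("legacy.example.test", "7.64", False, False, True),
    ]
    for host, ver, rest, write, other in inventory:
        flag = "UPDATE" if site_needs_update(ver, rest, write, other) else "ok"
        print(f"{host:22} {ver:10} {flag}")
```

Running the module prints the constructed inventory with `cms-a` and `cms-d` flagged; `cms-c` runs an affected version but is not exposed under the advisory's conditions, which is exactly the distinction a remediation queue needs.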
Readme
# Research

CVE-2019-6340

A site is affected if either of the following conditions is met:

The site has the Drupal 8 core RESTful Web Services module enabled and allows users to send GET, PATCH or POST requests to the server.

(A GET request is enough to trigger the code execution vulnerability even when the PATCH method is disabled.)

The site has any other web services module enabled, such as JSON:API in Drupal 8 or the RESTful Web Services module in Drupal 7.


REQUIREMENTS FOR POC

DOCKER.IO

DRUPAL 8.6.9

MYSQL 5.7

```sh
docker run -d --name mysqldb -e MYSQL_ROOT_PASSWORD=password mysql:5.7

docker run -d --name drupal --link mysqldb -p 8090:80 -e MY_SQL_USER=root -e MY_SQL_PASSWORD=password drupal:8.6.9
```


exp run command

```sh
python3 exp.py http://Ip_of_drupal_container:port_assigned/ "command_to_execute"
```

Include the port only if one was mapped when the container was started (8090 in the docker command above).

example:

```sh
python3 exp.py http://127.0.0.1:8090/ "hostname -I"
```



EXP ANALYSIS 

Guzzle is a PHP HTTP client that makes it easy to send HTTP requests and trivial to integrate with web services, and the exploit uses it to send the malicious request to Drupal-based websites. If we analyse the Guzzle part of the exploit code (exp.py), we can see that a "command" placeholder string is replaced with the command passed at runtime (e.g. `hostname -I`).


![exp](https://user-images.githubusercontent.com/126046383/220545661-f192137f-6c08-4e77-9017-632f9b21e705.png)

When we run the exp command, it first looks for an existing node, so we have to create some nodes on the website; in other words, you have to add some content to the site.

![drupal](https://user-images.githubusercontent.com/126046383/220547340-5bfe3bee-4d7a-4184-a981-6252b731a87f.png)

It will not access any node twice. Suppose you have added 5 nodes: after running the exploit 5 times you have to update your nodes.
Simply go to Content and apply any action to the nodes.

REQUEST AND RESPONSE 


![req](https://user-images.githubusercontent.com/126046383/220545688-a1b02910-28e3-4eba-9a87-a8df1f8fde56.png)



![res](https://user-images.githubusercontent.com/126046383/220539690-8682df02-f209-4fb3-9176-76514367cb6a.png)

File Snapshot

```text
[4.0K] /data/pocs/9123160c21a5e9f9ef77d3541c45bb11c189397a
├── [4.9K] exp.py
├── [2.0K] README.md
└── [4.0K] req_res
    ├── [ 61K] req.png
    └── [107K] res.png

1 directory, 4 files
```