Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2019-6340 PoC — Drupal core - Highly critical - Remote Code Execution

Source
https://github.com/ludy-dev/drupal8-REST-RCE
Associated Vulnerability
Title:Drupal core - Highly critical - Remote Code Execution (CVE-2019-6340)
Description:Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
Description
(CVE-2019-6340, CVE-2018-7600) drupal8-REST-RCE
Readme
# drupal8-REST-RCE
CVE-2019-6340 drupal8-REST-RCE (/node/1) , CVE-2018-7600 drupal8 RCE (/user/register)

Unix/Linux command - remote code Execution (command "id")

Usage>

    python drupal8-REST-RCE.py <dst_ip> <dst_port> (user defined port)
    
    python drupal8-REST-RCE.py <dst_ip> (default : 80/tcp)
  
[updated!]  
Script editted for supporting python3 (2020.11.07)

Just using Vuln Test for your System
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →