# CVE-2018-7600 - Drupal 7 Remote Code Execution
[Rust](https://www.rust-lang.org/) | [CVE-2018-7600 at MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600)
A Rust implementation of the CVE-2018-7600 exploit targeting vulnerable Drupal 7 installations (<= 7.57). This CLI reproduces the following PoC flow: it poisons a cached renderable form via the `user/password` path, extracts a `form_build_id`, then triggers the cached payload through the `file/ajax` endpoint to achieve remote code execution via a PHP function invocation.
## Vulnerability Overview
CVE-2018-7600 is a remote code execution vulnerability affecting Drupal 7 (and Drupal 8 in a different context). In Drupal 7 the issue stems from insufficient sanitization when certain renderable arrays are cached and later rendered. By injecting specially crafted render metadata into an endpoint that is cached, an attacker can cause arbitrary PHP functions to run when the cached data is later rendered or requested.
### Technical Details
- The exploit abuses Drupal's render system and cache to insert a renderable array whose `#post_render` callback is an arbitrary PHP function (for example `passthru`).
- The PoC flow typically posts to `?q=user/password` with the crafted renderable array parameters so Drupal caches the poisoned form.
- After poisoning and receiving a `form_build_id`, the PoC triggers the payload by calling `/file/ajax/name/#value/<form_build_id>` with the `form_build_id` in the POST body. When Drupal renders the cached element, the `#post_render` callback executes with attacker-controlled markup, enabling command execution.
### Description
This Rust CLI performs the two-step sequence (poison, then trigger) against a target Drupal 7 site: it builds the request parameters, parses the HTML response for `form_build_id`, and then calls the `file/ajax` endpoint to execute the function specified by the attacker.
Because the client disables certificate verification (to mirror the original PoC which passed `verify=False`), the tool will work against targets using self-signed or otherwise invalid TLS certs. This behaviour can be changed in the source if you prefer to require valid certificates.
## Usage
Basic usage (default command is `whoami`, default function is `passthru`):
```zsh
cargo run -- -u http://target.com/
```
Run a custom command and function:
```zsh
cargo run -- -u http://target.com/ -c "whoami" -f "passthru"
```
Use an HTTP/S proxy (format: `http://127.0.0.1:8080/`):
```zsh
cargo run -- -u http://target.com/ -p http://127.0.0.1:8080/
```
CLI options summary:
- `-u`, `target`: URL of the target Drupal site (e.g. `http://target.com/`).
- `-c`, `--command`: Command to execute on target (default: `whoami`).
- `-f`, `--function`: PHP function to use as the attack vector (default: `passthru`).
- `-p`, `--proxy`: Optional proxy URL to route requests through.
Example full flow:
1. Poison the `user/password` form, inserting a `#post_render` callback and a `#markup` value containing the command.
2. Parse the response to find `form_build_id` inside `form#user-pass`.
3. POST to `?q=file/ajax/name/#value/<form_build_id>` with the `form_build_id` to trigger rendering and execute the command.
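The two-step flow above (and the request paths listed under Technical Details) leaves a recognisable trace in web-server access logs. The following scanner is an added example for defenders, not part of this tool or of the original PoC: it classifies combined-format log lines as the poison step (a POST to `user/password` whose query string carries `[#...]` render-array keys) or the trigger step (a request to `file/ajax/name/#value/<form_build_id>`, which arrives percent-encoded as `%23value`). The log lines are constructed for the example and use documentation IP addresses; the `form_build_id` value is a placeholder.

```rust
// Added example, not part of the original tool: an access-log scanner that
// flags the two-step CVE-2018-7600 flow described in this README.
// Standard library only. Sample log lines below are constructed.

/// Which step of the exploit chain a request line resembles.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Stage {
    /// POST to user/password whose query string carries `[#...]` render keys
    /// such as `#post_render` or `#markup`.
    Poison,
    /// Request to the `file/ajax/name/#value/<form_build_id>` trigger path.
    Trigger,
}

/// Decode `%XX` escapes so that `%23value` and `#value` compare equal.
/// Invalid or truncated escapes are passed through unchanged.
pub fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok();
            if let Some(v) = hex.and_then(|h| u8::from_str_radix(h, 16).ok()) {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Pull `(METHOD, decoded lower-cased request target)` out of a
/// combined-format log line; the request is the first double-quoted field.
fn request_of(line: &str) -> Option<(String, String)> {
    let request = line.split('"').nth(1)?;
    let mut parts = request.split_whitespace();
    let method = parts.next()?.to_ascii_uppercase();
    let target = percent_decode(parts.next()?).to_ascii_lowercase();
    Some((method, target))
}

/// Classify one log line; `None` means it matches neither step.
pub fn classify(line: &str) -> Option<Stage> {
    let (method, target) = request_of(line)?;
    // Trigger step: the ajax path with a literal `#value` segment. Browsers
    // never send `#` inside a path, so it only shows up percent-encoded.
    if target.contains("file/ajax/name/#value/") {
        return Some(Stage::Trigger);
    }
    // Poison step: password-reset form plus render-array keys in the query
    // string. A bare POST to user/password is ordinary password-reset traffic.
    if method == "POST" && target.contains("user/password") && target.contains("[#") {
        return Some(Stage::Poison);
    }
    None
}

/// Scan lines in order and return `(zero-based line index, stage)` per hit.
pub fn scan<'a>(lines: impl IntoIterator<Item = &'a str>) -> Vec<(usize, Stage)> {
    lines
        .into_iter()
        .enumerate()
        .filter_map(|(i, l)| classify(l).map(|s| (i, s)))
        .collect()
}

/// Constructed sample log (RFC 5737 addresses, placeholder form_build_id).
pub const SAMPLE_LOG: &[&str] = &[
    r#"203.0.113.5 - - [10/Apr/2018:12:00:01 +0000] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23markup]=whoami HTTP/1.1" 200 5123 "-" "python-requests/2.18.4""#,
    r#"203.0.113.5 - - [10/Apr/2018:12:00:02 +0000] "POST /?q=file/ajax/name/%23value/form-EXAMPLEBUILDID HTTP/1.1" 200 87 "-" "python-requests/2.18.4""#,
    r#"198.51.100.7 - - [10/Apr/2018:12:01:10 +0000] "POST /?q=user/password HTTP/1.1" 302 0 "-" "Mozilla/5.0""#,
    r#"198.51.100.7 - - [10/Apr/2018:12:01:12 +0000] "GET /?q=node/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0""#,
];

fn main() {
    for (i, stage) in scan(SAMPLE_LOG.iter().copied()) {
        println!("line {}: {:?}", i + 1, stage);
    }
}
```

Access logs record the query string but not the POST body, so a poison request whose render-array keys travel only in the body leaves no `[#` marker; the `file/ajax/name/#value/` trigger path is therefore the more reliable indicator, and seeing both stages from one source address within seconds is a strong sign of an exploitation attempt rather than a scan.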
## Disclaimer
This tool is for educational and authorized penetration testing purposes only. Use responsibly and only on systems you own or have explicit permission to test.