POC details: 9123160c21a5e9f9ef77d3541c45bb11c189397a

Source
Related vulnerability
Title: Drupal input validation error vulnerability (CVE-2019-6340)
Description: Drupal is an open-source content management system developed in PHP by the Drupal community. Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 contain an input validation vulnerability, caused by some field types not properly sanitizing data. A remote attacker can exploit this vulnerability to execute code.
Introduction
# Research

CVE 2019-6340


- The site has the Drupal 8 core RESTful API Services module enabled and allows users to send GET, PATCH or POST requests to the server.

  (A GET request is enough to trigger the code execution vulnerability even when the PATCH method is disabled.)

- Alternatively, the site has any other web services module enabled, such as JSON:API in Drupal 8 or REST services in Drupal 7.


REQUIREMENTS FOR POC

- DOCKER.IO
- DRUPAL 8.6.9
- MYSQL 5.7

```shell
# MySQL 5.7 database container
docker run -d --name mysqldb -e MYSQL_ROOT_PASSWORD=password mysql:5.7

# Drupal 8.6.9 container, linked to the database and exposed on host port 8090
# (environment variables are passed as KEY=value, not KEY:value)
docker run -d --name drupal --link mysqldb -p 8090:80 -e MY_SQL_USER=root -e MY_SQL_PASSWORD=password drupal:8.6.9
```


exp run command

```shell
python3 exp.py http://Ip_of_drupal_container:port_assigned(if)// "command_to_execute"
```

example:

```shell
python3 exp.py http://127.0.0.1:8090/ "hostname -I"
```



EXP ANALYSIS

Guzzle is a PHP HTTP client that makes it easy to send HTTP requests and trivial to integrate with web services; the exploit uses it to send a malicious request to Drupal-based websites. If we analyse the Guzzle script inside the exploit code (exp.py), we can see that a "command" placeholder string is replaced with the command passed at runtime (e.g. hostname -I).
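From the defender's side, the request shape described above (a GET or PATCH to an existing node's REST endpoint whose body carries a serialized Guzzle object) is what a log-based detector should look for; the following is an added example, not part of the PoC or of Drupal. It assumes request records that include the body, as a reverse proxy or WAF would log them, and the `_format=hal_json` query parameter and the `GuzzleHttp\Psr7\FnStream` class name are taken from public signatures for this CVE, not from this page.

```python
import re

# Constructed sample of reverse-proxy request records (not real traffic).
# Bodies are included because the PoC's GET request carries a body, which an
# ordinary access log would not show.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "GET", "path": "/node/1", "query": "_format=hal_json",
     "body": '{"link":[{"value":"link","options":"O:24:\\"GuzzleHttp\\\\Psr7\\\\FnStream\\":2:{...}"}]}'},
    {"src": "10.0.0.7", "method": "GET", "path": "/node/2", "query": "_format=hal_json", "body": ""},
    {"src": "10.0.0.9", "method": "PATCH", "path": "/node/3", "query": "_format=hal_json",
     "body": '{"title":[{"value":"renamed"}]}'},
    {"src": "10.0.0.11", "method": "GET", "path": "/user/login", "query": "", "body": ""},
]

# The PoC targets existing nodes, so the path is /node/<id>.
NODE_PATH = re.compile(r"^/node/\d+$")
# Serialized PHP object header naming a Guzzle class, e.g. O:24:"GuzzleHttp\Psr7\FnStream"
# (the quote and backslashes may be JSON-escaped inside the body).
GUZZLE_GADGET = re.compile(r'O:\d+:\\?"GuzzleHttp\\')


def classify(record):
    """Return the names of the detection rules that fire for one request record."""
    hits = []
    body = record.get("body", "")
    is_hal_node = bool(NODE_PATH.match(record["path"])) and "_format=hal_json" in record["query"]
    if is_hal_node and record["method"] == "GET" and body:
        # A GET to a HAL REST endpoint has no reason to carry a body; the PoC's GET does.
        hits.append("hal_get_with_body")
    if GUZZLE_GADGET.search(body):
        # A serialized Guzzle object in any request body is the deserialization gadget.
        hits.append("serialized_guzzle_object")
    return hits


def scan(records):
    """Map each source address with at least one hit to the rules it triggered."""
    findings = {}
    for rec in records:
        hits = classify(rec)
        if hits:
            findings.setdefault(rec["src"], []).extend(hits)
    return findings
```

The real fix is the upgrade to 8.5.11 / 8.6.10 named in the description; the detector only helps spot attempts against instances that have not been patched yet.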


![exp](https://user-images.githubusercontent.com/126046383/220545661-f192137f-6c08-4e77-9017-632f9b21e705.png)

When we run the exp command, it first looks for an existing node, so we have to create some nodes on the website first; basically, you have to add some content to the site.

![drupal](https://user-images.githubusercontent.com/126046383/220547340-5bfe3bee-4d7a-4184-a981-6252b731a87f.png)

It will not access any node twice. Suppose you have added 5 nodes: after running the exploit 5 times you have to update your nodes. Simply go to Content and apply any action to the nodes.


REQUEST AND RESPONSE 


![req](https://user-images.githubusercontent.com/126046383/220545688-a1b02910-28e3-4eba-9a87-a8df1f8fde56.png)



![res](https://user-images.githubusercontent.com/126046383/220539690-8682df02-f209-4fb3-9176-76514367cb6a.png)
File snapshot

```
[4.0K] /data/pocs/9123160c21a5e9f9ef77d3541c45bb11c189397a
├── [4.9K] exp.py
├── [2.0K] README.md
└── [4.0K] req_res
    ├── [ 61K] req.png
    └── [107K] res.png

1 directory, 4 files
```

The Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the original source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.