Add NSE script for detecting & exploiting CVE-2014-3704 #226

Closed
wants to merge 5 commits into
from


4 participants

@mzet-
mzet- commented Oct 14, 2015

Overview

The following script detects & exploits the CVE-2014-3704 vulnerability (pre-auth SQL injection) in Drupal core.

Running the script

Running the script:

    nmap -P0 -p80 -n --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" 192.168.1.1

where the 'cmd' parameter is the shell command to execute and 'uri' is the path to your Drupal installation.

@jkryanchou

👍

@dmiller-nmap

This looks cool! I'll be doing a bit more testing, but my first question is regarding the password hash: it looks like you always generate a hash of the empty string. Is there a reason for this? If it has to be empty/blank, then it would be better to just include the hash literal (constant salt) to avoid doing all the extra computation. On the other hand, maybe we should expose the password to the user and let them set whatever password they want. Either way, the choice should be documented.

Excited to get this merged soon!

@mzet-
mzet- commented Nov 14, 2015

Hi,

The hash is not blank: the password is chosen at random and then the hash is generated. Please see lines 181 & 182 in the do_sql_query function:

passwd = stdnse.generate_random_string(10)
passHash = gen_passwd_hash(passwd)

Then passHash is used to construct sql query:

sql_user = url.escape("insert into users (uid,name,pass,mail,status) select max(uid)+1,'" .. user .. "','" .. passHash .. "','" .. email .. "',1 from users;")
@bonsaiviking bonsaiviking committed 393f935: Some code cleanup, whitespace, vars

See https://secwiki.org/w/Nmap/Code_Standards for helpful tools to check
for these issues.

Minor code changes:
* replaced a chain of string.char(string.byte()) with string.sub.
* Initialized a few tables inline instead of subsequent index assignments
@dmiller-nmap

@mzet- I opened a pull request on your branch for some changes that I would like to make before committing this. If you can make sure I did not break anything, I'll be able to get this merged right away. Thanks!

@mzet-
mzet- commented Nov 18, 2015

Daniel,

Thanks for cleanups. I also did some additional cleanups and testing.

@mzet-
mzet- commented Nov 22, 2015

@dmiller-nmap

Script is ready for merging.

@mzet-
mzet- commented Dec 11, 2015

@dmiller-nmap

Is there anything in the script that prevents you from accepting this PR?

@dmiller-nmap

@mzet- I've been involved in the OS X installer issue for a while, but getting back to working through PRs. I'll make this my first priority, thanks for the reminder.

@nmap-bot nmap-bot closed this in bb07040 Dec 14, 2015
@qha qha added a commit to qha/nmap that referenced this pull request Dec 16, 2015
@bonsaiviking @qha bonsaiviking + qha Add http-vuln-cve2014-3704 'Drupalgeddon'. Closes #226 fb988ff