- An attacker could call a Drupal Form API Ajax Request containing the call_user_func auto do function
- Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
-
In this lab, I use:
- Ubuntu 20.04( PHP 7.2, MariaDB )
- The Drupal version I use in this lab is 8.3.8
- Visual Studio Code for debugging
- Kali 23.4 for running exploit Drupal
- We find the keys that use call_user_func are #pre_render, #post_render, #access_callback, #submit, #lazy_builder, #validate
- The task now is to find which param the user submitted has a render, can change the key, and receive the #post_render key, to call it out.
- When resizing the picture server call drupal API
- The &$array function included here is the array of default elements when sent, let's try debugging without code:
- Suppose you modify the value of mail when uploading:
- When calling the getValue($array, $parents) method, the process is as follows:
$ref prohibits references to $array.
First loop: $ref reference to $array['a'].
Second of the loop: $ref reference to $array['a']['b'].
Third of the loop: $ref reference to $array['a']['b']['c'].
The end result, $ref will be referenced to the value 42.
$array = [
'a' => [
'b' => [
'c' => 42
]
]
];
$parents = ['a', 'b', 'c'];
- After receiving $form value from func getValue. $form will become an argument for the Render function
- The definition of call_user_func
- The result when I use file exploit:
- Patch ** Drupal developers have published a patch, adding a RequestSanitizer class with a stripDangerousValues method to remove all input elements of the array whose keys begin with “#”. This method cleans input in $_GET, $_POST, and $_COOKIES.
** Drupal 8.6.5
/core/lib/Drupal/Core/DrupalKernel.php
/core/lib/Drupal/Core/Security/RequestSanitizer.php
** The stripDangerousValues function verifies all the input parameters one by one, the first elements of the input array have a value starting with “#” and the values not whitelisted are removed.