Drupal 7.31 SQL Injection and EXP getshell: Exploitation Explained

Copyright: Creative Commons Attribution-ShareAlike license (others may create derivative works, but must distribute them under the same license as the original).

0x00

This vulnerability is really powerful. Combined with a fuzzing dictionary, a Drupal sweep should turn up a large number of vulnerable hosts, but running it in batch against other people's sites could be very costly, so I will only write the EXP and not go any deeper.

0x01

The POC and the principle behind the vulnerability have already been explained in earlier articles on my blog; here I focus only on the exploitation process. Starting from the effect of the POC, I approach it mainly from two angles: remote code execution and GetShell.

Remote code execution exploitation:

1. Log in as the super administrator

2. Enable the site's PHP Filter function

3. Create a new article, select PHP_CODE mode (the PHP code editor) and preview

4. The previewed code is executed once the page has loaded

In the EXP this corresponds to the codeExecution function of the DrupalSQLin class; what the function does is automate the process above. Writing this part was fairly laborious: I ran into a problem sending attachments with requests and did not find a more suitable Python module, so in the end I had no choice but to splice the POST packet by hand. Be careful when splicing; if you hit the same problem I recommend referring to the RFC 1867 specification. The spliced structure is as follows:
[image: structure of the spliced multipart POST packet]
When debugging, Burp Suite is a very effective aid: through it you can clearly see the packet format and the content of every field in each interaction.
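To make the RFC 1867 layout mentioned above concrete, here is an added example (not code from the post's EXP) that builds a multipart/form-data body and parses it back, so a hand-spliced POST can be checked locally before anything is sent and compared against what Burp Suite shows. All field names, file names and values in it are constructed sample data.

```python
"""Added example, not code from the post's EXP: build and parse a
multipart/form-data body in the RFC 1867 layout, so that a hand-spliced POST
can be checked locally. All field names, file names and values are constructed
sample data."""
import re
import secrets

CRLF = b"\r\n"
_DISP = re.compile(r'name="([^"]*)"(?:; filename="([^"]*)")?')


def build_multipart(fields, files, boundary=None):
    """Return (Content-Type header value, body bytes).

    fields: {name: str} plain form fields
    files:  {name: (filename, content_bytes, mime_type)} attachments
    Each part is "--boundary" CRLF, its headers, an empty line, the data,
    CRLF; the body ends with "--boundary--" CRLF. The boundary must not occur
    inside any part, so a random one is used unless one is given.
    """
    if boundary is None:
        boundary = "----PyFormBoundary" + secrets.token_hex(8)
    b = boundary.encode()
    out = bytearray()
    for name, value in fields.items():
        out += b"--" + b + CRLF
        out += b'Content-Disposition: form-data; name="%s"' % name.encode() + CRLF
        out += CRLF + str(value).encode() + CRLF
    for name, (filename, content, mime) in files.items():
        out += b"--" + b + CRLF
        out += (b'Content-Disposition: form-data; name="%s"; filename="%s"'
                % (name.encode(), filename.encode())) + CRLF
        out += b"Content-Type: " + mime.encode() + CRLF
        out += CRLF + content + CRLF
    out += b"--" + b + b"--" + CRLF
    return "multipart/form-data; boundary=" + boundary, bytes(out)


def parse_multipart(content_type, body):
    """Minimal parser: {name: data_bytes} or {name: (filename, data_bytes)}.

    Raises ValueError on the defects a hand-spliced packet usually has:
    a missing CRLF after a part or a missing closing boundary.
    """
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delim = b"--" + m.group(1).strip().encode()
    closing = delim + b"--" + CRLF
    if not body.endswith(closing):
        raise ValueError("missing closing boundary")
    parts = body[:-len(closing)].split(delim + CRLF)
    result = {}
    for part in parts[1:]:  # parts[0] is the preamble before the first boundary
        headers, _, data = part.partition(CRLF + CRLF)
        if not data.endswith(CRLF):
            raise ValueError("part data not terminated by CRLF")
        d = _DISP.search(headers.decode())
        if not d:
            raise ValueError("part without a Content-Disposition name")
        name, filename = d.group(1), d.group(2)
        data = data[:-2]
        result[name] = (filename, data) if filename else data
    return result


def is_well_formed(content_type, body):
    """True if the body parses under the rules above."""
    try:
        parse_multipart(content_type, body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample form: two text fields and one small attachment.
    ct, body = build_multipart({"form_id": "sample_form", "title": "hello"},
                               {"files[upload]": ("a.txt", b"sample", "text/plain")})
    print(ct)
    print(body.decode(errors="replace"))
    print(parse_multipart(ct, body))
```

Pass a fixed boundary to build_multipart when you want byte-for-byte comparison with a captured request; is_well_formed is the quick check to run on a packet before sending it through the proxy.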

GetShell exploitation:

1. Log in as the super administrator

2. Enable the site's PHP Filter function

3. Create a new block and edit the PHP code

4. Save it using PHP_CODE

The POST request is constructed as follows:
[image: constructed POST request]
Sending packets from Python has one drawback: it is not intuitive, so we cannot tell whether the packet we built is correct. In that case you can use the proxies parameter of the requests module to point the proxy at Burp Suite and then analyze and debug there. Note, however, that getting a shell via the new-block method may come with relatively low privileges.

When constructing the request packet there are two fields, form_build_id and form_token; they are the tokens Drupal ships with to prevent CSRF (similar to the CSRF protection in Django). Before sending the packet you must obtain these two values, which a small crawler can do.
[image: form_build_id and form_token hidden fields]
Another key point is that after the simulated login the cookie must be saved, because every subsequent exploitation step must carry the admin's cookie; otherwise execution fails.
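Why the cookie has to be carried along follows from how form_token is built. The following is an added example, not Drupal's own code: a Python model of the drupal_get_token() construction in Drupal 7 (HMAC-SHA256 over the form id, keyed with session id, private key and hash salt, base64url-encoded without padding), plus a model of form_build_id as a random key into server-side cached form state. The session ids, private key and salt are constructed sample values.

```python
"""Added example, not Drupal's own code: a model of how Drupal 7 derives
form_token and form_build_id, showing that a token is bound to the session
(cookie) that fetched the form. Session ids, key and salt are constructed."""
import base64
import hashlib
import hmac
import secrets

# Constructed site secrets (in Drupal 7 these come from the variable table
# and settings.php).
PRIVATE_KEY = "constructed-private-key-0123456789abcdef"
HASH_SALT = "constructed-hash-salt-fedcba9876543210"


def drupal_hmac_base64(data: bytes, key: bytes) -> str:
    """base64 of HMAC-SHA256, with '+'/'/' replaced by '-'/'_' and '=' dropped."""
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def form_token(form_id: str, session_id: str,
               private_key: str = PRIVATE_KEY, hash_salt: str = HASH_SALT) -> str:
    """Value Drupal places in the hidden form_token field for this session."""
    key = (session_id + private_key + hash_salt).encode()
    return drupal_hmac_base64(form_id.encode(), key)


def valid_token(token: str, form_id: str, session_id: str,
                private_key: str = PRIVATE_KEY, hash_salt: str = HASH_SALT) -> bool:
    """Server-side check: recompute for the *current* session and compare."""
    expected = form_token(form_id, session_id, private_key, hash_salt)
    return hmac.compare_digest(token, expected)


# Model of the form_build_id cache: the server stores the built form under a
# random id and rejects submissions whose id it has never handed out.
FORM_CACHE = {}


def new_form_build_id(form_id: str) -> str:
    build_id = "form-" + secrets.token_urlsafe(32)
    FORM_CACHE[build_id] = {"form_id": form_id}
    return build_id


def valid_build_id(build_id: str, form_id: str) -> bool:
    return FORM_CACHE.get(build_id, {}).get("form_id") == form_id


def demo() -> dict:
    """A token fetched in one session is rejected when replayed from another."""
    admin_session = "constructed-admin-session-id"
    other_session = "constructed-fresh-session-id"
    fid = "block_add_block_form"
    token = form_token(fid, admin_session)
    build_id = new_form_build_id(fid)
    return {
        "token_len": len(token),
        "same_session": valid_token(token, fid, admin_session),
        "other_session": valid_token(token, fid, other_session),
        "other_form": valid_token(token, "article_node_form", admin_session),
        "build_id_ok": valid_build_id(build_id, fid),
        "build_id_unknown": valid_build_id("form-unknown", fid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model explains both observations in the post: the token is only valid together with the cookie of the session that fetched the form, and form_build_id is only valid if the server still has that build cached, so neither value can be reused across sessions or guessed.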

0x02

Effect of the command execution: listen on a local port and receive a reverse shell

Test environment: local test

Program execution: shown below
[image: program execution]
Since the reverse shell is built on sockets, a side that has not completed the exchange blocks; here that shows up as the main thread blocking while the reverse shell is being received.

The resulting reverse shell:
[image: reverse shell output]
0x03

This vulnerability is powerful and does great damage to the target host; it also involves overwriting users and changing the site's original settings.

Exploiting it covertly would require a lot of auxiliary work. For example, enabling the php filter involves a small crawler that fetches the site's original configuration first. The way the administrator account is obtained could also be improved, for example by adding the user to the administrator role after inserting it; I have not tested this myself, but it is feasible.
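The flip side of the damage described above is that every step leaves traces in the Drupal database. The following is an added example, not from the post: a defender-side audit of a Drupal 7 database for exactly those traces, i.e. the PHP filter module switched on, nodes or custom blocks saved in the php_code text format, and accounts holding the administrator role (new ones in particular). The tables and columns are a minimal subset of the real Drupal 7 schema, the rows are constructed sample data, and it assumes the administrator role is named 'administrator' and the site uses no table prefix.

```python
"""Added example, not from the post: audit a Drupal 7 database for the traces
the exploitation path leaves behind. Tables/columns are a minimal subset of
the real Drupal 7 schema; the rows are constructed sample data."""
import sqlite3

SCHEMA = """
CREATE TABLE system (name TEXT, type TEXT, status INTEGER);
CREATE TABLE filter_format (format TEXT, name TEXT, status INTEGER);
CREATE TABLE node (nid INTEGER, title TEXT, uid INTEGER, created INTEGER);
CREATE TABLE field_data_body (entity_type TEXT, entity_id INTEGER,
                              body_value TEXT, body_format TEXT);
CREATE TABLE block_custom (bid INTEGER, body TEXT, info TEXT, format TEXT);
CREATE TABLE users (uid INTEGER, name TEXT, created INTEGER, status INTEGER);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
CREATE TABLE role (rid INTEGER, name TEXT);
"""

# Constructed sample rows: one clean node, one php_code node, one php_code
# block, the original admin and a freshly created second administrator.
SAMPLE = """
INSERT INTO system VALUES ('node', 'module', 1), ('php', 'module', 1);
INSERT INTO filter_format VALUES ('filtered_html', 'Filtered HTML', 1),
                                 ('php_code', 'PHP code', 1);
INSERT INTO node VALUES (1, 'Welcome', 1, 1500000000), (2, 'test', 7, 1560400000);
INSERT INTO field_data_body VALUES ('node', 1, '<p>Hello</p>', 'filtered_html'),
                                   ('node', 2, '<?php echo 1; ?>', 'php_code');
INSERT INTO block_custom VALUES (1, '<?php echo 1; ?>', 'untitled', 'php_code'),
                                (2, '<p>footer</p>', 'footer', 'filtered_html');
INSERT INTO users VALUES (1, 'admin', 1500000000, 1), (7, 'owned', 1560399990, 1);
INSERT INTO users_roles VALUES (1, 3), (7, 3);
INSERT INTO role VALUES (1, 'anonymous user'), (2, 'authenticated user'),
                        (3, 'administrator');
"""


def open_sample_db():
    """In-memory database populated with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE)
    return con


def php_filter_enabled(con) -> bool:
    """The PHP filter module's machine name in the system table is 'php'."""
    row = con.execute(
        "SELECT status FROM system WHERE type = 'module' AND name = 'php'").fetchone()
    return bool(row and row[0])


def php_code_content(con) -> dict:
    """Nodes and custom blocks whose body is stored in the php_code format."""
    nodes = con.execute(
        "SELECT n.nid, n.title FROM node n "
        "JOIN field_data_body b ON b.entity_type = 'node' AND b.entity_id = n.nid "
        "WHERE b.body_format = 'php_code' ORDER BY n.nid").fetchall()
    blocks = con.execute(
        "SELECT bid, info FROM block_custom WHERE format = 'php_code' "
        "ORDER BY bid").fetchall()
    return {"nodes": nodes, "blocks": blocks}


def administrators(con, since: int = 0) -> list:
    """Accounts with the administrator role created at or after `since`."""
    return con.execute(
        "SELECT u.uid, u.name, u.created FROM users u "
        "JOIN users_roles ur ON ur.uid = u.uid JOIN role r ON r.rid = ur.rid "
        "WHERE r.name = 'administrator' AND u.created >= ? ORDER BY u.uid",
        (since,)).fetchall()


def audit(con, since: int = 0) -> list:
    """Human-readable findings; `since` narrows the admin check to new accounts."""
    findings = []
    if php_filter_enabled(con):
        findings.append("PHP filter module is enabled (system.name = 'php')")
    content = php_code_content(con)
    for nid, title in content["nodes"]:
        findings.append(f"node {nid} ({title!r}) body uses the php_code format")
    for bid, info in content["blocks"]:
        findings.append(f"custom block {bid} ({info!r}) uses the php_code format")
    for uid, name, created in administrators(con, since):
        findings.append(f"administrator account uid={uid} name={name!r} created={created}")
    return findings


if __name__ == "__main__":
    db = open_sample_db()
    for line in audit(db, since=1560000000):
        print(line)
```

Against a real site, point the same queries at the live database (adding the table prefix from settings.php if one is configured) and set `since` to the last known-good time; on a clean Drupal 7 install the PHP filter module is disabled and no content should use php_code.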

Next, the code for the key parts:

Simulated login function:
[image: simulated login function]
Enabling PHP Filter:
[image: enabling PHP Filter]
Code execution:
[image: code execution]
0x04

Writing this web EXP really did not go smoothly, because many details have to be handled: simulated login, encoding, the CSRF token, and even hand-splicing the POST attachment, which is not impossible but is tedious.

For this exploit there is in fact another route: use Drupal's callback mechanism, using the SQL injection to insert a well-crafted data structure into the menu_router table, which ultimately yields RCE, a fancier getshell. For reasons of space I will not analyze it here.

Finally, the harm this EXP can do to a site is relatively large (it may overwrite user names and change the structure of the site), so I have written it purely for everyone to learn from and share, with the focus on the process; it is not to be used for illegal purposes.


Source: blog.csdn.net/kclax/article/details/92120976