Drupal 7.31 SQL injection getshell exploit detailed and EXP-vulnerability warning-the black bar safety net

2014-10-28T00:00:00
ID MYHACK58:62201455122
Type myhack58
Reporter 佚名
Modified 2014-10-28T00:00:00

Description

0x00

This vulnerability might indeed be great, and Drupal used more also, using Fuzzing to run the dictionary should be swept out of the many vulnerabilities of the host, but do the bulk may be on the other site cause a lot of loss, so I will just write a Exp is no longer deep down.

0x01

On the vulnerability of the principles and POC on my blog has articles to explain, here are just focus on the way the use of the process. With POC's effect, I mainly from remote code execution and GetShell aspect to do use.

Remote code execution:

  1. Use the super administrator login

  2. Open site PHP Filter functionality

  3. New aticle, select PHP_CODE mode to edit the php code and preview

  4. The preview page is loaded it will execute the code

Corresponding to EXP in DrupalSQLin class codeExecution Function, This function do is to put the above-described process automation. I write this part more strenuous, the requests sent attachment has encountered a problem, did not find the comparison appropriate Python module, and finally there is no way on their own to Post data bag stitching, stitching when to be careful, recommends encounter the same problem of friends refer to the RFC1867 Protocol Specification, the splicing structure is as follows:

! 1

In the debugger, use the burpsuite assisted very effectually, by burpsuite and you can clearly see every interaction of the data package format and contents of the field.

GetShell use:

  • Use the super administrator login
  • Open the website of the PHP Filter functions
  • Create a new block, edit the PHP code
  • Use PHP_CODE be saved

The Post request is constructed as follows:

! 2

Using python to contract, there is a drawback is not intuitive, we can not know our packet structure is correct, this time you can use the requests module to the proxies parameter, the proxy settings for burpsuite, and then you can analyze the Debug. However, using the new block method to get the shell possible permissions is relatively small.

In the configuration of a request packet, there are two fields is the form_build_id and form_token, they are Drupal comes with the To prevent CSRF is the use of a token-similar to Django the csrf protection on. The developer must find these two things, the use of small reptiles can be.

! 3

There is also a key point is to simulate after landing to save the cookie, because the follow-up attack using to carry the admin cookie, otherwise it will perform the error.

0x02

Command execution effect: the local listening port get the bounce of the shell

Test environment: local test

Program execution: the following figure

! 4

Due to the bounce of the shell of the base is a socket, so the communication is double no completion of the communication will be blocking occurs, where the performance is to receive the bounce of the shell's process main thread will be blocked.

Bounce out of the shell effects:

! 5

0x03

This vulnerability might large, to bring the other host of the harm is also large, and involves the user to override and change the site of the original set of problems.

If you want to covert use, then you need to do a lot of auxiliary work, such as in turn on the php filter in the process, relates to the small crawlers to crawl the website, the original configuration information. There is the administrator of the access way improvements, such as inserting a user after the user is added to administrator privileges, this itself I have not tested, but is feasible.

The next step is to release key parts of the code:

Analog log function

! 6

Turn on PHP Filter:

! 7

Code execution:

! 8

0x04

To this on the Web exp write-up really is not too smooth, because you want to deal with a lot of details, such as a simulated landing, the CAPTCHA and csrf token, and even freehand stitching POST attachment is not possible.

About this exploit, in fact, there is a method, is to use a Drupal callback mechanism, the use of SQL Injection in the menu_router table, insert some of the constructed data, with the final configuration of the RCE, then that is all kinds of fancy getshell. Due to limited space, I here is not analysis.

Finally, the EXP of the site constitutes harm is relatively large covering a username and it is possible to change the site structure, so it is just written out for everyone to learn the exchange of use, the focus is on process, do not used for illegal purposes.