Drupal 7.x Services Module SQLi & RCE vulnerability analysis and EXP - vulnerability warning - the black bar safety net

2017-04-12T00:00:00
ID MYHACK58:62201785171
Type myhack58
Reporter Anonymous
Modified 2017-04-12T00:00:00

Description

Drupal 7.x Services Module SQLi & RCE

While auditing the Drupal Services module, an insecure call to the unserialize() function was found. The vulnerability can lead to privilege escalation, SQL injection and remote code execution.

0x00 Services Module

In Drupal, the Services module provides an API that exposes service interfaces to external programs. As a base layer it lets any client send and retrieve data in various formats over SOAP, REST or XML-RPC. It is among the 150 most used Drupal modules, with roughly 45,000 sites running it.

The Services module lets you create different endpoints and configure different resources on each endpoint, so that a custom API can exchange data with the site. For example, /user/login can be accessed not only through JSON but also through XML.

Request packet:

POST /drupal-7.54/my_rest_endpoint/user/login HTTP/1.1
Host: vmweb.lan
Accept: application/json
Content-Type: application/json
Content-Length: 45
Connection: close

{"username": "admin", "password": "password"}

Response packet:

HTTP/1.1 200 OK
Date: Thu, 02 Mar 2017 13:58:02 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Vary: Accept
Set-Cookie: SESSaad41d4de9fd30ccb65f8ea9e4162d52=AmKl694c3hR6tqSXXwSKC2m4v9gd-jqnu7zIdpcTGVw; expires=Sat, 25-Mar-2017 17:31:22 GMT; Max-Age=2000000; path=/; domain=.vmweb.lan; HttpOnly
Content-Length: 635
Connection: close
Content-Type: application/json

{"sessid":"AmKl694c3hR6tqSXXwSKC2m4v9gd-jqnu7zIdpcTGVw","session_name":"SESSaad41d4de9fd30ccb65f8ea9e4162d52","token":"8TSDrnyPQ3J9VI8G1dtNwc6BAQ_ORp3Ok_vsrdkht00","user":{"uid":"1","name":"admin","mail":"admin@vmweb.lan","theme":"","signature":"","signature_format":null,"created":"1487348324","access":"1488463053","login":1488463082,"status":"1","timezone":"Europe/Berlin","language": "","picture":null,"init":"admin@vmweb.lan","data":false,"roles":{"2":"authenticated user","3":"administrator"},"rdf_mapping":{"rdftype":["sioc:UserAccount"],"name":{"predicates":["foaf:name"]},"homepage":{"predicates":["foaf:page"],"type":"rel"}}}}

0x01 Vulnerability

The Services module lets the input and output format be selected by changing the Content-Type and Accept HTTP headers. By default the following formats are allowed:

  • application/xml
  • application/json
  • multipart/form-data
  • application/vnd.php.serialized

For most people the last format is unfamiliar: it is PHP serialized data. A test using it looks as follows:

Request packet:

POST /drupal-7.54/my_rest_endpoint/user/login HTTP/1.1
Host: vmweb.lan
Accept: application/json
Content-Type: application/vnd.php.serialized
Content-Length: 45
Connection: close

a:2:{s:8:"username";s:5:"admin";s:8:"password";s:8:"password";}

Response packet:

HTTP/1.1 200 OK
Date: Thu, 02 Mar 2017 14:29:54 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Vary: Accept
Set-Cookie: SESSaad41d4de9fd30ccb65f8ea9e4162d52=ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbe9k6y_dgu_i; expires=Sat, 25-Mar-2017 18:03:14 GMT; Max-Age=2000000; path=/; domain=.vmweb.lan; HttpOnly
Content-Length: 635
Connection: close
Content-Type: application/json

{"sessid":"ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbe9k6y_dgu_i","session_name":"SESSaad41d4de9fd30ccb65f8ea9e4162d52","token":"2tFysvDt1POl7jjJJSCRO7sL1rvlrnqtrik6gljggo4","user":{"uid":"1","name":"admin","mail":"admin@vmweb.lan","theme":"","signature":"","signature_format":null,"created":"1487348324","access":"1488464867","login":1488464994,"status":"1","timezone":"Europe/Berlin","language": "","picture":null,"init":"admin@vmweb.lan","data":false,"roles":{"2":"authenticated user","3":"administrator"},"rdf_mapping":{"rdftype":["sioc:UserAccount"],"name":{"predicates":["foaf:name"]},"homepage":{"predicates":["foaf:page"],"type":"rel"}}}}

Looking at the source code confirms a well-hidden deserialization vulnerability (services/servers/rest_server/includes/ServicesParser.inc).
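As an added example (not code from the original post or from the Services module itself), here is a defender-side parser for the application/vnd.php.serialized format the module accepts: it decodes only scalars and arrays and refuses object tokens, which is the gate a request body needs to pass before it is ever handed to unserialize(). The function names and the object sample body are my own; the login body is the one from the request above.

```python
class UnsafeSerializedInput(ValueError):
    pass  # raised for object tokens (O:/C:) or malformed input

def php_unserialize_safe(data: bytes):
    """Decode PHP serialize() output, allowing only scalars and arrays."""
    pos = 0
    def parse():
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag in (b"O", b"C"):               # objects: refuse outright
            raise UnsafeSerializedInput(f"object token at offset {pos}")
        if tag == b"N":                       # N;
            pos += 2
            return None
        if tag in (b"i", b"d", b"b"):         # i:42;  d:1.5;  b:1;
            end = data.index(b";", pos)
            raw = data[pos + 2:end].decode()
            pos = end + 1
            return int(raw) if tag == b"i" else float(raw) if tag == b"d" else raw == "1"
        if tag == b"s":                       # s:5:"admin";  (length-prefixed, any bytes)
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                 # skip ':"'
            pos = start + length + 2          # skip closing '";'
            return data[start:start + length].decode("utf-8", "replace")
        if tag == b"a":                       # a:2:{key;value;...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                   # skip ':{'
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                          # skip '}'
            return result
        raise UnsafeSerializedInput(f"unknown token {tag!r} at offset {pos}")

    value = parse()
    if pos != len(data):
        raise UnsafeSerializedInput("trailing bytes after value")
    return value

def is_safe_payload(data: bytes) -> bool:
    """Gate to run before handing a vnd.php.serialized body to unserialize()."""
    try:
        php_unserialize_safe(data)
        return True
    except (ValueError, IndexError):          # UnsafeSerializedInput is a ValueError
        return False
```

The same check can be expressed in PHP 7+ by calling unserialize($body, ['allowed_classes' => false]), which turns any object in the input into __PHP_Incomplete_Class instead of instantiating it.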
