dreadlocked / Drupalgeddon2

Exploit for Drupal v7.x + v8.x (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)

Failing to read CHANGELOG.txt (HTTP 405 - GET vs POST) #21

Closed 0xQwip closed 6 years ago

0xQwip commented 6 years ago

Hi

After the recent update, the script is failing to identify the version of Drupal.

[!] MISSING: https://example.com/CHANGELOG.txt (405)

But when in fact the https://example.com/CHANGELOG.txt file is present and also gives HTTP 200.

0xQwip commented 6 years ago

Closing this issue because before me someone else created an issue for the same bug.

0xQwip commented 6 years ago

Reopening the issue because the other earlier issue for the same bug is now closed by the user.

g0tmi1k commented 6 years ago

405 Method Not Allowed

Guessing there is a WAF or some type of protection on the target.

The PoC isn't designed to bypass them out of the box (nor will it ever be). You will need to enum and tweak it to match the environment. There are places in the script to do so (can't say which as it depends on the target's setup!)

0xQwip commented 6 years ago

Hi @g0tmi1k

I don't think there is some type of WAF blocking that because I have tried drupalgeddon2.rb on https://[REDACTED].com/ and it failed to retrieve https://[REDACTED].com/CHANGELOG.txt, but then I have tried to retrieve the same file with Python Requests and it worked. Below is the output of it:

```
$ python
Python 2.7.12 (default, Dec 4 2017, 14:50:18)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get("https://[REDACTED].com/CHANGELOG.txt")
>>> print r
<Response [200]>
>>> r.text
u'\nDrupal 7.31, 2014-08-06\ [......................................................................................................................
```

g0tmi1k commented 6 years ago

@0xQwip If that's the case, then it's def a WAF ;)

The only thing I will say on the matter: pipe the requests through a proxy and see what is different between the two. Because there is one key thing (cough *user-agent* cough).

0xQwip commented 6 years ago

@g0tmi1k, :joy: I can confirm it is not a WAF.

I have piped the requests through Burp, and the requests to https://[REDACTED].com/CHANGELOG.txt and also to ~/core/CHANGELOG.txt, ~/includes/bootstrap.inc and /core/includes/bootstrap.inc are POST requests (https://imgur.com/rtUgk99), and that is the reason it is failing to retrieve the respective files. When I changed it to GET in Burp it worked fine without changing anything else (not even user-agent :wink: ). (https://imgur.com/vQv8d1Q)

g0tmi1k commented 6 years ago

I stand corrected then! Will fix this :)
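The root cause settled on above is a verb mismatch: the version-fingerprint step sent POST for a static file, and a server that only allows GET on static content answers 405, which the script then misread as "file missing". The following Ruby snippet is an added, self-contained reproduction of that behaviour; it is not code from the Drupalgeddon2 repository. It starts a local stub HTTP server (constructed for this example, with a made-up CHANGELOG.txt body) that answers GET /CHANGELOG.txt with 200, any POST with 405 and everything else with 404, then probes it the way a fingerprint check should: 405 is reported as "method rejected", distinct from 404 "missing", so a site operator checking whether CHANGELOG.txt is still exposed (Drupal hardening guidance is to remove it) does not get a false negative. The names `start_stub_server`, `probe` and `drupal_version` are this example's own.

```ruby
require 'socket'
require 'net/http'
require 'uri'

# Constructed stand-in for a CHANGELOG.txt body; not taken from any real site.
CHANGELOG_BODY = "\nDrupal 7.31, 2014-08-06\n-----------------------\n- Fixed security issues.\n".freeze

# Minimal single-threaded HTTP stub on 127.0.0.1: GET /CHANGELOG.txt => 200 + body,
# any POST => 405 (static files are GET-only), anything else => 404.
# Returns the ephemeral port it listens on; the thread dies with the process.
def start_stub_server
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  Thread.new do
    loop do
      client = server.accept
      request_line = client.gets
      if request_line.nil?
        client.close
        next
      end
      method, path, = request_line.split
      # Drain headers and any request body so the client never sees a reset.
      content_length = 0
      while (line = client.gets) && line != "\r\n"
        content_length = line.split(':', 2)[1].to_i if line =~ /\Acontent-length:/i
      end
      client.read(content_length) if content_length > 0
      status, body =
        if method == 'POST'
          ['405 Method Not Allowed', '']
        elsif method == 'GET' && path == '/CHANGELOG.txt'
          ['200 OK', CHANGELOG_BODY]
        else
          ['404 Not Found', '']
        end
      client.write "HTTP/1.1 #{status}\r\nContent-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
      client.close
    end
  end
  port
end

# Fetch one path with the chosen verb and classify the outcome. The key point:
# 405 means the verb was rejected and says nothing about whether the file exists,
# so it must not be folded into "missing" (which is what produced the false MISSING report).
def probe(base_url, path, method: :get)
  uri = URI.join(base_url, path)
  req = method == :post ? Net::HTTP::Post.new(uri) : Net::HTTP::Get.new(uri)
  req.body = '' if method == :post
  req['Content-Type'] = 'text/plain' if method == :post
  res = Net::HTTP.start(uri.host, uri.port) { |http| http.request(req) }
  case res.code
  when '200' then { status: 200, verdict: :present, body: res.body }
  when '404' then { status: 404, verdict: :missing, body: nil }
  when '405' then { status: 405, verdict: :method_not_allowed, body: nil }
  else            { status: res.code.to_i, verdict: :unknown, body: nil }
  end
end

# Pull the "Drupal X.Y" version string out of a CHANGELOG.txt body, nil if absent.
def drupal_version(body)
  body && body[/^Drupal (\d+\.\d+)/, 1]
end

if $PROGRAM_NAME == __FILE__
  base = "http://127.0.0.1:#{start_stub_server}/"
  %i[post get].each do |verb|
    r = probe(base, 'CHANGELOG.txt', method: verb)
    puts "#{verb.to_s.upcase} /CHANGELOG.txt -> #{r[:status]} (#{r[:verdict]}) version=#{drupal_version(r[:body]).inspect}"
  end
end
```

Run it and the POST probe comes back 405 / method_not_allowed while the GET probe returns 200 with version 7.31 from the same path, which is exactly the difference seen in Burp above. On a real deployment, a 200 from the GET probe is the finding an operator cares about: the changelog is publicly readable and should be removed or blocked.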