dreadlocked / Drupalgeddon2

Exploit for Drupal v7.x + v8.x (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)

Strange behavior with Drupal 7.34 #40

Closed leo72 closed 6 years ago

leo72 commented 6 years ago

Hi dear. I have a target site with an old Drupal 7. I was sure your script would do its work, but please see the output below. Can you help?

[*] --==[::#Drupalggedon2::]==--

[i] Target : http://www.[sitename].com/

[+] Found : http://www.[sitename].com/CHANGELOG.txt (HTTP Response: 200)

[+] Drupal!: v7.34

[*] Testing: Code Execution

[i] Payload: echo VXAPFBDO

[!] WARNING: Didn't detect form_build_id

[!] Target is NOT exploitable ~ HTTP Response: 302

dreadlocked commented 6 years ago

Usually, the target doesn't allow users to access /user/password, /user/register, /?q=user/password or /?q=user/register.

Verify if this is the case; otherwise, please notify.

leo72 commented 6 years ago

Target is accessible https://user/password

On Sun, May 13, 2018 at 11:35 PM Dreadlocked notifications@github.com wrote:

> Usually, the target doesn't allow users to access /user/password, /user/register, /?q=user/password or /?q=user/register.
>
> Verify if this is the case; otherwise, please notify.


-- Lev Ananikyan

dreadlocked commented 6 years ago

form_build_id is accessible. However, check that you are being redirected to index.php?q=user/password.

You can use drupalgeddon2-customizable-beta.rb instead of the original one, as this allows you to modify some parameters as you like.

EDIT: user/password form has a captcha.

leo72 commented 6 years ago

Thank you very much. How difficult will it be for you to modify the parameters in the file and send it to me? Thanks in advance.

On Mon, May 14, 2018 at 3:05 AM Dreadlocked notifications@github.com wrote:

> form_build_id is accessible. However, check that you are being redirected to index.php?q=user/password.
>
> You can use drupalgeddon2-customizable-beta.rb instead of the original one, as this allows you to modify some parameters as you like.


-- Lev Ananikyan