Which version of drupal do you test? #4

Open
exeeee opened this issue Apr 13, 2018 · 13 comments
Comments

exeeee commented Apr 13, 2018

Which version of Drupal do you test?
It does not work for me.
Drupal version 7.51 and 8.33.

RicterZ commented Apr 13, 2018

Worked on 8.5.0 and 8.4.5 as far as I tested.


xuxuedong commented Apr 13, 2018 via email

AlbinoDrought commented Apr 13, 2018

I'm also having issues running the exploit.py payload from the repo.

Running the netcat reverse shell still works fine for me though: https://gist.github.com/AlbinoDrought/2854ca1b2a9a4f33ca87581cf1e1fdd4


The error I'm getting while running the script is:

--2018-04-13 06:18:04--  https://gist.githubusercontent.com/a2u/66680e1f4abac79d654424ffdb1b410d/raw/d417bbfa8137a1ef53124522a87b1ad1d2b8ec96/hello.txt
Resolving gist.githubusercontent.com... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to gist.githubusercontent.com|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3 [text/plain]
hello.txt: Permission denied

Cannot write to 'hello.txt' (Invalid argument).

In the docker4drupal php container, I seem to have write access to autoload.php, not sure what else.

Owner

a2u commented Apr 13, 2018

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
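
The ranges listed in the comment above, turned into a patch-level check that can be run over an inventory of Drupal versions. This is an added example, not part of the thread or of the repository's code; the function names and the sample version list are constructed for illustration.

```python
import re

def parse_version(text):
    """Return a tuple of ints, or None for strings such as '8.6.x' or '8.5.0-rc1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        return None
    return tuple(int(part) for part in m.groups() if part is not None)

def first_fixed(version):
    """First fixed release for the version's branch, per the ranges quoted above."""
    major, minor = version[0], version[1]
    if major <= 7:
        return (7, 58)        # "Drupal before 7.58"
    if major == 8 and minor <= 3:
        return (8, 3, 9)      # "8.x before 8.3.9"
    if major == 8 and minor == 4:
        return (8, 4, 6)      # "8.4.x before 8.4.6"
    if major == 8 and minor == 5:
        return (8, 5, 1)      # "8.5.x before 8.5.1"
    return None               # branch not covered by the quoted ranges

def classify(text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for a version string."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    fixed = first_fixed(version)
    if fixed is None:
        return "not-listed"
    # Drupal 7 uses two-part versions, Drupal 8 three-part: pad before comparing.
    width = max(len(version), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return "affected" if pad(version) < pad(fixed) else "fixed"

# Constructed inventory: versions mentioned in this thread plus the fixed releases.
SAMPLE = ["7.51", "7.57", "7.58", "8.3.4", "8.3.9",
          "8.4.5", "8.4.6", "8.5.0", "8.5.1", "8.6.x"]

def report(versions):
    return {v: classify(v) for v in versions}

if __name__ == "__main__":
    for version, status in report(SAMPLE).items():
        print(f"{version:8} {status}")
```
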

Author

exeeee commented Apr 13, 2018

@RicterZ the hello.txt file is created in the root when you test?


RicterZ commented Apr 13, 2018 via email

Author

exeeee commented Apr 13, 2018

@RicterZ ok, I'll try, thank you :)

@MickaelWalter

@a2u have you tested on Drupal before 7.58?

I tracked the execution flow on Drupal 7.57 with XDebug and the payload was finally stripped before being added to #value because of the function form_type_textfield_value (include/form.inc line 2597) called when processing the mail parameter.

This function replaces the array with an empty string if the input is not scalar...

Namrud commented Apr 14, 2018

So there is no Drupalgeddon which can work for version 7.x?

hediimisawii commented Apr 14, 2018

It works on 8.3.4 for me and 8.6.x

@xuxuedong

@0xs3c what's your environment?

jorrit commented Apr 15, 2018

I am also curious whether Drupal 7 is vulnerable in the same way. I hope @a2u can add an exploit to this repository when available.

gtc51 commented Apr 15, 2018

PoC 7.x can be found here
dreadlocked/Drupalgeddon2#7
