a2u / cve-2018-7600
💀Proof-of-Concept for CVE-2018-7600 Drupal SA-CORE-2018-002
Which version of Drupal did you test?
It does not work for me.
Drupal versions 7.51 and 8.33.
Hi, I have 0 experience in programming but when I was running this code, my kali box kept giving me syntax errors when inputting the url of the website. Here's a screenshot:
I don't exactly know why, but it seemed to be fixed when I replaced the input function on line 13 with the raw_input function.
Hope those with the same errors find this helpful!
This PoC assumes that the document root is writable by www-data, which is hopefully not the case for most installations. A more reliable test would be to write the file to sites/default/files/.
The author may have forgotten to add '/'; if you read the code, you can find this.
By the way, the code is so short :-D
(my longming English)
I am starting to wonder if Drupal was trolling all of us.
Although I don't really think it's a joke, I'm spending some time on that vulnerability, and still nothing.
Maybe after the holidays someone will take it more seriously :)
And credit for my meme will be appreciated in any case :)
I'm attempting to use the ModSecurity rule provided but unfortunately, I cannot get it to work.
[Sat Oct 02 07:41:40.466003 2021] [:error] [pid 1739] [client 192.168.247.129:45424] [client 192.168.247.129] ModSecurity: Warning. Pattern match "#(submit|validate|pre_render|post_render|element_validate|after_build|value_callback|process|access_callback|lazy_builder)|\\[#(submit|validate|pre_render|post_render|element_validate|after_build|value_callback|process|access_callback|lazy_builder)" at ARGS_NAMES:name[#post_render][]. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/drupal.conf"] [line "2"] [id "3295"] [hostname "www.ict379drupal7.com"] [uri "/"] [unique_id "YVgNND9KAmtIGa2izcMOBAAAAAA"]
I'm unsure as to what I'm doing wrong. The exploit is not being blocked, regardless of the pattern being detected.
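Added example (not part of the post above or of the repository): in the ModSecurity 2.x error-log format, a matched rule is logged either as `Warning.` (no disruptive action was taken) or as `Access denied with code N (phase P).`; this sketch parses the posted line next to a constructed denied line to tell the two apart. The function names are hypothetical.

```python
import re

# Error-log line copied from the post above (ModSecurity 2.x, Apache).
POSTED = r'''[Sat Oct 02 07:41:40.466003 2021] [:error] [pid 1739] [client 192.168.247.129:45424] [client 192.168.247.129] ModSecurity: Warning. Pattern match "#(submit|validate|pre_render|post_render|element_validate|after_build|value_callback|process|access_callback|lazy_builder)|\\[#(submit|validate|pre_render|post_render|element_validate|after_build|value_callback|process|access_callback|lazy_builder)" at ARGS_NAMES:name[#post_render][]. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/drupal.conf"] [line "2"] [id "3295"] [hostname "www.ict379drupal7.com"] [uri "/"] [unique_id "YVgNND9KAmtIGa2izcMOBAAAAAA"]'''
# Constructed for comparison (shortened): how a denied request is logged.
DENIED = r'''[Sat Oct 02 07:41:40.466003 2021] [:error] [pid 1739] [client 192.168.247.129:45424] ModSecurity: Access denied with code 403 (phase 2). Pattern match "#(submit|validate)" at ARGS_NAMES:name[#post_render][]. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/drupal.conf"] [line "2"] [id "3295"] [uri "/"]'''

DISPOSITION = re.compile(
    r'ModSecurity: (Warning|Access denied with code (\d{3}) \(phase (\d)\))\.')
TARGET = re.compile(r' at (\S+)\. \[file ')   # variable the pattern matched on
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')    # [id "..."], [file "..."], ...

def triage(line):
    """Return what one ModSecurity error-log line says, or None if it is not one."""
    m = DISPOSITION.search(line)
    if m is None:
        return None
    fields = dict(FIELD.findall(line))
    target = TARGET.search(line)
    blocked = m.group(1) != "Warning"
    return {
        "rule_id": fields.get("id"),
        "defined_at": f'{fields.get("file")}:{fields.get("line")}',
        "matched_on": target.group(1) if target else None,
        "blocked": blocked,
        "status": int(m.group(2)) if blocked else None,
    }

def detect_only_rules(lines):
    """Map rule id -> definition site for rules that matched but never denied."""
    seen, denied = {}, set()
    for entry in filter(None, map(triage, lines)):
        seen[entry["rule_id"]] = entry["defined_at"]
        if entry["blocked"]:
            denied.add(entry["rule_id"])
    return {rid: site for rid, site in seen.items() if rid not in denied}

if __name__ == "__main__":
    for name, line in (("posted", POSTED), ("constructed", DENIED)):
        print(name, triage(line))
    print("matched without denying:", detect_only_rules([POSTED]))
```

A rule that only ever shows up with `Warning.` is matching without a disruptive action, which is what `SecRuleEngine DetectionOnly` or a non-disruptive rule action such as `pass` produces; the `defined_at` value points at the rule definition to check.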
1. I tried testing with hello1.txt, which does not exist, but r.status_code is still 200. Why?
2. I can't find hello.txt in the root directory of the website. Why?
Any idea how to adapt this to Drupal 6? It's also vulnerable, but it does not respond.