How to analyze the Drupal remote code execution vulnerability CVE-2019-6339

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article explains in detail how to analyze the Drupal remote code execution vulnerability CVE-2019-6339 and how to fix it, in the hope of giving readers who face this problem a simple and workable approach.

0x00 Introduction

Drupal is an open source content management framework (CMF) written in PHP, consisting of a content management system (CMS) and a PHP development framework. It is used to build websites and is a highly modular, open source web content management framework that focuses on collaboration. It is an extensible, standards-compliant system that strives to keep its code concise and its scripts small. Basic core features are included in the Drupal release, and additional features are available by installing modules. Drupal is designed to be customizable, but customization is done by overriding core functionality or adding modules rather than by modifying the code of the core components. It also separates content management from content presentation.

0x01 Vulnerability overview

A remote code execution vulnerability exists in the built-in phar stream wrapper (PHP) in Drupal core 7.x before 7.62, 8.6.x before 8.6.6, and 8.5.x before 8.5.9. Remote attackers can exploit this vulnerability to execute arbitrary PHP code.

0x02 Affected versions

7.x versions of Drupal core prior to 7.62

8.6.x versions prior to 8.6.6

8.5.x versions prior to 8.5.9

0x03 Environment setup

1. The vulnerable environment is built with Docker, using the setup from vulhub.

Download address: https://github.com/vulhub/vulhub

2. After the download completes, use xftp or a similar tool to transfer it to the virtual machine where docker and docker-compose are installed, then start the vulnerable environment with the following commands:

cd vulhub-master/drupal/CVE-2019-6339/ # enter the directory

docker-compose up -d # start the environment

3. Visit http://your-IP:8080 in the browser and choose English as the language when installing Drupal.

4. When selecting the database, choose SQLite. Next, configure the website information and turn off the automatic check for updates.

5. Click next; the following page indicates that the installation is complete.

0x04 Vulnerability reproduction

1. Open http://your-ip:8080/user/1/edit in the browser to reach the user's profile picture upload, and construct the PoC in the image to be uploaded.

Note: the default storage location of Drupal images is /sites/default/files/pictures//, and the default stored name is the original file name, so the exact location of the uploaded image is known when exploiting the vulnerability later.

2. Open http://your-ip:8080/admin/config/media/file-system in the browser, enter the path of the previously uploaded image in the Temporary directory field, phar://./sites/default/files/pictures/2021-01/blog-ZDI-CAN-7232-cat.jpg, and save. Saving triggers the vulnerability.

3. To execute a different command, modify the command in the picture and also modify the corresponding bytes.

0x05 Remediation

1. Upgrade Drupal to the latest version.
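
For triage alongside the upgrade, the following added example (not from the original article and not Drupal code) checks a core version against the ranges listed in 0x02, flags a Temporary directory value that uses the phar:// scheme, and looks for the phar stub marker inside uploaded image files. The function names and the default scan path are assumptions made for the example.

```python
# Added example: defender-side triage for CVE-2019-6339 (names are hypothetical).
import os
import re
import sys

# First fixed release per branch, taken from the article's affected-version list.
FIXED = {(7,): (7, 62), (8, 5): (8, 5, 9), (8, 6): (8, 6, 6)}
# Literal token that a phar-format archive stub must contain. Heuristic only:
# an archive that is compressed as a whole would not show it in clear text.
PHAR_STUB = b"__HALT_COMPILER();"
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")


def is_affected(version):
    """True if a Drupal core version string falls in a range the article lists."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    for branch, fixed in FIXED.items():
        if parts[:len(branch)] == branch:
            return parts < fixed
    return False  # branch not covered by the article


def is_phar_path(value):
    """True if a configured directory value (e.g. Temporary directory) uses phar://."""
    return value.strip().lower().startswith("phar://")


def find_phar_in_images(root):
    """Return image files under root whose bytes contain the phar stub marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(IMAGE_EXT):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    if PHAR_STUB in fh.read():
                        hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    # Assumed default: the upload directory named in the article, relative to the web root.
    root = sys.argv[1] if len(sys.argv) > 1 else "sites/default/files"
    for hit in find_phar_in_images(root):
        print("phar stub inside image:", hit)
```

A hit from the image scan or a phar:// value in the file-system settings on an affected version is a reason to review the site's configuration history and uploaded files.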
