Shulou(Shulou.com)05/31 Report--

How to carry out Drupal XSS vulnerability CVE-2019-6341 analysis, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

Brief introduction of vulnerabilities:

Drupal was born in 2000, is a PHP language based on the development of CMF (content management framework). In some cases, XSS vulnerabilities can be triggered by uploading malicious files through file modules or subsystems.

Threat Typ

XSS

Threat level

Medium

Vulnerability number

CVE-2019-6341

Affected system and application version

In Drupal 7 before 7.65, Drupal 8.6 before 8.6.13, and Drupal 8.5 before 8.5.14.

Recurrence of vulnerabilities:

Using the vulhub environment

Enter the directory: root@kali:/vulhub/drupal/CVE-2019-6341

Start docker

Startup environment

Visit 0.0.1VR 8080

Install CMF and use sqlite database when selecting database

The environment has been built.

1. This vulnerability needs to take advantage of the vulnerability of uploading files in the drupal file module to forge an image file and upload it. The content of the file is actually a piece of HTML code embedded with JS, so that other users may trigger XSS vulnerabilities when they visit this link.

The default storage location of Drupal images is / sites/default/files/pictures//,. The default storage name is its original name, so later, when exploiting the vulnerability, you can know the exact location of the uploaded image.

Use PoC to upload the constructed fake GIF file, and PoC refers to the PoC of thezdi/PoC.

As shown in the figure, enter the following command to construct a sample using PoC and complete the upload function. The first parameter is the target IP and the second parameter is the target port.

(in order not to affect the over-reading experience of poc, I put it at the end and need to pick it up myself.)

Poc uploaded successfully!

Visit: date of poc sent by http://127.0.0.1:8080/sites/default/files/pictures/2020-05() / _ 0

(Firefox and chrome come with xss filtering, so you can use an Edge browser or an IE browser to verify its existence.

The name of the accessed image is _ 0 because of the rule mechanism of Drupal. For more information, please see https://paper.seebug.org/897/.

Exploit poc:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.