A couple of years ago I was asked to take a look at a Drupal 7 site that was performing poorly, where a colleague had spotted a strange function call in an Application Performance Management (APM) system. The APM traces we were looking at included a _lamda_func under which was a class called Ratel. Under those were some apparent external calls to some dodgy looking domains. One of my very excellent colleagues had done some digging and found some more details about the domains which confirmed their apparent dodginess. They had also come across a GitHub gist which looked relevant - it had the PHP source code for a Ratel class which appears to be an SEO spam injection tool. This gist included encoded versions of the dodgy URLs we'd seen when trying to analyse what was slowing the site down. However, it wasn't immediately obvious how this code was running within the infected Drupal site. We'd grepped the file system and not found any signs of this compromise. One trick that's sometimes useful is to search a recent database dump. Doing so turned up a reference to the Ratel class within the cache tables, but when we took a closer look inside the cache there wasn't much more info to go on:

$ drush ev 'print_r(cache_get("lookup_cache", "cache_bootstrap"))'

So this was more evidence that the malicious code had been injected into Drupal, but didn't tell us how.

Contribute to slowmistio/CVE-2018-7601-Exploit-for-Drupal-7 development by creating an account on GitHub. This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 < 7. Exploit for Drupal 7 < 7.57 CVE-2018-7600. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. /bin/bash Drupal 7 - Devel Module Credential Harvester ONLY USE THIS SCRIPT LEGALLY, AGAINST AUTHORIZED TARGETS THE. The -verbose and -authentication parameters can be added in any order after and they are both optional. DC-1 is a beginner friendly machine based on a Linux platform. There is Drupal 7 running as a webserver; using the Drupal 7 exploit we gain the initial. Code hosting platform GitHub says it has updated its policies regarding vulnerability research, malware, and exploits, to permit dual-use security research.