what you don't know can hurt you

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 2 of 2

Files from Jasper Mattsson

Drupal RESTful Web Services unserialize() Remote Code Execution

Posted Mar 6, 2019

Authored by wvu, Charles FOL, Jasper Mattsson, Rotem Reiss | Site metasploit.com

This Metasploit module exploits a PHP unserialize() vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable (albeit cached). Cached nodes can be exploited only once.

tags | exploit, web, php

advisories | CVE-2019-6340

SHA-256 | f0577a61447bee5c1e01e80e2168cbe148e2d1b04abd7c1f41da56482db6d02b

Download | Favorite | View

Drupal Drupalgeddon 2 Forms API Property Injection

Posted Apr 26, 2018

Authored by FireFart, wvu, Nixawk, a2u, Jasper Mattsson | Site metasploit.com

This Metasploit module exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.

tags | exploit

advisories | CVE-2018-7600

SHA-256 | d8e06fe66e7a7c70257d472a150741719f1392fb6c548c25bee9d61d4f3a78cd

Download | Favorite | View