Drupalgeddon2
CVE-2018-7600 is a remote code execution vulnerability in Drupal core, widely known as Drupalgeddon2. It affects Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1, and reaches multiple Drupal subsystems under default or common module configurations. A remote user can send specially crafted data that abuses the processing of renderable arrays in Drupal's Form API, causing the application to render attacker-supplied data and execute arbitrary code on the target system. The vulnerability is reachable over the network and requires no prior access to the site.
Exploits
22 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (10 hidden).
Repository contains a single Python exploit script (bixi.py) plus README and MIT LICENSE. The code implements an operational, interactive command-line exploit for CVE-2018-7600 (Drupalgeddon 2) aimed at Drupal (README claims Drupal 7). Exploitation is performed over the network via two HTTP POST requests: (1) POST to the Drupal password reset route (q=user/password) with crafted parameters name[#post_render][]=<injection_type> and name[#markup]=<command> to force Drupal to embed a command and return a form_build_id; (2) POST to the Drupal AJAX endpoint (q=file/ajax/name/#value/<form_build_id>) to trigger rendering and execute the command. The script supports multiple PHP execution primitives (system, passthru, exec, shell_exec), disables TLS verification, uses a fixed browser-like User-Agent, and prints command output by attempting to parse the response as JSON (Drupal AJAX responses are often JSON arrays). It also includes a keyword-to-command mapping for common Linux/Windows enumeration tasks (e.g., reading /etc/passwd, /etc/hosts, the Windows hosts file, net user, systeminfo) and a 'test' keyword to validate execution. No persistence, reverse shell, or lateral movement is implemented; this is direct command execution with predefined recon commands.
This repository contains a Rust-based command-line exploit for CVE-2018-7600, a critical remote code execution vulnerability in Drupal 7 (<= 7.57). The exploit works in two stages: first, it poisons the Drupal form cache by sending a crafted POST request to the 'user/password' endpoint, injecting a renderable array with a #post_render callback set to an attacker-controlled PHP function (default: passthru) and #markup containing the command to execute. It then parses the response to extract the form_build_id and triggers the payload by POSTing to the 'file/ajax/name/#value/<form_build_id>' endpoint, causing the PHP function to execute the command on the server. The tool supports custom commands, PHP functions, and optional HTTP/S proxying. The code is contained in a single Rust file (src/main.rs) and is operational, providing real remote code execution if the target is vulnerable. No hardcoded endpoints are present; the user supplies the target URL. The exploit disables TLS certificate verification by default, allowing attacks against servers with invalid certificates.
This repository provides a Python proof-of-concept exploit for the Drupalgeddon2 vulnerability (CVE-2018-7600), which affects several versions of Drupal Core. The main exploit script, 'drupalgeddon2.py', allows an attacker to execute arbitrary system commands on a vulnerable Drupal server by exploiting an AJAX form API flaw. The script supports both single and multiple targets (via a file), custom command execution, multithreading, and output logging. It first checks if the target is likely a Drupal site (by requesting 'CHANGELOG.txt' or looking for Drupal-specific endpoints), then sends a specially crafted POST request to the 'user/register' endpoint to trigger the vulnerability. The exploit is unauthenticated and works over HTTP/S, making it a remote network attack. The repository also includes a README with detailed usage instructions, a sample targets file, and a sample scan log. The exploit is a POC and does not include advanced evasion or post-exploitation features.
This repository contains a Python3 exploit for CVE-2018-7600 (Drupalgeddon2), a critical unauthenticated remote code execution vulnerability in Drupal 7.x and 8.x (pre-patch). The repository consists of a README.md with usage instructions and a single exploit script (poc.py). The exploit works by sending a specially crafted POST request to the /user/register endpoint of a vulnerable Drupal instance, leveraging Drupal's AJAX form rendering to execute arbitrary system commands. The script sets up a reverse shell listener on the attacker's machine (0.0.0.0:1337) and, upon successful exploitation, spawns a fully interactive shell from the target back to the attacker using a Python-based reverse shell payload. The code is operational and provides a real shell if the target is vulnerable and reachable. The main entry point is poc.py, which requires the target URL and the attacker's listener IP as arguments.
This repository contains a working exploit for CVE-2018-7600 (Drupalgeddon2), targeting Drupal 7.x (including 7.56) and possibly early 8.x versions. The exploit is implemented in a single Python script ('drupal7.56-RCE.py') and is accompanied by a detailed README.md in Indonesian, which explains the vulnerability, usage, and mitigation steps. The exploit works by sending a specially crafted POST request to the 'user/password' endpoint of a vulnerable Drupal instance, injecting a payload that leverages the PHP 'passthru' function to execute arbitrary system commands. It then extracts a 'form_build_id' from the server's response and uses it in a second request to the 'file/ajax/name/#value/{form_build_id}' endpoint to trigger the actual command execution. The script is operational and allows the user to specify any command to be executed on the target server, returning the output. The attack vector is network-based, requiring only HTTP access to the vulnerable Drupal instance. No authentication is required. The repository is well-structured, with clear instructions and warnings about legal and ethical use.
This repository provides a Python proof-of-concept exploit for the Drupalgeddon2 vulnerability (CVE-2018-7600), which affects multiple versions of Drupal Core prior to 7.58, 8.3.9, 8.4.6, and 8.5.1. The main exploit script, 'drupalgeddon2.py', is a standalone Python 3 tool that allows an attacker to execute arbitrary system commands on a vulnerable Drupal server by exploiting a flaw in the Drupal AJAX form API. The script supports both single and multiple targets (via a file), multithreading for concurrent exploitation, and customizable command execution. It includes logic to check if a target is likely running Drupal before attempting exploitation. The exploit works by sending a specially crafted POST request to the 'user/register' endpoint with malicious form parameters that trigger the execution of arbitrary commands on the server. The repository also includes a README.md with detailed usage instructions, a sample 'targets.txt' file listing target URLs, and a 'scan_results.log' file with example output. The exploit is classified as a proof-of-concept (POC) and is intended for authorized penetration testing and educational use only.
This repository contains a Python exploit script (cve-2018-7600.py) targeting CVE-2018-7600, also known as Drupalgeddon 2. The exploit leverages a remote code execution vulnerability in Drupal versions 6.x, 7.x, and 8.x (prior to patch). The script allows an unauthenticated attacker to execute arbitrary system commands on a vulnerable Drupal server by abusing the form API and AJAX endpoints. The user provides the target URL, the command to execute, and optionally a PHP function and proxy. The script crafts specific HTTP POST requests to poison the form and then triggers code execution via a secondary AJAX request. The README.md file is a simple disclaimer. The exploit is operational, providing real command execution on the target, and is not a detection script. No hardcoded IPs or domains are present; the target is specified at runtime. The code is a modified version of a public exploit, with clear structure and user input handling.
This repository contains a single file (README.md) that includes a Python proof-of-concept exploit for CVE-2018-7600, a critical remote code execution vulnerability in Drupal 7.x and 8.x. The exploit works by sending a specially crafted POST request to the /user/register endpoint of a target Drupal site, leveraging the 'exec' function to execute a shell command. If successful, the exploit creates a file named 'r3dxploit.txt' on the target server, confirming the vulnerability. The script requires the user to provide the target URL as a command-line argument. The README also provides a brief code analysis and references to official CVE documentation. No hardcoded IPs or domains are present; the target is user-supplied. The exploit demonstrates the vulnerability but does not provide a weaponized or customizable payload.
This repository is a proof-of-concept exploit for CVE-2018-7600 (Drupalgeddon 2), targeting vulnerable Drupal installations (versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1). The main exploit logic is implemented in 'exploiter.py', a Python script that automates the exploitation process. The script reads a list of target URLs from a file (e.g., 'hosts.txt'), checks if the site is up and running Drupal, and then sends a specially crafted POST request to the Drupal AJAX user registration endpoint. The payload leverages the 'exec' post-render callback to execute arbitrary shell commands on the server. By default, it writes the output of the 'id' command to a randomly named file on the target, which is then checked for existence to confirm exploitation. The script supports optional Tor proxying for anonymity and can clean up after itself by deleting the created file. The repository includes supporting files such as a README with usage instructions, a requirements.txt for dependencies, and notes/todo files. No hardcoded credentials or real-world endpoints are present; 'https://example.com' is used as a placeholder.
This repository provides a proof-of-concept exploit for CVE-2018-7600 (Drupalgeddon 2), targeting vulnerable versions of Drupal (before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1). The main exploit is implemented in 'exploit.py', a Python script that sends a crafted POST request to the Drupal user registration endpoint, exploiting the form API to execute arbitrary shell commands. The payload writes a file ('hello.txt') to the web server to demonstrate successful exploitation. The repository also includes ModSecurity and .htaccess rules (in 'ModSecurity.txt' and 'htaccess.txt') to help protect against this attack vector. The README provides context, references, and mitigation advice. The exploit is a network-based remote code execution PoC and does not include weaponized or post-exploitation features.
This repository contains a Python exploit script (cve-2018-7600_cmd.py) targeting the Drupalgeddon 2 vulnerability (CVE-2018-7600) in Drupal CMS. The exploit leverages a flaw in Drupal's AJAX API to achieve remote code execution by sending a specially crafted POST request to the /user/register endpoint. The script provides an interactive shell-like interface, allowing the attacker to execute arbitrary system commands on the vulnerable server. The output of each command is written to /exphub.txt on the target, which can be accessed via HTTP. The exploit supports Drupal versions 6.x, 7.x < 7.58, 8.3 < 8.3.9, 8.4 < 8.4.6, and 8.5 < 8.5.1. The repository also includes a README with usage instructions and version information. No hardcoded IPs or domains are present; the target URL is supplied by the user at runtime.
This repository is a proof-of-concept (PoC) exploit for CVE-2018-7600, also known as Drupalgeddon 2, which is a critical remote code execution vulnerability in Drupal Core. The main entry point is 'exploit.php', which prompts the user for a target URL and invokes the exploit logic in 'src/CVE-2018-7600.class.php'. The exploit works by sending a specially crafted POST request to the '/user/register' endpoint of a Drupal site, abusing form rendering to execute arbitrary commands. The payload downloads a file ('hello.txt') from a remote GitHub URL and writes it to the web root of the target server, demonstrating successful code execution. The exploit checks for the presence of this file to confirm vulnerability. The code is written in PHP and uses external libraries for HTTP requests and random user agents. The repository is structured with a clear separation between the exploit logic and the entry point, and includes a README with usage instructions and references. No fake or destructive behavior is present; the exploit is a legitimate PoC for educational and testing purposes.
This repository contains a Python exploit script (drupalgeddon2.py) targeting CVE-2018-7600, also known as 'Drupalgeddon2', a critical remote code execution vulnerability in Drupal versions prior to 7.58, 8.3.9, 8.4.6, and 8.5.1. The exploit works by sending specially crafted POST requests to the /user/register endpoint, abusing the #post_render or #lazy_builder parameters to execute arbitrary PHP code on the server. If successful, the script uploads a PHP reverse shell to the web root of the Drupal installation and triggers it, granting the attacker a remote shell. The exploit is operational and automates the process of vulnerability checking, payload upload, and shell triggering. The repository includes a README with usage instructions and PoC details, a LICENSE file, and a .gitignore. The main exploit logic resides in drupalgeddon2.py, which is the only code file. The exploit is designed for Linux targets and requires the attacker to specify the target URL, local host, and port for the reverse shell connection.
This repository contains a Python exploit script (0-day.py) targeting the Drupalgeddon2 vulnerability (CVE-2018-7600) in Drupal CMS. The exploit leverages a vulnerability in the Drupal form API to achieve unauthenticated remote code execution. The script takes a target URL (-h) and an OS command (-c) as arguments, crafts malicious POST requests to the 'user/password' and 'file/ajax/name/#value/' endpoints, and executes the supplied command on the target server. The repository includes a README referencing the CVE, a .gitignore for Drupal projects, and a GPLv3 license. The exploit is operational, providing direct command execution on vulnerable Drupal installations accessible over the network.
This repository contains a Perl exploit script (drupal.pl) and a README.txt for CVE-2018-7600, a critical remote code execution vulnerability in Drupal CMS. The exploit works by sending a specially crafted POST request to the Drupal user registration endpoint, leveraging the vulnerability to execute arbitrary commands. The script attempts to download a PHP web shell from a remote GitHub URL and save it as shell.php on the target server, providing the attacker with remote code execution capabilities. The README provides basic usage instructions. The repository is straightforward, with the main exploit logic contained in drupal.pl, and is operational with a hardcoded payload (web shell).
This repository contains a proof-of-concept exploit for CVE-2018-7600, a critical remote code execution vulnerability in Drupal 7.x versions prior to 7.58. The exploit is implemented in a single Python script (poc.py) that uses the requests library to interact with a vulnerable Drupal instance. The script crafts specific POST requests to Drupal's user/password and file/ajax endpoints, abusing the form API's #post_render and #markup properties to execute arbitrary system commands (demonstrated with 'id'). The target server's URL must be set in the HOST variable. The exploit demonstrates successful code execution by printing the output of the 'id' command, confirming the vulnerability. The repository is simple, containing only a README and the exploit script, and is intended for demonstration and testing purposes.
This repository is a proof-of-concept (POC) exploit for CVE-2018-7600, a critical remote code execution vulnerability affecting Drupal 7.x and 8.x. The main exploit is implemented in 'payload.py', a Python 2.7 script that sends a specially crafted POST request to the '/user/register' endpoint of a target Drupal site. The payload leverages Drupal's form API to execute arbitrary shell commands on the server. If successful, the exploit writes a file named 'r3dxploit.txt' to the web root, confirming the vulnerability. The repository contains a README with usage instructions and background, a LICENSE file, and a .gitignore. The exploit is a standalone script and does not belong to any framework. It is a POC and does not provide a weaponized or customizable payload, but demonstrates the ability to achieve remote code execution on vulnerable Drupal installations.
This repository contains a Python exploit script (Drupalgeddon2.py) targeting the Drupalgeddon 2 vulnerability (CVE-2018-7600) in Drupal CMS. The exploit works by sending a specially crafted HTTP POST request to the '/user/register' endpoint of a Drupal site, abusing the 'mail[#post_render][]' and 'mail[#markup]' parameters to trigger arbitrary command execution on the server. The script supports both testing for vulnerability (by echoing a string) and exploitation (by executing a user-supplied command). The repository also includes a README.md with usage instructions and a requirements.txt listing dependencies ('requests' and 'argparse'). The main entry point is Drupalgeddon2.py, which is a standalone operational exploit. No hardcoded IPs or domains are present; the target is specified by the user at runtime.
This repository is a comprehensive collection of proof-of-concept and operational exploits for CVE-2018-7600, also known as Drupalgeddon2, a critical remote code execution vulnerability affecting Drupal versions prior to 7.58 and 8.x prior to 8.5.1. The repository contains 8 exploit scripts in various languages (Python, Ruby, Perl, Bash), each demonstrating different approaches to exploiting the vulnerability. The main attack vector is network-based, targeting the Drupal user registration endpoint with specially crafted POST requests that abuse form rendering parameters to achieve arbitrary PHP code execution. Several scripts support mass exploitation by reading lists of target URLs. The exploits can upload webshells (e.g., s.php, shell.php, payload.php) or execute arbitrary commands, providing attackers with persistent access or interactive shells. The repository is well-structured, with each script referencing its original source and intended Drupal version. The README provides a clear mapping of scripts to Drupal versions and sources. No detection-only scripts are present; all scripts are capable of exploitation. The repository is suitable for both proof-of-concept testing and operational exploitation.
This repository contains two Ruby exploit scripts (drupalgeddon2.rb and drupalgeddon2-customizable-beta.rb) targeting the critical remote code execution vulnerability CVE-2018-7600 (Drupalgeddon2) in Drupal CMS. The exploit works against Drupal 7.x < 7.58, 8.x < 8.3.9, 8.4.x < 8.4.6, and 8.5.x < 8.5.1. The main script (drupalgeddon2.rb) automates detection of the Drupal version, attempts code execution via vulnerable form endpoints (/user/register for Drupal 8.x, /user/password for Drupal 7.x), and can either execute arbitrary commands or write a PHP web shell (shell.php) to the web root or writable subdirectories. The customizable version (drupalgeddon2-customizable-beta.rb) allows more granular control over the attack parameters, including the PHP method, form path, and Cloudflare bypass options. The README provides detailed usage instructions, example payloads, and troubleshooting tips. The exploit is operational and provides both direct command execution and persistent shell access if the target is writable. No detection-only scripts are present; both code files are full exploits.
This repository contains a Python exploit script (drupalgeddon2.py) and a README.md file. The exploit targets CVE-2018-7600 (Drupalgeddon2), a critical remote code execution vulnerability in Drupal. The script allows an attacker to execute arbitrary OS commands on a vulnerable Drupal installation by sending specially crafted HTTP POST requests to the target's 'user/password' endpoint. The exploit works by abusing Drupal's form API to inject a 'passthru' function call, passing the attacker's command as a parameter. The script is run from the command line, requiring the attacker to specify the target URL (-h) and the command to execute (-c). The README provides usage instructions and an example. The only fingerprintable endpoint is the user-supplied target URL, exemplified as 'http://www.victim.com'. The code is operational and can be used directly to exploit vulnerable Drupal sites.
This repository contains two Python exploit scripts targeting critical remote code execution vulnerabilities in Drupal 7: CVE-2018-7600 (SA-CORE-2018-002) and CVE-2018-7602 (SA-CORE-2018-004). Both scripts leverage form poisoning and AJAX endpoints to achieve arbitrary command execution on vulnerable Drupal installations.
- drupa7-CVE-2018-7600.py exploits the 'user/password' form and triggers code execution via the '/file/ajax' endpoint. It requires only the target URL and can execute arbitrary commands (default: 'id') using a specified PHP function (default: 'passthru').
- drupa7-CVE-2018-7602.py requires valid user credentials and targets the 'user_cancel_confirm_form', poisoning it via the 'destination' parameter and triggering execution through '/file/ajax/actions/cancel/#options/path/'.
Both scripts support proxy configuration for traffic interception. The repository is well-structured, with a README providing usage instructions, requirements, and detailed explanations of the attack flow. The exploits are operational, providing real command execution on the target system, and are not part of a larger framework. The main attack vector is network-based, exploiting HTTP endpoints exposed by Drupal 7.
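Every summary above describes the same request shape: Drupal Form API property names (#post_render, #markup, #lazy_builder) arriving as request parameter keys against the user/register or user/password forms, or '#value' used as a path component under file/ajax. The following is an added defender-side example, not code from this page or from any of the listed repositories: it rebuilds the PHP-style nested array from a request, flags '#'-prefixed keys, classifies the request for WAF or SIEM use, and shows the sanitisation step that the official Drupal fix applied (dropping '#'-prefixed keys from request input). The endpoint patterns and sample requests are constructed here from the parameter names cited in the summaries.

```python
"""Defender-side check for the request shape shared by the exploits above:
Form API property names (#post_render, #markup, #lazy_builder, ...) arriving
as request *keys*, or '#value' as a path component under file/ajax.
Added example, not code from the page or any listed repository; sanitize()
follows the approach of the official fix (drop '#'-prefixed request keys)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints the summaries associate with the public exploits
# (Drupal 7 '?q=' routing and Drupal 8 clean paths). Constructed patterns.
FORM_ENDPOINTS = re.compile(r"(?:/|q=)(user/register|user/password|file/ajax/)")
# Drupal 7 second stage: a render property smuggled in as a path component.
AJAX_PROPERTY_PATH = re.compile(r"file/ajax/[^?&]*/#")
KEY_SEGMENTS = re.compile(r"\[([^\]]*)\]")

def php_nested(query_or_body: str) -> dict:
    """Rebuild the nested array PHP derives from bracketed keys (a[b][]=v).
    parse_qsl already decodes %23 to '#', exactly as PHP would."""
    root: dict = {}
    for key, value in parse_qsl(query_or_body, keep_blank_values=True):
        segs = [key.split("[", 1)[0]] + KEY_SEGMENTS.findall(key)
        node = root
        for seg in segs[:-1]:
            node = node.setdefault(seg, {})
            if not isinstance(node, dict):  # scalar/array clash: skip this key
                break
        else:
            leaf = segs[-1] if segs[-1] != "" else str(len(node))  # 'a[]' appends
            node[leaf] = value
    return root

def injected_properties(tree: dict) -> set:
    """Collect every '#'-prefixed key at any depth of the parsed input."""
    found = set()
    for key, value in tree.items():
        if key.startswith("#"):
            found.add(key)
        if isinstance(value, dict):
            found |= injected_properties(value)
    return found

def sanitize(tree: dict) -> dict:
    """Drop '#'-prefixed keys recursively: clients must never set render properties."""
    return {k: (sanitize(v) if isinstance(v, dict) else v)
            for k, v in tree.items() if not k.startswith("#")}

def inspect_request(method: str, target: str, body: str = "") -> dict:
    """Classify one request (target = path plus query string) for WAF/SIEM use."""
    props = injected_properties(php_nested(urlsplit(target).query))
    if method.upper() == "POST":
        props |= injected_properties(php_nested(body))
    decoded = unquote(target)
    on_form_endpoint = FORM_ENDPOINTS.search(decoded) is not None
    stage2 = AJAX_PROPERTY_PATH.search(decoded) is not None
    if stage2 or (props and on_form_endpoint):
        verdict = "exploit_pattern"
    elif props:
        verdict = "suspicious"  # '#' keys are never legitimate client input
    else:
        verdict = "clean"
    return {"verdict": verdict, "properties": sorted(props), "form_endpoint": on_form_endpoint}

# Constructed sample traffic, using only parameter names the summaries cite.
SAMPLE_REQUESTS = [
    ("POST", "/?q=user/password", "name=alice&op=Submit"),  # benign password reset
    ("POST", "/user/register", "mail[%23post_render][]=exec&mail[%23markup]=id"),
    ("POST", "/?q=user/password&name[%23post_render][]=passthru&name[%23markup]=id", ""),
    ("POST", "/?q=file/ajax/name/%23value/form-PLACEHOLDER", "form_build_id=form-PLACEHOLDER"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLE_REQUESTS:
        print(inspect_request(method, target, body)["verdict"], method, target)
```

A '#'-prefixed key anywhere in client input is reported even off the known endpoints, since no legitimate Drupal form submission carries one.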
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote code execution vulnerability in Drupal (Drupalgeddon2).
Drupalgeddon2: a critical Drupal remote code execution vulnerability widely exploited via web requests against vulnerable Drupal sites.
The Drupalgeddon remote code execution vulnerability in Drupal, listed as exploited by the actor for access and/or movement.
A remote code execution vulnerability in Drupal (Drupalgeddon) listed as exploited by the Sea Turtle actors.