Drupal faced one of its biggest security vulnerabilities recently. It was so bad, it was dubbed “Drupalgeddon”. It affected every single site that was running Drupal 7.31 (latest at the time) or below, as you can read in this Security Advisory.
The exploit could be executed via SQL Injection. The problem was in the expandArguments() method in abstract DatabaseConnection class (\drupal7\includes\database\database.inc) extending PDO. In this method, under the nested foreach loop iterating over the $data array as $i => $value, the $i variable is never sanitized as it is assumed to be a incrementing integer. However, this is not actually the case when posting inputs with the name attribute as arrays, such as:
|
1 2 |
<input type="text" name="pass[pass1]" value="Password 1"> <input type="text" name="pass[pass2]" value="Password 2"> |
The above will be posted as:
|
1 2 3 4 5 6 7 8 |
$_POST = array( ... 'pass' => array( 'pass1' => 'Password 1', 'pass2' => 'Password 2', ), ... ); |
In this case, you will actually be iterating over the pass array with $i being ‘pass1‘ and ‘pass2‘. All other inputs are sanitized, except for these. This is where SQL could have been injected to exploit any website running Drupal.
This vulnerability could be easily fixed with wrapping the $data array with the array_values() function, although you could have also updated to Drupal 7.32. This function makes any associative array into a regular array with incrementing keys.
From:
|
1 2 3 4 5 6 7 8 |
foreach ($data as $i => $value) { // This assumes that there are no other placeholders that use the same // name. For example, if the array placeholder is defined as :example // and there is already an :example_2 placeholder, this will generate // a duplicate key. We do not account for that as the calling code // is already broken if that happens. $new_keys[$key . '_' . $i] = $value; } |
To:
|
1 2 3 4 5 6 7 8 |
foreach (array_values($data) as $i => $value) { // This assumes that there are no other placeholders that use the same // name. For example, if the array placeholder is defined as :example // and there is already an :example_2 placeholder, this will generate // a duplicate key. We do not account for that as the calling code // is already broken if that happens. $new_keys[$key . '_' . $i] = $value; } |
Drupalgeddon was such a major issue because it affected every single version of Drupal 7 before the 7.32 security update addressing the issue. It’s security risk was rated at 25/25 by the Drupal Security Team. It was also such as easy way to inject SQL. In addition, hours after posting the Security Advisory, there was a Public Service Announcement revealing backdoors were implemented, and would remain even after upgrading to 7.32 providing continuous access to your site from hackers.
This post was created with a video for Google Code-In 2014 to explain Drupalgeddon, and why it was such a major issue.
The best way to poc sqli is to use sleep(xx)… to check the vuln. no modification on the web CMS.