The Drupalgeddon vulnerability is to do with a particular registration form. This form is available in all Drupal installations and can be accessed without any authentication. In this form, the email field allows unsanitized input from the user, which allows attackers to inject an array into the form array structure (as the value of the email field). The following properties can be used to exploit this vulnerability:
- #post_render
- #lazy_builder
- #pre_render
- #access_callback
Metasploit's exploit module uses the #post_render property to inject the payload into the mail array, which looks something like the following:
[ mail[#post_render][]': 'exec', // Function to be used for RCE mail[#type]': 'markup', 'mail[#markup]': 'whoami' // Command ]
Upon rendering, the exec() function will be called, which will execute the whoami command and return the output. Let's now move forward and see this exploit in action.
The following code can be found in /core/lib/Drupal/Core/Render/Renderer.php:
/core/modules/file/src/Element/ManagedFile.php is shown here:
We can see that the form values are broken down using slashes and then used to fetch values using the NestedArray::getValue() function. Based on the data returned, the result is rendered. In this case, $form["user_picture"]["widget"][0] becomes user_picture/widget/0. We can input our own path to the desired element. In the account registration form, there are the mail and name parameters. The name parameter filters user data, but the email parameter does not. We can convert this parameter into an array and submit a line beginning with # as a key.
Going back to /core/lib/Drupal/Core/Render/Renderer.php, we see that the #post_render property takes the #children element and then passes it to the call_user_func() function, as shown here:
This is from PHP's manual:
If we pass call_user_func(system,id), it will be executed as system(id). So, we need #post_render to be defined as exec(), and #children to be defined as the value we want to pass into exec():
[ mail[#post_render][]': printf, mail[#type]': 'markup', 'mail[#children]': testing123 ]
Another method is to use the #markup element, which is used by other exploits available on the internet.