--- title: "Drupal" date: 2020-09-01T08:42:46+03:00 draft: false tags: ["exploit", "linux", "windows"] --- The Drupal exploiter exploits [CVE-2019-6340](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340) on a vulnerable Drupal server. ### Description Some field types do not properly sanitize data from non-form sources in certain versions of Drupal server. This can lead to arbitrary PHP code execution in some cases. ### Affected Versions * Drupal 8.5.x (before 8.5.11) and Drupal 8.6.x (before 8.6.10). One of the following conditions must hold: * The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests; OR * The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. ### Notes * The Infection Monkey exploiter implementation is based on an open-source [Python implementation](https://gist.github.com/leonjza/d0ab053be9b06fa020b66f00358e3d88/f9f6a5bb6605745e292bee3a4079f261d891738a) of the exploit by @leonjza. * For the full attack to work, more than one vulnerable URL is required.