CVE-2014-3704
published 2014-10-16


Priority: P180 high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 99.97% (100.0th percentile)
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Affected (2 ranges)

Vendor    Product        Version range    Fixed in
debian    debian_linux   -                -
drupal    drupal         >= 7.0 < 7.32    7.32

Detection & IOCs (extracted from sources)

url: /?q=node&destination=node
cookie: SESS<sha256(session_name)[0:32]>[test+<UNION SELECT inject>]=<session_id>
command: UNION SELECT <uid>,'<user>','<pass>','','','',null,0,0,0,1,null,'',0,'',null,<uid>,'<session_id>','','127.0.0.1',0,0,null --
command: name[0 ;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)+1,'<user>','<hash>'+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name='<user>'),3);;# ]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
command: eval(base64_decode("<base64_encoded_payload>"))
cookie: SESS<sha256(session_name)[0:32]>[test+<UNION SELECT inject with serialized PHP session>]=<session_id>
  • Detect HTTP requests to Drupal login endpoints where the 'name' parameter contains array keys with SQL keywords (e.g., UNION SELECT, INSERT INTO, UPDATE users) — the SQLi is delivered via crafted array key names in POST body or cookies.
  • Monitor POST requests to /?q=node&destination=node with form_id=user_login_block containing URL-encoded SQL in the name[] parameter keys (e.g., name[0%20;insert+into+users...]).
  • Detect HTTP requests carrying cookies where the Drupal session cookie name (SESS<hash>) contains array-style keys with SQL injection payloads (e.g., SESS<hash>[test+UNION SELECT...]).
  • Alert on HTTP responses containing the string 'mb_strlen() expects parameter 1 to be string' as this indicates successful exploitation of the Drupageddon SQL injection.
  • Detect PHP code injection via Drupal session data: look for session values containing 'wrapper_callback' => 'form_execute_handlers', 'assert', and 'eval(base64_decode(...))' patterns, indicative of the RCE chained exploit.
  • Monitor for new Drupal admin account creation or privilege escalation (INSERT INTO users_roles with rid=3) immediately following login form POST requests, which may indicate successful Drupageddon exploitation.
  • The Metasploit module drupal_drupageddon uses two methods: form-cache PHP injection (TARGET 0) and user-post injection (TARGET 1). Detect by monitoring for new admin user creation, PHP module enablement, and new posts containing PHP code on Drupal 7.0–7.31 instances.
  • The cookie-based exploit (EDB-44355 and EDB-35150) only works against HTTPS URLs, as the session cookie name is derived from the hostname portion after stripping the protocol. HTTP targets use a different attack vector (POST body injection).
  • The RCE chained exploit (EDB-35150) uses REPLACE/CHAR SQL functions to smuggle serialized PHP session data containing curly braces past SQL string escaping, meaning detection must account for REPLACE(REPLACE(...,CHAR(125)),CHAR(123)) patterns in the injected payload.
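The array-key delivery the bullets above describe (SQL carried in the key names of the login form's name[] parameter, or of the SESS<hash> session cookie, rather than in any value) is what a detector has to look at. The following is an added example written for this record, not code from cvebase or from any of the cited exploits or modules; it assumes URL-encoded POST bodies and raw Cookie header values as input, and its sample traffic is constructed.

```python
import re
from urllib.parse import unquote_plus

# PHP array-style key such as name[...] or SESS<hash>[...]. The injected SQL sits
# inside the brackets, so keys (not values) are what needs inspecting.
ARRAY_KEY_RE = re.compile(r"([A-Za-z_]\w*)\[([^\]]*)\]")
# SQL fragments that appear in the indicators above (UNION SELECT, INSERT INTO users...).
SQL_RE = re.compile(r"\b(union\s+select|insert\s+into|update\s+\w+\s+set|from\s+users)\b", re.I)
# Error string the indicators list as a sign of a successful injection.
MB_STRLEN_ERROR = "mb_strlen() expects parameter 1 to be string"

def sql_in_array_keys(raw):
    """Return (base, key_body) for every array-style key in a URL-encoded query
    string, POST body or Cookie header whose bracketed key body carries SQL."""
    decoded = unquote_plus(raw)  # decode %XX and '+' the way PHP's request parser does
    return [(m.group(1), m.group(2))
            for m in ARRAY_KEY_RE.finditer(decoded) if SQL_RE.search(m.group(2))]

def inspect_request(method, body="", cookie=""):
    """Findings for one request: login-form name[] keys and session cookie keys."""
    findings = []
    if method == "POST" and "form_id=user_login_block" in body:
        findings += [f"sql in login form key name[{k[:30]}]"
                     for base, k in sql_in_array_keys(body) if base == "name"]
    # Drupal 7 session cookie names start with SESS (SSESS over HTTPS).
    findings += [f"sql in session cookie key {base}[{k[:30]}]"
                 for base, k in sql_in_array_keys(cookie) if base.startswith(("SESS", "SSESS"))]
    return findings

def inspect_response(body):
    """True when the response carries the PHP warning tied to this injection."""
    return MB_STRLEN_ERROR in body

# Constructed sample traffic (method, body, cookie); not captured from any real host.
SAMPLE_REQUESTS = [
    ("POST", "name[0%20;insert+into+users+(status,uid,name,pass)+SELECT+1,MAX(uid)%2B1,"
             "'u','h'+FROM+users;%23%20]=x&name[0]=test&pass=p&form_id=user_login_block&op=Log+in", ""),
    ("GET", "", "SESS0123456789abcdef0123456789abcdef[test+UNION+SELECT+1]=sid"),
    ("POST", "name=alice&pass=p&form_build_id=&form_id=user_login_block&op=Log+in", ""),
]

def run_samples():
    """Number of findings per sample request, in order."""
    return [len(inspect_request(*r)) for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(inspect_request(*req))
```

The first two samples each produce one finding (POST body key and cookie key respectively); the ordinary login in the third produces none.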

CVSS provenance

nvd: CVSS v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
osv: 7.5 HIGH
vulncheck: 7.5 HIGH