CVE-2018-7600 - Drupal 7 Remote Code Execution

RustSecurity

A Rust implementation of the CVE-2018-7600 exploit targeting vulnerable Drupal 7 installations (<= 7.57). This CLI reproduces the following PoC flow: it poisons a cached renderable form via the user/password path, extracts a form_build_id, then triggers the cached payload through the file/ajax endpoint to achieve remote code execution via a PHP function invocation.

Vulnerability Overview

CVE-2018-7600 is a remote code execution vulnerability affecting Drupal 7 (and Drupal 8 in a different context). In Drupal 7 the issue stems from insufficient sanitization when certain renderable arrays are cached and later rendered. By injecting specially crafted render metadata into an endpoint that is cached, an attacker can cause arbitrary PHP functions to run when the cached data is later rendered or requested.

Technical Details

  • The exploit abuses Drupal's render system and cache to insert a renderable array whose #post_render callback is an arbitrary PHP function (for example passthru).
  • The PoC flow typically posts to ?q=user/password with the crafted renderable array parameters so Drupal caches the poisoned form.
  • After poisoning and receiving a form_build_id, the PoC triggers the payload by calling /file/ajax/name/#value/<form_build_id> with the form_build_id in the POST body. When Drupal renders the cached element, the #post_render callback executes with attacker-controlled markup, enabling command execution.

Description

This Rust CLI performs the two-step sequence (poison, then trigger) against a target Drupal 7 site: it constructs the request parameters, parses the HTML response for form_build_id, and then calls the file/ajax endpoint to execute the function specified by the attacker.

Because the client disables certificate verification (to mirror the original PoC which passed verify=False), the tool will work against targets using self-signed or otherwise invalid TLS certs. This behaviour can be changed in the source if you prefer to require valid certificates.

Usage

Basic usage (default command is whoami, default function is passthru):

cargo run -- -u http://target.com/

Run a custom command and function:

cargo run -- -u http://target.com/ -c "whoami" -f "passthru"

Use an HTTP/S proxy (format: http://127.0.0.1:8080/):

cargo run -- -u http://target.com/ -p http://127.0.0.1:8080/

CLI options summary:

  • -u, --target: URL of the target Drupal site (e.g. http://target.com/).
  • -c, --command: Command to execute on target (default: whoami).
  • -f, --function: PHP function to use as the attack vector (default: passthru).
  • -p, --proxy: Optional proxy URL to route requests through.

Example full flow:

  1. Poison the user/password form, inserting #post_render callback and #markup containing the command.
  2. Parse the response to find form_build_id inside form#user-pass.
  3. POST to ?q=file/ajax/name/#value/<form_build_id> with the form_build_id to trigger rendering and execute the command.
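
As an added detection-side example (not code from the RustSecurity tool or from the original PoC), the following Rust program classifies web-server access-log lines into the two stages listed in Technical Details and in the flow above (the user/password poison request and the file/ajax trigger request) and reports clients that performed both. The log lines, IP addresses and form_build_id are constructed; the program assumes Combined Log Format and inspects only the request line, so render metadata sent solely in a POST body would need request-body logging or a WAF to catch.

```rust
// Added example for this README (not code from the RustSecurity tool): a small
// detector for the two-stage request pattern described above, run over
// constructed access-log lines.
// Assumptions: Combined Log Format (client IP first, request line in the first
// quoted field); only the request line is inspected, not the POST body.
use std::collections::BTreeMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Stage {
    /// POST to user/password carrying render metadata (#post_render / #markup).
    Poison,
    /// Request to file/ajax/.../#value/<form_build_id> replaying the cached form.
    Trigger,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub client: String,
    pub stage: Stage,
    pub request: String,
}

/// Constructed sample log (RFC 5737 documentation addresses, fake form_build_id).
pub const SAMPLE_LOG: &str = "\
203.0.113.5 - - [10/Apr/2018:12:00:01 +0000] \"POST /?q=user/password&name[%23post_render][]=passthru&name[%23markup]=whoami HTTP/1.1\" 200 4312 \"-\" \"python-requests/2.18\"
203.0.113.5 - - [10/Apr/2018:12:00:02 +0000] \"POST /?q=file/ajax/name/%23value/form-CONSTRUCTED HTTP/1.1\" 200 88 \"-\" \"python-requests/2.18\"
198.51.100.7 - - [10/Apr/2018:12:00:03 +0000] \"GET /?q=user/password HTTP/1.1\" 200 3120 \"-\" \"Mozilla/5.0\"
198.51.100.9 - - [10/Apr/2018:12:00:04 +0000] \"POST /?q=user/password&name=alice HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\"
";

/// Extract the quoted request line ("METHOD path HTTP/x") from a combined-format log line.
pub fn request_line(line: &str) -> Option<&str> {
    let start = line.find('"')? + 1;
    let end = line[start..].find('"')? + start;
    Some(&line[start..end])
}

/// Percent-decode the URL so that an encoded "#" (%23) is visible to the matcher.
pub fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let Ok(hex) = std::str::from_utf8(&bytes[i + 1..i + 3]) {
                if let Ok(v) = u8::from_str_radix(hex, 16) {
                    out.push(v);
                    i += 3;
                    continue;
                }
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Classify one log line as a poison request, a trigger request, or benign.
pub fn classify(line: &str) -> Option<Finding> {
    let client = line.split(' ').next()?.to_string();
    let req = request_line(line)?;
    let mut parts = req.split(' ');
    let method = parts.next()?;
    let path = percent_decode(parts.next()?).to_ascii_lowercase();

    // Stage 1: render metadata smuggled into the password-reset form request.
    let poison = method == "POST"
        && path.contains("user/password")
        && (path.contains("#post_render") || path.contains("#markup"));
    // Stage 2: the cached form replayed through the AJAX form endpoint.
    let trigger = path.contains("file/ajax/") && path.contains("#value");

    let stage = if poison {
        Stage::Poison
    } else if trigger {
        Stage::Trigger
    } else {
        return None;
    };
    Some(Finding { client, stage, request: req.to_string() })
}

/// Run the classifier over every line, keeping only suspicious ones.
pub fn scan<'a, I: IntoIterator<Item = &'a str>>(lines: I) -> Vec<Finding> {
    lines.into_iter().filter_map(classify).collect()
}

/// Clients that performed both stages: the strongest signal of a full exploitation attempt.
pub fn full_chain_clients(findings: &[Finding]) -> Vec<String> {
    let mut seen: BTreeMap<&str, (bool, bool)> = BTreeMap::new();
    for f in findings {
        let e = seen.entry(f.client.as_str()).or_insert((false, false));
        match f.stage {
            Stage::Poison => e.0 = true,
            Stage::Trigger => e.1 = true,
        }
    }
    seen.into_iter()
        .filter(|(_, (p, t))| *p && *t)
        .map(|(c, _)| c.to_string())
        .collect()
}

fn main() {
    let findings = scan(SAMPLE_LOG.lines());
    for f in &findings {
        println!("{} {:?} {}", f.client, f.stage, f.request);
    }
    for c in full_chain_clients(&findings) {
        println!("full poison+trigger chain from {}", c);
    }
}
```

A single poison or trigger hit is worth alerting on by itself (a benign password-reset form never carries #post_render in its parameters), but correlating both stages per client separates scanner noise from a completed chain, which is what should drive incident response on an unpatched 7.x host.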

Disclaimer

This tool is for educational and authorized penetration testing purposes only. Use responsibly and only on systems you own or have explicit permission to.