## https://sploitus.com/exploit?id=A5DCD9C9-8109-5535-AA9A-50862819BD9D
# CVE-2024-45440
Drupal CVE-2024-45440
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
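
A configuration check for the condition described above, added here as an example and not part of the original repository: it scans the text of a settings.php for an active `hash_salt` assignment that calls `file_get_contents` and reports any referenced file that does not exist. The function names, the regular expression, the handling of relative paths and the sample fragments are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches an active (uncommented) line of the form:
#   $settings['hash_salt'] = file_get_contents('<path>');
HASH_SALT_RE = re.compile(
    r"""^[ \t]*\$settings\[\s*['"]hash_salt['"]\s*\]\s*=\s*
        file_get_contents\(\s*['"]([^'"]+)['"]\s*\)""",
    re.VERBOSE | re.MULTILINE,
)


def audit_hash_salt(settings_text, base_dir="."):
    """Return [(line_no, path)] for hash_salt files that do not exist."""
    findings = []
    for m in HASH_SALT_RE.finditer(settings_text):
        salt_path = Path(m.group(1))
        if not salt_path.is_absolute():
            # Assumption: relative paths are resolved against base_dir.
            salt_path = Path(base_dir) / salt_path
        if not salt_path.is_file():
            line_no = settings_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, str(salt_path)))
    return findings


def demo():
    """Run the audit over two constructed settings.php fragments."""
    with tempfile.TemporaryDirectory() as tmp:
        present = Path(tmp) / "salt.txt"
        present.write_text("constructed-sample-salt\n")
        missing = Path(tmp) / "missing_salt.txt"  # never created
        ok_cfg = f"<?php\n$settings['hash_salt'] = file_get_contents('{present}');\n"
        bad_cfg = (
            "<?php\n// constructed sample\n"
            f"$settings['hash_salt'] = file_get_contents('{missing}');\n"
        )
        return audit_hash_salt(ok_cfg), audit_hash_salt(bad_cfg)


if __name__ == "__main__":
    ok, bad = demo()
    print("present salt file:", ok)
    print("missing salt file:", bad)
```
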
# Usage
```
python CVE-2024-45440.py
```
![image](https://github.com/user-attachments/assets/0d66b93e-b34b-43a9-bc80-50ec81c40233)
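# Lab deployment
The provided settings.php is bind-mounted over the settings.php inside the container.
With settings.php replaced, the installer cannot run, but requesting `http://127.0.0.1:8080/core/authorize.php` directly still discloses the full path of the configuration file.
The normal installation process is as follows:
First comment out line 15 of docker-compose.yml, `- ./settings.php:/opt/drupal/web/sites/default/settings.php`, so that the installation can proceed normally.
Start the Docker container: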
```
docker-compose up -d
```
Select the language
![image-20241226171834277](https://github.com/user-attachments/assets/064b6b23-56f8-4283-a318-9bce48a9d86e)
Select the installation profile
![image-20241226171854577](https://github.com/user-attachments/assets/1b316883-6a91-4b39-8509-6abee2943ae7)
Configure the database
![image-20241226172032897](https://github.com/user-attachments/assets/24e88882-8b2c-481a-be84-e9fa3c6a1e92)
Leave the other options at their defaults
Configure the site
![image-20241226172625492](https://github.com/user-attachments/assets/83bd791c-6f10-4c7b-93d8-b825720d7d5e)
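Leave the other options at their defaults and run the installation.
Next, simulate a developer changing the hash_salt variable on line 268 of /sites/default/settings.php. Shut down the Docker container: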
```
docker-compose down
```
Then uncomment line 15 of docker-compose.yml, `- ./settings.php:/opt/drupal/web/sites/default/settings.php`, and start the container again:
```
docker-compose up -d
```
The lab setup is complete.
# Reproduction
Visit `http://127.0.0.1:8080/core/authorize.php`
![image-20241226170825303](https://github.com/user-attachments/assets/3901c1fd-c0ae-482a-9b22-9824e8a8283b)
The full path of the configuration file is disclosed.
Alternatively, use the script:
```
python CVE-2024-45440.py
```
![image](https://github.com/user-attachments/assets/0d66b93e-b34b-43a9-bc80-50ec81c40233)