Exploit for Drupal SQL Injection (CVE-2014-3704)

Description:

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing specially crafted keys.
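The mechanism described above, as an added example that is not Drupal's code or part of the original page: a simplified model of array-placeholder expansion in which array keys are appended to the placeholder name, next to a hardened path that re-indexes the array with array_values() so caller-supplied keys are discarded. The function names (expand_placeholders, placeholders_are_clean), the query and the sample keys are assumptions constructed for illustration.

```php
<?php
// Simplified model of placeholder expansion; not Drupal's code.
// Function names and the sample query/keys are constructed for illustration.

function expand_placeholders(string $query, array $args, bool $reindex): array
{
    foreach ($args as $name => $data) {
        if (!is_array($data)) {
            continue;
        }
        // Hardened form: drop caller-supplied keys and renumber from 0.
        $items = $reindex ? array_values($data) : $data;
        $expanded = [];
        foreach ($items as $i => $value) {
            // The key is appended to the placeholder name, so any text it
            // holds lands in the SQL string rather than in the bound values.
            $expanded[$name . '_' . $i] = $value;
        }
        $replacement = implode(', ', array_keys($expanded));
        $query = preg_replace_callback(
            '#' . preg_quote($name, '#') . '\b#',
            fn (array $m): string => $replacement,
            $query
        );
        unset($args[$name]);
        $args += $expanded;
    }
    return [$query, $args];
}

// Defensive check: every expanded placeholder must be a plain identifier.
function placeholders_are_clean(array $args): bool
{
    foreach (array_keys($args) as $name) {
        if (!preg_match('/^:[A-Za-z0-9_]+$/', (string) $name)) {
            return false;
        }
    }
    return true;
}

$query = 'SELECT uid FROM users WHERE name IN (:name)';
// Constructed input: the second key is a string, not an integer index.
$input = [':name' => [0 => 'alice', '1) /* key text */' => 'bob']];

foreach ([false, true] as $reindex) {
    [$sql, $bound] = expand_placeholders($query, $input, $reindex);
    printf("reindex=%s clean=%s\n  %s\n", var_export($reindex, true), var_export(placeholders_are_clean($bound), true), $sql);
}
```

Without re-indexing, the key text appears inside the SQL string and the placeholder check fails; with re-indexing, only `:name_0, :name_1` reach the statement.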

Nuclei Template

View the template here: CVE-2014-3704.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2014/CVE-2014-3704.yaml

References:

https://www.exploit-db.com/exploits/35150
https://www.exploit-db.com/exploits/34992
https://nvd.nist.gov/vuln/detail/CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql
https://www.exploit-db.com/exploits/34993
https://www.exploit-db.com/exploits/34984