CVE-2019-6340 / SA-CORE-2019-003
Three scripts are included to demonstrate how Drupal 8.6.9 is vulnerable to CVE-2019-6340:
- create_node_via_rest.py - Example of a normal, authenticated node create through the REST API
- does_not_correspond.py - Proves that the request body is processed even when the request is unauthenticated
- exploit.py - Exploits the deserialization and executes a remote command
Download Drupal 8.6.9 from https://www.drupal.org/project/drupal/releases/8.6.9. Do a vanilla install on an isolated test machine and turn on the four "Web Services" modules (HAL, HTTP Basic Authentication, RESTful Web Services, Serialization).
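For reference, here is an added example (written for this page, not one of the three scripts above) of what the first two steps look like when driven from Python with only the standard library: an authenticated `POST /node?_format=hal_json` that creates a node, and an unauthenticated `GET` that carries a HAL body with a deliberately bogus `_links.type.href`. The base URL, the `admin:admin` credentials and the `article` bundle are assumptions for a vanilla install; the `"does not correspond to an entity on this site"` string is the error Drupal's HAL normalizer raises for an unknown type URI, which is what I take the second script's name to refer to, so treat that as an assumption too. No deserialization payload is included here.

```python
"""Drupal 8 hal_json REST: authenticated node create, and an unauthenticated
probe that shows the request body is denormalized before access is checked.
Added example for this page; not the repository's own scripts."""
import base64
import json
import urllib.error
import urllib.request

# Assumed: text of the HAL normalizer's error for a type href it cannot resolve.
NOT_AN_ENTITY = "does not correspond to an entity on this site"


def build_node_payload(base_url, title, body_text, bundle="article"):
    """HAL+JSON body for POST /node. _links.type.href tells the HAL normalizer
    which entity type and bundle to denormalize the body into."""
    return {
        "_links": {"type": {"href": f"{base_url}/rest/type/node/{bundle}"}},
        "title": [{"value": title}],
        "body": [{"value": body_text, "format": "basic_html"}],
    }


def basic_auth_header(username, password):
    """Value for the Authorization header used by the HTTP Basic Auth module."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def send_hal(url, method, payload, headers=None):
    """Send a hal_json request and return (status, body_text). HTTP errors are
    returned rather than raised so the caller can read Drupal's error message."""
    data = json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/hal+json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def create_node(base_url, username, password, title, body_text):
    """Normal, authenticated node create (expect 201 on a working install)."""
    url = f"{base_url}/node?_format=hal_json"
    headers = {"Authorization": basic_auth_header(username, password)}
    return send_hal(url, "POST", build_node_payload(base_url, title, body_text), headers)


def body_was_denormalized(response_text):
    """True if the error shows the server tried to denormalize our body: the
    bogus type href can only be complained about if the body was parsed."""
    return NOT_AN_ENTITY in response_text


def probe_unauthenticated(base_url, node_path="/node/1"):
    """GET with a HAL body and a bogus type link, sending no credentials.
    Returns (status, True) if the body was processed before any access check."""
    url = f"{base_url}{node_path}?_format=hal_json"
    payload = {"_links": {"type": {"href": "http://example.invalid/bogus"}}}
    status, text = send_hal(url, "GET", payload)
    return status, body_was_denormalized(text)


if __name__ == "__main__":
    base = "http://localhost"  # assumed vanilla install
    print(create_node(base, "admin", "admin", "hello", "created via REST"))
    print(probe_unauthenticated(base))
```

Run it against the test install from the step above; the second line of output is the check a practitioner wants before touching the exploit: if the unauthenticated GET comes back with the type error, the body reached the normalizer without credentials.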
I did not do all of the investigation on my own; I used a few resources when writing these scripts: