Remote Code Execution with Drupal core (SA-CORE-2018–002)
Riyaz Walikar

I don’t agree about your format for the exploit. I think it will look more like this:{api}?#[]={api_endpoint}&#[]={exploit_code}

Because the patched code is specifically looking at $key[0], which in your example is page[‘#payload’], which doesn’t meet the logic criteria of $key[0] === ‘#’… Therefore, it can’t be in the format you suggested.

Please correct me if I’m wrong!

Also, GreySec have a thread going on this at the moment:

Like what you read? Give Strong Links a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.