search
Intrusionz3r0-WriteupsHacktheboxGithubLinkedln

Drupal

circle-info

Newer installs of Drupal by default block access to the CHANGELOG.txt and README.txt files

Drupal supports three types of users by default:

  1. Administrator: This user has complete control over the Drupal website.

  2. Authenticated User: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.

  3. Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

hashtag
Discovery/Footprinting

#Verify Drupal on web server
Intrusionz3r0@htb[/htb]$ curl -s http://drupal.inlanefreight.local | grep Drupal

#Node: Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form /node/<nodeid>.
Intrusionz3r0@htb[/htb]$ curl -s http://drupal.inlanefreight.local/node/1

#uncover the version
Intrusionz3r0@htb[/htb]$ curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m2 ""

hashtag
Attacking Drupal

hashtag
PHP Filter Module

💡

In older versions of Drupal (before version 8), it was possible to log in as an admin and enable the PHP filter module, which "Allows embedded PHP code/snippets to be evaluated." But from version 8 this module is not installed by default.

  • Go to Modules -> (Check) PHP Filter -> Save configuration

  • Then click on Add content -> Select Basic Page or Article -> Write php shellcode on the body -> Select PHP code in Text format -> Select Preview

hashtag
PHP Filter Module from version 8 onwards

💡

From version 8 onwards, the PHP Filterarrow-up-right module is not installed by default. To leverage this functionality, we would have to install the module ourselves.

  1. Download the most recent version of the module from the Drupal website.

    1. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

  2. Once downloaded go to Administration > Reports > Available updates.

    1. /admin/reports/updates/install

  3. Click on **Browse**, select the file from the directory we downloaded it to, and then click Install.

  4. Once the module is installed, we can click on Content and create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to select PHP code from the Text format dropdown.

    1. /admin/content

hashtag
Uploading a Backdoored Module

💡

In current versions it's no longer possible to install plugins by only having access to the web after the default installation.

A backdoored module can be created by adding a shell to an existing module. Modules can be found on the drupal.org website. Let's pick a module such as CAPTCHAarrow-up-right. Scroll down and copy the link for the tar.gz archivearrow-up-right.

Download the archive and extract its contents.

Create a PHP web shell with the contents

Create a .htaccess file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the /modules folder.

The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.

Click on Manage and then Extend click on the + Install new module button

hashtag
Leveraging Known Vulnerabilities

hashtag
Drupalgeddon

  • CVE-2014-3704arrow-up-right, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was a pre-authenticated SQL injection flaw that could be used to upload a malicious form or create a new admin user.

    • https://www.exploit-db.com/exploits/34992

hashtag
Drupalgeddon2

  • CVE-2018-7600arrow-up-right, also known as Drupalgeddon2, is a remote code execution vulnerability, which affects versions of Drupal prior to 7.58 and 8.5.1. The vulnerability occurs due to insufficient input sanitization during user registration, allowing system-level commands to be maliciously injected.

    • https://www.exploit-db.com/exploits/44448

hashtag
Drupalgeddon3

  • CVE-2018-7602arrow-up-right, also known as Drupalgeddon3, is a remote code execution vulnerability that affects multiple versions of Drupal 7.x and 8.x. This flaw exploits improper validation in the Form API.

    • https://github.com/rithchard/Drupalgeddon3

    • https://github.com/oways/SA-CORE-2018-004/blob/master/drupalgeddon3.py

PreviousWordpressNextTomcat CGI

Last updated