Drupal

Newer installs of Drupal block access to the CHANGELOG.txt and README.txt files by default.

Drupal supports three types of users by default:

  1. Administrator: This user has complete control over the Drupal website.

  2. Authenticated User: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.

  3. Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

Discovery/Footprinting

#Verify Drupal on web server
Intrusionz3r0@htb[/htb]$ curl -s http://drupal.inlanefreight.local | grep Drupal

#Node: Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form /node/<nodeid>.
Intrusionz3r0@htb[/htb]$ curl -s http://drupal.inlanefreight.local/node/1

#uncover the version
Intrusionz3r0@htb[/htb]$ curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m2 ""

Attacking Drupal

PHP Filter Module

In older versions of Drupal (before version 8), it was possible to log in as an admin and enable the PHP filter module, which "Allows embedded PHP code/snippets to be evaluated." But from version 8 this module is not installed by default.

  • Go to Modules -> (Check) PHP Filter -> Save configuration

  • Then click on Add content -> Select Basic Page or Article -> Write the PHP code in the body -> Select PHP code in Text format -> Select Preview


PHP Filter Module from version 8 onwards

From version 8 onwards, the PHP Filter module is not installed by default. To leverage this functionality, we would have to install the module ourselves.

  1. Download the most recent version of the module from the Drupal website.

     wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

  2. Once downloaded, go to Administration > Reports > Available updates.

     /admin/reports/updates/install

  3. Click on **Browse**, select the file from the directory we downloaded it to, and then click Install.

  4. Once the module is installed, we can click on Content and create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to select PHP code from the Text format dropdown.

     /admin/content

Uploading a Backdoored Module

In current versions, it is no longer possible to install modules through the web interface alone after a default installation.

A backdoored module can be created by adding a shell to an existing module. Modules can be found on the drupal.org website. Let's pick a module such as CAPTCHA. Scroll down and copy the link for the tar.gz archive.

Download the archive and extract its contents.

Create a PHP web shell with the contents

Create a .htaccess file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the /modules folder.

The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.

Click on Manage, then Extend, and then click the + Install new module button.

Leveraging Known Vulnerabilities

Drupalgeddon

  • CVE-2014-3704, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was a pre-authenticated SQL injection flaw that could be used to upload a malicious form or create a new admin user.

    • https://www.exploit-db.com/exploits/34992

Drupalgeddon2

  • CVE-2018-7600, also known as Drupalgeddon2, is a remote code execution vulnerability, which affects versions of Drupal prior to 7.58 and 8.5.1. The vulnerability occurs due to insufficient input sanitization during user registration, allowing system-level commands to be maliciously injected.

    • https://www.exploit-db.com/exploits/44448

Drupalgeddon3

  • CVE-2018-7602, also known as Drupalgeddon3, is a remote code execution vulnerability that affects multiple versions of Drupal 7.x and 8.x. This flaw exploits improper validation in the Form API.

    • https://github.com/rithchard/Drupalgeddon3

    • https://github.com/oways/SA-CORE-2018-004/blob/master/drupalgeddon3.py
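A defender-side check that ties the CHANGELOG.txt fingerprint from the Discovery section to the Drupalgeddon version ranges listed above, added here as an example that is not part of the original notes: it parses the version from the first changelog line (the one `grep -m2 ""` shows) and reports which advisories with version ranges on this page cover it. The changelog text is a constructed sample and the function names are my own; CVE-2018-7602 is left out because the page gives no fixed version for it.

```python
"""Map a Drupal CHANGELOG.txt header to the Drupalgeddon advisories above.
Intended for verifying patch state of your own installs; the sample
changelog text at the bottom is constructed, not a real file."""
import re

# Version ranges as stated on this page: a version is listed for a CVE
# when it falls inside [first_affected, first_fixed).
AFFECTED_RANGES = {
    "CVE-2014-3704 (Drupalgeddon)":  [((7, 0), (7, 32))],
    "CVE-2018-7600 (Drupalgeddon2)": [((7, 0), (7, 58)), ((8, 0, 0), (8, 5, 1))],
}

VERSION_LINE = re.compile(r"^Drupal\s+(\d+(?:\.\d+)+)")


def parse_version(changelog_text):
    """Return the version tuple from the first 'Drupal X.Y[, date]' line,
    or None when the response is not a Drupal changelog (e.g. a 404 page)."""
    for line in changelog_text.splitlines():
        m = VERSION_LINE.match(line.strip())
        if m:
            return tuple(int(p) for p in m.group(1).split("."))
    return None


def _in_range(version, lo, hi):
    # Zero-pad to equal length so (8, 5) compares cleanly against (8, 5, 1)
    n = max(len(version), len(lo), len(hi))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(lo) <= pad(version) < pad(hi)


def affected_cves(version):
    """List the advisories from this page whose affected range contains version."""
    return [cve for cve, ranges in AFFECTED_RANGES.items()
            if any(_in_range(version, lo, hi) for lo, hi in ranges)]


# Constructed sample of the first lines of a Drupal 7 CHANGELOG.txt
SAMPLE_CHANGELOG = """Drupal 7.31, 2014-08-06
-----------------------
- Constructed sample entry for this example.
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_CHANGELOG)
    print("Detected Drupal", ".".join(map(str, v)), "->", affected_cves(v) or "none listed")
```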
