search
LinkedIn

Drupal

Drupal is another open-source CMS that is popular among companies and developers. Drupal is written in PHP and supports using MySQL or PostgreSQL for the backend. Additionally, SQLite can be used if there's no DBMS installed. Like WordPress, Drupal allows users to enhance their websites through the use of themes and modules. At the time of writing, the Drupal project has nearly 43,000 modules and 2,900 themes and is the third most popular CMS by market share. Here are a few interesting statisticsarrow-up-right on Drupal gathered from various sources:

hashtag
Discovery

The page URIs are usually of the form /node/<nodeid>.

curl -s http://drupal.inlanefreight.local | grep Drupal


<meta name="Generator" content="Drupal 8 (https://www.drupal.org)" />
      <span>Powered by <a href="https://www.drupal.org">Drupal</a></span>

Drupal supports three types of users by default:

  1. Administrator: This user has complete control over the Drupal website.

  2. Authenticated User: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.

  3. Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

hashtag
Version enumeration

# -m option in grep specifies the number of matches to find before exiting. 
## By using -m2, we are able to extract the first 2 matches in the file.
curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m2 ""

curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m1 "Drupal"

hashtag
Automatic scans with Droopescan

From here we can search for known vulnerabilities with searchsploit or exploit-db.

hashtag
Attacking Drupal

hashtag
Before Version 8

Before version 8 we should enable PHP filter module:

Create a basic page under content with the PHP one-liner to gain RCE

Format the page to PHP:

Then we can execute commands from the node where the content has been created. e.g. /node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id

hashtag
From Version 8

From version 8 onwards, the PHP Filterarrow-up-right module is not installed by default. To leverage this functionality, we would have to install the module ourselves. Since we would be changing and adding something to the client's Drupal instance, we may want to check with them first. We'd start by downloading the most recent version of the module from the Drupal website.

Once downloaded go to Administration > Reports > Available updates.

From here, click on Browse, select the file from the directory we downloaded it to, and then click Install.

Once the module is installed, we can click on Content and create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to select PHP code from the Text format dropdown.

hashtag
Uploading a Backdoored Module

Drupal allows users with appropriate permissions to upload a new module. A backdoored module can be created by adding a shell to an existing module. Modules can be found on the drupal.org website. Let's pick a module such as CAPTCHAarrow-up-right. Scroll down and copy the link for the tar.gz archivearrow-up-right.

Download the archive and extract its contents.

Create a PHP web shell with the contents:

Next, we need to create a .htaccess file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the /modules folder.

Code: html

The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.

Assuming we have administrative access to the website, click on Manage and then Extend on the sidebar. Next, click on the + Install new module button, and we will be taken to the install page, such as http://drupal.inlanefreight.local/admin/modules/install Browse to the backdoored Captcha archive and click Install.

Once the installation succeeds, browse to /modules/captcha/shell.php to execute commands.

hashtag
Leveraging Known Vulnerabilities

Over the years, Drupal core has suffered from a few serious remote code execution vulnerabilities, each dubbed Drupalgeddon. At the time of writing, there are 3 Drupalgeddon vulnerabilities in existence.

  • CVE-2014-3704arrow-up-right, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was a pre-authenticated SQL injection flaw that could be used to upload a malicious form or create a new admin user.

  • CVE-2018-7600arrow-up-right, also known as Drupalgeddon2, is a remote code execution vulnerability, which affects versions of Drupal prior to 7.58 and 8.5.1. The vulnerability occurs due to insufficient input sanitization during user registration, allowing system-level commands to be maliciously injected.

  • CVE-2018-7602arrow-up-right, also known as Drupalgeddon3, is a remote code execution vulnerability that affects multiple versions of Drupal 7.x and 8.x. This flaw exploits improper validation in the Form API.

As stated previously, this flaw can be exploited by leveraging a pre-authentication SQL injection which can be used to upload malicious code or add an admin user. Let's try adding a new admin user with this PoCarrow-up-right script. Once an admin user is added, we could log in and enable the PHP Filter module to achieve remote code execution.

Running the script with the -h flag shows us the help menu.

Here we see that we need to supply the target URL and a username and password for our new admin account. Let's run the script and see if we get a new admin user.

Now let's see if we can log in as an admin. We can! Now from here, we could obtain a shell through the various means discussed previously in this section.

Drupal user management page showing filters for role, permission, and status, with users admin and hacker listed as active administrators.

We could also use the exploit/multi/http/drupal_drupageddonarrow-up-right Metasploit module to exploit this.

hashtag
Drupalgeddon2

We can use thisarrow-up-right PoC to confirm this vulnerability.

Attacking Drupal

We can check quickly with cURL and see that the hello.txt file was indeed uploaded.

Now let's modify the script to gain remote code execution by uploading a malicious PHP file.

Next, let's replace the echo command in the exploit script with a command to write out our malicious PHP script.

Attacking Drupal

Next, run the modified exploit script to upload our malicious PHP file.

Finally, we can confirm remote code execution using cURL.

hashtag
Drupalgeddon3

Drupalgeddon3arrow-up-right is an authenticated remote code execution vulnerability that affects multiple versionsarrow-up-right of Drupal core. It requires a user to have the ability to delete a node. We can exploit this using Metasploit, but we must first log in and obtain a valid session cookie.

HTTP request details showing headers like User-Agent, Accept, and Cookie for drupal-acc.inlanefreight.local.

Once we have the session cookie, we can set up the exploit module as follows.

If successful, we will obtain a reverse shell on the target host.

PreviousJoomlaNextJenkins

Last updated