Drupal
Drupal, launched in 2001, is another popular open-source CMS.
Drupal is written in PHP and supports using MySQL or PostgreSQL for the backend.
SQLite can be used if there's no DBMS installed.
Like WordPress, which has themes and plugins, Drupal has themes and modules.
Around 1.5% of sites on the internet run Drupal (over 1.1 million sites!), 5% of the top 1 million websites, and 7% of the top 10,000 sites.
Drupal accounts for around 2.4% of the CMS market
It is available in 100 languages
Drupal is community-oriented and has over 1.3 million members
Drupal 8 was built by 3,290 contributors, 1,288 companies, and help from the community
33 of the Fortune 500 companies use Drupal in some way
56% of government websites across the world use Drupal
23.8% of universities, colleges, and schools use Drupal worldwide
Some major brands that use Drupal include Tesla and Warner Bros. Records.
At the time of taking these notes, according to Drupal Usage Statistics, there were about 668,048 active users as of 24 Dec 2024. These statistics do not account for EVERY instance of Drupal in use worldwide, but rather instances running the Update Status module, which checks in with drupal.org daily to look for any new versions of Drupal or updates to modules in use.
Footprinting
A Drupal website can be identified in several ways: the header or footer message "Powered by Drupal", the standard Drupal logo, the presence of a CHANGELOG.txt or README.txt file, clues in the page source, or entries in the robots.txt file such as references to /node.
Another way to identify Drupal CMS is through nodes. Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form /node/<nodeid>.

Users
Drupal supports three types of users by default:
Administrator: This user has complete control over the Drupal website.
Authenticated User: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.
Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.
Enumeration
Newer installs of Drupal by default block access to the CHANGELOG.txt and README.txt files, so we may need to do further enumeration.
Droopescan
There are several other things we could check in this instance to identify the version. Let's try a scan with droopescan as shown in the Joomla enumeration section. Droopescan has much more functionality for Drupal than it does for Joomla.
This instance appears to be running version 8.9.1 of Drupal. At the time of writing, this was not the latest version, as it was released in June 2020. A quick search for Drupal-related vulnerabilities does not show anything apparent for this core version. In this instance, we would next want to look at installed plugins or at abusing built-in functionality.
Attacking Drupal
Now that we've confirmed that we are facing Drupal and fingerprinted the version, let's look and see what misconfigurations and vulnerabilities we can uncover to attempt to gain internal network access.
Unlike some CMSs, obtaining a shell on a Drupal host via the admin console is not as easy as just editing a PHP file found within a theme or uploading a malicious PHP script.
Leveraging PHP Filter Module - Before V8
In older versions of Drupal (before version 8), it was possible to log in as an admin and enable the PHP filter module, which "Allows embedded PHP code/snippets to be evaluated."

From here, we could tick the check box next to the module and scroll down to Save configuration. Next, we could go to Content --> Add content and create a Basic page.

We can now create a page with a malicious PHP snippet such as the one below. We named the parameter with an md5 hash instead of the common cmd to get into the practice of not leaving a door open to an attacker during our assessment. If we used the standard system($_GET['cmd']); we would open ourselves up to a "drive-by" attacker potentially coming across our web shell. Though unlikely, better safe than sorry!

We also want to make sure to set the Text format drop-down to PHP code. After clicking Save, we will be redirected to the new page, in this example http://drupal-qa.inlanefreight.local/node/3. Once saved, we can execute commands either in the browser, by appending ?dcfdd5e021a869fcc6dfaef8bf31377e=id to the end of the URL to run the id command, or with cURL on the command line. From here, we could use a bash one-liner to obtain reverse shell access.
Leveraging PHP Filter Module - After V8
From version 8 onwards, the PHP Filter module is not installed by default. To leverage this functionality, we would have to install the module ourselves. Since we would be changing and adding something to the client's Drupal instance, we may want to check with them first. We'd start by downloading the most recent version of the module from the Drupal website.
Once downloaded, go to Administration > Reports > Available updates.

From here, click on Browse, select the file from the directory we downloaded it to, and then click Install.
Once the module is installed, we can click on Content and create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to select PHP code from the Text format dropdown.
With either of these examples, we should keep our client apprised and obtain permission before making these sorts of changes. Also, once we are done, we should remove or disable the PHP Filter module and delete any pages that we created to gain remote code execution.
Uploading Backdoored Module
Drupal allows users with appropriate permissions to upload a new module. A backdoored module can be created by adding a shell to an existing module. Modules can be found on the drupal.org website. Let's pick a module such as CAPTCHA. Scroll down and copy the link for the tar.gz archive.
Create a PHP web shell with the contents:
Next, we need to create a .htaccess file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the /modules folder.
The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.
Assuming we have administrative access to the website, click on Manage and then Extend on the sidebar. Next, click on the + Install new module button, and we will be taken to the install page, such as http://drupal.inlanefreight.local/admin/modules/install. Browse to the backdoored Captcha archive and click Install.

Once the installation succeeds, browse to /modules/captcha/shell.php to execute commands.
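Both of the techniques above (the PHP Filter web shell on a /node/<id> page and the backdoored module with its own .htaccess) leave distinctive traces in the web server's access log. The following Python is an added defender-side example, not part of the original notes: it flags a PHP file served with 200 from under /modules or /themes (normally refused by Drupal), a node page taking a cmd or 32-hex "command" parameter, and module uploads through /admin/modules/install, then correlates upload and shell access per client. The log lines, IP addresses and the shell.php name are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not taken from the notes).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2024:10:01:02 +0000] "GET /node/3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Dec/2024:10:01:09 +0000] "GET /node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.9 - - [24/Dec/2024:10:02:30 +0000] "POST /admin/modules/install HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Dec/2024:10:02:55 +0000] "GET /modules/captcha/shell.php HTTP/1.1" 200 31 "-" "curl/8.0"
10.0.0.7 - - [24/Dec/2024:10:04:00 +0000] "GET /modules/captcha/captcha.module HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
PHP_UNDER_MODULES = re.compile(r"^/(modules|themes)/.+\.php$")  # PHP file inside an extension directory
MD5_LIKE_PARAM = re.compile(r"^[0-9a-f]{32}$")                  # the md5-named parameter habit from the notes
NODE_PATH = re.compile(r"^/node/\d+$")

def detect(log_text):
    """Return (client_ip, rule, request_path) triples for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        parts = urlsplit(target)
        path, params = parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))
        # Rule 1: a PHP script served (200) from /modules or /themes. Drupal denies direct access
        # to these folders, so a success means the module shipped its own .htaccess override.
        if PHP_UNDER_MODULES.match(path) and status == 200:
            hits.append((ip, "php_under_modules", path))
        # Rule 2: a node page taking a command-style parameter, either the common 'cmd' or a 32-hex name.
        if NODE_PATH.match(path) and any(k == "cmd" or MD5_LIKE_PARAM.match(k) for k in params):
            hits.append((ip, "node_command_param", path))
        # Rule 3: a module upload through the admin UI; benign alone, so correlate it with rule 1.
        if method == "POST" and path == "/admin/modules/install":
            hits.append((ip, "module_install", path))
    return hits

def install_then_shell(hits):
    """Client IPs that uploaded a module and also executed PHP under /modules: the backdoor chain."""
    installed = {ip for ip, rule, _ in hits if rule == "module_install"}
    return sorted({ip for ip, rule, _ in hits if rule == "php_under_modules" and ip in installed})

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("backdoor chain from:", install_then_shell(hits))
```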
Drupalgeddon
Over the years, Drupal core has suffered from a few serious remote code execution vulnerabilities, each dubbed Drupalgeddon. At the time of writing, there are 3 Drupalgeddon vulnerabilities in existence.
CVE-2014-3704, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was a pre-authenticated SQL injection flaw that could be used to upload a malicious form or create a new admin user.
CVE-2018-7600, also known as Drupalgeddon2, is a remote code execution vulnerability, which affects versions of Drupal prior to 7.58 and 8.5.1. The vulnerability occurs due to insufficient input sanitization during user registration, allowing system-level commands to be maliciously injected.
CVE-2018-7602, also known as Drupalgeddon3, is a remote code execution vulnerability that affects multiple versions of Drupal 7.x and 8.x. This flaw stems from improper validation in the Form API and requires authentication.
Starting with the original Drupalgeddon (CVE-2014-3704): as stated previously, this flaw can be exploited by leveraging a pre-authentication SQL injection, which can be used to upload malicious code or add an admin user. Let's try adding a new admin user with this PoC script. Once an admin user is added, we could log in and enable the PHP Filter module to achieve remote code execution.
Here we see that we need to supply the target URL and a username and password for our new admin account. Let's run the script and see if we get a new admin user.
Drupalgeddon2
We can use this PoC to confirm this vulnerability.
We can check quickly with cURL and see that the hello.txt file was indeed uploaded.
Now let's modify the script to gain remote code execution by uploading a malicious PHP file.
Next, let's replace the echo command in the exploit script with a command to write out our malicious PHP script.
Next, run the modified exploit script to upload our malicious PHP file.
Finally, we can confirm remote code execution using cURL.
Drupalgeddon3
Drupalgeddon3 is an authenticated remote code execution vulnerability that affects multiple versions of Drupal core. It requires a user to have the ability to delete a node. We can exploit this using Metasploit, but we must first log in and obtain a valid session cookie.

Once we have the session cookie, we can set up the exploit module as follows.
If successful, we will obtain a reverse shell on the target host.