Drupal Attack

Discovery/Footprinting

curl -s http://drupal.inlanefreight.local | grep Drupal

Enumeration

curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m2 ""
droopescan scan drupal -u http://drupal-qa.inlanefreight.local

Attacking Drupal

Leveraging the PHP Filter Module

  • After logging in, select the PHP filter module:

http://drupal-qa.inlanefreight.local/#overlay=admin/modules
  • From here, we could tick the check box next to the module and scroll down to Save configuration. Next, we could go to Content --> Add content and create a Basic page.

From version 8 onwards:

  • The PHP Filter module is not installed by default.

  • To leverage this functionality, we would have to install the module ourselves.

  • Once downloaded, go to Administration > Reports > Available updates.

  • From here, click on Browse, select the file from the directory we downloaded it to, and then click Install.

  • Once the module is installed, we can click on Content and create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to select PHP code from the Text format dropdown.

Uploading a Backdoored Module

  • Drupal allows users with appropriate permissions to upload a new module.

  • A backdoored module can be created by adding a shell to an existing module.

  • Create a PHP web shell with the contents:

  • Next, we need to create a .htaccess file to give ourselves access to the folder.

    • This is necessary as Drupal denies direct access to the /modules folder.

  • Assuming we have administrative access to the website, click on Manage and then Extend on the sidebar.

    • Next, click on the + Install new module button, and we will be taken to the install page, such as http://drupal.inlanefreight.local/admin/modules/install

    • Browse to the backdoored Captcha archive and click Install.
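
On the defending side, the steps above leave recognisable entries in the web server's access log. The following is an added example, not part of the original notes, that flags them in combined-format log lines and reports clients whose module upload is followed by PHP being served from a modules directory. The sample lines, IP addresses and the file name example.php are constructed, and the /core/CHANGELOG.txt and sites/*/modules paths are assumptions beyond the URLs shown above.

```python
import re
from collections import defaultdict

# Combined log format: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# (rule name, required method or None for any, path pattern)
RULES = [
    ("version-disclosure", "GET", re.compile(r"^/(?:core/)?CHANGELOG\.txt(?:\?|$)")),
    ("module-upload", "POST", re.compile(r"^/admin/modules/install(?:\?|$)")),
    # Drupal denies direct access under /modules, so PHP served from there is abnormal.
    ("php-served-from-modules", None,
     re.compile(r"^/(?:sites/[^/]+/)?modules/.+\.php(?:\?|$)", re.I)),
]

def scan(lines):
    """Return {client_ip: [(rule, timestamp, path), ...]} for requests the server accepted."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["status"]) >= 400:
            continue  # unparsable line, or the server refused the request
        for name, method, path_re in RULES:
            if method in (None, m["method"]) and path_re.search(m["path"]):
                hits[m["ip"]].append((name, m["ts"], m["path"]))
    return dict(hits)

def chained(hits):
    """Clients that uploaded a module and later had PHP served from a modules directory."""
    out = []
    for ip, events in hits.items():
        names = [e[0] for e in events]
        if "module-upload" in names and \
           "php-served-from-modules" in names[names.index("module-upload") + 1:]:
            out.append(ip)
    return sorted(out)

# Constructed sample lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1123 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:07:40 +0000] "POST /admin/modules/install HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:08:15 +0000] "GET /modules/captcha/example.php HTTP/1.1" 200 57 "-" "curl/8.5.0"',
    '198.51.100.20 - - [12/Mar/2024:10:09:00 +0000] "GET /modules/captcha/example.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print("upload then PHP from modules/:", chained(scan(SAMPLE_LOG)))
```

The ordering check relies on the log lines being in chronological order, as they are in a single access log file.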
