Drupal

attacking_common_applications

Drupal is an open-source Content Management System (CMS) written in PHP. Version 11 is currently in development (2024).

It supports MySQL, PostgreSQL, or SQLite.


Drupal Pentester Notes ☠️

Enumeration

We may identify Drupal and its version from:

  • The tag <meta name="generator" content="<here>">
  • The CHANGELOG may be exposed at /CHANGELOG.txt
  • The README may be exposed at /README.md
  • The robots.txt file at /robots.txt may contain Drupal-specific entries
  • The /node/<nodeid> endpoint is specific to Drupal

We may use droopescan:

$ droopescan scan drupal -u URL

Foothold

We often want to get an account to exploit.

  • The login page is at /user/login

Exploitation

Before version 8, as an admin, we could enable the "PHP filter" module to execute PHP code:

  • Create a basic page with some PHP code
  • Set the text format to PHP code
  • Access the created node (/node/<your_new_node_id>)

From version 8 onwards, the module is not installed by default. We can download modules from here (e.g. php module) and install them at Administration > Reports > Available updates.

We could also upload a backdoored module, e.g., a legitimate module to which we added our files. Use /admin/modules/install and access them at /modules/<module_name>/<our_file>.
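
From the defender's side, the version-file probes and the module upload described above leave a recognisable trail in the web server's access log. The following is an added example, not part of the original notes: it assumes combined log format, Drupal served from the web root, and that legitimate modules are never requested directly as PHP files; the sample lines, IPs and file names are constructed.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format); IPs and names are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1200
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /README.md HTTP/1.1" 200 800
203.0.113.7 - - [01/Mar/2024:10:05:10 +0000] "POST /admin/modules/install HTTP/1.1" 303 512
203.0.113.7 - - [01/Mar/2024:10:05:30 +0000] "GET /modules/captcha/added.php?x=1 HTTP/1.1" 200 42
198.51.100.9 - - [01/Mar/2024:10:06:00 +0000] "GET /node/12 HTTP/1.1" 200 9000
198.51.100.9 - - [01/Mar/2024:10:06:05 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 150
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
VERSION_FILES = {"/CHANGELOG.txt", "/README.md"}       # version-disclosure files
INSTALL_PATH = "/admin/modules/install"                 # module upload form
MODULE_PHP = re.compile(r"^/modules/[^/]+/.+\.php$", re.IGNORECASE)


def analyze(log_text):
    """Return {client_ip: [findings]} for the request patterns described above."""
    fetched = defaultdict(set)   # ip -> version files successfully fetched
    installers = set()           # ips that submitted the module installer
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        if status[0] in "45":    # ignore requests the server rejected
            continue
        path = target.split("?", 1)[0]
        if path in VERSION_FILES:
            fetched[ip].add(path)
            if fetched[ip] == VERSION_FILES and "version-fingerprinting" not in findings[ip]:
                findings[ip].append("version-fingerprinting")
        elif method == "POST" and path == INSTALL_PATH:
            installers.add(ip)
            findings[ip].append("module-install")
        elif MODULE_PHP.match(path):
            # Assumption: legitimate modules are not requested as /modules/<name>/<file>.php
            tag = "module-php-after-install" if ip in installers else "module-php-direct"
            findings[ip].append(f"{tag}:{path}")
    return {ip: f for ip, f in findings.items() if f}


if __name__ == "__main__":
    for ip, items in analyze(SAMPLE_LOG).items():
        print(ip, items)
```

Blocking /CHANGELOG.txt and /README.md at the web server removes the fingerprinting signal's source; a "module-php-after-install" hit warrants reviewing which admin account performed the install.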


Well-known CVEs

CVE-2014-3704 (7.x), CVE-2018-7600 and CVE-2018-7602 (7.x, 8.x) are called Drupalgeddon and affect the core of Drupal.

We could exploit them using metasploit:

msf6> exploit/multi/http/drupal_drupageddon