Drupal
Drupal is an open-source Content Management System (CMS) written in PHP. Version 11 is currently in development (2024).
- GitHub (4.0k ⭐)
- Documentation
It supports MySQL, PostgreSQL, or SQLite.
Drupal Pentester Notes ⚠️
Enumeration
We may identify Drupal and its version from:
- The tag <meta name="generator" content="<here>">
- The CHANGELOG, which may be exposed at /CHANGELOG.txt
- The README, which may be exposed at /README.md
- The robots.txt, which may contain Drupal-specific entries, at /robots.txt
- The /node/<nodeid> endpoint, which is specific to Drupal
We may use droopescan:
$ droopescan scan drupal -u URL
Foothold
We often want to get an account to exploit.
- The login page is at /user/login
Exploitation
Before version 8, as an admin, we could enable the "PHP filter" module to execute PHP code:
- Create a basic page with some PHP code
- Set the text format to PHP code
- Access the created node (/node/<your_new_node_id>)
Since version 8, the module is not installed by default. We can download modules from here (e.g. php module) and install them at Administration > Reports > Available updates.
We could also upload a backdoored module, e.g., a legitimate module in which we added our files. Use /admin/modules/install and access them at /modules/<module_name>/<our_file>.
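A defender's view of the paths listed in these notes, as an added example (not part of the original notes): it scans web access logs for requests to the version files, the module installer, PHP files under /modules/, and repeated login POSTs. The "combined" log format, the sample lines, the rule labels and the login_threshold value are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /README.md HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:00:09 +0000] "POST /admin/modules/install HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:15 +0000] "GET /modules/example_mod/extra.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:10:01:00 +0000] "GET /node/12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:10:01:05 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# (label, required method or None, path regex); the paths are the ones in these notes.
RULES = [
    ("version-file", "GET", re.compile(r"^/(CHANGELOG\.txt|README\.md)$", re.I)),
    ("module-install", "POST", re.compile(r"^/admin/modules/install/?$")),
    ("php-under-modules", None, re.compile(r"^/modules/[^/]+/.*\.php$", re.I)),
    ("login-attempt", "POST", re.compile(r"^/user/login/?$")),
]

def classify(line):
    """Return (ip, label) when a log line matches a rule, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path = target.split("?", 1)[0]  # ignore the query string
    for label, want, rx in RULES:
        if want in (None, method) and rx.search(path):
            if label == "version-file":  # a 200 means the file is really served
                label += "-exposed" if status == "200" else "-probe"
            return ip, label
    return None

def findings_by_ip(log_text, login_threshold=5):
    """Count hits per client; login POSTs are reported only from login_threshold up."""
    hits = Counter(h for h in map(classify, log_text.splitlines()) if h)
    report = defaultdict(dict)
    for (ip, label), n in hits.items():
        if label != "login-attempt" or n >= login_threshold:
            report[ip][label] = n
    return dict(report)

if __name__ == "__main__":
    print(findings_by_ip(SAMPLE_LOG))
```

A "version-file-exposed" hit means the server answered 200, so the file should be removed or blocked at the web server; the /node/<id> request is left unflagged because it is ordinary site traffic.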
Well-known CVEs
CVE-2014-3704 (7.x), CVE-2018-7600 and CVE-2018-7602 (7.x, 8.x) are called Drupalgeddon and affect the core of Drupal.
We could exploit them using Metasploit:
msf6> exploit/multi/http/drupal_drupageddon