Drupal
Enumeration
Users
- In /user/register just try to create a username and if the name is already taken it will be notified:
The name admin is already taken.
- If you request a new password for an existing username:
Unable to send e-mail. Contact the site administrator if the problem persists.
- If you request a new password for a non-existent username:
Sorry, loremipsum is not recognized as a user name or an e-mail address
- Accessing
/user/<number>
you can see the number of existing users, in this case is 2 as/users/3
returns a not found error:
Pages
- Fuzz From http://drupal.local/node/1 To http://drupal.local/node/500. You could find hidden pages (test, dev) which are not referenced by the search engines.
- curl https://example.com/config/sync/core.extension.yml
- curl https://example.com/core/core.services.yml
- curl https://example.com/config/sync/swiftmailer.transport.yml
Tools
drupwn
droopescanExplotation
searchsploit drupal
searchsploit drupal | grep 'Remote Code Execution'
RCE admin panel Code execution inside Drupal with admin creds You need the plugin php to be installed (check it accessing to /modules/php and if it returns a 403 then, exists, if not found, then the plugin php isn't installed) Go to Modules -> (Check) PHP Filter -> Save configuration
RCE
searchsploit Drupalgeddon2
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Post Exploitation
Read settings.php
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
Dump users from DB