Translated ['network-services-pentesting/pentesting-web/drupal/README.md

Translator 2024-08-12 13:10:24 +00:00
parent b26884610d
commit 1c8032579d

@ -25,7 +25,7 @@ Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt
```bash
curl https://www.drupal.org/ | grep 'content="Drupal'
```
* **Node**: Drupal **inaweka maudhui yake kwa kutumia nodes**. Node inaweza **kushikilia chochote** kama vile chapisho la blogu, kura, makala, nk. URI za ukurasa mara nyingi zinafanywa kwa mfumo wa `/node/<nodeid>`.
* **Node**: Drupal **inaweka alama za maudhui yake kwa kutumia nodes**. Node inaweza **kushikilia chochote** kama vile chapisho la blogu, kura, makala, nk. URI za ukurasa mara nyingi zinafanywa kwa mfumo wa `/node/<nodeid>`.
```bash
curl drupal-site.com/node/1
```
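Review bot: The reworded Node bullet changes the meaning, not only the style: "inaweka maudhui yake kwa kutumia nodes" says Drupal stores its content using nodes, while the replacement "inaweka alama za maudhui yake" says it marks or labels its content. Check the sentence against the English source, and if the source verb is a technical term with no settled Swahili equivalent, keep the English term the way `nodes` and `default` are already kept instead of paraphrasing it.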
@ -35,7 +35,7 @@ Drupal inasaidia **aina tatu za watumiaji** kwa default:
1. **`Administrator`**: Mtumiaji huyu ana udhibiti kamili juu ya tovuti ya Drupal.
2. **`Authenticated User`**: Watumiaji hawa wanaweza kuingia kwenye tovuti na kufanya operesheni kama kuongeza na kuhariri makala kulingana na ruhusa zao.
3. **`Anonymous`**: Wageni wote wa tovuti wanapewa jina la kutotambulika. Kwa default, watumiaji hawa wanaruhusiwa kusoma tu machapisho.
3. **`Anonymous`**: Wageni wote wa tovuti wanapewa jina la kutokuwa na jina. Kwa default, watumiaji hawa wanaruhusiwa tu kusoma machapisho.
### Version
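Review bot: In the `Anonymous` item, the new wording "wanapewa jina la kutokuwa na jina" (given the name of having no name) is circular and reads worse than the "jina la kutotambulika" it replaces. The role name `Anonymous` is already kept in English in backticks, so suggest keeping the earlier wording or rephrasing around the role name. Moving "tu" in front of "kusoma" in the second sentence is fine.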
@ -102,13 +102,18 @@ Ikiwa una ufikiaji wa console ya wavuti ya Drupal angalia chaguzi hizi kupata RC
[drupal-rce.md](drupal-rce.md)
{% endcontent-ref %}
## Drupal Kutoka XSS hadi RCE
Kupitia mbinu hii, inawezekana kufikia **Remote Code Execution (RCE)** katika Drupal kupitia **Cross-Site Scripting (XSS)**. https://github.com/nowak0x01/Drupalwned
<br><br>
**Kwa hatua za kina zaidi angalia:** https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html
## Post Exploitation
### Soma settings.php
```
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
```
### Piga picha watumiaji kutoka DB
### Dumisha watumiaji kutoka DB
```
mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'
```
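Review bot: The renamed heading "### Dumisha watumiaji kutoka DB" is a mistranslation: "dumisha" means to maintain or sustain, while the `mysql ... select * from users` command under it dumps the users table. The earlier "Piga picha" (take a photo) does not fit either; suggest keeping the loanword, for example "### Dump watumiaji kutoka DB". In the new "Drupal Kutoka XSS hadi RCE" section, both URLs are bare text and the spacing relies on a raw `<br><br>`; make them Markdown links separated by a blank line, matching the link style used elsewhere in this file.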
@ -129,8 +134,8 @@ Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
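Review bot: In the Discord/Twitter bullet the bold markup now splits the phrase: "**fuata** sisi" leaves "sisi" outside the emphasis, and "fuata sisi" is a word-for-word rendering where the replaced "**tufuatilie**" was idiomatic. Suggest keeping "**tufuatilie**". The last bullet's change from "repos za github" to "github repos" likewise moves back to English word order inside a Swahili sentence; keep the earlier form.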