5.7 KiB
Drupal
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% embed url="https://websec.nl/" %}
Discovery
- Check meta
curl https://www.drupal.org/ | grep 'content="Drupal'
- Node: Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form
/node/<nodeid>
.
curl drupal-site.com/node/1
Enumeration
Version
- Check
/CHANGELOG.txt
curl -s http://drupal-site.local/CHANGELOG.txt | grep -m2 ""
Drupal 7.57, 2018-02-21
{% hint style="info" %}
Newer installs of Drupal by default block access to the CHANGELOG.txt
and README.txt
files.
{% endhint %}
Username enumeration
Drupal supports three types of users by default:
Administrator
: This user has complete control over the Drupal website.Authenticated User
: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.Anonymous
: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.
To enumerate users you can:
- Get number of users: Just access
/user/1
,/user/2
,/user/3
... until it returns an error indicating that the suer doesn't exist. - Registry: Access
/user/register
and try to create a username and if the name is already taken it will be indicated in an error from the server. - Reset password: Try to reset the password of a user and if the user doesn't exist it will be indicated clearly in an error message.
Hidden pages
Just find new pages by looking into /node/FUZZ
where FUZZ
is a number (from 1 to 1000 for example).
Installed modules info
#From https://twitter.com/intigriti/status/1439192489093644292/photo/1
#Get info on installed modules
curl https://example.com/config/sync/core.extension.yml
curl https://example.com/core/core.services.yml
# Download content from files exposed in the previous step
curl https://example.com/config/sync/swiftmailer.transport.yml
Automatic Tools
droopescan scan drupal -u http://drupal-site.local
RCE
If you have access to the Drupal web console check these options to get RCE:
{% content-ref url="drupal-rce.md" %} drupal-rce.md {% endcontent-ref %}
From XSS to RCE
- Drupalwned: Drupal Exploitation Script that elevate XSS to RCE or Others Critical Vulnerabilities. For more info check this post. It provides support for Drupal Versions 7.X.X, 8.X.X, 9.X.X and 10.X.X, and allows to:
- Privilege Escalation: Creates an administrative user in Drupal.
- (RCE) Upload Template: Upload custom templates backdoored to Drupal.
Post Exploitation
Read settings.php
{% code overflow="wrap" %}
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
{% endcode %}
Dump users from DB
{% code overflow="wrap" %}
mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'
{% endcode %}
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.