mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-23 13:13:41 +00:00
59 lines
1.8 KiB
Markdown
59 lines
1.8 KiB
Markdown
# Drupal
|
|
|
|
## Username enumeration
|
|
|
|
### Register
|
|
|
|
In _/user/register_ just try to create a username and if the name is already taken it will be notified:
|
|
|
|
|
|
|
|
### Request new password
|
|
|
|
If you request a new password for an existing username:
|
|
|
|
|
|
|
|
If you request a new password for a non-existent username:
|
|
|
|
|
|
|
|
## Number of users enumeration
|
|
|
|
Accessing _/user/<number>_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error:
|
|
|
|
|
|
|
|
|
|
|
|
## Hidden pages enumeration
|
|
|
|
**Fuzz `/node/$` where `$` is a number** \(from 1 to 500 for example\).
|
|
You could find **hidden pages** \(test, dev\) which are not referenced by the search engines.
|
|
|
|
## Code execution inside Drupal with admin creds
|
|
|
|
You need the **plugin php to be installed** \(check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**\)
|
|
|
|
Go to _Modules_ -> \(**Check**\) _PHP Filter_ -> _Save configuration_
|
|
|
|
|
|
|
|
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_
|
|
|
|
|
|
|
|
## Post Exploitation
|
|
|
|
### Read settings.php
|
|
|
|
```text
|
|
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
|
|
```
|
|
|
|
### Dump users from DB
|
|
|
|
```text
|
|
mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'
|
|
```
|
|
|