mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-06 10:18:55 +00:00
45 lines
1.5 KiB
Markdown
45 lines
1.5 KiB
Markdown
# Drupal
|
|
|
|
## Username enumeration
|
|
|
|
### Register
|
|
|
|
In _/user/register_ just try to create a username and if the name is already taken it will be notified:
|
|
|
|
|
|
|
|
### Request new password
|
|
|
|
If you request a new password for an existing username:
|
|
|
|
|
|
|
|
If you request a new password for a non-existent username:
|
|
|
|
|
|
|
|
## Number of users enumeration
|
|
|
|
Accessing _/user/<number>_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error:
|
|
|
|
|
|
|
|
|
|
|
|
## Hidden pages enumeration
|
|
|
|
**Fuzz `/node/$` where `$` is a number** \(from 1 to 500 for example\).
|
|
You could find **hidden pages** \(test, dev\) which are not referenced by the search engines.
|
|
|
|
## Code execution inside Drupal with admin creds
|
|
|
|
You need the **plugin php to be installed** \(check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**\)
|
|
|
|
Go to _Modules_ -> \(**Check**\) _PHP Filter_ -> _Save configuration_
|
|
|
|
|
|
|
|
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_
|
|
|
|
|
|
|