RCE with Admin Credentials

The PHP filter plugin exists to evaluate PHP code embedded in content. The issue here is not a bug in the plugin itself: it does exactly what it is designed to do, so an attacker who should never have obtained an administrator account can turn that access into code execution on the server. See also: Interesting info about PHP filter.

Requirements:

  • The PHP plugin to be installed on the application
  • Access to an administrator account

How to check existing plugins?

The default path for Drupal plugins (modules) is:

/modules/<plugin_name>

Checking whether a given plugin is installed does not require authentication. Send an unauthenticated GET request to the following endpoint and read the response code to tell whether the PHP plugin exists:

/modules/php
  Response Code      Intel Info
  403 Forbidden      Plugin is installed
  404 Not Found      Plugin is not installed
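Because the module-directory probe is unauthenticated, it also shows up in the web server's access log long before any admin-level activity does. The following Python is an added example written for the defender's side and is not part of the original page: it parses a few constructed combined-format access log lines, flags GET requests to /modules/<name>, applies the page's 403/404 table to probes of /modules/php, and reports IPs that walked several module directories in a row (the threshold of 3 is an arbitrary assumption for the sample data).

```python
import re

# Apache/nginx "combined" log format. The sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A request for /modules/<name>, with or without a trailing slash.
MODULE_PROBE_RE = re.compile(r'^/modules/(?P<module>[A-Za-z0-9_\-]+)/?$')

# What a GET /modules/php response reveals to the requester (the table above).
PROBE_INTEL = {403: "installed", 404: "not installed"}

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /modules/php HTTP/1.1" 403 199 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /modules/views HTTP/1.1" 404 153 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /modules/ctools HTTP/1.1" 403 199 "-" "curl/7.88"',
    '198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:05 +0000] "GET /modules/php/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_probe(status):
    """Map the status of a GET /modules/php probe to what it told the requester."""
    return PROBE_INTEL.get(status, "unknown")


def find_module_probes(lines):
    """Return one dict per GET /modules/<name> request found in the log lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        pm = MODULE_PROBE_RE.match(rec["path"])
        if not pm:
            continue
        module = pm.group("module")
        hits.append({
            "ip": rec["ip"],
            "module": module,
            "status": rec["status"],
            # Only the php probe has a known meaning per the table above.
            "intel": classify_probe(rec["status"]) if module == "php" else None,
        })
    return hits


def probing_ips(lines, threshold=3):
    """IPs that requested at least `threshold` distinct module directories."""
    seen = {}
    for h in find_module_probes(lines):
        seen.setdefault(h["ip"], set()).add(h["module"])
    return {ip: sorted(mods) for ip, mods in seen.items() if len(mods) >= threshold}


if __name__ == "__main__":
    for hit in find_module_probes(SAMPLE_LOG):
        print(hit)
    print("enumerating IPs:", probing_ips(SAMPLE_LOG))
```

A 403 on /modules/php in your own logs confirms the directory exists on the host, which is the same conclusion an attacker draws; if the PHP filter module is not needed, that is the point at which to disable and remove it rather than rely on the 403.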

Performing the RCE

This is the part where administrator access is required.

Finding the PHP filter plugin

  1. Log in to the application with the administrator account
  2. Navigate to the Modules section and check whether the PHP filter plugin is enabled or disabled

[Drupal Plugin Image]

  3. Press Save configuration, then go to Add content > Basic Page (or Article)
  4. Write the PHP shell code within the Body
  5. Select PHP code in the Text format menu

[Drupal RCE Image]

  6. STONKS!

POST Exploitation

  • Read settings.php

    find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null

  • Dump users from the DB (adapt the credentials and database name to what settings.php returned)

    mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'