hacktricks/pentesting/pentesting-web/drupal.md

# Drupal

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

## Drupal

### Username enumeration

#### Register

In _/user/register_ just try to create a username and if the name is already taken it will be notified:

![](<../../.gitbook/assets/image (254).png>)

#### Request new password

If you request a new password for an existing username:

![](<../../.gitbook/assets/image (255).png>)

If you request a new password for a non-existent username:

![](<../../.gitbook/assets/image (256).png>)

### Number of users enumeration

Accessing _/user/\<number>_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error:

![](<../../.gitbook/assets/image (257).png>)

![](<../../.gitbook/assets/image (227) (1) (1) (1).png>)

### Hidden pages enumeration

**Fuzz `/node/$` where `$` is a number** (from 1 to 500 for example).\
You could find **hidden pages** (test, dev) which are not referenced by the search engines.

#### Installed modules info

```bash
#From https://twitter.com/intigriti/status/1439192489093644292/photo/1
#Get info on installed modules
curl https://example.com/config/sync/core.extension.yml
curl https://example.com/core/core.services.yml

# Download content from files exposed in the previous step
curl https://example.com/config/sync/swiftmailer.transport.yml
```

### Code execution inside Drupal with admin creds

You need the **plugin php to be installed** (check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**)

Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_

![](<../../.gitbook/assets/image (252).png>)

Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_

![](<../../.gitbook/assets/image (253).png>)

### Post Exploitation

#### Read settings.php

```
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
```

#### Dump users from DB

```
mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'
```

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`# Drupal`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`

GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`## Drupal`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`### Username enumeration`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`#### Register`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`In _/user/register_ just try to create a username and if the name is already taken it will be notified:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (254).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`#### Request new password`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			`If you request a new password for an existing username:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (255).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			`If you request a new password for a non-existent username:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (256).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`### Number of users enumeration`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`Accessing _/user/\<number>_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (257).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3157] No subject 2022-04-30 22:31:18 +02:00			`![](<../../.gitbook/assets/image (227) (1) (1) (1).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`### Hidden pages enumeration`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			Fuzz `/node/$` where `$` is a number (from 1 to 500 for example).\
			`You could find hidden pages (test, dev) which are not referenced by the search engines.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`#### Installed modules info`
GitBook: [master] one page modified 2021-09-20 12:57:53 +02:00
			```bash
			`#From https://twitter.com/intigriti/status/1439192489093644292/photo/1`
			`#Get info on installed modules`
			`curl https://example.com/config/sync/core.extension.yml`
			`curl https://example.com/core/core.services.yml`

			`# Download content from files exposed in the previous step`
			`curl https://example.com/config/sync/swiftmailer.transport.yml`
			```

GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`### Code execution inside Drupal with admin creds`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`You need the plugin php to be installed (check it accessing to _/modules/php_ and if it returns a 403 then, exists, if not found, then the plugin php isn't installed)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`Go to _Modules_ -> (Check) _PHP Filter_ -> _Save configuration_`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3157] No subject 2022-04-30 22:31:18 +02:00			`![](<../../.gitbook/assets/image (252).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (253).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`### Post Exploitation`
GitBook: [master] 2 pages modified 2021-04-01 23:42:37 +02:00
GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`#### Read settings.php`
GitBook: [master] 2 pages modified 2021-04-01 23:42:37 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			```
GitBook: [master] 2 pages modified 2021-04-01 23:42:37 +02:00			`find / -name settings.php -exec grep "drupal_hash_salt\\|'database'\\|'username'\\|'password'\\|'host'\\|'port'\\|'driver'\\|'prefix'" {} \; 2>/dev/null`
			```

GitBook: [#3143] No subject 2022-04-29 01:27:22 +02:00			`#### Dump users from DB`
GitBook: [master] 2 pages modified 2021-04-01 23:42:37 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			```
GitBook: [master] 2 pages modified 2021-04-01 23:42:37 +02:00			`mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'`
			```
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`