Drupal 8 to Reverse Shell

by Vince

In a previous post, I wrote about how to get a reverse shell on Drupal 7 (and possibly earlier).  I'm currently working on a project involving Drupal and I'm also teaching a class this weekend -- I thought... why not pair the two together.  I figured if I built something for the class with Drupal, that would lend a hand with my project.  Familiarity and such.  I "thought" I was going to recycle my knowledge from the previous post but it turns out in Drupal 8, they removed the filter function which allows you to insert PHP into the posts.  After some reading, it turns out their reasoning was due to the fact that hackers can exploit this functionality. 

At this point, I'm kind of annoyed because what I thought was going to take a few minutes, getting from A to B, now must take significantly longer because I have to figure out a way to shell Drupal 8. 

I wanted a lesson and I got one.

First thought was that I would just write a module using a Hello World example I found.  But for various reasons, that didn't work.  First it was Drupal not liking the command line tar.gz and then after I used the GUI version, it just didn't like how I'd written the module.  Or who knows?  In my final, and working, attempt, I pulled down an existing module, added a shell command, uploaded it, and that worked.  Funny enough, the module I chose is called CodeFilter which allows you to post code in pages without the code executing.  In case you're recreating this from exactly my path, you need the CodeFilter beta version in dev for Drupal 8 and not the current version which is for Drupal 7. 

From the main screen, we choose Extend, we search for Update Manager, and we enable it:





Once enabled, we "could" install a new module but we don't have that set up just yet:






Extracting the existing module, I modify the codefilter.module file:






It contained nothing of value and I just added my shell statement:






I save it and I compress it using the GUI version since the command line version was disliked by Drupal:






Now we can Install new module:






We browse to our tar.gz file:






After we hit the Install button, we select Enable newly added modules:






When it finishes, we find our installed module and we enable it:






With our handler set up:






And that's a wrap.  Shellz for everyone!
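
Seen from the defender's side, the modified module in the steps above can be caught before it is installed. The following is an added example, not part of the original post: it scans a module tar.gz for PHP command-execution calls. The function list, the line-based comment skipping and the sample archives are assumptions constructed for the example.

```python
import io
import re
import tarfile

# PHP functions that run OS commands; this list is the example's assumption, not Drupal's.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "pcntl_exec")
CALL_RE = re.compile(r"(?<![\w>$:])(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)
BACKTICK_RE = re.compile(r"`[^`\n]+`")  # PHP backtick operator also runs a shell command
PHP_SUFFIXES = (".module", ".php", ".inc", ".install", ".theme", ".profile", ".engine")

def scan_module_archive(fileobj):
    """Return [(member, line_no, token)] for command-execution calls in PHP files."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.name.endswith(PHP_SUFFIXES):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for no, line in enumerate(text.splitlines(), 1):
                if line.lstrip().startswith(("//", "#", "*", "/*")):
                    continue  # heuristic: skip whole-line comments
                for m in CALL_RE.finditer(line):
                    findings.append((member.name, no, m.group(1).lower()))
                if BACKTICK_RE.search(line):
                    findings.append((member.name, no, "backtick"))
    return findings

def build_sample(files):
    """Build an in-memory tar.gz from {path: source} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, src in files.items():
            data = src.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed samples: an untouched module file and one with an added command call.
CLEAN = {"codefilter/codefilter.module": "<?php\n// Hooks.\nfunction codefilter_help() {\n  return curl_exec($h);\n}\n"}
TAMPERED = {"codefilter/codefilter.module": "<?php\nsystem('PLACEHOLDER-COMMAND');\nfunction codefilter_help() {}\n", "codefilter/README.txt": "exec( appears here, but this is not PHP\n"}

if __name__ == "__main__":
    print(scan_module_archive(build_sample(TAMPERED)))
```

A hit is a prompt for review rather than proof of tampering; comparing the archive against the upstream release is the stronger check.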