Drupal
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Check meta
Node: Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form /node/<nodeid>.
Drupal supports three types of users by default:
Administrator: This user has complete control over the Drupal website.
Authenticated User: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.
Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.
Check /CHANGELOG.txt
Newer installs of Drupal by default block access to the CHANGELOG.txt and README.txt files.
In /user/register just try to create a username and if the name is already taken it will be notified:
If you request a new password for an existing username:
If you request a new password for a non-existent username:
Accessing /user/<number> you can see the number of existing users, in this case is 2 as /users/3 returns a not found error:
Fuzz /node/$ where $ is a number (from 1 to 500 for example).
You could find hidden pages (test, dev) which are not referenced by the search engines.
If you have access to the Drupal web console check these options to get RCE:
Drupal RCEDrupalwned: Drupal Exploitation Script that elevate XSS to RCE or Others Critical Vulnerabilities. For more info check this post. It provides support for Drupal Versions 7.X.X, 8.X.X, 9.X.X and 10.X.X, and allows to:
Privilege Escalation: Creates an administrative user in Drupal.
(RCE) Upload Template: Upload custom templates backdoored to Drupal.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
