A Metasploit module is also available to exploit the Drupalgeddon2 vulnerability, and we can use it by executing this command in msfconsole:
use exploit/unix/webapp/drupal_drupalgeddon2
Now, perform the following steps to exploit the vulnerability:
- To view the options, we run show options, as shown here:
- Next, we set the options of rhosts and rport, as shown in the following screenshot:
- When the exploit is run, it first performs fingerprinting by looking for the Drupal version in the response header or meta tag by making a request to /, as shown here:
- Next, it performs a patch-level check by calling CHANGELOG.txt and looking for the SA-CORE-2018-002 patch, as shown here:
- When the previous two steps are complete, the exploit confirms the existence of RCE by simply calling PHP's printf function to print a value in the response:
In the preceding screenshot, we used the testing123 string. If the server responds with testing123, the server has the Drupalgeddon2 vulnerability:
- Next, confirm the RCE using PHP's passthru() function to execute the id, whoami, and uname -a commands:
The server returns the output of the executed commands, as shown here:
- The final step is to send the PHP meterpreter payload, which is injected and executed in memory, as shown here:
Upon successful execution, we will have a meterpreter session open in our terminal:
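The two pre-exploitation checks the module performs (the version fingerprint from the response header or meta tag, and the SA-CORE-2018-002 lookup in CHANGELOG.txt) are also the checks an administrator can run against their own site to confirm the patch is in place. The script below is an added example, not code from the book or from the Metasploit module; it works offline on constructed responses and assumes you pass in the headers and bodies fetched from your own server.

```python
import re
from typing import Mapping, Optional, Tuple

# Advisory id that the module's patch-level check greps for in CHANGELOG.txt.
ADVISORY = "SA-CORE-2018-002"

def drupal_major_version(headers: Mapping[str, str], body: str) -> Optional[int]:
    """Major version as the module's fingerprint step finds it: X-Generator header
    first, then the <meta name="Generator"> tag at /. Drupal only exposes the major
    version here, which is why the CHANGELOG.txt patch-level check is still needed."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    candidates = [lowered.get("x-generator", "")]
    meta = re.search(r'<meta\s+name="generator"\s+content="([^"]*)"', body, re.IGNORECASE)
    if meta:
        candidates.append(meta.group(1))
    for text in candidates:
        found = re.match(r"\s*Drupal\s+(\d+)", text)
        if found:
            return int(found.group(1))
    return None

def changelog_patch_status(status_code: int, changelog: str) -> str:
    """Same signal as the module's patch-level check, read from the admin side.
    A missing changelog (hardened sites often remove it) is inconclusive, not proof of a patch."""
    if status_code != 200:
        return "inconclusive"
    return "patched" if ADVISORY in changelog else "unpatched"

def assess(headers: Mapping[str, str], body: str,
           changelog_status: int, changelog: str) -> Tuple[str, Optional[int]]:
    """Combine both checks into (verdict, major_version) for one site."""
    major = drupal_major_version(headers, body)
    if major is None:
        return ("not-drupal-or-fingerprint-hidden", None)
    return (changelog_patch_status(changelog_status, changelog), major)

# Constructed sample responses (not captured from a real site).
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Generator": "Drupal 7 (https://www.drupal.org)"}
SAMPLE_BODY = '<html><head><meta name="Generator" content="Drupal 7 (https://www.drupal.org)" /></head></html>'
PATCHED_CHANGELOG = "Drupal 7.58, 2018-03-28\n-----------------------\n- Fixed security issues. See SA-CORE-2018-002.\n"
OLD_CHANGELOG = "Drupal 7.57, 2018-02-21\n-----------------------\n- Fixed security issues.\n"

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, SAMPLE_BODY, 200, PATCHED_CHANGELOG))  # ('patched', 7)
    print(assess(SAMPLE_HEADERS, SAMPLE_BODY, 200, OLD_CHANGELOG))      # ('unpatched', 7)
    print(assess(SAMPLE_HEADERS, SAMPLE_BODY, 404, ""))                 # ('inconclusive', 7)
```

Treat an inconclusive result as a prompt to verify the core version on the file system, since removing CHANGELOG.txt hides this signal from the module's check just as it does from this script.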
Now, let's look at another example of a Drupal exploit and try to understand how it works.