Exploiting Port 80 – Drupal
Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License.
When browsing port 80 with Firefox, Apache will present you with a directory listing containing a number of entries:
If you go back to the OpenVAS report, you will see a lot of potential on port 80:
The first thing to do should be to identify Drupal’s version. Analyzing the source code for the Drupal page you can immediately get some information about the website’s structure, namely the fact that many things are coming from the drupal/modules folder.
Digging and researching online will lead you to the discovery of the blog.info file located inside the drupal/modules/blog folder.
Now you know Drupal is version 7.5
Exploiting Drupal using Metasploit
Searching inside MSF, you will find there are several modules available to use against Drupal:
Comparing this list with the vulnerabilities identified by OpenVAS will tell you exploits 2 and 3 are probably going to succeed.
Let’s try to exploit the SQL Injection vulnerability:
This is a low privilege session…
NOTES:
- The targeturi was set to /drupal/ instead of root (/) because that is the Drupal directory on the Apache web server.
- This exploit is supposed to work only against Drupal 7.0 and 7.31 (the vulnerability was fixed in 7.32). The server apparently has version 7.5 and is still vulnerable.
Now let’s try to exploit the remote code execution vulnerability:
And this is another low privilege shell…
Exploiting Port 80 – Payroll Application
Another interesting item is the file payroll_app.php. Clicking on it will load a Payroll Login interface.
The Nmap scan identified a MySQL server running on Metasploitable3. Therefore, it might be a good idea to try a basic SQL injection attack. Let’s use the classic ' OR 1=1#.
Clicking the Ok button with the classic injection string in the User input box will immediately reveal a total of 15 users in the Payroll App.
This could be the beginning of a real SQL Injection attack but instead I went after the code for the Payroll app. I remembered the file was listed in a previous exploit, namely ProFTPD. So, I repeated the exploit and investigated the contents of the file payroll_app.php.
These appear to be the credentials for the Payroll application but they are not…
However, let’s not forget about these credentials as they might still be useful.
Exploiting Port 80 – phpMyAdmin
Opening the phpMyAdmin link will take you to the service login page:
Brute forcing phpMyAdmin using Hydra
Brute forcing this service requires a bit of research but nothing special. You can use the wordlists provided with Kali, or you can add the previous credentials to the customized wordlists.
The credentials are valid for the phpMyAdmin service!
Brute forcing phpMyAdmin using Metasploit
There is a scanner module to use against phpMyAdmin but it’s broken and therefore completely useless:
Exploiting phpMyAdmin using Metasploit
The phpMyAdmin web application running on Metasploitable 3 has a remote code execution vulnerability which can be exploited using the phpmyadmin_preg_replace module:
Unfortunately, something went wrong with this exploit. It might be a simple thing but I decided not to waste time investigating it. Instead, I tried to use the previously collected credentials…
It worked! The created session is a low privilege one, but this means the credentials are valid for phpMyAdmin. Therefore, instead of using them inside MSF, why not use them directly in the phpMyAdmin login page?
From here, everything is your disposal. Take a look at the users table inside the payroll database:
You still need to get root access to the target, so why don’t you add all this information to your user/pass custom wordlists and try to brute force SSH again?
It works! All these accounts have SSH access and on top of that, Leia, Luke, and Han all have sudo privileges so some of these sessions have root access to the target machine.
1 comment:
If you're based in the USA and need Drupal support and maintenance services, I suggest reaching out to LN Webwork. They offer reliable and efficient support services to help you maintain your Drupal site.
Post a Comment