The next thing I did was search Google for Drupal 7.54 exploits and discovered the one below: Įxploit: The exploitation of the Drupal vulnerability allowed for privilege escalation, SQL injection and, finally, remote code execution. I usually look at the headers first before using a tool because details can be gathered quickly and passively.Īfter reviewing the nmap scan and browsing the site and headers I wanted to check out the Drupal instance running on port 80 in greater detail, so I decided to check out CMSmap for further enumeration! I’ve been waiting for an opportunity to try out CMSmap for content management services like Drupal or Joomla since WPScan is pretty fantastic for WordPress instances.īurp’s proxy is really nice to track all of the pages you’ve visited and spider directories further if needed. I then looked at the headers in the browser’s developer tools and found some interesting details pertaining to the versions of Drupal, PHP, and IIS as well as the HTTP Security Headers. I configured my browser to use the proxy and then I browsed to I was presented with a Drupal page without any content but there was a login form on the page. Yes…I even like developing Java applications! I fired up Burp’s proxy to capture my manual investigation and spidering of the site. Typically if I determine a web service is present I will investigate there first, this is due to the fact I enjoy writing web apps in various languages and frameworks and I’m a developer by trade. I used the flags below to determine the operating system, perform a faster scan, gather details of the discovered ports and their associated services and finally output the results to a variety of formats. Use these techniques responsibly and ethically and always test every flag, switch, command, and exploit in your own test environment prior to running in a customer’s environment.Įngage: I began the enumeration process by scanning the system with nmap. I didn’t give it this name due to frustration! This is a test system and some of the below methods shouldn’t be done in a production environment. Finally help mitigate risk by suggesting security controls to implement.ĭisclaimer: Let’s first answer a question that may already be on your mind, the server’s hostname is actually “Bastard”. If vulnerabilities do exist determine if they can be exploited. Mission: Investigate the system named Bastard (10.10.10.9) and determine if any vulnerabilities exist. Author: Brennan Turner Drupal 7.x Services Module RCEĮscalation: Win32k.sys Elevation of Privilege (CVE-2014-4113)
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |