Drupal is an open source platform for building amazing digital experiences. Flexible and highly scalable, Drupal publishes a single web site or shares content in multiple languages across many devices. Drupal recently released a patch for its critical remote code execution vulnerability known as Drupalgeddon 2.0. This is the second critical remote code execution vulnerability found in the popular CMS framework Drupal.
Digging further into Drupalgeddon 2.0: Drupal 6, 7 and 8 are all affected by a remote code execution vulnerability through which an attacker can easily execute commands on the target system and completely take over the website.
This issue, tracked as CVE-2018-7600, can be exploited simply by accessing a page on the targeted Drupal website. Once exploited, it gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data.
More information about the vulnerability and patch details can be found in Drupal's Security Advisory.
After reading all these painful things, I decided to try exploiting the vulnerability myself to see how easy it is for an attacker to get into a Drupal-powered website. I installed the vulnerable Drupal version 8.5.0, released on 7th March 2018, on XAMPP on my Windows 10 machine. The picture below shows the newly installed Drupal CMS.
Test bed system details: XAMPP (v3.2.2) and Drupal (8.5.0)
As the exploit is written for Linux-based servers, I made a small modification so that it works with my Windows-based XAMPP setup. The screenshot below shows the exploit PoC code used for testing the Drupal RCE vulnerability.
To exploit the Drupal server, just run the Python script against it. I used my localhost setup for this test. The screenshot below shows the exploit running against Drupal.
On running the above script, the command “calc.exe” was executed on the Drupal server and a Windows calculator popped up, as shown in the screenshot below.
This shows how easily the exploit can be used in the wild if people don't patch their Drupal CMS immediately. I used the calculator for demo purposes only; an attacker can execute any system command, compromise the server and take full control of the Drupal site.
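For defenders who cannot patch the same day, the following is an added illustration written for this post (not Drupal's own code): it mirrors the request sanitisation the Drupal fix introduced, which drops any request parameter whose key begins with `#` (such keys have special meaning to Drupal's render/Form API and should never come from a client), and applies the same check to the query string in constructed web-server access-log lines so attempts can be spotted in logs. The log format, the `#demo` key and the `flag_log_line`/`sanitize` helpers are assumptions of this example.

```python
"""Defensive check modelled on the input sanitisation added by the Drupal fix for
CVE-2018-7600 (patched core strips request keys that begin with '#').
Illustration written for this post, not Drupal's own code."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# A key is suspicious if its own name, or any bracketed sub-key such as
# "mail[#demo][]", starts with '#'.
SUSPICIOUS_KEY = re.compile(r'(^|\[)#')

# Pulls method and request target out of a common/combined access-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sanitize(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (clean_params, dropped_keys), dropping every '#'-prefixed key
    the way the patched core does before the request reaches the Form API."""
    clean: Dict[str, str] = {}
    dropped: List[str] = []
    for key, value in params.items():
        if SUSPICIOUS_KEY.search(key):
            dropped.append(key)
        else:
            clean[key] = value
    return clean, dropped


def flag_log_line(line: str) -> List[str]:
    """Return the '#'-prefixed keys found in the request's query string
    (empty if the line is clean or is not a request line at all)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group('target')).query
    # parse_qsl URL-decodes, so %23 becomes '#' and %5B/%5D become '[' / ']'.
    params = dict(parse_qsl(query, keep_blank_values=True))
    return sanitize(params)[1]


# Constructed sample log lines (not captured traffic): one benign request and
# one carrying a '#'-prefixed key in the query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Mar/2018:22:10:01 +0000] "GET /user/register?form_id=user_register_form HTTP/1.1" 200 5120',
    '10.0.0.9 - - [28/Mar/2018:22:10:07 +0000] "POST /user/register?ajax_form=1&mail%5B%23demo%5D%5B%5D=x HTTP/1.1" 200 411',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(flag_log_line(entry) or "clean", "<-", entry[:60])
```

Access logs only carry the query string, so `#`-prefixed keys sent in a POST body are caught only by the application-level sanitiser that `sanitize` models; that is why applying the core update, rather than a log rule alone, is the real fix.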