projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.

Home Page: https://github.com/projectdiscovery/nuclei

drupal-files

ArjunChandarana opened this issue · comments

Template Information:

Drupal CMS has many default files, a few of which are interesting and can be used to identify that Drupal is being used as the CMS. It also has accessible files which disclose information about which plugins are being used, and much more.

Nuclei Template:

id: drupal-files
info:
  name: Publicly Accessible Drupal Files
  author: ArjunChandarana
  severity: low
  metadata:
    verified: true
    shodan-query: http.component:Drupal

  tags: Drupal

requests:
  - method: GET
    path:
      - "{{BaseURL}}/sites/default/services.yml"
      - "{{BaseURL}}/contrib/views_data_export/README.md"
      - "{{BaseURL}}/core/install.php"
      - "{{BaseURL}}/core/INSTALL.txt"
      - "{{BaseURL}}/sites/README.txt"
      - "{{BaseURL}}/update.php"
      - "{{BaseURL}}/sites/default/settings.php"

    stop-at-first-match: false
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "Views data export"
          - "Administer software update"
          - "parameters"
          - "Drupal"
          - "Installation"
          - "Requirements"
          - "app_root"
        condition: or

      - type: status
        status:
          - 200


commented

Weak matching with matchers-condition: or. Changing it to matchers-condition: and got me some valid results. Not sure if all the words in the matcher list are Drupal-specific, though.
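The matching concern raised in the comment above, as an added example that is not part of the issue thread and is not nuclei's own code: a simplified Python model of the template's word and status matchers, run over constructed responses. The sample bodies and `TIGHT_WORDS` are assumptions chosen for illustration.

```python
# Simplified model of nuclei word/status matcher evaluation (assumption: this
# mirrors the or/and semantics only; it is not the engine's implementation).
WORDS = ["Views data export", "Administer software update", "parameters",
         "Drupal", "Installation", "Requirements", "app_root"]
# Hypothetical tighter word set for services.yml, based on the keys named in the thread.
TIGHT_WORDS = ["session.storage.options", "twig.config"]

def word_matcher(body, words, condition="or"):
    hits = [w in body for w in words]  # case-sensitive substring match
    return all(hits) if condition == "and" else any(hits)

def status_matcher(status, allowed=(200,)):
    return status in allowed

def template_matches(resp, matchers_condition, words=WORDS, word_condition="or"):
    results = [word_matcher(resp["body"], words, word_condition),
               status_matcher(resp["status"])]
    return all(results) if matchers_condition == "and" else any(results)

# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "services.yml served": {"status": 200,
        "body": "parameters:\n  session.storage.options:\n    gc_probability: 1\n"
                "  twig.config:\n    debug: false\n"},
    "blank 200 page": {"status": 200, "body": ""},
    "soft-404 on non-Drupal site": {"status": 200, "body": "<h1>Page not found</h1>"},
    "403 mentioning a word": {"status": 403,
        "body": "Access denied. Requirements not met."},
    "unrelated 200 with generic word": {"status": 200,
        "body": "<h2>Installation guide for our printer</h2>"},
}

def evaluate(matchers_condition, **kw):
    """Return {sample name: matched?} for the given matchers-condition."""
    return {name: template_matches(r, matchers_condition, **kw)
            for name, r in SAMPLES.items()}

if __name__ == "__main__":
    print("or   :", evaluate("or"))    # every sample is reported
    print("and  :", evaluate("and"))   # generic words still match an unrelated page
    print("tight:", evaluate("and", words=TIGHT_WORDS, word_condition="and"))
```

With `matchers-condition: or` every sample is reported, including the blank page and the 403. With `and` the unrelated page still matches because words like "Installation" are not Drupal-specific, which is why per-file words are needed.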

Thanks so much for this @ArjunChandarana, we'll take a look into it!

Thanks team, let me know if it requires modification. Would be happy to help.

Hi @ArjunChandarana, we already have these default files under these templates:

http/technologies/drupal-detect.yaml

http/misconfiguration/installer/drupal-install.yaml

/update.php - Access denied (since it requires an account to log in)
/sites/default/services.yml - Blank Page with no Information.
/sites/default/settings.php - variable undefined error

Only the endpoints mentioned below are already present:

      - "{{BaseURL}}/core/install.php"
      - "{{BaseURL}}/core/INSTALL.txt"
      - "{{BaseURL}}/sites/README.txt"

Looking forward to hearing back from you

Thanks

Hi @DhiyaneshGeek, thanks for checking on this. During my testing phase I was able to get output for the /sites/default/services.yml endpoint with some of the information, and this would vary from target to target. Regarding the /sites/default/settings.php endpoint, I was able to get an error, but sometimes it would be possible to get a default settings.php page. And for the /update.php endpoint, it was possible to get a response that it requires leveraged privileges such as Administrator, which confirms that multiple user roles exist.

Hi @ArjunChandarana, what kind of information is exposed in these files?

If there is some sensitive information exposed, we can consider having a template.

The existing template detects the default files, as I mentioned already.

Looking forward to hearing back from you

Thanks

Hi @DhiyaneshGeek, to my observation and understanding, this file generally contains configuration-related information, which has session-related configurations, twig-related configurations, and which protocols are allowed and which are filtered. Additionally, some CORS-related configuration is disclosed. But this file may contain additional information regarding the target configuration, which varies from target to target.

Also, the "{{BaseURL}}/core/INSTALL.txt" endpoint was not found in the above 2 templates; could you please check on that as well?

Hi @ArjunChandarana, we can update the existing template and add /core/INSTALL.txt and co-author you there 😄

What do you think about it?

Thanks

Hey @DhiyaneshGeek, that would be great and much appreciated 😁. Also, I was thinking out loud: why miss any default files which might have some relevant information about the host? If we can add the sites/default/services.yml endpoint to that, it would be great. Additionally, maybe we can go ahead and create a template regarding improper error handling for this endpoint: /sites/default/settings.php - variable undefined error. 👀

Thanks much !

Hi @ArjunChandarana

We also have a Discord server, which you’re more than welcome to join. It's a great place to connect with fellow contributors and stay updated with the latest developments!

I'll update the existing template and let you know

Thanks

Hi @ArjunChandarana, we further examined that the existing templates detect the Drupal default files.

Adding /core/INSTALL.txt and /sites/default/services.yml will increase the number of requests sent.

So we are closing this issue.

Thanks